How DNS Attack Dynamics Evolved During the Pandemic

The Domain Name System (DNS) is the “Internet’s address book;” the essential, trusted, rarely scrutinized protocol that keeps the internet running by mapping readable domain names to IP addresses. More than 2.2 trillion DNS queries are processed each day to guide web traffic where it needs to go. Unfortunately, these qualities also make DNS threats an appealing vector for cyberattacks. Moreover, internal DNS servers share their domain server names and IP addresses with anyone who asks. DNS queries are also capable of delivering small amounts of data between systems. Bad actors have long recognized this opportunity, and use techniques like DNS tunneling to execute malware commands on and exfiltrate data from victims’ hardware. This threat has only grown in severity and complexity with the onset of the coronavirus pandemic in 2020.

While distributed denial of service (DDoS) and other ‘brute force’ attacks deserve the media attention they receive, organizations should be careful not to overlook DNS security. This is all too common, highlighted by the SIGRed vulnerability in Windows DNS that was in place for seventeen years before being discovered in July 2020. Cybersecurity professionals should understand the shifting DNS threat landscape to guard against serious consequences.

The DNS Attack Standard: Tunneling

DNS tunneling has been around for twenty years, and still remains the most consistent DNS-based threat to organizations. Attackers hide data within DNS queries that are sent to a compromised server. Since DNS requests are generally allowed to pass through firewalls and other security measures that otherwise block malicious traffic, it’s a convenient way for hackers to bypass defenses and gain access to internal systems.

Cyberattackers use DNS tunnels to take advantage of organizations in several ways, but command-and-control activities are the most common. Once an internal device has been compromised through phishing or malware, the attacker will maintain contact with the device to run commands. The DNS protocol gives them a pathway to activate damaging malware like remote access trojans. It’s also possible for bad actors to use DNS tunnels for data exfiltration. Hackers can siphon away an organization’s sensitive data by encoding it into thousands of DNS responses, a tactic that is very difficult to detect.

DNS tunneling attacks are on the rise, in part because they are among the most accessible threat vectors. Easy-to-use tunneling toolkits and guides are widely available on hacker forums – there are even how-to videos on YouTube – so even novice hackers can learn to burrow into otherwise secure domains. But experienced, more sophisticated players also rely on the technique. The OilRig threat group, for example, has made widespread use of DNS tunneling for command-and-control communication with infected hosts. They’ve gained illicit access to 97 different organizations across the globe, exfiltrating many thousands of usernames and passwords.

DNS Threat Dynamics Are Shifting

The complexity of the DNS threat landscape has grown in the wake of COVID. According to Neustar’s “Online Traffic and Cyber Attacks During COVID-19” report, there was a dramatic escalation of the number of attacks and their severity across virtually every measurable metric from March to mid-May 2020 – particularly DNS-related attacks.

That’s not surprising given the sharp rise in DNS queries from employees working from home. Whereas business networks tend to be relatively secure and protected by experienced security professionals, home routers are set up by un-savvy employees, and are therefore more vulnerable to DNS exploits.

Hackers are taking advantage of this vulnerability using a technique called DNS hijacking. They gain access to unsecured home routers and change the devices’ DNS settings. Users are then redirected to malicious sites and unwittingly give away sensitive information like credentials, or permit attackers to remotely access their company’s infrastructure. Neustar has seen a dramatic rise in this type of attack since the onset of the pandemic. Given that many home networks remain exposed, this problematic trend is poised to continue well into 2021.

Similar, simpler techniques are also becoming more prevalent. DNS spoofing and cache poisoning also redirect traffic to malicious websites, but instead overwrite local DNS records or DNS cache values with fake ones. The end result is the same: users are duped into giving hackers access to their systems.

We’ve also seen an increase in DNS amplification attacks, a type of DDoS attack that exploits vulnerabilities in DNS servers to turn small queries into much larger payloads. These attacks can quickly overwhelm an organization’s servers. One of the latest DNS server vulnerabilities, the NXNSAttack, amplifies DDoS attacks by a factor of 1,620.

As attacks become more varied and sophisticated, DNS infrastructure will continue to be vulnerable unless organizations take steps to protect themselves.

Monitoring for Protection and Proactive Response

Though DNS is an increasingly targeted threat vector for attackers, the prognosis is far from hopeless. Organizations can protect themselves with regular DNS audits and monitoring. A thorough understanding of your organization’s DNS traffic and activity can prevent the majority of DNS attacks and limit their destructive power.

Effective monitoring also represents one of the last lines of cyber defense for an organization. Cybersecurity experts recognize that DNS data can provide valuable information related to pre-attack, mid-attack and post-attack activities against their organizations.

This information isn’t limited to DNS-type attacks. Since DNS protocols are often used for malware command-and-control, it is one of the last things a bad actor will attack before attempting to steal data or harm system infrastructure. A hacker accessing malware through a DNS backdoor is often the best opportunity to detect malicious activity from a compromised device.

Depending on the level of DNS insights available, security professionals can identify which internal resources have been compromised, and then address the issue. They can also better understand who is on the other end of that attack and improve the accuracy of attribution.

With the right systems in place, DNS is much more than a directory of IP addresses; it’s a way for organizations to proactively address attack activities and stop the vast majority of malware, viruses and malicious content before critical systems are impacted.

Avatar photo

Michael Kaczmarek

Michael Kaczmarek is the VP of Product Management for Neustar’s Security Solutions business unit. He is responsible for evangelizing the vision, strategies, and tactics for the successful launch and expansion of products into new and existing markets. Prior to joining Neustar, Michael was with Verisign for more than 18 years where he served in various capacities including VP of product management and marketing for Verisign Security Services. He previously served as a systems engineering manager for Lockheed Martin in charge of their Solid Rocket Motor Disposition in Russia Program. Michael holds a Bachelor of Science in aerospace engineering from the University of Maryland and a Master of Engineering in environmental engineering from Johns Hopkins University.

michael-kaczmarek has 4 posts and counting.See all posts by michael-kaczmarek