On the Anatomy of a DNS Attack – Types, Technical Capabilities, TTPs, and Mitigation
30 May 21, 11:42
(This post was last modified: 30 May 21, 11:43 by harlan4096.)
Quote:
DNS Attack Classification. Prophylaxis and Mitigation(s)
The Domain Name System (DNS), with its quirks, kinks, and compulsion to create unnecessarily long acronyms is a world of its own (design). At this point, any DNS treatise, article, paper, or cheat-sheet, makes Encyclopedia Britannica’s letter “A” volume look like a “quit smoking” leaflet. There’s a perfectly sound reason behind DNS’s complexity – everything happening on your web browser right now, including you reading this article, is the Domain Name System weaving its magic.
Although I’m quite tempted to blabber away about the awesomeness of the Internet’s Yellow Pages, I’ll just stick with a quick refresher of what DNS is (and is not). The article you’re about to read is entirely dedicated to your friendly neighborhood hacker; probably the only person that can turn something as innocuous as an intelligent cooker into a full-fledged IED. So, without further ado, let’s take a closer look at the DNS attack. I’ll be covering classification, techniques, and available mitigation and/or fixes. Enjoy!
DNS 102 – Blast from the not-so-distant past
Just to refresh our memory (pun intended) about what DNS is and is not, I’ve jotted down some info that will definitely help you put things into context much easier.
DNS – stands for Domain Name System and, as I’ve mentioned in the intro, it’s the phone book of the Internet. The analogy is pretty neat, clearly illustrating how human-readable info (e.g., google.com, heimdalsecurity.com) can be ‘dumbed down’ into forms that are machine-friendly. Tech talk coming: DNS is defined as a methodology that “provides translation of a networked machine’s (host’s) name to a machine-readable IP address so that packets are routed over the network correctly.
Conversely, for security reasons, a server on the network may use “reverse lookup” in order to assure its administrators that the proper people are connected to it.” Cornell University really knows its DNS. So, for your browser to display your favorite website, the machine needs to know the IPv4 or IPv6 address associated with the name. Kind of a neat trick you would want to boast about in front of your non-geeky friends: fire up a command prompt window, type in “nslookup” followed by the address of your favorite website. You’ll get the server’s address and its corresponding IP address. One more thing: this collection of IP-name addresses all fits nicely into a big address book called the DNS record.
Resolvers – little delivery boys that fetch the numerical address of a queried, human-readable address.
DNS namespace hierarchy – The Library of Alexandria of DNS administrative domains. The hierarchy is as follows: the root of “.”, TLDs (Top-Level Domains) for things like “.edu”, “.com”, “.org”, SLDs (Second-Level Domains), Sub-Domain of Parent, and Host.
DHCP – stands for Dynamic Host Configuration Protocol and it’s used to fast-track the process of how devices use services such as DNS or NTP by automatically configuring IP assignment.
Still here? Well, if you’re not half bored to death, let’s talk about the various types of attacks that leverage vulnerability or design limitations found in the DNS.
DNS Attack Genealogy
Denial-of-Service (DoS)
As far as descriptive acronyms go, DoS really manages to capture the essence of this type of cyber-attack. Short for Denial-of-Service, this attack is aimed at barring users from a machine or a network by either exhausting its resources or effectively shutting it down. A lesser-known fact about DoS(s) is that this type of action on target is mostly used to either hide tracks or to hamper the victim’s recovery efforts.
Basically, this would be the cherry on top. As far as variety is concerned, there are several kinds of DoS attacks, each leveraging a vulnerability or protocol/system/code limitation or…unexpected machine-side replies. DoS attacks are commonly employed by threat actors hunting down HVTs with advanced cyber protection. Anyway, before I go about the other attacks, I just want to show you this really nifty and simple DoS attack you can try at home.
All you need are two virtual machines, one running Linux, and the other one running Windows.
I tried it out on Oracle’s VM VirtualBox, but you can probably use any type of OS emulation software. This attack is called the Ping of Death (boo-hoo-hoo!) and it’s used to crash, freeze, or force-reboot a server or another network-bound resource. PoD leverages a limitation of TCP/IP packet transmission – the maximum limit is 65,536 bytes. Normally, if a data packet is larger than the admissible limit, it will be broken down into smaller packets. That’s called data fragmentation and it’s something very normal.
What’s not normal is using the ping command to send data packets larger than 65,536 bytes. The result – the server could freeze, crash or reboot. Now, to test out the Ping of Death attack, go ahead and set up the machines and then download this free PoD software on your Linux machine. Unpack, execute, and go crazy. Please be sure to do this in a controlled environment, otherwise, it may be construed as a hacking attempt. With this in mind, let’s now turn our attention to other DoS attacks.
...
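The namespace hierarchy and the forward/reverse lookup the quoted article describes, as an added example that is not part of the article or the forum post: it splits a name into root, TLD, SLD, sub-domains and host, builds the PTR owner name a resolver queries for a reverse lookup, and applies the forward-confirmed check that makes a reverse lookup actually vouch for a client. The sample names and addresses are constructed; nothing is queried over the network.

```python
import ipaddress

ROOT = "."  # the unnamed root zone at the top of the hierarchy


def split_hierarchy(name: str) -> dict:
    """Break a fully qualified name into the levels the article lists:
    root, TLD, SLD, intermediate sub-domains, and the host label.
    Constructed example: www.cs.example.edu -> host=www, subdomains=[cs],
    sld=example, tld=edu.
    """
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    if len(labels) < 2:
        raise ValueError("expected at least a second-level domain, e.g. example.com")
    tld, sld = labels[-1], labels[-2]
    rest = labels[:-2]            # everything left of the SLD, leftmost first
    host = rest[0] if rest else None
    subdomains = rest[1:]         # labels between the host and the SLD
    return {"root": ROOT, "tld": tld, "sld": sld,
            "subdomains": subdomains, "host": host}


def reverse_name(ip: str) -> str:
    """Build the PTR owner name a resolver queries for a reverse lookup.
    IPv4 reverses the dotted octets under in-addr.arpa; IPv6 reverses the
    32 hex nibbles of the expanded address under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def fcrdns_ok(ip: str, forward_addresses) -> bool:
    """Forward-confirmed reverse DNS: the name returned by the PTR lookup must
    itself resolve (A/AAAA answers passed in as forward_addresses) back to the
    original address; otherwise whoever controls the reverse zone could claim
    any hostname, and the 'proper people' assurance means nothing."""
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in forward_addresses)


if __name__ == "__main__":
    print(split_hierarchy("www.cs.example.edu."))
    print(reverse_name("192.0.2.10"))
    print(reverse_name("2001:db8::1"))
    print(fcrdns_ok("192.0.2.10", ["192.0.2.10", "192.0.2.11"]))
```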
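The fragment-reassembly bounds check that closed the Ping of Death hole, as an added example that is not part of the article or the forum post: the article explains that an oversized datagram arrives as ordinary-looking fragments, and a host is only safe if it verifies, before copying each fragment, that the fragment's offset plus length stays within the 65,535-byte limit the IP Total Length field allows. The Fragment record and the sample fragment stream are constructed for the example.

```python
from dataclasses import dataclass

# RFC 791: the 16-bit Total Length field caps an IP datagram at 65,535 bytes,
# so no fragment may legitimately place payload beyond that boundary.
IP_MAX_DATAGRAM = 65535


@dataclass
class Fragment:
    frag_id: int   # Identification field shared by every piece of one datagram
    offset: int    # Fragment Offset field, in 8-byte units
    length: int    # bytes of payload carried by this fragment
    more: bool     # More Fragments (MF) flag; False marks the last piece


def fragment_end(frag: Fragment) -> int:
    """Byte position just past this fragment's payload in the reassembly buffer."""
    return frag.offset * 8 + frag.length


def audit_fragments(frags):
    """Per datagram id, report the highest payload end seen and whether the
    datagram must be dropped. This is the check the Ping of Death fix added:
    refuse any fragment whose payload would run past the reassembly buffer
    instead of copying it in and overrunning the buffer."""
    ends = {}
    for f in frags:
        ends[f.frag_id] = max(ends.get(f.frag_id, 0), fragment_end(f))
    return {i: ("DROP" if end > IP_MAX_DATAGRAM else "OK", end)
            for i, end in ends.items()}


# Constructed sample: datagram 1 is an ordinary 4,000-byte ping split into
# 1,480-byte pieces; datagram 2 is a PoD-style stream whose last fragment sits
# at offset 8190 (byte 65,520) and carries 1,480 more bytes.
SAMPLE = [
    Fragment(1, 0, 1480, True),
    Fragment(1, 185, 1480, True),
    Fragment(1, 370, 1040, False),
    Fragment(2, 0, 1480, True),
    Fragment(2, 8190, 1480, False),
]

if __name__ == "__main__":
    for frag_id, (verdict, end) in audit_fragments(SAMPLE).items():
        print(f"datagram {frag_id}: reassembled payload end {end} -> {verdict}")
```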