DNS is one of the primary technologies enabling the Internet – translating the names people type into a browser into an IP address so the requested service can be found on the internet. It is one of the key elements in the network that delivers content and applications to the user. If DNS goes down, most web applications will fail to function properly so it is critical to have a strong, secure and scalable DNS infrastructure.
A bunch of recent DNS outages show that while protecting the application from the typical SQLi, XSS and other OWASP Top 10 related risks is important, if DNS is not answering, those application hacks do not really matter since no one can get to the site anyway.
This month, 3 Dutch web hosting companies had their name servers altered by attackers. They, according to articles, changed the various company's name servers to malicious servers hosted by the crooks. They apparently managed to break into the national domain registrar, SIDN, to make the malicious change along with setting the Time to Live value to 24 hours. This meant that any ISP that cached the bad information would continue to deliver the wrong address for the next day. Among others, a large Dutch electronic retailer had to take down a bunch of servers that were delivering malware due to the breach but thousands of domains were affected.
This past June, the popular business social network LinkedIn was offline for at least a half a day due to a DNS issue. The company claims that this was not due to criminal behavior but internal human error. Somehow the main home page was redirected to a domain parking page which indicated the name was up for sale.
Also in June, DNSimple detected a DNS Amplification Attack on their network. This is where an attacker attempts to use additional servers to 'amplify' the attack - small queries that turn into huge responses. Instead of allowing the bounce, DNSimple tried to absorb the attack by blocking some IP addresses but ultimately at some point, all the name servers were no longer responding. All hands to respond. In their incident report, they noted that their current DNS server implementation allowed ANY queries on UDP to pass through and attempted to respond to them, albeit with the TC (truncation) bit set. In addition, the overhead created by their ALIAS resolution system was also a factor, especially with ALIAS records pointing to other records within DNSimple. With some adjustments they hope to mitigate this from happening again.
There were a few others of note, In June, Network Solutions had its DNS servers hijacked and reconfigured to a malicious website after it botched efforts to thwart a DDoS attack. The Spamhaus Project was nailed by a DNS DDoS attack. And last week, a reported vulnerability in the BIND DNS software could give an attacker the ability to easily and reliably control queried name servers.
We rely on DNS for almost every interaction we have with web applications. It helps us find our favorite e-tailer, social network, travel, news, gaming or entertainment site along with potentially finding our work related resources when we are mobile. For organizations, it helps direct and bring people to your content. Without it, our letter managed mind would have to start remembering a bunch of numbers. Imagine how much you'd use the internet if you had to remember dozens of number combinations to do anything. I bet the growth, the internet of everything, would come to a screeching halt.
- BIND Vulnerability Enables DNS Cache Poisoning Attack
- DNS impairment redirects thousands of websites to malware
- How Spamhaus’ attackers turned DNS into a weapon of mass destruction
- LinkedIn hit by outage from 'DNS issue'
- Incident Report: DNS Outage due to DDoS Attack
- DDoS Attack Behind Latest Network Solutions Outage
- How whitehats stopped the DDoS attack that knocked Spamhaus offline
- The Domino Effect of LinkedIn’s DNS Outage
- RSA2013: BIG-IP DNS Services (video)
- F5 DNS Express: DNS Die Another Day (video)
- F5 DNS Series (videos)
|Connect with Peter:||Connect with F5:|