Maksim Kabakou - Fotolia

Security Think Tank: Add risk of DNS attack to business continuity plan

What are the main security risks associated with DNS and how are these best mitigated?

With the domain name system (DNS) providing translation, or routing, there are obvious reasons why it could be targeted.

Specific DNS attacks include: re-routing traffic to another website to steal credentials or deploy malware; capturing traffic to steal personal or private data; injecting adverts, popups or redirects for financial gain; and redirecting corporate websites to activist or protest sites. Controlling DNS determines what people see and where their data goes.

The security risks around DNS have been well documented since the popular uptake of the internet in the 1990s. The best known is DNS cache poisoning, where vulnerabilities in a DNS server are exploited to divert traffic. Mitigations, such as the use of domain name system security extensions (DNSSEC), a suite of extensions that enables DNS responses to be validated, have been developed. But due to the distributed nature of DNS and the internet in general, it needs to be broadly adopted to be effective.

Other low-tech activities that can result in users being redirected or have data stolen include typosquatting (URL hijacking) or compromising domain registrar details, for which there are well-developed mitigations.

The above focuses on the core infosec principles of confidentiality and integrity – risks that many individuals associate with the internet and about which they are most concerned. The attack on US DNS provider Dyn highlighted the importance of the third principle: availability. Organisations use DNS hosting providers because they can offer a higher degree of resilience and security than is practicable for an organisation to operate itself.

The attack on Dyn DNS was unprecedented in its scale, and believed to be the biggest distributed denial of service (DDoS) recorded. Dyn’s DNS servers were flooded with over 1Tbps of data, double the volume of data previously used in DDoS attacks. DDoS attacks are not new, and Dyn, like other reputed DNS providers, has advanced mitigation strategies in place. These strategies paid off, as some services remained available – although this is small consolation to the users and organisations affected.

To perform an effective DDoS, an attacker needs to have the ability to overwhelm the target. This can be achieved by using up all available bandwidth, which is unlikely in the case of a large DNS provider, or overloading the server. Each request requires processing, and if sufficient requests are submitted, the servers cannot cope with the workload. This requires a large volume of data to be generated, preferably from as many different sources as possible, and using different protocols to make it harder to isolate and block the offending traffic.

The Mirai botnet uses a large number, estimated at over 100,000 of compromised internet of things (IoT) devices to generate traffic. IoT device security has a reputation for being poor, and the nature of the devices can make them hard or impossible to update. With constant internet connectivity, these devices can easily be compromised, and many owners will not bother to update the devices. The end result is that if sufficient servers have no capacity to perform the translation and routing, the resource is effectively unavailable.

As we rely more on internet services to work, research, collaborate and unwind, losing access to these services has a material impact on our lives. When an attack is focused on a large DNS provider, it affects all clients of that service. The attack vector is not new, but the ability to scale an attack makes this a risk organisations should plan for.

Mitigation options are relatively limited. Firstly, moving away from a leading provider is not necessarily a good idea. While they are vulnerable to these blanket attacks, their ability to respond is better than an individual organisation would achieve. Their scale is also protection against a focused attack against a single organisational target.

Secondly, a backup solution, such as another provider that can be used for failover, needs to be in place. One of the various techniques for achieving failover will work if another solution to failover to is not available and configured. Finally, organisational business continuity plans must cater for the risk of DNS attacks.

The attack on Dyn highlights how compromised IoT devices can affect individuals and organisations, albeit in a manner that the public would not expect. It remains to be seen if this is enough for device manufacturers and consumers to take action.

Alex Ayers is co-founder and consulting director at Turnkey Consulting.

Read more on IT risk management