Nation-state DNS exploits risk destabilising the Internet

As credential theft and DDoS pummel DNS, CSOs urged to consider the finer points of their strategy


A recent spate of damaging DNS-level attacks was carried out with “terrifying” ease by cybercriminals who used compromised access credentials rather than having to hack the DNS servers themselves, a DNS expert has warned.

One of the interesting things about attacks such as DNSpionage and Sea Turtle, Cricket Liu, Infoblox executive vice president of engineering, chief DNS architect and senior fellow, recently told CSO Australia, was that “they were actually quite sophisticated attacks inasmuch as they had lots of different options to get the compromised credentials.”

“Once they had that access,” he continued, “they stood up those servers as men in the middle and could sit there over an extended period and snoop web and mail traffic – which is kind of terrifying.”

DNSpionage was blamed on Iranian state hackers, and researchers from Cisco’s Talos concluded “with high confidence” that the Sea Turtle campaign was being run by an “advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems”. This echoes independent research from FireEye and raises the ongoing spectre of high-level manipulation of a service that is fundamental to the operation of the Internet.

Some of the early architects of DNS believe more could have been done early on to avoid the current situation. Yet many of those architectural decisions were made decades ago, when the botnet-driven 1.2Tbps distributed denial of service (DDoS) attacks that took out DNS hosting provider Dyn in late 2016 were still the stuff of fantasy.

“The original DNS had just two security features,” Liu said. “I don’t think anyone foresaw that a DDoS attack could be large enough to take out a big, first-tier hosting provider like Dyn. If you had levelled the same volume of traffic at pretty much any other organisation on the Internet, it would have taken them out too.”

Liu – who has been working with DNS for around 30 years and has authored numerous books on the subject – has watched the system be upgraded repeatedly over the years to counter new threats and exploits, with new technologies like DNS Security Extensions (DNSSEC) and Response Rate Limiting (RRL) tightening controls in response to specific threats.

These technologies “were designed to make it more difficult to use somebody’s DNS servers as an amplifier in a DDoS attack against someone else,” Liu explained.

Yet end-user consumers also had a role to play in minimising their exposure to DNS exploits, he advised, urging them to “not just use any old DNS server”.

“The average user probably doesn’t think about DNS, but maybe they do need to actually take into account the possibility that the DNS server they are using has been compromised,” he said. “They should be intelligent consumers of DNS and choose according to the reliability of a provider and the security that they provide.”

IBM, for example, has built an alternative DNS service called Quad9 that proactively blocks IP addresses known to be associated with malware attacks, DDoS botnets, and the like.

Cisco, CloudFlare, Google and other providers have each positioned their respective DNS services around different levels of policy controls, categorisation of Web sites, speed, and so on.

“You have to identify what features you’re after from your recursive DNS service,” Liu noted, “and decide how good the provider is at actually supporting that functionality.”

More customers understand the importance of DNS than they used to, thanks to “a general realisation amongst IT professionals, and even in higher level management, that DNS really is a very important service,” Liu said. “I’m glad not to have to explain to people that DNS is important anymore.”

Yet keeping it secure remains an ongoing effort, with constant scrutiny of open-source libraries turning up new potential vulnerabilities that must be patched.

Despite the collaboration and common interests across the security and Internet communities, there is no one point where infrastructure providers will be able to declare DNS fully secure.

“We have to gird ourselves for the long haul,” Liu explained. “I don’t think there is any magic bullet; we’re in a constant arms race with the bad guys who dream up these attacks, and then we dream up new mechanisms for addressing those attacks.”

“We can’t give up on DNS; it’s a critical service, and without it the Internet just doesn’t work.”
