1/23/2018 3 Common DNS Attacks and How to Fight Them

DNS Attacks and How to Fight Them


14, 2016
Unless you were glued to the internet a few weeks ago, you may have missed the massive outage that hit the east coast on Oct. 21.

Many popular websites such as Twitter, Reddit, Netflix, Etsy, and Spotify were inaccessible to thousands of users.

Experts have since declared that the outage was the result of a huge attack on DNS services at Dyn, an internet infrastructure company.

S attacks have sat on the backburner for many businesses and IT


ut that may be changing.

Google, The New York Times, and several banks have fallen victim to
cks in recent years.

sure to come, what types should you watch out for?

NS Poisoning and Spoofing


ultimately route users to the wrong
e, a user may enter “msn.com” into a
page chosen by the attacker loads

https://www.calyptix.com/top-threats/3-common-dns-attacks-and-how-to-fight-them/ 1/8
ng in the correct domain name, they


the website they are visiting is fake.

ct opportunity for attackers to use phishing techniques to mine

og in credentials or credit card information – from unsuspecting

evastating, depending on several factors, including the intention of


scope of DNS poisoning.

o this? By exploiting the DNS caching system.

S caching

throughout the Web to accelerate load times and reduce strain on


tshell, once a system queries a DNS server and receives a response,
tion in a local cache for faster reference.

ed across the web in a trickle-down fashion. The records at one DNS


ache records at another DNS server. That server is used to cache
working systems such as routers. Those records are used to create
hines.

ches

rs when one of these caches is compromised.


ache on a network router is compromised, then anyone using it can
fraudulent website. The false DNS records then trickle-down to the
user’s machine.

higher in the chain.

r DNS server can be compromised. This can poison the caches of


ned by internet service providers. The poison can trickle-down to
working systems and devices, potentially routing millions of people
by an attacker.

. In 2010, internet users across the U.S. were blocked from sites like
ube because a DNS server at a high-level ISP accidentally fetched
eat Firewall of China.

poison

g is very difficult to detect. It can last until the TTL, or time to live,
ed data or an administrator realizes and resolves the problem.

uration of the TTL, it could take days for the servers to resolve the

o prevent a DNS cache poisoning attack include regular program


ort TTL times, and regularly clearing the DNS caches of local
orking systems.
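How the TTL and cache clearing interact across chained caches, as an added illustration that is not part of the original article. The two-level cache model, the `max_ttl` cap, the timings and the documentation-range addresses are all assumptions made for the example.

```python
# Added illustration (not from the original article): a toy model of chained
# DNS caches. Names, timings and addresses are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Lookup = Callable[[str, float], Tuple[str, float]]  # (name, now) -> (addr, expires_at)

@dataclass
class Cache:
    upstream: Lookup
    max_ttl: float = float("inf")  # local cap on how long any record is kept
    store: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name, now):
        hit = self.store.get(name)
        if hit and hit[1] > now:
            return hit  # still fresh: served without asking upstream
        addr, expires = self.upstream(name, now)
        self.store[name] = (addr, min(expires, now + self.max_ttl))
        return self.store[name]

    def flush(self):
        self.store.clear()

GOOD, BAD = "192.0.2.10", "203.0.113.66"  # documentation-range addresses

def authoritative(name, now):
    return GOOD, now + 3600  # genuine record with a one-hour TTL

def poisoned_window(router_max_ttl, flush_router_at=None,
                    isp_fixed_at=7200, horizon=86400, step=600):
    """Seconds during which the router cache hands out the forged address."""
    isp = Cache(authoritative)
    router = Cache(isp.resolve, max_ttl=router_max_ttl)
    isp.store["example.test"] = (BAD, 86400.0)  # forged record, 24-hour TTL
    bad_seconds = 0
    for now in range(0, horizon, step):
        if now == isp_fixed_at:
            isp.flush()  # administrator repairs the upstream cache
        if now == flush_router_at:
            router.flush()
        if router.resolve("example.test", float(now))[0] == BAD:
            bad_seconds += step
    return bad_seconds
```

With no TTL cap the router keeps serving the forged address for the full 24 hours even though the upstream cache was repaired after two; a 300-second cap or a flush at repair time cuts that to two hours, while a flush before the upstream repair changes nothing.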

Attack #2: DNS Amplification for DDoS
DNS amplification attacks are not threats against the DNS
systems. Instead, they exploit the open nature of DNS
services to strengthen the force of distributed denial of
service (DDoS) attacks.

DDoS attacks are no stranger to the spotlight, targeting


well-known sites such as BBC, Microsoft, Sony, and Krebs

plify

ly occur with a botnet. The attacker uses a network of malware-


to send large amounts of traffic to a target, such as a server. The
he target and slow or crash it.

s add more punch. Rather than sending traffic directly from a botnet
et sends requests to other systems. Those systems respond by
r volumes of traffic to the victim.

ttacks are a perfect example. Attackers use a botnet to send


p requests to open DNS servers. The requests have a spoofed source
gured to maximize the amount of data returned by each DNS

er sends relatively small amounts of traffic from a botnet and


nally greater – or “amplified” – volumes of traffic from DNS servers.
is directed to a victim, causing the system to falter.
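One way a resolver operator could spot this pattern in their own query log, as an added example that is not from the original article. The six-column log format, the thresholds and the function name are assumptions, and the sample lines are constructed.

```python
# Added example (not from the original article). Assumed log format, one
# query per line: timestamp source qname qtype query_bytes response_bytes
from collections import defaultdict

SAMPLE_LOG = """\
1477051200 198.51.100.7 example.test ANY 64 3100
1477051200 192.0.2.21 www.example.test A 60 92
1477051201 198.51.100.7 example.test ANY 64 3100
1477051201 192.0.2.22 example.test TXT 70 1200
1477051201 198.51.100.7 example.test ANY 64 3100
1477051202 192.0.2.21 mail.example.test A 58 110
this line is malformed
1477051202 198.51.100.7 example.test ANY 64 3100
1477051203 192.0.2.21 cdn.example.test A 61 140
"""

def amplification_suspects(log_text, min_ratio=10.0, min_queries=3):
    """Map each source address to its response/query byte ratio when that
    ratio and the query count both reach the thresholds."""
    stats = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        _ts, src, _qname, _qtype, q_bytes, r_bytes = parts
        if not (q_bytes.isdigit() and r_bytes.isdigit()):
            continue
        s = stats[src]
        s["queries"] += 1
        s["q_bytes"] += int(q_bytes)
        s["r_bytes"] += int(r_bytes)
    suspects = {}
    for src, s in stats.items():
        ratio = s["r_bytes"] / s["q_bytes"] if s["q_bytes"] else 0.0
        # A single large answer is normal; repeated large answers to the
        # same source from tiny queries is the amplification signature.
        if s["queries"] >= min_queries and ratio >= min_ratio:
            suspects[src] = round(ratio, 1)
    return suspects
```

Because the source address in these requests is spoofed, a flagged address is the one receiving the flood, not the sender; the lasting fix on the resolver side is to answer only local machines.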

nd

e configured to recognize and stop DDoS attacks as they occur by


ackets trying to flood systems on the network.

bat DDoS attacks is to host your client’s architecture on multiple


one server becomes overloaded, another server will still be

the IP addresses sending the traffic can be blocked. Additionally, an


er’s bandwidth can enable it to absorb an attack.

d solutions also exist that are designed exclusively to combat DDoS

NS Attacked by DDoS
e used against many different types of
es DNS servers.

ttack against a DNS server can cause


g the users who rely on the server
e web (note: users will still likely be
es they’ve visited recently, assuming
ved in a local cache).

ed to Dyn’s DNS services, as described in the opening of this post. A


elmed the company’s systems, causing them to crash, which

s of people from accessing major websites.

nst these attacks depends on the role of your systems in the


u hosting a DNS server? In that case, there are steps you can take to
eeping it patched and allowing only local machines to access it.

ng to reach the DNS server being attacked? In this case, you will
onnecting.

d idea to configure your systems to rely on more than one DNS
he primary server goes down, you have another as a fall back.

ogle’s free Public DNS servers: 8.8.8.8 and 8.8.4.4. Instructions are
v6 addresses.

gate Attacks

are a major network security risk and should be taken seriously.


ompanies both need to implement safeguards to prevent and
f such an attack should they ever fall victim to one.

ttacks, ICANN has started emphasizing these risks with DNSSEC, a


ed for preventing DNS server attacks.

orks by “signing” each DNS request with a certified signature to


This helps servers weed out fake requests.

o this technology is the fact that it has to be implemented at all


rotocol to work properly – which is slowly but surely coming along.

eveloping technology such as DNSSEC as well as staying up to date


tacks is a good way to stay ahead of the curve.


NTON REPLY

2017

oisoning and DNS redirect the same thing. From reading blog i
that there is only a slight difference between the two. ain't that the
condly, how do you prevent an attack in the event an email is in
hrough a DNS hijacked server?


11, 2017

vin - Thanks for reaching out. DNS poisoning and DNS redirecting
ery different in how they are executed. However, the results are
r, with victims being directed to websites controlled by the attacker.
ost you refer to makes this very clear. "First of all, DNS spoofing and
poisoning (or DNS cache poisoning) are the same thing, but slightly
ent than DNS hijacking. In the latter, the hacker would either plant a
are or hack the router DNS settings. However, in DNS poisoning or
ng, the hackers compromise (poison) the cache of a DNS server."
our second question, we need more information to provide a clear
er. Hope that helps!
