Attacks on the Domain Name System (DNS) have become a serious problem for organizations' digital operations, with thousands of websites falling victim to them every year. Recent studies indicate that in 2023, enterprise losses related to DNS attacks increased by 49% year-on-year. These losses are not only financial; the attacks also damage internal systems and cloud applications.
To protect a network against them, it is essential to understand the different types of DNS attacks and to apply the appropriate mitigations. This article describes the ten most dangerous types of DNS attacks, how each one works, and the corresponding protective recommendations.
1. DNS Cache Poisoning Attack
DNS cache poisoning tricks users into visiting a fraudulent website when they try to reach a legitimate one. For example, when a user wants to visit gmail.com to check email, an attacker can use DNS poisoning to serve a fraudulent page in place of gmail.com and thereby gain access to the victim's email account.
Attack Mechanism
• A DNS cache allows a resolver to temporarily store the mapping from a domain name to an IP address.
• The attacker sends forged DNS responses to the resolver or to the target device, impersonating the real DNS server.
• The attacker's aim is to get a fake DNS record inserted into the target's DNS cache.
• DNS messages carry a transaction ID that matches a response to its request, so a forged response is only accepted if it carries the ID the resolver is waiting for.
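The following is an added example, not code from the article: a minimal resolver-side model of the checks a forged response has to pass before it can poison a cache. It tracks outstanding queries by random transaction ID and random source port, rejects any response whose question does not match, and keeps only answer records within the queried name (the bailiwick rule). The message encoding is simplified (A records only, no EDNS) and all names, addresses and ports are constructed.

```python
import os
import struct

# Added example: resolver-side validation of DNS responses. Names, addresses
# and ports below are constructed for the demonstration.


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(txid, qname, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, answers, qtype=1):
    """answers: list of (owner name, dotted IPv4). Used to construct test input."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ip in answers:
        rdata = bytes(int(x) for x in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


def query_id(msg):
    return struct.unpack("!H", msg[:2])[0]


def parse_response(msg):
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


class Resolver:
    """Keeps outstanding queries and accepts only responses matching one."""

    def __init__(self):
        self.pending = {}  # (txid, source port) -> (qname, qtype)

    def send_query(self, qname, qtype=1):
        # Random 16-bit ID plus random source port: a blind spoofer has to
        # guess both, which is what makes poisoning expensive.
        txid = int.from_bytes(os.urandom(2), "big")
        port = 1024 + int.from_bytes(os.urandom(2), "big") % 64000
        self.pending[(txid, port)] = (qname.lower(), qtype)
        return build_query(txid, qname, qtype), port

    def accept_response(self, msg, dst_port):
        r = parse_response(msg)
        key = (r["txid"], dst_port)
        if not r["is_response"] or key not in self.pending:
            return None  # no outstanding query with this ID and port: discard
        qname, qtype = self.pending[key]
        if r["qname"].lower() != qname or r["qtype"] != qtype:
            return None  # question section differs from what was asked
        # Bailiwick rule: keep only records at or below the queried name, so a
        # reply about example.com cannot plant a record for another domain.
        kept = [a for a in r["answers"]
                if a[0].lower() == qname or a[0].lower().endswith("." + qname)]
        del self.pending[key]
        return kept


if __name__ == "__main__":
    res = Resolver()
    query, port = res.send_query("example.com.")
    good = build_response(query_id(query), "example.com.", [("example.com.", "192.0.2.10")])
    print("genuine reply:", res.accept_response(good, port))
    query, port = res.send_query("example.com.")
    forged = build_response((query_id(query) + 1) & 0xFFFF, "example.com.",
                            [("example.com.", "198.51.100.1")])
    print("forged reply with wrong ID:", res.accept_response(forged, port))
```

A production resolver additionally validates DNSSEC signatures where the zone is signed, which is what the DNSSEC recommendation below adds on top of these matching rules.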
Protection Recommendations
• Regularly update and patch systems.
• Use trusted DNS servers.
• Implement DNSSEC (DNS Security Extensions).
• Monitor DNS traffic.
• Configure firewalls and intrusion detection/prevention systems.
• Encrypt DNS traffic.
2. Distributed Reflection Denial of Service (DRDoS)
Distributed Reflection Denial of Service (DRDoS) attacks flood the target with a large volume of UDP responses to make it unavailable. The attacker sends requests to DNS, NTP and other UDP services with a forged source IP address, so that the responses are directed at the victim rather than back to the attacker. Once these forged-request responses start arriving in volume, the target system becomes difficult to reach. At scale the reflection becomes collective: many endpoints send forged UDP requests, and all of the resulting responses converge on a single target.
Attack Mechanism
• Reflection attacks leverage protocols in which a small request produces a much larger response (amplification).
• Attack traffic is not sent directly from the attacker to the victim; it is sent to vulnerable servers or devices on the internet, which respond with more traffic to the victim.
• Attackers typically launch these attacks from botnets.
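Below is an added example, not from the article, of the detection logic a defender can run over flow records at the victim's edge. Reflected traffic looks like DNS responses (source port 53) arriving at a host that never sent the corresponding query, from many distinct resolvers at once. The flow records, addresses and thresholds are constructed; a real deployment would read NetFlow/IPFIX or firewall logs.

```python
from collections import defaultdict

# Added example: spotting DNS reflection at the victim's edge from flow
# records. All records below are constructed, not captured traffic.
FLOWS = [
    # legitimate: internal client queries a resolver and gets one reply
    {"t": 1.0, "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.53", "dport": 53, "bytes": 60},
    {"t": 1.1, "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": 40001, "bytes": 120},
    # reflection: several resolvers answer queries that 10.0.0.9 never sent
    {"t": 2.0, "src": "198.51.100.1", "sport": 53, "dst": "10.0.0.9", "dport": 1234, "bytes": 3000},
    {"t": 2.0, "src": "198.51.100.2", "sport": 53, "dst": "10.0.0.9", "dport": 1234, "bytes": 3000},
    {"t": 2.1, "src": "198.51.100.3", "sport": 53, "dst": "10.0.0.9", "dport": 1234, "bytes": 3100},
    {"t": 2.1, "src": "203.0.113.7", "sport": 53, "dst": "10.0.0.9", "dport": 1234, "bytes": 3200},
]


def find_reflection_victims(flows, window=2.0, min_reflectors=3, min_bytes=5000):
    """Return internal hosts receiving unsolicited DNS responses at volume."""
    queries = {}  # (client, client port, server) -> time of last query
    unsolicited = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in sorted(flows, key=lambda f: f["t"]):
        if f["dport"] == 53:
            queries[(f["src"], f["sport"], f["dst"])] = f["t"]
            continue
        if f["sport"] != 53:
            continue
        sent = queries.get((f["dst"], f["dport"], f["src"]))
        if sent is not None and 0 <= f["t"] - sent <= window:
            continue  # this host really asked; a normal answer
        rec = unsolicited[f["dst"]]
        rec["reflectors"].add(f["src"])
        rec["bytes"] += f["bytes"]
    return {
        victim: {"reflectors": len(r["reflectors"]), "bytes": r["bytes"]}
        for victim, r in unsolicited.items()
        if len(r["reflectors"]) >= min_reflectors and r["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    print(find_reflection_victims(FLOWS))
```

The same unsolicited-response test is what a stateful firewall applies per packet; running it over flow summaries additionally gives the count of distinct reflectors and the byte volume, which are what distinguish a reflection attack from a few stray late answers.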
Protection Recommendations
• Place servers in different data centers.
• Ensure data centers are on different networks.
• Ensure data centers have multiple accessible paths.
• Ensure data centers or networks associated with data centers have no severe security vulnerabilities or single points of failure.
3. DNS Tunneling Attack
This type of attack uses DNS queries and responses as a channel to carry encoded data belonging to other applications. Although it has not been widely used, researchers have found that attackers are now focusing on this technique because it can bypass perimeter protections; to conduct a DNS tunneling attack, attackers need physical access to the target system, a domain name, and an authoritative DNS server for it.
Attack Mechanism
• DNS tunneling hides data that does not belong in a DNS query or answer inside those messages.
• It abuses the DNS protocol, which exists for name resolution, for a purpose it was never designed for.
• It establishes a covert communication path within ordinary-looking DNS traffic.
• Through this path, private data can be extracted from an infected network or system.
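The following is an added example, not from the article, of the heuristics a defender can run over resolver query logs to spot tunneling. Because a tunnel must push its data through hostnames, it produces many unique, long, high-entropy labels under one domain, frequently with TXT or NULL queries. The log lines and domain names are constructed, and splitting the registrable domain as the last two labels is a simplification of a public-suffix lookup.

```python
import math
from collections import defaultdict

# Added example: DNS tunneling heuristics over constructed query-log lines
# (timestamp, client, query name, query type).
LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.7 a3f9c1e07b2d5e8f1a6c4d9e2b7f0a3c.t.exfil-example.test TXT
2024-01-01T10:00:03 10.0.0.7 9e2b7f0a3c4d1e8f5a6c3b2d7f9e0a1c.t.exfil-example.test TXT
2024-01-01T10:00:04 10.0.0.7 5a6c3b2d7f9e0a1c8f1a6c4d9e2b7f0a.t.exfil-example.test TXT
2024-01-01T10:00:04 10.0.0.7 c4d9e2b7f0a3c1e07b2d5e8f1a6c3b2d.t.exfil-example.test TXT
2024-01-01T10:00:05 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels score close to 4-5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        rows.append({"ts": ts, "client": client,
                     "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return rows


def tunneling_suspects(rows, min_queries=3, min_label_len=20,
                       min_entropy=3.5, txt_fraction=0.5):
    """Map registrable domain -> list of reasons, for domains hitting >= 3 signals."""
    per_domain = defaultdict(list)
    for r in rows:
        labels = r["qname"].split(".")
        per_domain[".".join(labels[-2:])].append(r)  # assumption: 2-label zone
    suspects = {}
    for domain, qs in per_domain.items():
        if len(qs) < min_queries:
            continue
        first = [q["qname"].split(".")[0] for q in qs]
        reasons = []
        if len({q["qname"] for q in qs}) / len(qs) >= 0.8:
            reasons.append("mostly unique names")
        if sum(map(len, first)) / len(first) >= min_label_len:
            reasons.append("long leading labels")
        if sum(map(shannon_entropy, first)) / len(first) >= min_entropy:
            reasons.append("high-entropy labels")
        if sum(q["qtype"] in ("TXT", "NULL") for q in qs) / len(qs) >= txt_fraction:
            reasons.append("TXT/NULL heavy")
        if len(reasons) >= 3:
            suspects[domain] = reasons
    return suspects


if __name__ == "__main__":
    for domain, why in tunneling_suspects(parse_log(LOG)).items():
        print(domain, "->", ", ".join(why))
```

Requiring several signals at once keeps CDN and anti-spam domains, which legitimately use long hashed labels, from being flagged on label length alone; the thresholds should be tuned against a baseline of the network's own traffic.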
Protection Recommendations
• Create access rules.
• Create protocol objects.
• Create application rules.
4. TCP SYN Flood Attack
A TCP SYN flood is a denial-of-service attack that can disrupt any service that uses the Transmission Control Protocol (TCP) for internet communication. Common infrastructure components such as load balancers, firewalls, intrusion prevention systems (IPS) and application servers can all be affected; even high-capacity devices designed to handle millions of connections can be crippled by a SYN flood.
Attack Mechanism
• The TCP handshake involves three steps: SYN, SYN-ACK and ACK.
• The attacker sends a large number of SYN (synchronize) packets to the target server, each requesting a new connection.
• For every incoming SYN, the target server allocates resources such as memory and an entry in its connection-state table.
• Attackers usually spoof the source IP addresses of the SYN packets, so the SYN-ACKs go unanswered and detection and blocking become harder.
• The resulting mass of half-open connections places undue stress on the target's memory, CPU and connection-state table.
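As an added example, not from the article, here is the classic structural mitigation for the problem the bullets describe: SYN cookies. The listener keeps no state for a half-open connection; instead the initial sequence number it sends in the SYN-ACK encodes a time counter, the client's MSS and a keyed MAC of the connection 4-tuple, so a later ACK can be verified rather than looked up. The key, addresses and ports are constructed, and the field layout (5-bit counter, 3-bit MSS index, 24-bit MAC) is one illustrative choice, not a specific operating system's.

```python
import hashlib
import hmac

# Added example: SYN cookies. Secret and connection tuples are constructed.
SECRET = b"constructed-demo-key-rotate-in-production"
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values encodable in a 3-bit index


def _mac(src, sport, dst, dport, counter):
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")  # 24 bits of MAC


def make_syn_cookie(src, sport, dst, dport, mss, counter):
    """ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    c = counter & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i  # largest table entry not exceeding the client's MSS
    return (c << 27) | (idx << 24) | _mac(src, sport, dst, dport, c)


def check_syn_cookie(cookie, src, sport, dst, dport, now_counter, max_age=4):
    """Return the negotiated MSS if the cookie is valid for this tuple, else None."""
    c = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if (now_counter - c) & 0x1F > max_age:
        return None  # too old; the counter ticks e.g. once a minute
    expected = _mac(src, sport, dst, dport, c).to_bytes(3, "big")
    if hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return MSS_TABLE[idx]
    return None


class Listener:
    """SYNs allocate nothing; only a verified ACK creates connection state."""

    def __init__(self):
        self.established = []
        self.counter = 0  # advanced by a timer in a real stack

    def on_syn(self, src, sport, dst, dport, mss):
        return make_syn_cookie(src, sport, dst, dport, mss, self.counter)

    def on_ack(self, src, sport, dst, dport, ack_number):
        if ack_number < 1:
            return False
        cookie = (ack_number - 1) & 0xFFFFFFFF  # client acknowledges ISN + 1
        mss = check_syn_cookie(cookie, src, sport, dst, dport, self.counter)
        if mss is None:
            return False
        self.established.append((src, sport, dst, dport, mss))
        return True


if __name__ == "__main__":
    srv = Listener()
    for i in range(100000):  # a flood of spoofed SYNs costs no table entries
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i % 60000, "192.0.2.1", 443, 1460)
    isn = srv.on_syn("203.0.113.5", 40000, "192.0.2.1", 443, 1460)
    print("real client completes:", srv.on_ack("203.0.113.5", 40000, "192.0.2.1", 443, isn + 1))
    print("connections held:", len(srv.established))
```

The trade-off, visible in the MSS table, is that a cookie can only carry a few bits of the options the client offered; real stacks therefore enable cookies only once the backlog fills, which is the behaviour to look for when checking a host's SYN-flood protection.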
Protection Recommendations
• Support both inline and out-of-band deployment, so that the protection itself is not a single point of failure on the network.
• View and inspect traffic from various parts of the network.
• Use various threat intelligence sources, including statistical anomaly detection, customizable ingress alerts, and known threat fingerprints, to ensure quick and reliable detection.
• Scale to handle attacks of various sizes, from low-end to high-end.
5. DNS Hijacking Attack
DNS hijacking is another common cybercrime technique. In a DNS hijacking attack, attackers manipulate the name resolution process so that requests are redirected to illegitimate servers under their control; it is also known as DNS poisoning or DNS redirection. Besides hackers running phishing campaigns, it is sometimes done by otherwise reputable entities (e.g., ISPs) to collect information for statistics, advertising and other purposes.
Attack Mechanism
• Attackers alter a domain's DNS records through unauthorized access to the DNS servers or their management interfaces.
• DNS hijackers can lure users to fake websites that look like the legitimate ones.
• Attackers can redirect users to malicious websites or exploit the organization's internal tools.
• In some DNS hijacking attacks, authoritative DNS servers or ISP DNS resolvers are themselves compromised.
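Because hijacking, whether at the DNS server (this section) or at the registrar and delegation level (section 10, Domain Hijacking), ultimately shows up as a change to a zone's critical records, a defender can catch it by comparing a known-good snapshot against what resolvers currently return. The following is an added example, not from the article; the baseline and current record sets are constructed, and in practice the current set would be gathered from several independent resolvers plus the registrar's delegation data.

```python
# Added example: audit a zone's critical records against a known-good
# baseline. Both record sets below are constructed text, not real data.
BASELINE = """
example.com.      NS   ns1.example.com.
example.com.      NS   ns2.example.com.
example.com.      A    192.0.2.10
www.example.com.  A    192.0.2.10
example.com.      MX   10 mail.example.com.
"""

CURRENT = """
example.com.      NS   ns1.example.com.
example.com.      NS   ns.hijacker-example.test.   ; constructed rogue delegation
example.com.      A    198.51.100.7
www.example.com.  A    192.0.2.10
example.com.      MX   10 mail.example.com.
"""

CRITICAL = ("NS", "SOA")                       # delegation changes: whole zone at risk
WATCHED = ("NS", "SOA", "A", "AAAA", "MX", "CNAME")


def parse_records(text):
    """Parse 'name type value' lines (';' starts a comment) into a set of tuples."""
    recs = set()
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        recs.add((name.lower().rstrip("."), rtype.upper(), value.strip()))
    return recs


def _under(name, suffix):
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def audit(baseline_text, current_text, approved_ns_suffixes=("example.com.",)):
    """Return alerts for watched records that changed or point outside approved NS."""
    base, cur = parse_records(baseline_text), parse_records(current_text)
    alerts = []
    for change, recs in (("added", cur - base), ("removed", base - cur)):
        for rec in sorted(recs):
            if rec[1] in WATCHED:
                alerts.append({"severity": "critical" if rec[1] in CRITICAL else "high",
                               "change": change, "record": rec})
    for rec in sorted(cur):
        if rec[1] == "NS" and not any(_under(rec[2], s) for s in approved_ns_suffixes):
            alerts.append({"severity": "critical", "change": "unapproved-ns", "record": rec})
    return alerts


if __name__ == "__main__":
    for a in audit(BASELINE, CURRENT):
        print(a["severity"].upper(), a["change"], *a["record"])
```

Run on a schedule, the NS and SOA comparisons catch delegation or registrar changes within one polling interval, which is the window in which revoking the rogue change and rotating registrar credentials still prevents most damage.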
Protection Recommendations
• Inspect resolvers on the network.
• Strictly limit access to name servers.
• Implement measures to prevent cache poisoning.
• Patch known vulnerabilities promptly.
• Separate authoritative name servers from resolvers.
• Restrict zone changes.
6. Phantom Domain Attack
Phantom domain attacks are similar to ordinary subdomain attacks, where attackers use “phantom” domain names that never respond to DNS queries, depleting DNS resolver resources through numerous queries. The goal of this attack is to force the DNS resolver to wait too long before giving up or providing poor responses, significantly affecting DNS performance.
Protection Recommendations
• Increase the number of recursive clients.
• Use parameters in the correct order for optimal results.
• Limit recursive queries per server and per zone.
• Enable suppression of non-responsive servers and check recursive queries per zone.
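The recommendations above describe resolver-side limits; the following added example, not code from the article or from any particular resolver, shows those controls in one small class: a cap on in-flight recursive queries per zone, a count of consecutive timeouts per upstream server, and a hold-down period during which a server that keeps timing out is not queried at all. The clock is injectable so the behaviour can be exercised without waiting, and all zone and server names are constructed.

```python
import time
from collections import defaultdict

# Added example: per-zone recursion limits and non-responsive server
# suppression, the resolver-side defence against phantom domains.


class UpstreamGuard:
    def __init__(self, max_in_flight_per_zone=2, max_timeouts=3,
                 holddown_seconds=60.0, clock=time.monotonic):
        self.max_in_flight = max_in_flight_per_zone
        self.max_timeouts = max_timeouts
        self.holddown = holddown_seconds
        self.clock = clock
        self.in_flight = defaultdict(int)   # zone -> outstanding recursive queries
        self.timeouts = defaultdict(int)    # server -> consecutive timeouts
        self.suppressed_until = {}          # server -> time the hold-down ends

    def is_suppressed(self, server):
        return self.suppressed_until.get(server, 0.0) > self.clock()

    def begin(self, zone, server):
        """True if a recursive query to `server` for `zone` may be started now."""
        if self.is_suppressed(server):
            return False  # known non-responsive: do not spend another timeout on it
        if self.in_flight[zone] >= self.max_in_flight:
            return False  # one zone may not consume all resolver slots
        self.in_flight[zone] += 1
        return True

    def finish(self, zone, server, timed_out):
        """Record the outcome of a query that begin() admitted."""
        self.in_flight[zone] = max(0, self.in_flight[zone] - 1)
        if not timed_out:
            self.timeouts[server] = 0  # any answer clears the strike count
            return
        self.timeouts[server] += 1
        if self.timeouts[server] >= self.max_timeouts:
            self.suppressed_until[server] = self.clock() + self.holddown
            self.timeouts[server] = 0


if __name__ == "__main__":
    guard = UpstreamGuard()
    zone, ns = "phantom-example.test", "ns1.phantom-example.test"
    for attempt in range(4):
        if guard.begin(zone, ns):
            guard.finish(zone, ns, timed_out=True)  # the phantom server never answers
        print("attempt", attempt, "suppressed:", guard.is_suppressed(ns))
```

The two limits cover different failure modes: the per-zone cap bounds how much of the resolver a single slow domain can occupy at any moment, while suppression stops repeated retries from paying the full timeout again and again.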
7. DNS Flood Attack
DNS flood attacks are a type of distributed denial-of-service (DDoS) attack that overloads servers so that they can no longer provide DNS service. While these attacks are easy to mitigate when they come from a single IP address, the situation becomes complex when hundreds or thousands of sources are involved. Mitigation is tricky because the malicious queries look much like legitimate ones, and the large number of legitimate requests arriving at the same time can confuse defensive devices.
Attack Mechanism
• The attacker attempts to disrupt a DNS server or system by sending a very large number of DNS requests at once.
• Both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) can be used for DNS flood attacks.
• The attacker can increase the volume of traffic by routing queries through insecure (open) DNS resolvers or legitimate DNS servers.
Protection Recommendations
• Bear in mind that any domain whose DNS records are served by a server targeted by a DDoS flood becomes unreachable for the duration of the attack.
• Regularly update outdated information, and track which domains receive the most queries across the DNS providers in use.
8. Random Subdomain Attack
A random subdomain attack is built like a simple denial-of-service (DoS) attack, so it is generally classed as one. The goal is to overload the authoritative DNS servers for the main domain so that lookups of its records are blocked. The requests usually come from infected users who do not know their machines are sending this particular kind of query, which makes the attack difficult to identify and prevent.
Attack Mechanism
• Attackers generate queries for a large number of random, non-existent subdomains of an existing domain.
• As part of a fast-flux approach, attackers frequently change the IP addresses associated with their subdomains.
• Attackers use Domain Generation Algorithms (DGAs) to produce a large number of seemingly random domain names or subdomains.
• Randomly generated subdomains used in these attacks may also host malware or other harmful content.
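This added example, which is not code from the article, covers the two floods discussed in sections 7 and 8 from the server side. ResponseRateLimiter is a per-client token bucket in the spirit of the response rate limiting mentioned in the recommendation below: over the limit it alternately returns a truncated reply (so a genuine client retries over TCP) or drops. random_subdomain_zones flags zones that receive many distinct names which nearly all fail with NXDOMAIN, the signature of a random subdomain flood. The query events, names and thresholds are constructed, and the registrable zone is taken as the last two labels for simplicity.

```python
from collections import defaultdict

# Added example: response rate limiting and random-subdomain detection.
# Events are (time, client, query name, response code); all constructed.
EVENTS = [
    (0.0, "10.0.0.5", "www.example.com", "NOERROR"),
    (0.5, "10.0.0.6", "www.example.com", "NOERROR"),
    (1.0, "10.0.0.5", "mail.example.com", "NOERROR"),
    (1.5, "10.0.0.7", "www.example.com", "NOERROR"),
    (2.0, "10.0.0.21", "x7k2p.victim-example.test", "NXDOMAIN"),
    (2.0, "10.0.0.22", "q9m4z.victim-example.test", "NXDOMAIN"),
    (2.1, "10.0.0.23", "t3v8b.victim-example.test", "NXDOMAIN"),
    (2.1, "10.0.0.24", "n5c1r.victim-example.test", "NXDOMAIN"),
    (2.2, "10.0.0.25", "w2j6h.victim-example.test", "NXDOMAIN"),
    (2.2, "10.0.0.26", "www.victim-example.test", "NOERROR"),
]


class ResponseRateLimiter:
    """Per-client token bucket: 'send', or 'truncate'/'drop' alternately when over."""

    def __init__(self, responses_per_second=5.0, burst=10):
        self.rate = responses_per_second
        self.burst = burst
        self.state = {}              # client -> (tokens, last update time)
        self.over = defaultdict(int)  # client -> responses suppressed so far

    def allow(self, client, now):
        tokens, last = self.state.get(client, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[client] = (tokens - 1.0, now)
            return "send"
        self.state[client] = (tokens, now)
        self.over[client] += 1
        # "slip": every other suppressed answer is a small TC=1 reply, so a real
        # client can fall back to TCP while spoofed traffic gains nothing.
        return "truncate" if self.over[client] % 2 else "drop"


def random_subdomain_zones(events, min_queries=5, nxdomain_ratio=0.8, unique_ratio=0.8):
    """Return zones whose traffic is mostly unique names that do not exist."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "names": set()})
    for _, _, qname, rcode in events:
        labels = qname.lower().rstrip(".").split(".")
        zone = ".".join(labels[-2:])  # assumption: two-label registrable zone
        s = stats[zone]
        s["n"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["names"].add(qname.lower())
    return sorted(z for z, s in stats.items()
                  if s["n"] >= min_queries
                  and s["nx"] / s["n"] >= nxdomain_ratio
                  and len(s["names"]) / s["n"] >= unique_ratio)


if __name__ == "__main__":
    print("flooded zones:", random_subdomain_zones(EVENTS))
    rrl = ResponseRateLimiter(responses_per_second=5, burst=10)
    verdicts = [rrl.allow("198.51.100.9", 0.0) for _ in range(30)]
    print({v: verdicts.count(v) for v in ("send", "truncate", "drop")})
```

Rate limiting by client address is only a partial answer when sources are spoofed or spread over a botnet, which is why the zone-level NXDOMAIN statistics matter: they identify the target domain regardless of how many sources are involved, so that its authoritative servers can be protected (or its non-existent names answered from a negative cache) rather than every client throttled.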
Protection Recommendations
• Understand attack techniques that generate large traffic on resolvers and network resources related to victims.
• Understand modern features of DNS resolvers that protect against triggered attacks, such as response rate limiting.
9. Botnet Attack
A botnet is a group of infected internet-connected devices that can be used to launch coordinated denial-of-service attacks. During such attacks, infected devices can be used to steal information, send spam, and grant attackers full control over the infected devices and their network connections.
Attack Mechanism
• A botnet is formed from many computers infected with bot or zombie malware.
• Botnets are usually operated by a central command and control computer maintained by attackers.
• Attackers can simultaneously control many hacked devices via botnets to launch coordinated attacks from various locations.
• Distributed denial-of-service (DDoS) attacks are often carried out using botnets.
Protection Recommendations
• Understand vulnerabilities accurately.
• Protect IoT devices.
• Determine whether mitigation measures are truly feasible.
• Discover, categorize, and control vulnerabilities.
10. Domain Hijacking
Attack Mechanism
In this attack, attackers change the domain's registration at the registrar or its DNS server settings to redirect user traffic elsewhere. If the attacker gains control of the DNS data, domain hijacking can also occur at the DNS level. Once attackers control a user's domain, they can use it to launch further attacks, such as setting up fake pages for payment systems like PayPal or Visa, or for online banking.
• Domain hijacking refers to someone illegally taking over the domain ownership of a legitimate owner.
• If attackers control a domain, they can change its DNS settings.
• Attackers might add new subdomains or modify existing ones to make their malicious