RICHARD MEEUS, SECURITY, TECHNOLOGY AND STRATEGY DIRECTOR, AKAMAI

www.intelligentciso.com | Issue 16

The Domain Name Service (DNS) has been around for so long that it is almost taken for granted. However, without it, much, if not all, of the world’s Internet experience would be dead in the water.

Its ubiquitousness means that it can be easily leveraged for malicious intent if not checked and protected.

The infamous DDoS attack against a major DNS provider in 2016, which forced many organisations completely or partially offline, highlighted how vulnerable and integral, in equal measure, DNS is to how the world operates online.

Not only is DNS frequently the target, it is also the delivery vector for many types of attacks. As DNS uses UDP (connectionless), it is an easy and effective way to bounce and amplify attack traffic off many Internet-based DNS servers against, for example, your web server. This involves swamping your site with unwanted traffic that needs to be handled by your Internet connections, routers and firewalls, which are ultimately overwhelmed, forcing you offline – not just your websites, but any other associated Internet traffic, from emails to VPNs.

But DNS is not just restricted to being utilised for large, headline-grabbing DDoS attacks.

It is also leveraged for data exfiltration, being used as a carrier to piggyback data from within compromised networks to Command and Control servers located on the other side of the planet.

As DNS is often unchecked, especially leaving an organisation, this is a simple but effective way to syphon off critical data without being detected.

Lastly, there is the integrity of the DNS itself. Consumers blindly query these servers for the IP address for their favourite sites and assume that the answer is going to be correct.

Man-in-the-middle attacks – where the DNS request is intercepted between the client and the DNS server, false IP addresses are supplied and traffic is routed to rogue and malicious sites – are an example of an attack where the integrity of DNS can be compromised.

Features such as DNSSEC allow the user to receive a digitally signed record from the DNS server, assuring them that the data is valid.

DNS is key to the interaction with the Internet, and unless your records are resilient, redundant and secured there will always be a risk of compromise.

In addition, just as many organisations check traffic entering their network, they should apply the same level of scrutiny to DNS queries leaving their network.
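
One way to check DNS queries leaving a network, as an added example that is not part of the original article and is not Akamai's code: it groups query names by parent domain and flags domains that receive several distinct long, high-entropy subdomain labels, the pattern that data carried inside DNS queries tends to leave. The function names, thresholds and sample query names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed outbound query names for illustration; not real traffic.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.assets.example.org",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0.d.sink.example",
    "a1b2c3d4e5f60718293a4b5c6d7e8f90.d.sink.example",
    "9e8d7c6b5a4f30211203f4a5b6c7d8e9.d.sink.example",
]


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parent_domain(qname):
    """Last two labels of the name (assumption: a real deployment
    would use the Public Suffix List to find the registered domain)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def suspicious_domains(queries, min_unique=3, min_len=24, min_entropy=3.0):
    """Map each parent domain to its count of distinct long, high-entropy
    leftmost labels, keeping only domains that reach min_unique."""
    seen = defaultdict(set)
    for q in queries:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) > 2:  # only names that carry a subdomain
            seen[parent_domain(q)].add(labels[0])
    flagged = {}
    for domain, firsts in seen.items():
        hits = [l for l in firsts if len(l) >= min_len and entropy(l) >= min_entropy]
        if len(hits) >= min_unique:
            flagged[domain] = len(hits)
    return flagged


if __name__ == "__main__":
    for domain, n in suspicious_domains(SAMPLE_QUERIES).items():
        print(f"{domain}: {n} distinct long, high-entropy labels")
```

Short hostnames such as www or mail never reach the length threshold, and a long but repetitive label fails the entropy threshold, so ordinary browsing and padded names are not flagged by this check.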