DNS is ubiquitous and it's easily abused to halt service or steal data

DNS may be fundamental to the way the Internet works, but it was never designed with security in mind. Here are four ways attackers abuse the Internet's plumbing.


The global Domain Name System (DNS) is ubiquitous across the Internet. It's absolutely fundamental to the way we work. It's a whole lot easier to bring up a browser and type www.Google.com rather than try to remember its more complex address of http://74.125.224.72/.

DNS is so important that we tend to think of it as Internet plumbing: it's everywhere, it gets through every firewall, and it's there when we need it. Unfortunately, DNS also shares plumbing's weaknesses, and those can lead to all sorts of problems.

Just as metal thieves have figured out that copper plumbing in old houses has value as scrap, cyber attackers have learned the value in using DNS to attack infrastructures and steal data.

Most of us became acutely aware of how DNS could be abused as an attack tool in March 2013 when the anti-spam organization Spamhaus was hit with a massive 300Gbps DNS reflection (or DNS amplification) DDoS attack. According to CloudFlare, the security company called in to rescue Spamhaus from the attack, DNS reflection has become the source of the largest Layer 3 DDoS attacks they see, many of which exceed 100Gbps.

In a blog post detailing the Spamhaus case, CloudFlare explained how a DNS reflection attack works:

The basic technique of a DNS reflection attack is to send a request for a large DNS zone file to a large number of open DNS resolvers, with the source IP address spoofed to be the intended victim. The resolvers then respond to the request, sending the large DNS zone to the intended victim. The attacker's request is itself only a fraction of the size of the response, which means the attacker can effectively amplify the attack to many times the size of the bandwidth resources they control themselves.

In the wake of this attack, network administrators around the world were advised to lock down their open DNS resolvers. Good information on how to do that can be found in this Infoblox blog post.

Another kind of attack, called resource exhaustion, frequently targets ISPs and their DNS resolver infrastructure. Security vendor Cloudmark describes this type of attack in a white paper:

To carry out this attack, the attacker must first register a domain and designate the intended target's name servers as the authoritative servers for that domain, or use an existing domain whose authoritative servers are already the intended target.

Then, using a botnet of compromised machines, the attacker directs the machines to send a flood of requests through the recursive name servers of the bots' ISPs. In addition, the attacker may send requests through any known open resolvers that happen to reside in the ISP's network. Each request contains a unique, random and non-existent subdomain of the previously registered domain (for example kbsruxixqf.www.500sf.com, adujqzutahyp.www.500sf.com).

Because of the uniqueness of the subdomains, each request triggers a recursive lookup against the target's name servers. As the size of the attack grows, so does the volume of requests hitting the intended target's name servers. Eventually the target's DNS infrastructure buckles under the load, through exhaustion of system resources, network saturation, or both.

Once an ISP's DNS resolver infrastructure goes down, the provider's subscribers essentially have no Internet access. This underscores the need for ISPs to deploy on-premises DDoS solutions to defend against this and other types of attacks.

Another kind of threat that abuses DNS is called DNS hijacking. This type of malicious attack overrides a computer's TCP/IP settings to point it to a rogue DNS server, thereby invalidating the default DNS settings. This kind of attack frequently involves home routers that are taken over by a hacker, so that your computer now is directed to a rogue DNS server that is owned and maintained by the hacker rather than going to your ISP's legitimate DNS resolver. When you type in the domain name of your desired websites, the rogue server translates those names to the IP addresses of malicious websites where you might be subjected to malware or unwanted advertising.

Home routers aren't the only devices affected by DNS hijacking. Ars Technica says that a Google DNS server was hijacked to Venezuela for about 23 minutes in March of 2014, showing that even the most savvy Internet companies can be vulnerable to attack from time to time.

The folks at Cloudmark report that there is another kind of DNS abuse that should be of concern to service providers, enterprises and basically anyone who is running any kind of sensitive network security: unauthorized DNS tunneling, usually for the purpose of exfiltrating data. Cloudmark's white paper on DNS tunneling explains how it's done:

DNS tunneling uses DNS queries and responses to send data that cannot be sent over a conventional network connection. A tunnel consists of a client inside a restricted network and a server acting as an authoritative DNS server. To send data from the client to the server, the client encodes the data in the hostname portion of a specially constructed DNS request. To send data from the server to the client, the server encodes the data in the payload of a DNS response record, or a CNAME response, to the original request.

Depending on the tunneling software used, the client and server can create a point-to-point virtual network interface over which any traffic can pass, or map local port numbers on the client to specific addresses and port numbers on the server.

Because DNS is so ubiquitous, it gets through firewalls, and the traffic is almost never inspected. An attacker who wants to exfiltrate data from an organization can encode the data inside genuine DNS packets so that it is difficult to detect. Stopping this kind of activity requires thorough packet analysis, which Cloudmark now offers for DNS on its new Cloudmark Security Platform.
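As an added example (not from the article or from Cloudmark's white paper), the following Python runs two simple defender-side heuristics over constructed resolver log lines: it counts distinct non-existent child names under one parent domain, the signature of the random-subdomain flood described above, and flags very long, high-entropy labels of the kind tunneling clients produce. The log format, domain names and thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "client qname rcode" (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 www.google.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 kbsruxixqf.www.500sf.com NXDOMAIN
10.0.0.9 adujqzutahyp.www.500sf.com NXDOMAIN
10.0.0.9 qwpxmcvbnz.www.500sf.com NXDOMAIN
10.0.0.7 cdn.example.net NOERROR
10.0.0.12 mfrgg2lufqqhk4dtfyqwg33nfzsw45dfoj2hezlm.t.tunnel-test.example NOERROR
10.0.0.12 nzsxg5djmzqwy3lfebxw6ytjn5xgk3tuonqwe3dm.t.tunnel-test.example NOERROR
10.0.0.5 typo.example.org NXDOMAIN
"""

def shannon_entropy(text):
    """Bits of entropy per character; encoded or random labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(log_text):
    """Yield (client, qname, rcode) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            yield client, qname.lower().rstrip("."), rcode

def analyze(log_text, nx_threshold=3, label_len=30, entropy_min=3.0):
    """Return (parents under NXDOMAIN flood -> count, qnames that look like tunnel traffic)."""
    nx_children = defaultdict(set)   # parent domain -> distinct non-existent child labels
    tunnel_candidates = []
    for _client, qname, rcode in parse_log(log_text):
        first, _, parent = qname.partition(".")
        # Random-subdomain flood: many different NXDOMAIN children under one parent
        if rcode == "NXDOMAIN" and parent:
            nx_children[parent].add(first)
        # Tunneling heuristic: a single very long, high-entropy leftmost label
        if len(first) >= label_len and shannon_entropy(first) >= entropy_min:
            tunnel_candidates.append(qname)
    floods = {p: len(kids) for p, kids in nx_children.items() if len(kids) >= nx_threshold}
    return floods, tunnel_candidates
```

Thresholds this low would be noisy on a real resolver; in practice they are tuned per network and combined with per-client rates and allow-lists for known CDN and anti-virus lookup domains, which legitimately use long labels.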

DNS may be absolutely fundamental to the way the Internet works, but it was never designed with security in mind. Security-minded organizations will need to plug those holes for themselves.

Copyright © 2014