Advice to IT managers includes 'hardening' those DNS addresses
CA Technologies' vice president for security in Asia Pacific & Japan, Vic Mankotia, said DNS server attacks were gathering momentum.
"To secure a DNS server, companies need to understand how others might exploit it," said Mankotia. "The most common threats are Denial of Service (DoS) attacks, tampering with DNS records, and information gathering. DoS attacks are probably the most common threat because they’re remarkably easy to pull off, thanks to the large number of incorrectly configured DNS servers on the Internet. DNS servers are often the launching points for DoS attacks, wherein an attacker uses a DNS server that allows recursion to pummel another server with packets. This kind of attack starves the target server of resources and prevents legitimate users from accessing it. DNS tampering, which takes several forms, is less common but still a threat."
"One common method of DNS tampering is cache poisoning, in which an attacker injects fake records into a DNS server’s cache," he said. "Other methods of modifying DNS records include forged packets, man-in-the-middle attacks, and rogue DNS servers. In addition to modifying records, attackers use DNS servers for information gathering through DNS server mining, zone transfers, and DNS packet interception. Properly configured DNS servers can greatly limit your exposure to all these tactics."
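The misconfiguration Mankotia points to, a DNS server that answers recursive queries for anyone, is something an administrator can check from the outside with a single query. The following is an added audit helper written for this article, not code from CA Technologies, MYNIC or Computerworld. It builds a standard query with the RD (recursion desired) bit set, decodes the 12-byte DNS header of the reply, and reports whether the server acted as an open recursive resolver, refused recursion, or behaved as an authoritative-only server. The `probe()` function and its server address are assumptions for running it against a resolver you administer; the sample replies are constructed so the classifier can be exercised offline.

```python
import socket
import struct

# Added audit helper (assumption: you run it against your own resolver).
# Only the fixed header is inspected; that is enough to tell an open
# recursive resolver from one that refuses or lacks recursion.

def build_query(qname: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a class-IN query for qname with the RD (recursion desired) bit set."""
    flags = 0x0100                                   # QR=0, opcode QUERY, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(part)) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp: bytes) -> dict:
    """Decode the fixed DNS header (RFC 1035 section 4.1.1) into named fields."""
    if len(resp) < 12:
        raise ValueError("reply shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),       # 1 = this is a response
        "aa": bool(flags & 0x0400),       # authoritative answer
        "tc": bool(flags & 0x0200),       # truncated
        "rd": bool(flags & 0x0100),       # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),       # recursion available
        "rcode": flags & 0x000F,          # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify(resp: bytes, expected_id: int) -> str:
    """Classify a reply to a recursive query for a name the server does not host."""
    h = parse_header(resp)
    if h["id"] != expected_id:
        return "mismatched-id"            # not our query; drop it, as a resolver would
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:
        return "refused"                  # recursion denied to this client
    if not h["ra"]:
        return "recursion-disabled"       # authoritative-only: referral or empty reply
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"           # resolved a foreign name for an outside client
    return "no-data"

def probe(server: str, qname: str = "example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to a server you administer and classify the reply."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data, qid)

# Constructed replies to build_query("example.com", 0x1234), for offline use.
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
# Open resolver: QR|RD|RA, NOERROR, one A record (192.0.2.1, documentation range).
SAMPLE_OPEN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
               + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
# Locked-down resolver: QR|RD, RCODE 5 (REFUSED), question echoed, no answer.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
# Authoritative-only server: QR|RD, RA clear, no answer, one NS record in authority.
SAMPLE_AUTH_ONLY = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 0) + _QUESTION
                    + b"\x03com\x00\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x04\x01a\xc0\x0c")
```

Run `probe()` from a vantage point outside your network against a resolver that is meant to serve only internal clients; an "open-recursive" result there is the condition the quote describes, and the usual fix is to restrict recursion to your own address ranges (or to split recursive and authoritative roles onto separate servers). The "mismatched-id" branch is included because a reply whose ID does not match the query is exactly what a resolver should discard, which is one of the checks that makes forged-packet cache poisoning harder.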
Security certification body EC-Council Academy's managing director Wilson Wong said the DNS Spoof attack on MYNIC was a common 14-year-old attack that "targets host DNS servers and reroutes addresses to alternate sites. This is a common problem and can be corrected by redirecting DNS addresses to back-up sites, and using an OpenDNS system to 'harden' those server addresses."
Wong said, "Based on what we have seen with this classification of DNS hacking, the common solution for organisations would include (at the minimum) the following steps:
1) Make sure they have a secure DNS routing process (which relies on a UNIX backbone and now a Windows backbone);
2) Work with their upstream providers to ensure there are additional 4th- and 5th-level back-up DNS servers, since the first thing to do in a denial of service is to re-resolve the server address at the next back-up level. Some organisations have five and six back-ups.
3) Ensure they are working with a third-party (example - Condition Zebra) service provider to review and evaluate operational policies and controls and configuration settings.
4) Run a web application security assessment in real-time, to maintain a level of web application configuration integrity to keep server attacks at bay."