Common attacks and precautions of DNS

Source: Internet
Author: User
Tags: domain name server, DNS spoofing


Reprinted from: http://www.williamlong.info/archives/3813.html Date: 2015-7-10

As the Internet has become ubiquitous, network security has become one of its central concerns; it bears on the further growth of the Internet and even on its continued viability. Fortunately, security researchers have kept pace and network security technology has kept evolving, giving users and enterprises more confidence. What follows is a brief introduction to one important piece of this picture, the common attacks on the Domain Name System (DNS) and the precautions against them, offered as a reference for users and enterprises planning their defenses.

How DNS Works

DNS has two roles, client and server. The client asks a server about a domain name, and the server must answer with that name's real IP address. The local DNS server first checks its own data. If the name is not there, it forwards the question to the DNS servers it has been configured to query, saves the answer it receives, and returns it to the client.

A DNS server holds the records of the zones it is authoritative for: the names that belong to the domain, including the subdomains and host names under it.

Every name server also has a cache. Its purpose is to keep the names the server has already resolved, together with their IP addresses, so that when another client later asks for the same name the server does not have to go back to other hosts; it answers from the cache directly, which speeds up resolution for the client. The resolution process therefore looks like this:

When a client queries its configured DNS server for a host name on the Internet, the server first looks for the name in its own zone data. If it is not there, the server checks its cache; if the record is found there, the corresponding IP address is returned to the client straight away. If the name is in neither the zone data nor the cache, the server turns to other name servers: it asks the nearest name server it knows of to help find the address, that server performs the same lookup, and when the query is answered the reply comes back to the original server. That server first records the host name and its IP address in its cache, and finally returns the result to the client. Each cached record is kept only for its time-to-live (TTL), and this cache is exactly what several of the attacks below target.

Common DNS attacks include the following:

1) Domain name hijacking

The attacker obtains control of the domain's management password and the mailbox registered for managing the domain, then points the domain's NS records at a DNS server the attacker controls. By adding the corresponding records on that server, the attacker makes anyone who visits the domain land on content the attacker chooses.

This is essentially the responsibility of the registrar or DNS service provider, and the end user can do nothing about it. The domain owner can still reduce the risk by enabling the registrar's update/transfer lock and strong authentication on the registrar account and its recovery mailbox.

2) Cache poisoning

The attacker manipulates a DNS caching server so that users who intended to visit one site are unknowingly sent to a site the attacker chooses. This can be done in several ways, for instance by exploiting a vulnerability in an ISP's caching server to alter the responses its users receive for a domain, or by exploiting a vulnerability in a domain's own authoritative server. If an authoritative server is also used as a caching server, the attacker can poison its cache: once a forged record has been inserted, every user of that cache receives the wrong resolution result until the record expires.

The widely publicized DNS flaw referred to at the time this was written was of this kind. What made it "major" is that it stemmed from the protocol's design rather than from one product's bug, so almost all DNS software was affected: a resolver accepts a reply if it matches the outstanding query's 16-bit transaction ID (and the UDP port the query was sent from), so an off-path attacker who can flood a resolver with guesses has a real chance of getting a forged record cached. The standard mitigations are randomizing the source port of outgoing queries, which multiplies the space a forger must guess, and DNSSEC, which lets the resolver verify that a record was signed by the zone owner.
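To make the caching and poisoning mechanics concrete, here is an added simulation (example code written for this page, not from the original article or from any DNS implementation). It models the caching resolver described in the "How DNS Works" section, then shows a blind off-path forger sweeping the 16-bit transaction ID against a resolver that always queries from port 53, the far larger search space once the source port is randomized, and an on-path attacker whose correctly matched reply smuggles an out-of-bailiwick "additional" record. The bailiwick rule (last two labels of a name), the host names and the IP addresses are simplifications chosen for the example.

```python
"""Simulated caching resolver: how a forged reply poisons the cache and what stops it.
Example model written for this page; not real resolver code."""
import random

TXID_SPACE = 1 << 16        # DNS transaction ID is 16 bits
PORT_SPACE = 65536 - 1024   # ephemeral UDP source ports when randomized


def zone_of(name):
    """Toy bailiwick rule (assumption): the last two labels, e.g. example.com."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def in_bailiwick(record_name, qname):
    return zone_of(record_name) == zone_of(qname)


class Resolver:
    def __init__(self, randomize_port=True, bailiwick_check=True, rng=None):
        self.cache = {}          # (name, qtype) -> (rdata, expires_at)
        self.pending = {}        # txid -> (src_port, qname, qtype)
        self.randomize_port = randomize_port
        self.bailiwick_check = bailiwick_check
        self.rng = rng or random.Random()

    def lookup(self, qname, qtype, now):
        """Cache hit only while the TTL has not run out; a poisoned record rides this path."""
        hit = self.cache.get((qname, qtype))
        return hit[0] if hit and hit[1] > now else None

    def send_query(self, qname, qtype):
        """Send an upstream query; returns the (txid, port) a forged reply must match."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[txid] = (port, qname, qtype)
        return txid, port

    def accept(self, txid, dst_port, qname, qtype, answers, additional, ttl, now):
        """Accept a reply only if it matches an outstanding query, then cache its records."""
        if self.pending.get(txid) != (dst_port, qname, qtype):
            return False
        del self.pending[txid]
        for name, rdata in answers.items():
            self.cache[(name, qtype)] = (rdata, now + ttl)
        for name, rdata in additional.items():
            # Out-of-bailiwick "glue" is the classic poisoning vector: a reply about
            # www.example.com must not install an address for www.bank.test.
            if self.bailiwick_check and not in_bailiwick(name, qname):
                continue
            self.cache[(name, "A")] = (rdata, now + ttl)
        return True

    def blind_guess_space(self):
        """(txid, port) combinations an off-path forger has to cover."""
        return TXID_SPACE * (PORT_SPACE if self.randomize_port else 1)


def blind_spoof(resolver, qname, evil_ip, attempts, now=0):
    """Off-path attacker: knows qname is being resolved but not txid or port, so it
    sprays forged replies at port 53 guessing the txid. True if one is accepted."""
    for guess in range(attempts):
        if resolver.accept(guess, 53, qname, "A", {qname: evil_ip}, {}, 3600, now):
            return True
    return False


def on_path_poison(resolver, txid, port, qname, now=0):
    """On-path attacker who saw the query sends a matching reply that smuggles an
    out-of-bailiwick additional record. Returns what the cache then says for it."""
    resolver.accept(txid, port, qname, "A", {qname: "198.51.100.10"},
                    {"www.bank.test": "203.0.113.66"}, 3600, now)
    return resolver.lookup("www.bank.test", "A", now)


if __name__ == "__main__":
    r = Resolver(randomize_port=False, rng=random.Random(1))
    r.send_query("www.example.com", "A")
    print("fixed port, full txid sweep succeeds:",
          blind_spoof(r, "www.example.com", "203.0.113.9", TXID_SPACE))
    print("guess space fixed vs randomized port:",
          Resolver(randomize_port=False).blind_guess_space(), Resolver().blind_guess_space())
```

In real life the forger races the legitimate reply rather than enjoying an unlimited sweep, which is why the size of the guess space matters: 65,536 guesses against a fixed port is feasible in the window, 65,536 times roughly 64,000 is not. The bailiwick check is the other half; without it even a correctly matched reply can plant records for unrelated zones.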

3) DDoS attacks

Attacks aimed at the DNS server software itself usually exploit a vulnerability in the server program (most often BIND) to crash the server or deny service. In the other variant the target is not the DNS server at all: DNS servers are used as intermediate "attack amplifiers" to flood other Internet hosts, denying service to the attacked host.

4) DNS Spoofing

DNS spoofing is an attacker impersonating a domain name server.

Principle: if the attacker can impersonate a domain name server and make its answers carry the attacker's IP address, a user who goes online sees only the attacker's page instead of the home page of the site they wanted. That is the basic principle of DNS spoofing. It does not actually break into the other party's site; it is an impersonation, a bluff.

The vast majority of DNS servers on the Internet are built on BIND, and at the time this material was written the versions in use were mainly those before BIND 4.9.5-P1, and BIND 8.2.2-P5. A feature these versions share is that BIND caches every result it has looked up, which leads to the following problem.

DNS Spoofing

If a record already exists in the DNS cache and has not yet expired, the server answers any client query for that name directly from the cache. A spoofed record therefore stays effective for every client of that server until its TTL runs out.

Several precautions against DNS attacks

DNS amplification attacks on the Internet have grown sharply. The attack is a variant of packet flooding that generates a large volume of bogus traffic toward a target. How much? Up to several gigabits per second, enough to knock anyone off the Internet.

Very much like the old "Smurf" attack, a DNS amplification attack uses spoofed packets sent to innocent third parties to multiply traffic, with the aim of exhausting the victim's bandwidth. The difference is that Smurf amplified traffic by sending packets to a network's broadcast address; DNS amplification uses no broadcast address. Instead, the attacker sends small, spoofed queries to a series of innocent third-party DNS servers across the Internet. Those servers send large replies back to what appears to be the requesting host, so the traffic is amplified and finally overwhelms the target. Because DNS runs over stateless UDP, forging the source address of a query is trivial.

This attack relies on a DNS query of about 60 bytes (including IP and UDP headers) producing a reply of up to 512 bytes, the classic limit for DNS over UDP, so traffic is amplified roughly 8.5 times. That helps the attacker but is still short of what it takes to overwhelm a well-connected target. More recently attackers have used newer techniques to multiply the amplification several times over.

Many DNS servers now support EDNS, the extension mechanisms for DNS introduced in RFC 2671 (since superseded by RFC 6891). One of its options lets a DNS reply exceed 512 bytes while still using UDP, provided the requester indicates it can handle such a large response. Attackers use this to generate far more traffic: a 60-byte query that fetches a record of about 4,000 bytes amplifies traffic about 66 times. Attacks of this kind have produced many gigabits of traffic per second, and some targets have seen more than 10 Gbit/s.

To do this, the attacker first finds a number of third-party DNS servers that perform recursive queries on behalf of anyone on the Internet ("open resolvers"; at the time a great many servers were configured this way). Because they recurse, the attacker can send them a query that they then forward, recursively, to a DNS server the attacker has chosen. So the attacker queries these servers for a record in a zone hosted on the attacker's own DNS server; since they recurse, the third-party servers relay those requests to the attacker's server. The attacker has stored a text record of about 4,000 bytes on that server for exactly this purpose.

Now that the large record sits in the caches of the third-party DNS servers, the attacker sends those servers DNS queries for it (with the EDNS option that permits large replies), spoofing the source so that the queries appear to come from the IP address the attacker wants to attack. The third-party servers respond with the 4,000-byte text record, flooding the victim with UDP packets. By issuing millions of small spoofed queries to third-party DNS servers, the attacker buries the victim under DNS reply packets.
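An added example, not from the original article: it builds the query described above in DNS wire format, with and without an EDNS0 OPT record, and computes the worst-case amplification a reflector can deliver for a given response size. The 4,000-byte response is the figure from the text; the name example.com, the use of an ANY query and the 28 bytes of IPv4/UDP header overhead are assumptions of the example.

```python
"""Wire-format DNS query with and without EDNS0, and the amplification each permits.
Example written for this page; not code from the original article."""
import struct

IP_UDP_OVERHEAD = 28        # 20-byte IPv4 header + 8-byte UDP header (assumed IPv4)
CLASSIC_UDP_LIMIT = 512     # maximum DNS payload over UDP without EDNS (RFC 1035)
OPT_TYPE = 41               # EDNS0 OPT pseudo-RR type

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, edns_udp_size=None):
    """Build a recursive DNS query. With edns_udp_size set, append an OPT RR (RFC 6891,
    originally RFC 2671) announcing the UDP payload size the requester claims to accept."""
    flags = 0x0100                                  # RD=1: please recurse
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # IN class
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, the CLASS field carries the UDP payload size,
        # the TTL field carries extended RCODE/version/flags (zero here), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def advertised_udp_size(query):
    """Walk the query and return the UDP payload size its OPT RR advertises, else 512."""
    _, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    for _ in range(qdcount):                        # skip QNAME labels, QTYPE, QCLASS
        while query[pos] != 0:
            pos += query[pos] + 1
        pos += 1 + 4
    for _ in range(arcount):
        if query[pos] != 0:                         # only root-named (OPT) RRs handled here
            break
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", query[pos + 1:pos + 12])
        if rtype == OPT_TYPE:
            return max(rclass, CLASSIC_UDP_LIMIT)   # RFC 6891: values below 512 mean 512
        pos += 11 + rdlen
    return CLASSIC_UDP_LIMIT


def max_amplification(query, response_payload):
    """Bytes the reflector emits per byte the attacker spends, on the wire. The reply is
    capped by the size the query advertised; anything larger is truncated (TC=1) and
    would need TCP, which an attacker spoofing the source address cannot complete."""
    sent = min(response_payload, advertised_udp_size(query))
    return (sent + IP_UDP_OVERHEAD) / (len(query) + IP_UDP_OVERHEAD)


if __name__ == "__main__":
    plain = build_query("example.com", "ANY")
    edns = build_query("example.com", "ANY", edns_udp_size=4096)
    for label, q in (("no EDNS", plain), ("EDNS 4096", edns)):
        print(f"{label}: {len(q)} B query, {len(q) + IP_UDP_OVERHEAD} B on the wire, "
              f"amplification x{max_amplification(q, 4000):.1f} for a 4000 B answer")
```

The numbers line up with the text: a 29-byte query is 57 bytes on the wire and can draw at most 540 bytes back (about 9.5x), while the same query with an OPT record advertising 4096 bytes is 68 bytes on the wire and draws the full 4,000-byte record (about 59x). The cap is the point for defenders too: a reflector that ignores the advertised size and answers with at most 512 bytes over UDP limits what it can be abused for.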

How do you defend against such a large attack? First, make sure you have enough bandwidth to ride out small-scale floods. A single T1 line is not enough for an important Internet connection, because any script kiddie can saturate it. If the connection carries nothing important, a T1 may suffice; otherwise you need more bandwidth to absorb small floods. But almost nobody can afford the capacity to absorb a DNS amplification attack of several gigabits per second.

So make sure you have an emergency contact number for your ISP at hand. Then, when such an attack begins, you can contact the ISP immediately and have the attack filtered upstream. To recognize the attack, look for a large volume of inbound traffic consisting of DNS replies (UDP source port 53), especially unusually large replies arriving for queries your hosts never sent. Some ISPs have deployed sensors throughout their networks to detect the early stages of various high-volume attacks, so your ISP may well detect and divert such an attack before you notice it; ask whether yours has this capability.
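The detection described above, written out as an added example rather than anything from the original article: it runs over constructed UDP flow records (NetFlow-style five-tuples with packet and byte counts, invented here) and flags a host that is receiving large DNS replies from many servers it never queried. The thresholds are illustrative and would be tuned to the network.

```python
"""Flag a DNS amplification flood in UDP flow records. Example written for this page."""
from collections import defaultdict

# Constructed NetFlow-style records (invented for this example):
# (src_ip, src_port, dst_ip, dst_port, packets, bytes) seen in a one-second window.
FLOWS = [
    ("198.51.100.1", 53, "203.0.113.10", 41231, 900, 3_600_000),
    ("198.51.100.2", 53, "203.0.113.10", 41231, 850, 3_400_000),
    ("198.51.100.3", 53, "203.0.113.10", 41231, 920, 3_680_000),
    ("192.0.2.5",    53, "203.0.113.10", 41231, 780, 3_120_000),
    ("192.0.2.9",    53, "203.0.113.10", 41231, 810, 3_240_000),
    ("10.0.0.20", 55012, "10.0.0.7",        53,  40,     3_200),  # a normal client querying its resolver
    ("10.0.0.7",     53, "10.0.0.20",    55012,  40,     6_000),  # ... and the matching small replies
]


def profile_hosts(flows):
    """Per host: bytes/packets of DNS replies received (from UDP/53), the distinct
    servers they came from, and how many DNS queries the host itself sent out."""
    stats = defaultdict(lambda: {"servers": set(), "resp_pkts": 0,
                                 "resp_bytes": 0, "query_pkts": 0})
    for src, sport, dst, dport, pkts, nbytes in flows:
        if sport == 53:
            s = stats[dst]
            s["servers"].add(src)
            s["resp_pkts"] += pkts
            s["resp_bytes"] += nbytes
        elif dport == 53:
            stats[src]["query_pkts"] += pkts
    return stats


def flag_amplification_victims(flows, window_s=1.0, min_servers=3,
                               min_avg_bytes=512, min_mbps=10.0, max_query_ratio=0.1):
    """A victim receives many oversized (EDNS-sized, above 512 B) replies from many
    servers at a high rate, yet sent almost no queries: answers without questions."""
    victims = {}
    for host, s in profile_hosts(flows).items():
        if s["resp_pkts"] == 0:
            continue
        avg = s["resp_bytes"] / s["resp_pkts"]
        mbps = s["resp_bytes"] * 8 / window_s / 1e6
        query_ratio = s["query_pkts"] / s["resp_pkts"]   # about 1.0 for a genuine client
        if (len(s["servers"]) >= min_servers and avg >= min_avg_bytes
                and mbps >= min_mbps and query_ratio <= max_query_ratio):
            victims[host] = {"servers": len(s["servers"]),
                             "avg_response_bytes": round(avg),
                             "mbps": round(mbps, 1)}
    return victims


if __name__ == "__main__":
    for host, v in flag_amplification_victims(FLOWS).items():
        print(f"{host}: {v['mbps']} Mbit/s of DNS replies, avg {v['avg_response_bytes']} B "
              f"from {v['servers']} servers, with no matching queries; ask the ISP to filter")
```

The query-to-reply ratio is the discriminating signal: a real client produces roughly one query per reply, while an amplification victim receives replies to questions it never asked. The same profile, read from the other side (one "client" drawing thousands of oversized replies per second from your server without a plausible query rate), tells you that your own resolver is being used as the reflector.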

Finally, to stop malicious parties from using your own DNS servers as relays for this kind of amplification attack, make sure any DNS server reachable from outside performs recursive queries only for your own network, not for arbitrary Internet addresses. Most DNS server software can restrict recursion so that it is accepted only from specified networks, such as your own (in BIND this is the allow-recursion option, or recursion no on a purely authoritative server). By preventing outsiders from using recursion to load large, harmful DNS records into your server, you keep your servers from becoming part of the problem. The complementary measure on the network side is source-address filtering at the network edge (BCP 38), which stops the spoofed queries from leaving the attacker's network in the first place.

Conclusion: Network attacks are becoming more rampant and pose a serious threat to network security. For every malicious attack there is a defense; once you understand how an attack works and have solid networking knowledge, you can resist it. Newcomers need not despair: the market offers many network security products and a variety of firewalls, and the network will become a more secure medium for transmitting information. Above all, security education should stand at the front of any security program, with continuous effort to raise the security awareness and basic defensive skills of every network user. This matters greatly for the security of the network as a whole.
