Vulnerable DNS, already locked into a major network attack target

Source: Internet
Author: User
Keywords Attack server Target
Tags access address application application layer attack target blocking communication company
Absrtact: The face of the information security threat is quite extensive, by hacking, server or employee computer malware infection, confidential data stolen, but only several common ways, however, the current enterprise it in day-to-day operation of the work, more fear may also be

The threat of information security is quite extensive, hacking, server or employee computer malware infection, confidential data theft is only a few of the common ways, however, the current enterprise it in day-to-day operations, the more fear but also can often face the threat is distributed service blocking attacks (DDoS), Because once your external network, application server suffers from such attacks, it will not function properly.

It is recommended that the webmaster use the DNS service provided by domestic professional services, such as Dnsdun, to ensure the stability of the site analysis.

DDoS attacks are not a threat in recent years, but in the past targeted in addition to the paralysis of the target network infrastructure, in the application layer, most of the attacks on the Web server, the domain Name System (DNS) attacks on the proportion has also begun to significantly increase, and leaped to the second largest target.

With the features of DNS, hackers can launch huge traffic paralysis target network at low cost

It is not difficult to understand the attacking principle of DDoS, and it has been suggested that the most appropriate analogy is: when you want to paralyze a company's customer service hotline, just call a certain number of people to call the past mischief, there may be a chance to completely occupy each other's communication lines, And so that the customer service line is too busy to service to other normal users of the state of the call.

In general, the target of DDoS attack is mainly network infrastructure, the most common attack methods include: To use TCP online three-way communication mode of the vulnerability to launch TCP SYN flood attack, and the use of three-way to the handshake can be transmitted UDP packet flood attacks, There is also an ICMP flood attack that sends a large number of ICMP packets to the destination IP address with a spoofed source IP address, these are attacks on the third tier of the network, and in addition to the 7th tier of application services, hackers are often targeted at Web server access, to launch a large number of download behavior of the HTTP GET flood attack. In these ways, attackers can consume each other's network bandwidth or processor resources and paralyze the network services provided by the other.

This continues, but it is noteworthy that, starting in the third quarter of 2012, the use of DNS floods began to increase gradually, according to the DDoS protection products manufacturer Prolexic's annual DDoS attack report, the proportion of DNS attacks in the 4th quarter of last year reached the peak of history, Reached 9.58%. In a similar observation in the Global 2013 annual Infrastructure Security Report of Arbor NX, another DDoS protection manufacturer, they found that 10% of DDoS attacks were from UDP 53 ports. Furthermore, the communication port used by the DNS Network service is second only to the 80 ports (29%) used by the most frequently attacked HTTP Web services.

The 2013 annual report on global applications and network security presented by load balancing and network equipment merchant Radware echoed this trend, starting from 2012 to 2013, the proportion of DNS as an attack target gradually overtook SMTP, becoming the second largest aspect of application-level Dos/ddos attacks (The proportion of both in 2011 was only slightly elevated to 11% by 2013), and the lead was growing, rising to 21% in 2013, and the proportion of such attacks to the site was getting closer (27%) 9%,smtp.

In the Arbor NX for the application layer DDoS attack statistical analysis, also see DNS in a high proportion of 77%, won HTTPS (54%) to become the second largest target, and second only to HTTP (82%), as for SMTP only 25%, squeeze not the top three.

DDoS attacks against DNS network services can rise rapidly in a few years, with the use of specific DNS attacks, the most important is the use of amplification (amplification) or refraction (Reflection) generated by the huge amount of DDoS attacks, the most widely known. For example, the massive DDoS attack that rocked the world last March, generating up to 300Gbps of cyber-attack traffic, targeted the anti-spam organization Spamhaus, which was used to launch a refractive-blocking service attack (distributed Reflection denial of Service,drdos).

It is worth mentioning that this kind of amplification/refraction attack has a new appearance this year. Some people use the NTP Network School-time protocol to launch a DDoS amplification attack, resulting in network traffic up to 400Gbps, in a short period of nearly a year, unexpectedly broke the previous attack Spamhaus record.

DNS attacks kidnap large numbers of users online and Google is one of the victims

In the DNS this network service, in addition to the "Quantity" as the main mode of attack, there is the DNS authoritative server (authoritative DNS Servers), DNS server recursive query (recursive DNS Servers) attack way, and attempts to poison (DNS cache-poisoning attacks) in DNS cache data. In the attack mode of DNS fast removal, hackers attack is responsible for providing DNS fast service Relay server, intrusion inside the system, and forged a specific domain name of the IP address records, the result of the user connected to the attacker to set up a server to achieve the purpose of stealing secrets, which achieved a man-in-the-middle attack. In Arbor receptacle's report, a 20%-30% percentage of users said they had experienced DNS attacks in 2013 years.

What were the major security incidents of the past year related to these DNS attacks? At the end of August, The New York Times and Twitter were hit by a DNS attack by the Syrian Electronics Army (Syrian Electronic Army,sea), but they first hacked into a DNS service provider, Melbourne it──, a company called a domain registrar ( Registrars), and tampered with the NS record of the DNS server (this is a setting that resolves domain name resolution by a particular DNS server), changes the authoritative DNS server to the Syrian Electronic Army's DNS server, and then, The flow of access to both sites was directed to a malicious website set up by the Syrian Electronics Army.

In the early years, Twitter was also hit by a DNS attack by the Iranian Cyber Army (Iranian Cyber Army) in December 2009, which was able to redirect users to their controlled servers by tampering with DNS records to access network traffic to the site. That is, to attack the DNS authoritative server (authoritative DNS takeovers).

In January of this year, there were also large-scale events in the country that could not be accessed because DNS was hijacked. Local users are directed to the IP address of the U.S. dynamic Internet Technologies company when they connect to many Web sites with. com and. NET as domain names.

In early March, Google, the global network giant, also faced significant DNS attacks. They provided public DNS servers 8.8.8.8, and were subjected to DNS hijacking (DNS hijacking) for up to 22 minutes, when all network traffic using the DNS service was abducted and uploaded to Brazil and Venezuela.

At the end of March and early April, Google's DNS services were intercepted by Turkish network providers. The other side set up a DNS server to pretend to be Google DNS, hijack the local people's network online using fake Google DNS.

Overall, the DNS attacks will continue to occur in the future, and the frequency of encounters will be more and more frequent, and difficult to prevent and real-time response. Because most of the existing network access behavior, such as Web browsing, mobile device app operation, cloud services in the collaborative operation, behind all rely on DNS to query the IP address represented by different URLs, and then connect the back-end server to perform system operations.

Google software engineer Steven Carstensen says DNS is like a phone book or address book that allows you to find a contact number, and if someone secretly replaces the original copy with another phone book, and looks exactly the same, the contents are changed. You may not be able to communicate with your friends.

This shows that DNS is a very fragile network service and it seems to be less difficult to manipulate and hijack, and that no matter whether you are a web company with the top technical capabilities and talent of Twitter and Google, you can't survive the threat.

Global major DNS attack event book

In December 2009, Twitter was hijacked by hackers who tampered with DNS records of domain registrars, and the site was affected for 1 hours.

2010 China Baidu Web site was unable to access the situation, mainly because the DNS records have been tampered with, the station used domain name baidu.com in the United States domain name registrar, the Iranian network of illegal tampering, paralysis time of about 11 hours.

A large number of major Internet service providers in Brazil in 2011 had a massive DNS quick-take-off attack that affected up to 73 million computers, as well as 3, 4 million users.

The 2012 Go Daddy was attacked by DDoS, and the industry's DNS servers in the U.S. area were affected.

2013 The New York Times and Twitter because the DNS service provider Melbourne it by the Syrian Electronic Army invasion, the domain name records were tampered with, access to the site's traffic to the attacker to design the site.

In 2014, Google DNS was kidnapped by DNS, and some traffic was redirected to Brazil and Venezuela. Turkish network providers intercept traffic and set up servers to impersonate Google DNS to regulate freedom of speech.




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.