DNS attacks victimized an estimated 500 organizations recently. Experts say those numbers will keep climbing until this new and fertile spamming ground is better secured. What can security managers do to prevent such attacks in the future?
Effects on business
"DNS cache poisoning allows the attacker to subvert control of the entire DNS system at the victim sites," SANS Internet Storm Center [ISC] Handler Kyle Haugsness said in an e-mail interview. "It allows the attacker to reroute any Internet-based application [HTTP, FTP, SMTP, DNS, POP3, IMAP, SSH, etc] that is based on DNS names instead of IP addresses. It could allow the attacker to steal usernames/passwords to various business-related extranet sites, reroute business e-mail, and at a minimum, cause a disruption in normal business activity that could result in serious productivity loss."
"Since almost everyone uses DNS names, this is a very successful attack that could have serious security implications," Haugsness added. "The spammers will probably start using this attack more frequently until organizations are protected against it."
In addition to the threats that directly affect businesses, which Haugsness noted, Thor Larholm, senior security researcher for PivX Solutions in Newport Beach, Calif., warned of threats to the clients of those businesses.
"Aside from the obvious reports of fake bank sites and e-commerce sites which the user cannot distinguish and which are used for identity theft,
In a DNS poisoning attack, an attacker replaces the IP address that a hostname resolves to with an address of his choosing, so users who request the legitimate name are sent to a server the attacker controls. Substituting a counterfeit Web site for the real one lets the attacker install adware and spyware on a victim's machine.
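The classic way a caching resolver gets poisoned is by accepting extra records (for names the responding server is not authoritative for) that ride along in the Additional or Authority section of an otherwise legitimate reply. The defense resolvers adopted is the "bailiwick" rule: cache only records whose owner name sits at or below the zone the answer was expected to come from. The following is an added example written for this article, not code from any of the vendors or experts quoted; the record layout, the `RR` class, the zone names and the 192.0.2.x / 203.0.113.x addresses are constructed for illustration.

```python
"""Bailiwick check for DNS answers: a resolver-side defense against cache poisoning.

Added example for this article, not the article's or any vendor's code.
A reply to a query for www.example.com that was sent to example.com's name
server may legitimately carry glue for ns1.example.com, but has no business
telling the resolver where www.bank.example lives. Records outside the
expected zone are dropped instead of cached. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as a resolver would see it (constructed layout)."""
    name: str   # owner name, e.g. "www.example.com."
    rtype: str  # record type: "A", "NS", ...
    rdata: str  # address or target name
    ttl: int    # seconds the record may be cached


def _canon(name: str) -> str:
    """Lower-case and add the trailing dot; DNS names are case-insensitive."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex itself or a name below it.

    The root zone (".") contains everything; otherwise require an exact match
    or a suffix match on ".zone" so that notexample.com. is NOT accepted
    for zone example.com.
    """
    owner, zone = _canon(owner), _canon(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(records: Iterable[RR], zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a reply's records into (accepted, rejected) by the bailiwick rule."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed reply from example.com's name server to a query for www.example.com.
# The last record is out of bailiwick and is the kind of injected "extra" a
# poisoned cache would otherwise start serving.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", 3600),       # the answer itself
    RR("example.com.", "NS", "ns1.example.com.", 86400),   # authority section
    RR("ns1.example.com.", "A", "192.0.2.53", 86400),      # legitimate glue
    RR("www.bank.example.", "A", "203.0.113.7", 86400),    # out of bailiwick
]


def rejected_names(records: Iterable[RR], zone: str) -> List[str]:
    """Owner names that the bailiwick check refused to cache."""
    _, rejected = filter_response(records, zone)
    return [rr.name for rr in rejected]


if __name__ == "__main__":
    accepted, rejected = filter_response(SAMPLE_RESPONSE, "example.com.")
    for rr in accepted:
        print("cache  ", rr.name, rr.rtype, rr.rdata)
    for rr in rejected:
        print("DROP   ", rr.name, rr.rtype, rr.rdata)
```

The check is deliberately name-based only: it does not decide whether a record is true, just whether this server was entitled to assert it. That is why it complements, rather than replaces, the cryptographic validation that DNSSEC provides.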
"Enterprises may feel a false sense of security, due not only to perimeter security, but also to the notion that these attacks are a consumer phenomenon. But they -- and their sensitive customer and employee files -- are very much at risk," said Scott Olson, vice president of marketing for Mirage Networks in Austin, Texas. "And phishers are evolving their attacks. One example is the latest trend of targeting corporate e-mail systems, both to trick employees into providing sensitive personal data, as well as to open a door to enable the spread of worms and viruses that steal financial information, customer data and more."
According to the ISC, DNS attacks over the last month involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT 4.0/2000, spyware/adware, and a compromise of at least five Unix Web servers.
What steps can you take?
"We use a basic firewall configured to only allow certain connections from trusted sites/partners' VPNs," said Jeffrey Jarzabek, IT director at Matocha Associates in Oakbrook Terrace, Ill. "Any other connections and the firewall will drop the connection. All of our equipment is behind firewalls. We have not experienced any DNS hijacking relating to e-mail/spam that we know of."
PivX's Larholm recommends staying up to date with patches and "either disallowing anonymous recursive queries, implementing split-split DNS or using DNSSec for cryptographically signed DNS records."
Others think granular monitoring is the way to go. "Internal intrusion prevention systems and packet analyzers will help to protect from these kinds of attacks," said Dug Song, security architect for Arbor Networks in Lexington, Mass.
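Song's point about packet analyzers can be made concrete. An attacker who tries to slip a forged reply into a caching resolver has to guess the transaction ID (and port) of a query that is still outstanding; every miss arrives as a reply that matches no pending query, and a burst of such "orphan" replies for one name is a strong signal. The following detection routine is an added example written for this article, not code from Arbor Networks or any other party quoted; the simplified log format and its contents are constructed.

```python
"""Flagging a suspected DNS cache-poisoning flood from a packet log.

Added example for this article, not any vendor's code. The input is a
constructed, simplified capture of the queries a resolver sent (Q) and the
replies it received (R). A reply whose (id, name, port) matches an
outstanding query is legitimate; one that matches nothing is an orphan.
Many orphans for the same name in a short span look like an attacker
spraying guessed transaction IDs.
"""
from collections import Counter
from typing import List, Set, Tuple

# Constructed log: "<seconds> <Q|R> id=<txid> name=<qname> port=<resolver port>"
SAMPLE_LOG = """\
10.000 Q id=4821 name=www.example.com. port=53017
10.001 R id=4821 name=www.example.com. port=53017
10.500 Q id=1193 name=login.bank.example. port=53018
10.501 R id=40000 name=login.bank.example. port=53018
10.501 R id=40001 name=login.bank.example. port=53018
10.501 R id=40002 name=login.bank.example. port=53018
10.502 R id=1193 name=login.bank.example. port=53018
10.900 Q id=7 name=mail.example.net. port=53019
10.901 R id=7 name=mail.example.net. port=53019
"""

Key = Tuple[int, str, int]  # (transaction id, lower-cased qname, resolver port)


def parse_line(line: str) -> Tuple[float, str, Key]:
    """Parse one constructed log line into (timestamp, direction, key)."""
    fields = line.split()
    ts, direction = float(fields[0]), fields[1]
    kv = dict(f.split("=", 1) for f in fields[2:])
    return ts, direction, (int(kv["id"]), kv["name"].lower(), int(kv["port"]))


def orphan_responses(log_text: str) -> Counter:
    """Count, per queried name, replies that matched no outstanding query."""
    outstanding: Set[Key] = set()
    orphans: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, direction, key = parse_line(line)
        if direction == "Q":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)   # genuine answer; query no longer pending
        else:
            orphans[key[1]] += 1       # nothing was waiting for this reply
    return orphans


def suspected_poisoning(log_text: str, threshold: int = 2) -> List[str]:
    """Names with at least `threshold` orphan replies, sorted for stable output."""
    return sorted(name for name, n in orphan_responses(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for name, n in orphan_responses(SAMPLE_LOG).items():
        print(f"{name}: {n} orphan replies")
    print("suspected targets:", suspected_poisoning(SAMPLE_LOG))
```

The threshold exists because a single orphan is not evidence of anything: retransmitted answers and late replies to queries that already timed out produce them in normal traffic. What matters is several orphans for the same name arriving while a query for that name is pending, which is exactly the pattern in the constructed `login.bank.example.` entries.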
Experts anticipate that newer technologies, such as the security extensions for DNS, may have a part to play in better security, but they are a long way from being widely deployed. In the meantime, piecemeal solutions may be an organization's best bet.
"Mass-mailer viruses, phishing, pharming -- they're just the means to the end of loading spyware, adware, Trojans and zombies onto users' machines, and ultimately lead to the identity theft of that user," Olson warned. "And while attack methodologies vary, there's a theme that connects them all: money, and lots of it."