Fabio Hashimoto, Technology Manager at PromonLogicalis, gives us the low down on ‘DNS Poisoning’, a hacking technique exploiting inherent vulnerabilities in the internet technologies that are now commonplace in enterprise systems.
First of all, what is DNS Poisoning?
DNS Poisoning or DNS Cache Poisoning is a hacking technique that attempts to exploit a known weakness in some Domain Name Server (DNS) technologies. You can read the technical details here, but in essence DNS servers convert internet addresses (www.example.com) into the numerical IP addresses that route internet traffic. A DNS Poisoning attack is, in essence, tricking the DNS Server into sending traffic in the wrong direction – by adding false content in the DNS cache.
What makes DNS Poisoning so attractive to hackers?
For one thing, DNS poisoning is a very powerful technique, since a single server deals with queries from hundreds of thousands of users – as a result, a successful DNS hack can reach many victims simultaneously.
On top of that, DNS poisoning is very hard to detect. First, because the attack is nothing more than a configuration change and does not involve installation of malware such as viruses or Trojans, it is essentially invisible to antivirus, intrusion prevention systems and other protection mechanisms. Second, the configuration change is essentially one data entry amongst hundreds or thousands of similar entries in dozens of different DNS servers – finding that one code change is like looking for a needle in a haystack.
What is the risk to the enterprise?
These days most enterprise IT systems make extensive use of internet technologies and so, like the internet itself, they rely heavily on DNS Servers to, essentially, direct traffic – both internally and externally. That means the risk is two-fold. A DNS attack on the enterprise can affect the business itself, or its customers.
For instance there is a risk of disruption to the normal operation of IT systems, access to applications and data, and the security of commercially sensitive information. Poorly constructed cloud solutions have the potential to heighten this risk – particularly if based on outdated, poorly managed DNS platforms. Customers: There is a risk that customers’ personal and financial information could be compromised and used to defraud – with obvious knock-on reputational risks for the enterprise itself.
In the case of a bank, for example, a hacker might successfully poison the DNS Cache of an Internet Service Provider and direct its subscribers to a phishing website designed to mimic the bank´s authentic website – the hacker might obtain passwords from several of the bank´s customers and perform fraudulent transactions.
It is important to note that an enterprise can also be a ‘customer’ of an existing DNS Cache service, such as one provided by an enterprise-grade Internet Service Provider – which would mean that all employees and enterprise systems would be simultaneously affected by the poisoning of the ISP´s DNS Cache.
How serious is the risk?
It is important to mention that the DNS mechanism was designed in the early days of the Internet (early 80s), and at that time concepts like cyber-security and hackers were non-existent. Even today, DNS Poisoning attacks remain rare but, since the DNS is a fundamental part of internet and now corporate IT infrastructure, it is a risk that is not going to go away, and neither are many of the features that make it so attractive to hackers and cyber terrorists. As with any security risk offering a vector for hackers, it is likely that the risk will grow over time, and the threat will evolve as more sophisticated DNS hacking techniques emerge.
If attacks are so hard to detect, how do you stop them?
The answer, for a long time, was ‘with difficulty’. However, in recent years we’ve seen much more co-ordinated attempts to develop technological solutions to exploitable DNS vulnerabilities.
Notable examples include the rise of new, more robust and secure DNS platforms and the increasing adoption of more secure communications standards, such as DNSSEC – though, at the enterprise level, DNSSEC readiness rather than all out adoption is still the right approach, at least until the underlying internet infrastructure catches up. Even the traditional cyber security vendors (such as IPS/IDS manufacturers) are looking into providing better support to DNS –oriented attacks and vulnerabilities.
Another important response has been the development of DNS service management practices – specialised teams to manage the infrastructure within companies based on specific processes, monitoring and management tools such as IPAM (IP Address Management). This is similar to desktop/endpoint management: keep systems up-to-date on patches, monitor and solve known vulnerabilities and non-compliance to standards.
One thing is clear, however. As the internet and internet technologies pervade further and further into enterprise IT, our response to DNS security risks must evolve if we are to protect corporations and consumers from the efforts of hackers. The evolution of more secure DNS platforms and techniques to protect against DNS attacks is well worth keeping an eye on.
We’ll be hearing more from Fabio in the future. In the meantime, look out for pieces covering topics such as Technology, Innovation and BYOD, Business Analytics and Video Collaboration – all coming soon…