The world of IT security has become more sophisticated and complex; as threats have grown exponentially, they have also become more blended, obscure, and harder to remediate. Today, most organisations have experienced some kind of attack, with many experiencing multiple attacks, and it is no longer a matter of if, but when, an attack will take place.
The growth of cybercrime-as-a-service, especially DDoS-as-a-service, has enabled criminals to purchase or rent tools and services that enable them to carry out attacks without having to develop expertise themselves. Combining such tools with attractive financial incentives and a wide collection of ready-made victims, it is easy to see why this is such a lucrative industry for criminals.
“Many DDoS attacks rely on ways to abuse DNS protocols, including traffic amplification, subdomain attacks, DNS floods and DNS recursion attacks.”
Terry Young, Director of Service Provider Product Marketing, A10 Networks
Top attack techniques
The cost of a network, website or service being down or unavailable can be prohibitive. The average cost of downtime across all industries has historically been about $5,600 per minute, but recent studies have shown this cost has grown to about $9,000 per minute. For higher-risk industries such as finance, government, healthcare, manufacturing, media, retail, and transportation, the average cost of downtime tends to be over $5 million per hour.
One of the most popular attack techniques involves the domain name system (DNS). The DNS protocol is essential to every internet-based service and is used to translate alphabetic domain names into a set of numerical internet protocol addresses. DNS is one of the key protocols that makes the internet work.
Why DNS is a favourite attack vector
Today, many organisations provision their own DNS infrastructure to ensure uninterrupted operation of their IT infrastructure and business applications. For example, in many organisations, work computers default to using the organisation’s own DNS servers. This helps internal users access internal websites while keeping such domain names confidential and secure. However, DNS still remains one of the favourite attack vectors for cyber criminals for two main reasons:
- It is an inherently insecure protocol, and therefore easier to target.
- DNS is fundamental to the operations of the internet and applications, and therefore bringing it down can have a much greater impact compared to simply targeting individual applications or services.
As more organisations rely on online applications, DNS exploits have become more common. According to a 2023 IDC study, 88% of organisations had experienced one or more DNS attacks on their network, with an average of seven per year, and each successful attack cost the business, on average, $942,000.
Delving into DNS attack techniques
There are several different DNS-based attack techniques, including DNS tunneling, DNS phishing, DNS hijacking or credential attacks, DNS spoofing, and DNS malware. DNS attacks are also used as the basis for both DDoS and more advanced phishing attacks.
Many DDoS attacks rely on ways to abuse DNS protocols, including traffic amplification, subdomain attacks, DNS floods and DNS recursion attacks. DNS hijacking, for example, allows attackers to re-route queries from an organisation’s servers to destinations that they control, and it is often used to insert malware into endpoints. With DNS spoofing, malware is injected into DNS caches, or directly via DNS tunneling, so hackers can redirect DNS query traffic. DNS NXDomain flood attacks send spurious queries to nonexistent domain names with requests for invalid or non-existent records, tying up servers.
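Two of the patterns named above, NXDomain floods and amplification via DNS, leave a recognisable footprint in a resolver's query log: a client whose queries almost all return NXDOMAIN at a high rate, and queries (typically ANY) whose responses are many times larger than the query that triggered them. The following detection script is an added example written for this article; it is not A10 Networks code and does not correspond to any product feature. It assumes a simplified, constructed log format (`<epoch_seconds> <client_ip> <qname> <qtype> <rcode> <response_bytes>`), generates a small constructed sample inline, and flags clients that exceed the thresholds. The thresholds and the query-size estimate are assumptions chosen for illustration, not values from the article.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic), one query per line:
#   <epoch_seconds> <client_ip> <qname> <qtype> <rcode> <response_bytes>
def constructed_log() -> str:
    lines = []
    # Ordinary client: a few successful lookups spread over a minute.
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.net"]):
        lines.append(f"{1700000000 + i * 20} 10.0.0.5 {name} A NOERROR 80")
    # NXDomain flood: 40 queries in ~2 s for random labels under one zone, all NXDOMAIN.
    for i in range(40):
        lines.append(f"{1700000000 + i * 0.05:.2f} 192.0.2.77 x{i:03d}.victim.example A NXDOMAIN 100")
    # Amplification-style query: one ANY query whose response dwarfs the query.
    lines.append("1700000010 198.51.100.9 victim.example ANY NOERROR 3200")
    return "\n".join(lines)


@dataclass
class ClientStats:
    queries: int = 0
    nxdomain: int = 0
    first_ts: float = math.inf
    last_ts: float = -math.inf
    names: set = field(default_factory=set)

    @property
    def nxdomain_ratio(self) -> float:
        return self.nxdomain / self.queries if self.queries else 0.0

    @property
    def qps(self) -> float:
        # Use at least a 1 s window so a burst of queries with equal timestamps is not divided by zero.
        return self.queries / max(self.last_ts - self.first_ts, 1.0)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qname, qtype, rcode, size = parts
    try:
        return {"ts": float(ts), "client": client, "qname": qname.lower().rstrip("."),
                "qtype": qtype.upper(), "rcode": rcode.upper(), "resp_bytes": int(size)}
    except ValueError:
        return None


def estimated_query_bytes(qname: str) -> int:
    # Assumed estimate of the UDP DNS query payload: 12-byte header, wire-format name
    # (len(qname) + 2 for the leading label length and the root byte), 4 bytes QTYPE/QCLASS.
    return 12 + len(qname) + 2 + 4


def amplification_factor(rec) -> float:
    """Response size relative to the (estimated) query size."""
    return rec["resp_bytes"] / estimated_query_bytes(rec["qname"])


def summarise(log_text: str) -> dict:
    """Aggregate per-client counters over the whole log."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[rec["client"]]
        s.queries += 1
        s.first_ts = min(s.first_ts, rec["ts"])
        s.last_ts = max(s.last_ts, rec["ts"])
        s.names.add(rec["qname"])
        if rec["rcode"] == "NXDOMAIN":
            s.nxdomain += 1
    return dict(stats)


def suspected_nxdomain_floods(stats, min_queries=20, min_ratio=0.8, min_qps=5.0):
    """Clients with enough queries, a high NXDOMAIN share and a high query rate (assumed thresholds)."""
    return sorted(c for c, s in stats.items()
                  if s.queries >= min_queries and s.nxdomain_ratio >= min_ratio and s.qps >= min_qps)


def suspected_amplification(log_text, min_factor=10.0, qtypes=("ANY", "TXT", "DNSKEY", "RRSIG")):
    """Individual queries of amplification-prone types whose response/query ratio is large."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] in qtypes and amplification_factor(rec) >= min_factor:
            hits.append((rec["client"], rec["qname"], round(amplification_factor(rec), 1)))
    return hits


if __name__ == "__main__":
    log = constructed_log()
    stats = summarise(log)
    for client in suspected_nxdomain_floods(stats):
        s = stats[client]
        print(f"NXDOMAIN flood candidate {client}: {s.queries} queries, "
              f"{s.nxdomain_ratio:.0%} NXDOMAIN, {s.qps:.1f} qps, {len(s.names)} distinct names")
    for client, qname, factor in suspected_amplification(log):
        print(f"Amplification candidate {client}: {qname} ANY-type response x{factor}")
```

On real resolver logs the same two signals are what a rate-limiting or response-rate-limiting (RRL) policy keys on: a per-source NXDOMAIN ratio identifies the random-subdomain flood, and an outsized response-to-query ratio on ANY/TXT/DNSKEY queries identifies traffic that an open resolver would be reflecting. The thresholds here are deliberately conservative placeholders and should be tuned against a baseline of the organisation's own query mix before being used to trigger blocking.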
All of these types of attacks can have short- and long-term implications. In the immediate aftermath of an attack, an organisation may experience downtime or loss of productivity as a result of systems being taken offline. This can lead to revenue loss, reputational damage, and regulatory fines. Long-term impacts include damage to brand reputation, loss of customers, and decreased market share.
The challenge with multiple products to protect DNS
With the emergence of each new threat and the technology to counter it, organisations have traditionally responded by deploying a new security product to remediate the immediate threat at hand. Over time, this has led to the deployment of numerous security devices in the network, resulting in the following challenges:
- Increased complexity: With many security devices in the network, the task of deploying, managing, and troubleshooting has become increasingly complex. Each device has its own separate management interface and configuration commands that require specialised knowledge to deploy and troubleshoot.
- Increased cost: Upgrading DNS infrastructure to meet growing traffic needs requires upgrading most, if not all devices. This results in the need to purchase multiple different products, resulting in high purchase and licensing costs.
- Slow performance: Some of the newer DNS technologies, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), require TLS decryption/encryption processing, which is highly CPU-intensive. DNS servers were not originally designed for such processing, so adding DoH/DoT can lead to a severe slowdown in overall performance.
- Unsuitable for hybrid cloud: All these problems are further compounded by the growing adoption of hybrid cloud. This is because many of the legacy security products that have been deployed in private data centres may either not be available or may not be optimally suited for such a deployment. This leads to adoption of cloud-specific offerings, adding to the complexity and cost of deployment.
Securing and simplifying your DNS infrastructure
DNS is a critical component of the internet infrastructure, and it is important that DNS is always up and running to ensure normal business operations. However, DNS is also susceptible to a range of attacks and unfortunately no single security method can prevent all the different types of attacks. Therefore, an all-encompassing approach is required, including DNS load-balancing, DNSSEC, DoH/DoT, and DNS caching to ensure DNS infrastructure is constantly available and performing optimally.
Only with a comprehensive set of DNS security solutions can organisations secure and simplify their DNS infrastructure without compromising on performance or the user experience.