5 types of DNS attacks and how to detect them
Domain Name System (or DNS) is used to translate domain names into IP addresses. These addresses are used by computers to communicate with each other. It is part of almost all computer networks. Because DNS communicates with other networks, it can be difficult to secure as it was intended to be an open protocol. A malicious adversary might find DNS attractive for malware downloads, network reconnaissance, and communication with command and control servers. It is important to monitor DNS traffic for threat protection.
Attack 1: Malware installation This is possible. This can be accomplished by hijacking DNS queries to send malicious IP addresses. You can also direct requests to phishing domains to achieve the goal of malware installation.
Indicators for compromise: Forward DNS lookups for typosquatting and domain names that sound or look similar (gooqle.com, for example); modifications Hosts File; DNS cache poisoning. Attack 2: Credential theft. An adversary could create a malicious domain that looks like a legitimate domain and then use it to launch phishing campaigns to steal credentials.
Indicators for compromise Forward DNS lookups for typosquatting and domain names that sound or look similar (gooqle.com, for example); modifications of hosts file; DNS cache poisoning. Attack 3: Command & Control communication. After an initial compromise, DNS communications are abused to communicate via C2 servers as part of lateral movements. It involves periodically querying DNS servers from computers in the target network to find domains controlled by the adversary. These messages may contain encoded messages that can be used to carry out unauthorized actions within the target network.
Indicators for compromise DNS beaconing queries for anomalous domains, low-to-live orphan DNS requests Attack 4: Network footprinting. DNS queries are used by adversaries to create a network map. Because attackers live off terrain, they need to create a map.
Indicators for compromise: High number of PTR queries and SOA queries. Forward DNS lookups for subdomains that are not present in the root domain. Attack 5: Data theft. Use DNS to transfer data; it may be done by tunneling Other protocols such as FTP and SSH are also available through DNS queries, responses, and requests. Multiple DNS queries are made by attackers from compromised computers to an adversary’s domain. You can also use DNS tunneling to execute commands or transfer malware into the target network.
Indicators for compromise: High number of subdomain lookups, large lookup sizes; long subdomains; unusual query types (TXT Records). Feeling overwhelmed? There is a ton of detail to absorb and process discipline to put it into practice for 24/7 threat detection and response. Allow us to do the heavy lifting with our SIEM co-managed. No matter if you use an on-premise DNS such as Microsoft DNS server Infoblox Cloud services or from OpenDNS We have you covered. Take a look at our ” Catch of the Day “To read real stories about our SOC that detected and stopped cyber-attacks, including DNS-based threats, click here