Thursday, 17 April 2008

Testing the security of the DNS Infrastructure - Has the security of the DNS Infrastructure Improved? (Continued)

The threats of an insecure DNS
The threats are many, we do not plan to cover all of them in this document and they are as limitless as one’s imagination. We will briefly cover a few in the following sections.
The threats mentioned below have been broken down into the categories of those against Confidentiality, Availability and Integrity.

Threats to Confidentiality
Eavesdropping Attacks
If you run any other software on the DNS server, and the DNS is compromised in such a manner that allows the attacker operating system level access to the server hosting the DNS, any data traversing the server that runs the DNS will be able to be intercepted and captured by the attacker.

For example, if your DNS server was also a mail relay for your organisation, the attacker could read all mail messages entering or exiting your domain. If there was a lack of adherence within your organisation to obeying your security policy, and sensitive information was being regularly transmitted via email, the attacker could collect a lot of valuable information from this attack.

General Traffic Sniffing
If the DNS was poorly located in such a way that all traffic entering or exiting your organisation had to pass it, the compromised server could be used to eavesdrop on all inbound and outbound traffic, such as:

  • E-Commerce transactions,
  • Remote access sessions, and
  • File transfers.
Trust Relationship Exploit
If the security of your organisation had been poorly configured to allow the DNS to access other servers within your organisation, or even in your bastion zones, it could be used as a springboard by a successful attacker from which to launch attacks against other more valuable information assets.

Threats to Integrity
The following are examples of what could happen in the event of a compromise of integrity of your DNS.

Mail Redirection
If an attacker can alter the address of your primary mail exchanger (MX) record, they can effectively:
  • Deny your ability to receive mail,
  • Receive all of your mail and reply to it making it look like it came from your organisation and bring your organisation into disrepute by sending obscene or inaccurate replies,
  • Publicising sensitive mail messages on newsgroups or other media thereby causing loss of trust from your customers/shareholders,
Web Redirection
In this scenario, if an attacker can alter your DNS records, they could redirect your customers to:
  • Your competitors site,
  • A bogus site containing anti-social content,
  • A site that looks like your site but contains inaccurate content,
  • A site that states your site has gone out of business,
  • Redirect users and capture their credentials (eg Internet banking)
  • E-Commerce Redirection

In this scenario, if an attacker can alter your DNS records, they could redirect your customers to another site:

  • which takes their orders, accepts the payment but doesn’t provide the goods, or
    proxies all traffic back to your real e-commerce server to capture customer details and credit card information.
In this scenario, an attacker places their address into your DNS so it appears as they are one of your systems, and then commits acts against other hosts on the Internet pretending to be from your domain.

This is as simple as removing one of your IP Addresses and inserting theirs in the DNS configuration files. When their address resolves in someone’s log files, it will appear to look like a server from your domain. They commit the attacks on others and then change it back to normal and when the person suffering the attack goes hunting for the attacker, it looks like you did it.
This type of attack could cause very bad publicity for your organisation and subsequent loss of customers/shareholders.

Threats to Availability
Your DNS is probably the most critical part of your organisation, without it:
  • People cannot determine where to send mail to you, and
  • People cannot determine how to get to any of the services you provide.
In this attack, the attacker simply redirects the address of any of your servers to a non-functioning address thereby making your site inaccessible.

Another twist on this attack could be used to direct all of your web and mail traffic to a server within your domain, on another DMZ, which was not running a mail relay or web server. This would have the added effect of causing additional load on your security enforcing devices such as packet filters and firewalls as the traffic bounced in towards the server not running the services and out again as it got rejected resulting in twice the traffic levels normally experienced by your organisation.

In this attack the attacker removes entries from your DNS servers thereby making those hosts inaccessible.

DNS is Critical
In summary DNS is arguably the most important service on any Internet based network (Verisign, 2003). The domain naming service is more crucial than even the web server or mail. Without DNS, the Internet stops (McCahill et al. 1995), no mail, no web no e-commerce (RFC1862).

No comments: