Home / Blog / Use and Abuse of DNS

Use and Abuse of DNS

Posted on 10/02/2014, by Antonio López (INCIBE)
Abuse of DNS

Domain Name Service (DNS) is one of the most extensively used protocols in Internet communications. It is thanks to DNS that we can use names instead of Internet Protocol (IP) addresses. This gives us a much simpler way to identify and remember other machines or devices connected to the net. On the other hand, its universal presence and its characteristics make it especially attractive for other, illegitimate, purposes. These include denial of service attacks through DNS amplification, site hijacking, phishing, and so on. This article summarized some of the other uses and abuses that are made of this crucial protocol.

Fast flux or the Gift of Being Everywhere.

The technique known as fast flux is an evasion mechanism that is widely used by malware and botnets. The computers making up a botnet (bots or zombies) are usually connected to servers or command and control (C&C) centres or other bots, with the aim of receiving orders, configurations, or both, as also of sending information. Command and control centres attempt to hide their location and IP so as to avoid being found and neutralized. For this purpose, they constantly change IP address.

The fast flux technique involves registering a domain name, whose associated IP is very frequently altered on the name servers that keep a record of it. Additionally, these register entries are assigned a lifespan (TTL, time-to-live) that is very low (or zero), so as to avoid their being stored in the cache of DNS clients.

The outcome is that two consecutive requests return different IP addresses. This makes it harder to locate the server, which would be easy to do if it had a fixed IP. Fast flux of the IP is often combined with a rotation of the servers for domain name owners (name servers, NS), making it even more difficult to track down the command and control centres (double fast flux). Nevertheless, fast flux can also be used legitimately with the aim of spreading loads or multiplexing the resources associated with a domain so as to increase its availability.

Fast flux of IP

Illustration 1. Fast flux of IP

Passive DNS.

Passive DNS has appeared on the scene as a mechanism for detecting unusual behaviours, which include domain hijacking and fast flux. It involves monitoring and storing DNS queries in a database and then comparing the successive requests made to see if there are unexpected differences from what was stored in the database earlier. Changes in the domain owner or the associated IPs over a brief period of time could be an indication that something odd is happening

 

Sink-Holing.

Sink-holing of domains is a defensive strategy aimed at preventing domains with a malicious content from being visited. To do this, the domain must first be identified, then the registrar for it found, and requested to allow its use. Thereupon, a controlled or invalid IP can be assigned to the domain. In that way, victims will never actually reach the malicious site or control centre if a botnet is involved.

Domain Generation Algorithm (DGA)

Once again, the bad guys have looked for ways to outwit the good guys. This malware takes counter-measures against sink-holing by generating a huge number of domains, using an algorithm. For example, in the case of Conficker, one of the commonest threats, as many as 50,000 domain names can be generated in a single day by the most recent version. The attacker periodically registers a set of domains from among those generated by the algorithm so as to remain accessible to victims. It is true that the frequency and number of connections between victim and control centre goes down, but on the other hand, sink-holing of domains is made much harder. This is because all of the domain names generated by the algorithm would have to be registered, or else the registrar would have to be requested to check on all of them.

Distributed Denial of Service (DDoS).

This is one of the most widespread and frequently found illegitimate uses of DNS, which causes damage through denial of service attacks. As explained in a previous article on DNS, open resolvers and service denial through DNS amplification, the characteristics of the DNS protocol DNS and its base in the transport layer User Datagram Protocol (UDP) allow falsification or spoofing of IP addresses. This means sending packets with a fake IP to a server, with the server responding to this IP, as no kind of check is made as to origin. The result of "reflecting" responses to the victim IP combines with the amplification factor, as certain DNS queries manage to generate a response from the server that is much bigger than the packet sent. By combining these two features, amplification and reflection, an attacker using a good number of public DNS servers can carry out a denial of service attack against a victim IP, by sending a great volume of traffic to it. This and other aspects of DNS security are described in detail in the guide to DNS service security published by INTECO.

A Traffic Peak during a DDoS Attack

Illustration 2. A Traffic Peak during a DDoS Attack

 

Typo-Squatting, Cyber-Squatting and Others

Although not reaching the level of sophistication of the previous techniques, strategies based on taking advantage of human errors are frequently found, and can be just as effective as the former. Among them is typo-squatting, which consists of registering domains with names very similar to the name it is intended to hijack. These names are carefully chosen so that they coincide with the outcome of writing the original name with a typing error, for instance www.goole.com instead of www.google.com. Anybody making this typing mistake is directed towards a site that mimics the original and tries to obtain passwords, steal data, install unwanted software, or infect the visitor’s machine.

Typo-Squatting a Domain

Illustration 3. Typo-Squatting a Domain

 

Cyber-squatting is another opportunistic way of taking advantage of the names register, primarily with an eye to extortion. It is based on registering domain names that refer to people, companies, brand-names and similar items, the intention being to get any parties harmed by this to buy back the domain name for a high price. It was very frequent some years ago, but nowadays is less usual, thanks to standards and legal procedures that make it difficult to register a domain name that conflicts with intellectual or other rights. ICANN (Internet Corporation for Assigned Names and Numbers) co-ordinates the management of domains and IPs, and through its section for domain name dispute resolution policy it has established a route for the protection of the rights of brand owners.