It would be any IT professional’s worst nightmare to have to dismiss the company\u2019s entire workforce due to a network-access issue. But in spite of dozens of quarterly reports from several vendors citing increased infrastructure-based attacks, many network teams continue to ignore the vulnerabilities in DNS infrastructure.<\/p>\n
Typically, a general-purpose Windows server handles DNS along with many other services, presenting a large attack surface and leaving the server wide open for attacks. Most firewalls have DNS port 53 open, making it a very accessible transport mechanism for attackers.<\/p>\n
But there is more at stake than employee downtime. Here are some of the things that are going on undetected in many of the networks we\u2019ve seen.<\/p>\n
A Perfect Launch Pad for Internal Malware-based DDoS Attacks<\/strong><\/p>\n We\u2019ve recently seen a case in which the internal DNS servers had experienced an unexplainable outage. It seemed as if attackers had targeted a known vulnerability on a DNS server. In another case, Infoblox DNS servers front-ending the Microsoft DNS layer detected a sudden rise in outbound queries to non-existent destinations, an increasingly common type of attack intended to exhaust the server. IT tracked the true source of the spoofed IPs and found that it was coming from malware on a couple of internal servers. Given the nature of DNS service, it is not hard for hackers to locate and target internal to cause intended behavior.<\/p>\n The Wild West of Malware Lurking in Your Network<\/strong><\/p>\n Perimeter security appliances are great, but they miss all the interesting action that happens within the internal network and inside the VLAN. While running DNS Firewall product trials on endpoints, we\u2019ve seen instances of old-school malware such as the conflicker worm popping up as well as the more sophisticated Cryptolocker and its variants found on laptops and unmanaged devices alike. In reality, there are a lot more surprises that our customers experience but for obvious reasons, they don\u2019t want to share them. As with Las Vegas, what happens inside the network, stays inside the network.<\/p>\n A Shortcut for Exfiltrating Data<\/strong><\/p>\n Data exfiltration attacks can take the form of the most dangerous low-and-slow exfiltration technique. With a QPS rate as low as 40 \u2013 50 malware can successfully gather, encrypt, fragment, and finally exfiltrate sensitive data. Basic security audits in most networks have flagged this as an open channel for malware exfiltration. While some had intrusion prevention systems (IPSs) and firewalls that were capable of blocking instances of these attempts, 90 percent of the time, they were not configured to inspect this specific traffic because of performance, false positives, and change management concerns. In fact, a lot of networks we\u2019ve seen allow DNS to be served by an external DNS server or by a misconfigured or rogue\u00a0DHCP and DNS servers.<\/p>\n So as you can see, there are worse things than your worst nightmare\u2014things like having your data held for ransom, or seeing your customer\u2019s private data stolen and exposed, and having the performance of your DNS servers crippled because they are acting as unwitting accomplices in a denial-of-service attack on someone else. It\u2019s time to recognize that DNS security is an important brick in the wall that surrounds your network, and to take the steps necessary to detect malware, pinpoint infected devices, and block outbound malware communications.<\/p>\n","protected":false},"excerpt":{"rendered":" It would be any IT professional’s worst nightmare to have to dismiss the company\u2019s entire workforce due to a network-access issue. But in spite of dozens of quarterly reports from several vendors citing increased infrastructure-based attacks, many network teams continue to ignore the vulnerabilities in DNS infrastructure. Typically, a general-purpose Windows server handles DNS along […]<\/p>\n","protected":false},"author":295,"featured_media":1924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[16,32,49,59,36],"class_list":{"0":"post-1923","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-infoblox","9":"tag-malware","10":"tag-mitigate-threats","11":"tag-risk","12":"tag-threats","13":"entry"},"acf":[],"yoast_head":"\n