Attackers Growing a Soft Spot for DNS Infrastructure

Recent attacks on DNS servers

• Over a dozen ISPs across Europe, including EDP, FDN, Bouygues Télécom, SFR, K-net, Delta, Caiway, Online.nl, Signet, FreedomNet, and Tweak.nl. reported DDoS attacks that impacted their DNS infrastructure.
• More than 400 domains controlled by the U.K. government were found on DNS-based blacklists, impacting email communications. Typically, domains on an automated IP blacklist indicate issues in the email infrastructure such as the server sending spam or being exploited at some point.
• In the last few weeks of August, hackers have launched DDoS attacks against some of the largest financial organizations, targeting their DNS servers, backend infrastructure, and API endpoints. The list of victims includes the New Zealand Exchange (NZX), MoneyGram, Worldpay, PayPal, YesBank India, Braintree, and Venmo.
• Attackers were seen abusing Google DNS over HTTPS to download malware. While Google DNS helped in resolving a suspicious domain, the response returned through Google DNS carried the malicious payload in an encoded form.

Multiple ways to launch DNS attacks

• Cybercriminals target routers and reconfigure their DNS settings, directing victims to malicious websites instead of the pages they intend to visit.
• One of the techniques involves the use of botnets to target servers with massive volumes of DNS requests, flooding the servers with malicious requests, and blocking the legitimate ones.
• Attackers often abuse DNS to invade a private network, avoiding the same-origin policy—a mechanism that allows a webpage to access data from another page only if they both have similar hostnames, port numbers, and identifying numbers.

DNS providers must be in the saddle