The General Data Protection Regulation (GDPR) comes into force in just over a year. With fines of up to 4% of global revenue for non-compliance, any attack should be taken seriously, and that includes "DNS exfiltration" (DNSX) or "DNS tunnelling" attacks.
The Domain Name System, or DNS, is the system in the internet that helps to send users to the websites they want to go to. However, while many firms are efficient at protecting their internal systems by using firewalls, anti-malware and access controls, rather fewer consider the dangers of DNS corruption.
This lack of knowledge about DNS means that malicious attacks are easily executed. And such attacks can result in thousands of personal records being stolen in minutes.
There are several ways that the DNS can be used to cause trouble. “DDoS” attacks are designed to stop target websites operating efficiently by sending large quantities of traffic to them. “Cache poisoning” attacks involve corrupting data in DNS servers so that they send people to the wrong website (usually a malicious one). And then there is DNSX.
How do DNSX attacks work? Simply put, the DNS system acts as a messaging service that uses queries and responses. If I want to find www.teiss.co.uk, my computer asks the DNS to look for it; the DNS then hunts around for the website www.teiss.co.uk; when it thinks it has found the right website the DNS asks www.teiss.co.uk to confirm its identity; www.teiss.co.uk then sends a message back saying “yup, you’ve found me”.
Unfortunately, hackers can insert code into the DNS query, and this code can be used to tell the website to send data to the hacker's computer when it responds to the query. The amount of data that can be transferred using this method is limited compared to other methods, but not that limited. In fact, according to a recent report from IDC, "Dealing with DNS-Based Data Breaches to Avoid GDPR Non-Compliance", DNS tunnelling can be used to "exfiltrate" (steal) 18,000 credit card numbers per minute.
It's a problem. But, like most hacking techniques, there are a number of things you can do to defend yourself. The first stage of defending against a DNS attack is to detect it, by analysing DNS traffic patterns and looking for suspicious requests.
Once an attack has been discovered there are a number of tactics that can be employed. These include the creation of blacklists of suspicious sources. This technique can be time consuming, however, and can also reduce efficiency when sources are wrongly blacklisted. An alternative approach is to examine the DNS traffic closely, looking for instance at the size and frequency of requests. In addition, immediate responses should be triggered when an attack is discovered, putting suspicious clients into quarantine and blocking any attempts to steal data.
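The two preceding paragraphs describe detection by looking at the size and frequency of requests rather than by blacklisting sources. The following is an added example (not code from the article, from IDC or from EfficientIP) of what such traffic analysis looks like in practice: it summarises a query log per client and per queried domain, then flags combinations where many queries carry long, high-entropy, never-repeated leftmost labels, which is the pattern that data encoded into hostnames produces. The log format, the IP addresses, the domain names, the hexadecimal labels and the thresholds are all constructed for the example; the "last two labels" rule for the registered domain is a simplification (a real deployment would use the Public Suffix List so that names under co.uk are grouped correctly).

```python
"""Heuristic detection of DNS tunnelling from a query log (added example)."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "<ISO timestamp> <client IP> <qtype> <qname>"
# format. The 32-character hexadecimal labels are made-up random-looking strings; they
# do not encode any real data. 10.0.0.5 is ordinary browsing traffic, 10.0.0.9 sends a
# burst of encoded-looking TXT lookups, 10.0.0.12 sends too few queries to judge.
SAMPLE_LOG = """\
2017-04-03T10:00:00 10.0.0.5 A www.example.com
2017-04-03T10:00:01 10.0.0.5 AAAA mail.example.com
2017-04-03T10:00:03 10.0.0.5 A www.example.com
2017-04-03T10:00:04 10.0.0.5 A cdn.example.com
2017-04-03T10:00:05 10.0.0.5 MX example.com
2017-04-03T10:00:06 10.0.0.5 A www.example.com
2017-04-03T10:00:02 10.0.0.9 TXT 9f2a7c04e1b3d5860f3e8a1c6b2d9745.t.bad-domain.test
2017-04-03T10:00:02 10.0.0.9 TXT 4e7b1a9c0d3f56821c5f9e0a3d7b6248.t.bad-domain.test
2017-04-03T10:00:03 10.0.0.9 TXT c3e9a1f7052b8d64a8d2f1c4e0b79356.t.bad-domain.test
2017-04-03T10:00:03 10.0.0.9 TXT 7d0c5b3a9e1f48262f8e4a0c6d1b9375.t.bad-domain.test
2017-04-03T10:00:04 10.0.0.9 TXT b6f1e8d3a0c725945a2d9c7e3f0b1846.t.bad-domain.test
2017-04-03T10:00:04 10.0.0.9 TXT e2b9d4a6f0c173583c6f0e9b2a5d7148.t.bad-domain.test
2017-04-03T10:00:07 10.0.0.12 A 9f2a7c04e1b3d5860f3e8a1c6b2d9745.static.example.net
2017-04-03T10:00:08 10.0.0.12 A 4e7b1a9c0d3f56821c5f9e0a3d7b6248.static.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores high, real words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Registered domain approximated as the last two labels (no Public Suffix List)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qtype": qtype, "qname": qname.lower()}


def summarise(lines):
    """Per (client, registered domain): volume, label size, entropy and repetition."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            groups[(rec["client"], base_domain(rec["qname"]))].append(rec)
    summary = {}
    for key, recs in groups.items():
        labels = [r["qname"].split(".")[0] for r in recs]  # leftmost label carries payload
        times = [r["ts"] for r in recs]
        summary[key] = {
            "queries": len(recs),
            "unique_ratio": len({r["qname"] for r in recs}) / len(recs),
            "avg_label_len": sum(map(len, labels)) / len(labels),
            "avg_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "txt_ratio": sum(r["qtype"] == "TXT" for r in recs) / len(recs),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return summary


def flag_suspicious(summary, min_queries=5, max_label_len=30.0,
                    min_entropy=3.5, min_unique_ratio=0.8):
    """Flag groups with enough traffic whose labels look encoded and never repeat."""
    flagged = {}
    for key, f in summary.items():
        if f["queries"] < min_queries:
            continue  # too few lookups to judge; avoids quarantining on one odd name
        encoded_looking = (f["avg_label_len"] >= max_label_len
                           or f["avg_entropy"] >= min_entropy)
        if encoded_looking and f["unique_ratio"] >= min_unique_ratio:
            flagged[key] = f
    return flagged


def detect(log_text=SAMPLE_LOG):
    return flag_suspicious(summarise(log_text.splitlines()))


if __name__ == "__main__":
    for (client, domain), f in detect().items():
        rate = f["queries"] / max(f["span_seconds"], 1.0)
        print(f"suspicious: {client} -> {domain}: {f['queries']} queries "
              f"({rate:.1f}/s), avg label {f['avg_label_len']:.0f} chars, "
              f"avg entropy {f['avg_entropy']:.2f} bits, TXT share {f['txt_ratio']:.0%}")
```

Run against the embedded sample, only the 10.0.0.9 to bad-domain.test group is reported; the browsing client repeats a handful of short names and falls below the uniqueness threshold, and the third client is ignored because of the minimum-volume guard. Tuning these thresholds against a baseline of the organisation's own traffic (CDNs and some anti-spam products legitimately use long, hash-like labels) is what keeps this kind of analysis from producing the wrongly blacklisted sources the article warns about.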
None of this is easy, although there are tools that can automate tasks. But whatever solution is employed, it is first necessary to acknowledge DNS tunnelling as a potentially serious threat, and one that the more commonly used defences such as firewalls and anti-malware cannot protect against.
Some technical details about the precise nature of DNSX attacks and how to defend against them are available in this IDC Technology Spotlight report (registration required), which was sponsored by EfficientIP.