The popularity of Cloud services has increased immensely over the past few years. Transparency into how these services are architected and managed has played a big role in this growth story. Many of the CISOs I talk to about leveraging Cloud services want insight into the types of threats that Cloud services face, in order to feel comfortable with hosting their organization’s data and applications in the Cloud. In the latest volume of the Microsoft Security Intelligence Report, volume 15, we include details on a couple of threats that Cloud service providers and their customers should be aware of. But for organizations that have been running their own data centers and web properties, these threats will be familiar and come as no surprise; attacks on the global Domain Name System (DNS) infrastructure and Distributed Denial of Service (DDoS) attacks are something that proprietors of Internet-connected IT infrastructures and Cloud services, big and small, need to be aware of and plan for in order to manage the risk of interruption to their operations. These attacks have the potential to interrupt Internet services such as websites, portals, and Cloud services, and to infect Internet connected devices with malware.
Domain Name System (DNS) attacks

Attacks on the global DNS are some of the most serious and potentially damaging attacks affecting the Internet today. If attackers are able to successfully compromise a registrar that manages DNS records, as has happened in the past, it has the potential to impact a broad number of organizations and individuals.
If attackers successfully compromise one of the name servers or registries that Internet users rely on for name resolution, they can potentially redirect DNS queries to a malicious name server. For example, a compromise of the authoritative name server for microsoft.com (or any other domain) could result in requests for www.microsoft.com being redirected to an IP address of the attacker’s choosing, which may serve malware or contain a maliciously altered version of the website (as seen in Figure 1). The potential for damage increases when attackers focus on domains higher in the DNS namespace hierarchy; a hypothetical compromise of one of the root name servers could conceivably put every domain on the Internet in jeopardy.
Figure 1: A compromised registry can result in malicious responses being issued to DNS queries
Country-code top-level domain (ccTLD) registries have become popular targets for attacks, especially in relatively small markets. A ccTLD is a top-level domain that is generally used or reserved for a country or region, such as .ca for Canada. Today there are more than 300 ccTLD name registries responsible for servicing hundreds of millions of domain names worldwide. Like many organizations, Microsoft maintains registered domains under a number of different ccTLDs for its regional subsidiaries, such as microsoft.ca for Microsoft Canada and microsoft.co.jp for Microsoft Japan.
Unfortunately, the name servers run by some ccTLD registrars are vulnerable to attack, which can negatively affect individuals, nonprofits, and government organizations as well as small companies and large corporations such as Microsoft. Between May of 2012 and July of 2013, 17 ccTLDs that manage DNS records for Microsoft (and many other organizations) in specific countries and regions were compromised. Typically such compromises are perpetrated using a combination of Structured Query Language (SQL) injection exploits and social engineering.
If attackers are successful, when computer users attempt to reach a website using a URL that is resolved by a hijacked DNS server, their system is typically redirected to a server controlled by an attacker, unbeknownst to the user. The proprietors of the targeted website(s) usually have no control over the ccTLD and typically have no knowledge of the attack. Attacker-operated servers typically host malicious content such as exploit kits, malware, phishing sites, or inappropriate content. The website that the user sees can look like the legitimate website they wanted to visit and typically does not provide any indication that it is malicious.

Attackers use malicious IFrames (the size of a pixel) or malicious JScript to expose the unsuspecting user's system to a variety of exploits. If all the software on the user's system has not been kept up to date with security updates, one or more of these exploits could allow attackers to compromise the system and download malware onto it. Attackers will then have remote access to the system and can potentially control it remotely. The user's system can then be used for a wide range of illicit activities without the user's knowledge or consent, such as DDoS attacks, spam campaigns, hosting stolen and pirated content and software, stealing data and software keys from the compromised system, potentially stealing the identities of the compromised computer's users, and so on.

I mentioned DDoS attacks; these attacks can target Cloud services and websites alike, potentially interrupting service to users. I will discuss DDoS attacks in depth in part two of this series. Compromised systems are also used to host malicious websites for attackers to use in attacks on other Internet users, a very effective way for attackers to increase the scale of their attacks and maintain their anonymity.
This type of attack is very popular with some attackers because it can enable them to expose a large volume of Internet users and connected devices to drive-by download attacks and phishing attacks, increasing the odds that they can compromise large numbers of systems.
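One way a defender can spot the registry-level tampering described above is to compare the NS delegation the registry publishes, and the addresses the resulting answers point to, against a known-good baseline. The following Python is an added example, not part of the original post or any Microsoft tool; the name servers, address prefixes and observed answers are constructed placeholders, and the zone name is used only as a label.

```python
"""Baseline check for DNS delegation and address records (added example)."""
import ipaddress

# Constructed baseline: the NS set the registry should delegate each zone to,
# and the address prefixes legitimate web front ends live in. Placeholder
# values, not Microsoft's real records.
BASELINE = {
    "microsoft.ca": {
        "ns": {"ns1.example-dns.net", "ns2.example-dns.net"},
        "a_prefixes": ["192.0.2.0/24", "198.51.100.0/24"],
    },
}

def check_delegation(zone, observed_ns, baseline=BASELINE):
    """Compare the NS set seen at the parent (the ccTLD registry) with the
    expected set. Any difference means the delegation was changed, which is
    exactly how a registry compromise shows up from the outside."""
    expected = baseline[zone]["ns"]
    observed = {n.rstrip(".").lower() for n in observed_ns}
    return {
        "zone": zone,
        "added": sorted(observed - expected),
        "removed": sorted(expected - observed),
        "hijacked": observed != expected,
    }

def check_addresses(zone, observed_a, baseline=BASELINE):
    """Flag A records outside the allow-listed prefixes. Prefix membership
    rather than exact IP match avoids false positives when a CDN rotates
    addresses inside its own ranges."""
    nets = [ipaddress.ip_network(p) for p in baseline[zone]["a_prefixes"]]
    rogue = [ip for ip in observed_a
             if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return {"zone": zone, "rogue": rogue, "hijacked": bool(rogue)}

def audit(zone, observed_ns, observed_a, baseline=BASELINE):
    """Run both checks; report a hijack if either one trips."""
    d = check_delegation(zone, observed_ns, baseline)
    a = check_addresses(zone, observed_a, baseline)
    return {"zone": zone, "delegation": d, "addresses": a,
            "hijacked": d["hijacked"] or a["hijacked"]}

if __name__ == "__main__":
    # Constructed observation: the registry now delegates to an unknown
    # server and one answer points outside the known prefixes.
    print(audit("microsoft.ca",
                ["ns1.example-dns.net.", "ns9.rogue-example.test."],
                ["192.0.2.10", "203.0.113.7"]))
```

In practice the observed values would come from querying the ccTLD's name servers directly for the delegation and from several public resolvers for the A records, so that a single poisoned resolver does not mask the comparison.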
Microsoft believes that close collaboration in this effort between industry peers, partners, and industry groups such as ICANN can help increase awareness for ccTLDs and reduce the unfortunate impact of DNS records manipulation.
Guidance to Help Manage the Risk

This type of DNS hijacking diminishes public confidence in the victimized organizations and adversely affects their reputations. Security best practices, tools, training and awareness can help prevent these types of attacks. Below are some specific suggestions to help manage the risk of DNS attacks.
The next part of this series will cover Distributed Denial of service (DDoS) attacks.
Tim Rains
Director
Trustworthy Computing