Domain Name System (DNS) spoofing and DNS poisoning are closely related forms of cyber-attack. Typically, hackers misdirect a computer user to a website of their own design by supplying a false address translation to the user's computer. They accomplish this either by impersonating a valid DNS server (spoofing) or by inserting false information into a legitimate DNS server (poisoning). Usually, the user does not recognize the misdirection and may be vulnerable to the compromise of critical information such as bank login names and passwords. Many businesses would benefit from using third-party DNS services to protect against these attacks. In this paper, we explain the DNS system and the alternatives available to make it more secure.
What Are IP Addresses and Domain Name Servers?
The inventors of the Internet required each computer to have a unique address. They used domain name servers as a structured method of assigning easy-to-remember, plain-language names and abbreviations to stand in for hard-to-remember Internet Protocol (IP) addresses. Internet Protocol version 4 (IPv4) addresses are 32-bit numbers written in a special dotted notation, with a period between each octet, that looks like this: 22.214.171.124.
The 32-bit IPv4 address space provided slightly less than 4.3 billion unique addresses. As populous countries such as China and India moved online, we began to run short of addresses. Scientists developed a new address standard called IPv6 with a much larger 128-bit address space. The standard provides 340 trillion-trillion-trillion unique IP addresses. This large pool of addresses is believed to be more than enough for all present and anticipated uses. However, the resulting addresses are huge numbers that most people find incomprehensible and nearly impossible to memorize!
IPv4 addresses were easy to remember because of their small size, and popular addresses could be memorized. Some addresses were easier to memorize because they had repeating numbers, like Google's name server IPv4 address: 126.96.36.199. However, consider Google's 128-bit IPv6 name server address, 2001:4860:4860:0:0:0:0:8888. Even after applying the IPv6 shorthand notation, it defies easy memorization. The entire purpose of the DNS system is to reduce such human-unfriendly computer addresses as the one above into something shorter and easy to remember, like "google.com." or "mydnsserver.com." However, this translation system was designed with security flaws that made it possible for hackers to misdirect computer users.
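How the two notations map onto the raw 32-bit and 128-bit numbers, as an added worked example in Go (this code is not part of the paper): it parses dotted-quad IPv4 into its 32-bit value, expands an IPv6 address into its eight 16-bit groups whether or not the "::" shorthand was used, and applies the RFC 5952 compression rule (lowercase hex, leading zeros dropped, the longest run of zero groups replaced by "::"), which turns the Google address quoted above into 2001:4860:4860::8888. The addresses are the ones in the text; the error handling for malformed input is the only thing added.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseIPv4 converts dotted-quad notation into the routed 32-bit number; each label is one octet (0-255).
func ParseIPv4(s string) (uint32, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return 0, fmt.Errorf("IPv4 address needs exactly four octets: %q", s)
	}
	var v uint32
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 255 {
			return 0, fmt.Errorf("bad octet %q", p)
		}
		v = v<<8 | uint32(n)
	}
	return v, nil
}

// groups parses a colon-separated list of 16-bit hex groups; "" means none.
func groups(part string) ([]uint16, error) {
	if part == "" {
		return nil, nil
	}
	var out []uint16
	for _, h := range strings.Split(part, ":") {
		n, err := strconv.ParseUint(h, 16, 16)
		if err != nil {
			return nil, fmt.Errorf("bad group %q", h)
		}
		out = append(out, uint16(n))
	}
	return out, nil
}

// ExpandIPv6 turns the textual form, with or without "::", into its eight 16-bit groups (the full 128 bits).
func ExpandIPv6(s string) ([8]uint16, error) {
	var g [8]uint16
	halves := strings.Split(s, "::")
	if len(halves) > 2 {
		return g, fmt.Errorf(`at most one "::" is allowed: %q`, s)
	}
	head, err := groups(halves[0])
	if err != nil {
		return g, err
	}
	var tail []uint16
	if len(halves) == 2 {
		if tail, err = groups(halves[1]); err != nil {
			return g, err
		}
	}
	if len(head)+len(tail) > 8 || (len(halves) == 1 && len(head) != 8) {
		return g, fmt.Errorf("wrong number of groups: %q", s)
	}
	copy(g[:], head)            // groups before "::" fill from the left
	copy(g[8-len(tail):], tail) // groups after "::" fill from the right
	return g, nil
}

// CompressIPv6 applies RFC 5952: lowercase hex, no leading zeros, longest run of 2+ zero groups (first on a tie) -> "::".
func CompressIPv6(g [8]uint16) string {
	start, length := -1, 1 // a run must beat length 1 to qualify
	for i := 0; i < 8; i++ {
		j := i
		for j < 8 && g[j] == 0 {
			j++
		}
		if j-i > length {
			start, length = i, j-i
		}
	}
	hexs := func(gs []uint16) string {
		var p []string
		for _, v := range gs {
			p = append(p, strconv.FormatUint(uint64(v), 16))
		}
		return strings.Join(p, ":")
	}
	if start < 0 {
		return hexs(g[:])
	}
	return hexs(g[:start]) + "::" + hexs(g[start+length:])
}

func main() {
	v, _ := ParseIPv4("22.214.171.124")
	g, _ := ExpandIPv6("2001:4860:4860:0:0:0:0:8888")
	fmt.Printf("%d (0x%08x) %s\n", v, v, CompressIPv6(g))
}
```

The compression step is where human readers get tripped up: only a run of two or more zero groups may be collapsed, a single zero group is written as "0", and when two runs tie the first one is collapsed, which is why 2001:db8:0:1:0:0:0:1 becomes 2001:db8:0:1::1 and not 2001:db8::1:0:0:0:1.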
Why DNS Spoofing is a Serious Problem
From experience, most of us have learned that the information we gather on the web is only as accurate as its source. For example, the Washington Post (washingtonpost.com) can be more reliable than other news sources founded with different journalistic aims. If we compare content from the Washington Post to content on Buzzfeed.com, considered by most to be an online tabloid, we are likely to conclude that the Washington Post has higher standards of journalism. They spend much more time and effort authenticating the information provided to their target audience (government leaders, politicians, and the citizens of northern Virginia and southern Maryland). Websites such as Buzzfeed, by contrast, cater to consumers of online gossip and often care more about being the first to report something than about being accurate or truthful.
We judge the value of online information by the reputation and quality of the source. DNS spoofing and misdirection can cause consumers to get bad information or unintentionally disclose private information. Consider what would happen if the address of your bank's website took you to a Russian hacker's look-alike website instead of your bank's. Most of us assume that whenever we type in a bank's user-friendly internet name, for instance wellsfargo.com, and hit Enter, we will arrive automatically at our bank's website.
However, if someone maliciously inserted false address information into the DNS server our computer uses to convert "wellsfargo.com" into that indecipherable IPv4 or IPv6 address, we might find ourselves looking at a clever counterfeit of the Wells Fargo website hosted anywhere in the world. Hackers create perfect replicas of bank home and login pages to harvest legitimate usernames and passwords. They then use these credentials to steal money by executing fraudulent wire transfers to overseas banks.
How often does this happen, and what is the financial impact of fraudulent wire transactions? In March 2016, FBI Special Agent Vicki D. Anderson warned: "From October 2013 through February 2016, law enforcement received reports from 17,642 victims. This amounted to more than $2.3 billion in losses. The overwhelming majority of victims are located in the United States. Since January 2015, we have seen a 270 percent increase in identified victims and exposed loss. In many cases, law enforcement cannot recover funds sent overseas and may not identify the perpetrator; therefore, education and prevention are stressed." (Anderson, 2016, paras. 7-8)
At the root of the present problem are defects in the original architecture of the Domain Name System, which was designed not for security but for high availability and resilience. Today, when cybercriminals can find such rich rewards in bank fraud, they increasingly find creative ways to exploit security weaknesses in DNS. Directing US consumers towards fraudulent websites to steal banking credentials has become a big business for criminal hacking groups.
Training Solutions to DNS Spoofing
One of the first protections against spoofing is the Secure Sockets Layer (SSL) protocol used to secure communications across the internet. In most cases, an observant user who lands on a phony banking website could notice they are no longer on a secure HTTPS connection, if they have been trained to look for the visual cues in the browser's address bar. The absence of the green lock symbol in the address bar when visiting a banking or shopping website is cause for immediate concern. Browsers use this symbol to designate a secure communications channel, protected from eavesdropping and interception, whose SSL certificate was validly issued by a legitimate certificate authority.
Unfortunately, most victims of DNS spoofing lack the awareness to recognize an unsecured HTTP connection. Few understand how to examine an SSL certificate to verify its origin and authenticity. With just minimal training, most people can reliably learn to recognize a counterfeit certificate, or one whose name is intended to sound like a legitimate one for fraudulent purposes. For example, "itunes-techsupport.com" has nothing to do with the "itunes.com" website or the Apple Corporation. Shady companies sometimes buy look-alike domain names to offer technical services, counting on uninformed consumers to assume they are associated with well-known companies. PeriCertum partners with leading training developers such as Proofpoint to provide businesses with formal training programs that help employees recognize attacks and deceptions such as the ones discussed above.
Training alone is not a complete solution, because of problems with the day-to-day management of the public key certificates widely used on the web. Jai Vijayan, writing for the online security journal DARKReading (www.darkreading.com), reported that researchers from "Stanford University, Northeastern University, University of Maryland, Duke University, and Akamai Technologies" collaborated on a study finding that a "disturbingly large 8 percent of public key certificates served by websites have been previously revoked" (Vijayan, 2015, paras. 3-4). The researchers frequently found certificate revocation lists that were not updated in a timely manner. As a result, users often have no way of knowing that a certificate is no longer valid. Because of this flaw, users cannot be completely certain that the green lock symbol in their browser always proves their connection is to a legitimate website. One way to help protect against certificates that are no longer valid is to use a web filtering proxy that incorporates IP address and website reputation information. Lists of known bad or suspected websites are checked against users' browsing activity to prevent them from visiting problematic websites or IP addresses with poor reputation data.
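The look-alike-name problem from the previous paragraph and the reputation-list proxy check described here, as one added example in Go (not the paper's or PeriCertum's code, and not any vendor's filtering product): it runs a few constructed proxy log lines through a domain denylist, an IP-range reputation list and a simple brand look-alike heuristic, and records the decision and reason for each. The log lines, denylist entries, CIDR range and the brand-to-domain table are all constructed; only the brand names "itunes", "apple" and "wellsfargo" come from the text.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed proxy log lines, "<client> <host> <resolved ip>" (documentation values, not real sites).
var sampleLog = []string{
	"10.0.0.5 www.wellsfargo.com 203.0.113.10",
	"10.0.0.5 wellsfargo.com.login-verify.example 198.51.100.7",
	"10.0.0.9 itunes-techsupport.example 198.51.100.99",
	"10.0.0.9 support.apple.com 203.0.113.44",
	"10.0.0.12 cdn.known-bad.example 192.0.2.77",
	"10.0.0.12 news.example.net 192.0.2.200",
}

// Denylist and bad-reputation range as a reputation feed would deliver them (constructed).
var badDomains = []string{"known-bad.example", "login-verify.example"}
var badNets = []string{"192.0.2.0/24"}

// Brands to protect, each with the domains that legitimately carry the name (constructed table).
var brands = map[string]map[string]bool{
	"wellsfargo": {"wellsfargo.com": true},
	"itunes":     {"itunes.com": true, "apple.com": true},
	"apple":      {"apple.com": true},
}

type Verdict struct{ Client, Host, IP, Action, Reason string }

// registrable returns the last two labels; real filters consult the Public
// Suffix List so that "co.uk"-style suffixes are handled, which is skipped here.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// domainListed matches the host itself or any subdomain of a listed domain.
func domainListed(host string, list []string) bool {
	for _, d := range list {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// ipListed checks the resolved address against CIDR ranges of bad repute.
func ipListed(ip string, nets []string) bool {
	addr := net.ParseIP(ip)
	for _, n := range nets {
		if _, cidr, err := net.ParseCIDR(n); err == nil && addr != nil && cidr.Contains(addr) {
			return true
		}
	}
	return false
}

// lookalike flags a host that carries a brand name anywhere while its registrable
// domain is not one the brand owns: "itunes-techsupport.example" and
// "wellsfargo.com.login-verify.example" both trip it. Substring matching is
// deliberately simple; production tools add edit-distance and homoglyph checks.
func lookalike(host string) (string, bool) {
	reg := registrable(host)
	for brand, owned := range brands {
		if strings.Contains(host, brand) && !owned[reg] {
			return brand, true
		}
	}
	return "", false
}

// Filter applies the checks in order of confidence: denylist, IP reputation, lookalike.
func Filter(line string) (Verdict, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Verdict{}, fmt.Errorf("malformed log line %q", line)
	}
	host := strings.ToLower(strings.TrimSuffix(f[1], "."))
	v := Verdict{Client: f[0], Host: host, IP: f[2], Action: "allow", Reason: "no match"}
	switch brand, isLookalike := lookalike(host); {
	case domainListed(host, badDomains):
		v.Action, v.Reason = "block", "domain on denylist"
	case ipListed(v.IP, badNets):
		v.Action, v.Reason = "block", "resolved IP in bad-reputation range"
	case isLookalike:
		v.Action, v.Reason = "block", "lookalike of brand "+brand
	}
	return v, nil
}

func main() {
	for _, line := range sampleLog {
		fmt.Println(Filter(line))
	}
}
```

Two details matter in practice: the denylist is matched on the host and every subdomain beneath it (so a listed domain cannot be evaded by prepending labels), and the IP check runs on the address the proxy actually resolved, which is what catches a fresh hostname pointed at an already-known bad hosting range.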
DNS Security as a Technical Solution for DNS Spoofing
As discussed above, training users is an incomplete solution to the problem. The fact that digital certificate revocation lists are incomplete requires internet authorities to develop and promote technical solutions that protect DNS systems against both spoofing and poisoning. Recently the Internet Engineering Task Force (IETF) published several Request for Comments (RFC) documents describing methods of securing DNS servers using public key certificates. Many vendors now offer secure DNS services that follow these standards to enhance security. A chain of trust, leading back to a trusted third-party DNS root zone, can authenticate DNS records. This allows DNS clients to reject any DNS information not originating from a trusted server, making it much harder to spoof or poison a DNS system. Cloud-based DNS services using the newer DNS Security Extensions (DNSSEC) provide security unavailable to the many legacy DNS servers deployed by Internet Service Providers and corporate networks.
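The chain of trust this paragraph describes, modelled in Go as an added example (not code from the paper, from the IETF RFCs, or from any DNS vendor). Ed25519 stands in for the signature algorithms DNSSEC actually specifies, one key per zone replaces the KSK/ZSK pair, and the DS record is modelled as a SHA-256 hash over the child zone's name and key; the zone names (root, com., example.com.), the address 203.0.113.10 and the forged address 198.51.100.66 are constructed. The validator starts from the root key it is configured to trust, proves each child's key through the parent's signed DS record, and accepts the final answer only if its signature checks under the proven key; an answer whose address was swapped in a cache is rejected because whoever swapped it cannot re-sign it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one signed DNS record; Sig stands in for its RRSIG.
type Record struct{ Owner, Type, Data string; Sig []byte }

// Zone keeps one signing key (real DNSSEC uses a KSK/ZSK pair) and its records.
type Zone struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]Record // keyed by "owner/type"
}

func canon(owner, typ, data string) []byte { return []byte(owner + "|" + typ + "|" + data) }

// dsDigest is the DS content: a hash over the child's name and public key.
func dsDigest(name string, key []byte) string {
	d := sha256.Sum256(append([]byte(name), key...))
	return hex.EncodeToString(d[:])
}

func (z *Zone) Add(owner, typ, data string) {
	z.Records[owner+"/"+typ] = Record{owner, typ, data, ed25519.Sign(z.priv, canon(owner, typ, data))}
}

// NewZone generates the zone key, publishes it as a self-signed DNSKEY and,
// for a child zone, has the parent publish and sign the matching DS record:
// that signed DS is the link from one zone to the next.
func NewZone(name string, parent *Zone) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, pub: pub, priv: priv, Records: map[string]Record{}}
	z.Add(name, "DNSKEY", hex.EncodeToString(pub))
	if parent != nil {
		parent.Add(name, "DS", dsDigest(name, pub))
	}
	return z
}

// Validate works like a validating resolver: from the configured trust anchor
// (the root key) it proves each zone's DNSKEY through the parent's signed DS,
// then checks the answer under the last proven key. chain is ordered root first.
func Validate(anchor ed25519.PublicKey, chain []*Zone, owner, typ string) (string, error) {
	if len(chain) == 0 {
		return "", fmt.Errorf("empty chain")
	}
	trusted := anchor // the key proven so far; initially the anchor itself
	for i, z := range chain {
		dk, ok := z.Records[z.Name+"/DNSKEY"]
		zoneKey, err := hex.DecodeString(dk.Data)
		if !ok || err != nil || len(zoneKey) != ed25519.PublicKeySize {
			return "", fmt.Errorf("%s: DNSKEY missing or malformed", z.Name)
		}
		// The key must be vouched for: at the root by the anchor itself, below that by a DS signed with the parent's proven key.
		wantDS := dsDigest(z.Name, trusted)
		if i > 0 {
			ds, ok := chain[i-1].Records[z.Name+"/DS"]
			if !ok || !ed25519.Verify(trusted, canon(ds.Owner, ds.Type, ds.Data), ds.Sig) {
				return "", fmt.Errorf("%s: no validly signed DS in %s", z.Name, chain[i-1].Name)
			}
			wantDS = ds.Data
		}
		if dsDigest(z.Name, zoneKey) != wantDS {
			return "", fmt.Errorf("%s: DNSKEY is not the key its parent vouches for", z.Name)
		}
		trusted = zoneKey // proven; descend one level
	}
	rr, ok := chain[len(chain)-1].Records[owner+"/"+typ]
	if !ok || !ed25519.Verify(trusted, canon(rr.Owner, rr.Type, rr.Data), rr.Sig) {
		return "", fmt.Errorf("%s %s: missing or badly signed, answer rejected", owner, typ)
	}
	return rr.Data, nil
}

// BuildExample constructs root -> com. -> example.com. (constructed names and address) and returns the trust anchor plus the chain.
func BuildExample() (ed25519.PublicKey, []*Zone) {
	root := NewZone(".", nil)
	com := NewZone("com.", root)
	ex := NewZone("example.com.", com)
	ex.Add("www.example.com.", "A", "203.0.113.10")
	return root.pub, []*Zone{root, com, ex}
}

func main() {
	anchor, chain := BuildExample()
	fmt.Println(Validate(anchor, chain, "www.example.com.", "A"))
	// Poisoned cache entry: the address is swapped, but the signature cannot be redone without the zone key.
	rr := chain[2].Records["www.example.com./A"]
	rr.Data = "198.51.100.66"
	chain[2].Records["www.example.com./A"] = rr
	fmt.Println(Validate(anchor, chain, "www.example.com.", "A"))
}
```

Real DNSSEC (RFC 4033 through 4035) signs whole RRsets, carries validity windows and key tags in the RRSIG, and uses RSA or ECDSA keys, but the control flow of a validating resolver is the one shown: nothing is believed unless it is signed by a key that the level above has already vouched for, all the way up to an anchor the resolver was configured with rather than told about. That is why a poisoned record, or a whole rogue zone with its own self-chosen key, is rejected rather than served.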
For Better Cybersecurity Train Users and Deploy DNS Security Solutions
Training users is part of the solution. Training must be progressive and tracked so that corporate security officers can promote user education and security awareness and foster safe user behaviors. PeriCertum offers training programs designed to integrate with your Active Directory infrastructure and automatically track employee training. HR reporting functions ensure new employees receive required training during and after the onboarding process. However, the internet remains a dangerous place even for a well-trained and sophisticated user. Training users is important, but not enough. Most companies can further improve cybersecurity by deploying enhanced cloud DNS services that automatically screen for malicious URLs and check IP address reputation to avoid known malicious sources. For the near future, internet users must maintain a degree of paranoia whenever they access internet resources. Employers should look for both training and technical solutions to protect their digital assets and intellectual property. PeriCertum is available to provide recommendations and guidance on the best solutions available to assess and improve your company's security posture. Contact us to learn how we can assist you in selecting the best solutions to protect your digital property.
Anderson, V. D. (2016, March 29). FBI Warns of Rise in Schemes Targeting Businesses and Online Fraud of Financial Officers and Individuals. Retrieved from Federal Bureau of Investigation (FBI): https://www.fbi.gov/contact-us/field-offices/cleveland/news/press-releases/fbi-warns-of-rise-in-schemes-targeting-businesses-and-online-fraud-of-financial-officers-and-individuals
Anoufriev, A. (2016, June 20). Secure DNS Management: Best Practices. Retrieved from ThousandEyes: https://blog.thousandeyes.com/secure-dns-management-best-practices/
Chandramouli, R., & Rose, S. (2013, September). Secure Domain Name System (DNS) Deployment Guide. Retrieved from National Institute of Standards and Technology: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf
Langston, M. (2017, February 6). Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure. Retrieved from Software Engineering Institute: https://insights.sei.cmu.edu/sei_blog/2017/02/six-best-practices-for-securing-a-robust-domain-name-system-dns-infrastructure.html
Taylor, L., & Periman, W. (2000, August 10). Split DNS Can Add Security and Speed to a Website. Retrieved from Relevant Technologies: http://www.relevanttechnologies.com/splitdns_081000.asp
Vijayan, J. (2015, October 28). Digital Certificate Security Fail. Retrieved from DARKReading: http://www.darkreading.com/risk/digital-certificate-security-fail/d/d-id/1322887