DNS spoofing/cache poisoning: This is an attack where forged DNS data is introduced into a DNS resolver’s cache, resulting in the resolver returning an incorrect IP address for a domain. Instead of going to the correct website, traffic can be diverted to a malicious machine or anywhere else the attacker desires; often this will be a replica of the original site used for malicious purposes such as distributing malware or collecting login information.
DNS tunnelling: This attack uses other protocols to tunnel through DNS queries and responses. Attackers can use SSH, TCP, or HTTP to pass malware or stolen information into DNS queries, undetected by most firewalls.
DNS hijacking: In DNS hijacking the attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Although the result is similar to that of DNS spoofing, this is a fundamentally different attack because it targets the DNS record of the website on the nameserver, rather than a resolver’s cache.
NXDOMAIN attack: This is a type of DNS flood attack where an attacker inundates a DNS server with requests, asking for records that don’t exist, in an attempt to cause a denial-of-service for legitimate traffic. This can be accomplished using sophisticated attack tools which can auto-generate unique subdomains for each request. NXDOMAIN attacks can also target a recursive resolver with the goal of filling the resolver’s cache with junk requests.
Phantom domain attack: A phantom domain attack has a similar result to an NXDOMAIN attack on a DNS resolver. The attacker sets up a bunch of ‘phantom’ domain servers which either respond to requests very slowly or not at all. The resolver is then hit with a flood of requests to these domains and the resolver gets tied up waiting for responses, leading to slow performance and denial-of-service.
Random subdomain attack: In this case, the attacker sends DNS queries for several random, non-existent subdomains of one legitimate site. The goal is to create a denial-of-service for the domain’s authoritative nameserver, making it impossible to lookup the website from the nameserver. As a side effect, the ISP serving the attacker may also be impacted, as their recursive resolver’s cache will be loaded with bad requests.
Domain lock-up attack: Bad actors orchestrate this form of attack by setting up special domains and resolvers to create TCP connections with other legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolver’s resources.
Botnet-based CPE attack: These attacks are carried out using CPE devices (Customer Premise Equipment, this is hardware given out by service providers for use by their customers, such as modems, routers, cable boxes, etc.) The attackers compromise the CPEs and the devices become part of a botnet, used to perform random subdomain attacks against one site or domain.
DNS obscurity | NOD identification | DNS authentication | Web isolation | X-site scripting prevention | Path obscurity | Audit & reporting | More…