Securing your network and data from cyber attacks includes ensuring that all web and other public-facing traffic is secured and monitored. CyberGuard360’s DNS and Web Security systems protect from inside your organization by controlling where your users and systems can go online and what they can do there.
A secure Web gateway is a security solution that sits between users and the Internet and blocks traffic that does not meet the organization’s security policy. Enterprises use it to keep employees and other users from reaching malicious websites and from being infected by malware carried in web traffic. CyberGuard360 employs a secure Web gateway to monitor and block malicious traffic and data entering, or leaving, an organization’s network, protecting against threats that originate from the Internet, websites and other web-enabled products or services. Features include virus and malware detection, malicious URL filtering, application-level control and data loss prevention (DLP).
Web security wraps a protective layer around the organization as it reaches beyond the perimeter into the World Wide Web. Traffic in and out is scanned for malicious, unauthorized or suspicious content. Valid traffic passes through without incident; malicious traffic is blocked before it makes its way into the network.
Standard DNS queries, sent by virtually everyone who uses the web, travel unauthenticated and unencrypted, which creates opportunities for attacks such as man-in-the-middle interception and DNS hijacking. These attacks redirect traffic intended for a website to a fake copy of the site, collecting sensitive user information and exposing businesses to major liability. To protect against these threats, CyberGuard360’s tools evaluate an organization’s DNS traffic and, when authorized, employ Secure DNS.
DNS attacks may not seem like a significant threat, but they are very common and give attackers an easy way to steal data or redirect users.
What are some common attacks involving DNS?
DNS spoofing/cache poisoning: This is an attack where forged DNS data is introduced into a DNS resolver’s cache, resulting in the resolver returning an incorrect IP address for a domain. Instead of going to the correct website, traffic can be diverted to a malicious machine or anywhere else the attacker desires; often this will be a replica of the original site used for malicious purposes such as distributing malware or collecting login information.
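The paragraph above describes the outcome of cache poisoning; the following is an added example (not CyberGuard360 code) of the checks a recursive resolver applies to every incoming response, which is exactly what a blind, off-path poisoner has to defeat. DNS messages are modelled as plain Python objects rather than wire format, and the names, addresses, ports and transaction IDs are constructed for the demonstration.

```python
"""Resolver-side checks that a cache-poisoning attacker has to defeat.

Added example, not CyberGuard360 code. Messages are plain Python objects
instead of DNS wire format; all names, addresses and IDs are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class PendingQuery:
    txid: int       # 16-bit transaction ID the resolver chose
    src_port: int   # randomised UDP source port the resolver sent from
    server_ip: str  # authoritative server that was asked
    zone: str       # zone that server is authoritative for (its bailiwick)
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    answers: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(q: PendingQuery, r: Response):
    """Return (accepted, reason, records_safe_to_cache).

    The first four checks are what a blind attacker must guess or spoof; the
    bailiwick rule then stops any response, genuine or forged, from planting
    records for names the queried server has no authority over.
    """
    if r.src_ip != q.server_ip:
        return False, "source address is not the server we queried", []
    if r.dst_port != q.src_port:
        return False, "destination port does not match our source port", []
    if r.txid != q.txid:
        return False, "transaction ID mismatch", []
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return False, "question section does not match", []
    cacheable = [rr for rr in r.answers + r.authority + r.additional
                 if in_bailiwick(rr.name, q.zone)]
    return True, "accepted", cacheable


def blind_spoof_success(forged_packets: int, randomise_port: bool) -> float:
    """Probability that at least one blind forgery matches before the real answer.

    Guessing only the 16-bit TXID leaves 65,536 possibilities; a randomised
    16-bit source port multiplies that to roughly 2**32.
    """
    space = 2 ** 16 * (2 ** 16 if randomise_port else 1)
    return 1 - (1 - 1 / space) ** forged_packets


def demo():
    q = PendingQuery(txid=0x1A2B, src_port=51234, server_ip="192.0.2.53",
                     zone="bank.example", qname="www.bank.example", qtype="A")
    results = {}

    # Forgery with the server's IP spoofed and the port guessed right, TXID wrong.
    forged = Response(txid=0x1A2C, dst_port=51234, src_ip="192.0.2.53",
                      qname="www.bank.example", qtype="A",
                      answers=[RR("www.bank.example", "A", "198.51.100.66")])
    results["wrong_txid"] = validate_response(q, forged)

    # Forgery that wins the race on every field and also tries to poison an
    # unrelated domain via the additional section. The in-bailiwick answer is
    # still accepted (only DNSSEC stops that); the out-of-bailiwick record is dropped.
    forged_in_window = Response(txid=0x1A2B, dst_port=51234, src_ip="192.0.2.53",
                                qname="www.bank.example", qtype="A",
                                answers=[RR("www.bank.example", "A", "198.51.100.66")],
                                additional=[RR("login.othercorp.example", "A", "198.51.100.66")])
    results["out_of_bailiwick"] = validate_response(q, forged_in_window)
    return results


if __name__ == "__main__":
    for case, (ok, reason, cached) in demo().items():
        print(f"{case:18} accepted={ok} reason={reason!r} cached={[rr.name for rr in cached]}")
    print("blind guess, TXID only, 65536 packets:", round(blind_spoof_success(65536, False), 3))
    print("blind guess, TXID+port, 65536 packets:", round(blind_spoof_success(65536, True), 6))
```

The second scenario is the honest caveat: once an attacker guesses both the transaction ID and the source port, an in-bailiwick forged answer is cached like any other. Port randomisation shrinks the odds of that guess, and DNSSEC validation is what removes it altogether.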
DNS tunnelling: This attack encodes other protocols inside DNS queries and responses, for example by packing data into subdomain labels and TXT records. Attackers use it to carry SSH, TCP or HTTP traffic, malware, or stolen information through DNS, which most firewalls allow out without inspection.
DNS hijacking: In DNS hijacking the attacker redirects queries to a different domain name server. This can be done either with malware or with the unauthorized modification of a DNS server. Although the result is similar to that of DNS spoofing, this is a fundamentally different attack because it targets the DNS record of the website on the nameserver, rather than a resolver’s cache.
NXDOMAIN attack: This is a type of DNS flood attack in which an attacker inundates a DNS server with requests for records that don’t exist, in an attempt to cause a denial-of-service for legitimate traffic. This can be accomplished using attack tools that auto-generate a unique subdomain for each request. NXDOMAIN attacks can also target a recursive resolver with the goal of filling the resolver’s cache with negative entries for nonexistent names, pushing out legitimate records.
Phantom domain attack: A phantom domain attack has a similar result to an NXDOMAIN attack on a DNS resolver. The attacker sets up a number of ‘phantom’ domain servers that either respond to requests very slowly or not at all. The resolver is then hit with a flood of requests for these domains and gets tied up waiting for responses, leading to slow performance and denial-of-service.
Random subdomain attack: In this case, the attacker sends DNS queries for many random, non-existent subdomains of one legitimate site. The goal is to create a denial-of-service for the domain’s authoritative nameserver, making it impossible to look up the website from that nameserver. As a side effect, the ISP serving the attacker may also be impacted, as its recursive resolver’s cache fills with negative answers for the bogus names.
Domain lock-up attack: Bad actors orchestrate this form of attack by setting up special domains and resolvers to create TCP connections with other legitimate resolvers. When the targeted resolvers send requests, these domains send back slow streams of random packets, tying up the resolver’s resources.
Botnet-based CPE attack: These attacks are carried out using compromised CPE devices (Customer Premise Equipment: the modems, routers, cable boxes and similar hardware that service providers supply to their customers). Once compromised, the devices become part of a botnet that performs random subdomain attacks against one site or domain.
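Both DNS tunnelling and random-subdomain floods (including the botnet-driven variety described above) leave a characteristic footprint in resolver query logs: a very high share of never-before-seen subdomains under one registered domain. The example below is added here and is not CyberGuard360 code; it profiles a constructed query log and separates the two patterns by label length, character entropy and NXDOMAIN rate. The log format, domain names, thresholds and the two-label rule for the registered domain are all assumptions; a production detector would use the Public Suffix List and tune thresholds to its own baseline.

```python
"""Detecting DNS tunnelling and random-subdomain floods in resolver query logs.

Added example, not CyberGuard360 code. Log format, domains and thresholds are
assumptions; the sample log is synthesised with a seeded RNG.
"""
import math
import random
from collections import defaultdict

# Constructed log format (assumption): "<timestamp> <client_ip> <qtype> <qname> <rcode>"


def build_sample_log(seed: int = 7) -> list:
    """Synthesise three traffic patterns reproducibly (constructed data)."""
    rng = random.Random(seed)
    lines = []
    # 1. Ordinary use: a handful of well-known hostnames, queried repeatedly.
    for i, host in enumerate(["www", "mail", "www", "api", "www", "mail"] * 4):
        lines.append(f"2024-05-01T10:00:{i:02d}Z 10.0.0.5 A {host}.corp.example NOERROR")
    # 2. Tunnelling: long base32-looking leftmost labels in TXT queries that all resolve.
    b32 = "abcdefghijklmnopqrstuvwxyz234567"
    for i in range(24):
        label = "".join(rng.choices(b32, k=40))
        lines.append(f"2024-05-01T10:01:{i:02d}Z 10.0.0.9 TXT {label}.tun.example NOERROR")
    # 3. Random-subdomain flood from many clients (a botnet): short random labels, all NXDOMAIN.
    for i in range(24):
        label = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=12))
        client = f"10.1.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        lines.append(f"2024-05-01T10:02:{i:02d}Z {client} A {label}.victim.example NXDOMAIN")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character: random base32 text approaches 5.0, normal hostnames sit well below 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile(lines):
    """Aggregate per registered domain (assumption: last two labels; use the PSL in practice)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "label_len": 0, "entropy": 0.0, "nxdomain": 0, "txt_null": 0})
    for line in lines:
        _ts, client, qtype, qname, rcode = line.split()
        labels = qname.rstrip(".").lower().split(".")
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["subdomains"].add(".".join(labels))
        s["clients"].add(client)
        s["label_len"] += len(labels[0])          # leftmost label carries tunnelled data
        s["entropy"] += shannon_entropy(labels[0])
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["txt_null"] += int(qtype in ("TXT", "NULL"))
    return stats


def classify(s, min_queries: int = 20) -> str:
    """Thresholds are illustrative assumptions, not measured values."""
    n = s["queries"]
    if n < min_queries:
        return "insufficient data"
    unique_rate = len(s["subdomains"]) / n
    avg_len = s["label_len"] / n
    avg_ent = s["entropy"] / n
    nx_rate = s["nxdomain"] / n
    if unique_rate >= 0.9 and avg_len >= 30 and avg_ent >= 3.5:
        return "suspected DNS tunnelling"
    if unique_rate >= 0.9 and nx_rate >= 0.8:
        return "suspected random-subdomain flood"
    return "benign"


def report(lines) -> dict:
    return {domain: classify(s) for domain, s in profile(lines).items()}


if __name__ == "__main__":
    stats = profile(build_sample_log())
    for domain, s in stats.items():
        print(f"{domain:16} queries={s['queries']:3} unique={len(s['subdomains']):3} "
              f"clients={len(s['clients']):3} nxdomain={s['nxdomain']:3} -> {classify(s)}")
```

The two patterns overlap (a flood of very long random labels would trip the tunnelling rule first), so the verdicts are a triage hint rather than a final call. The distinct client count is the extra signal for the botnet case: a flood from hundreds of CPE addresses against one domain looks quite different from a single infected host tunnelling data out.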
DNS obscurity | NOD identification | DNS authentication | Web isolation | X-site scripting prevention | Path obscurity | Audit & reporting | More…