Like many of the foundational systems that support the modern internet, DNS was introduced years before the advent of the World Wide Web, and its original design focused on simplicity, reliability, and speed. Little consideration for network security was incorporated into its original specification.
As a result, and owing to its critical role in internet operations, DNS has been exploited by malicious actors for several decades, despite security improvements over the years.
In this article, we look at some of the highest-profile DNS-related security incidents, some historical and some more recent.
Common Types of DNS Attacks
First, let’s review some of the most common types of DNS attacks:
- DNS hijacking: Attackers gain access to and control of a DNS server and alter its records to send traffic to malicious websites.
- DNS cache poisoning (a.k.a. DNS spoofing): Attackers plant bogus DNS records in a DNS server’s cache, sometimes by compromising a domain-name registrar’s system and using it to spread bad DNS information to DNS servers.
- DNS tunneling: This attack exploits a DNS “feature” in which queries and responses can include a payload of arbitrary data (including software code) that bypasses normal security restrictions. Although there are some legitimate uses for DNS tunneling, it’s also common for hackers to use it to deliver malware to, or exfiltrate sensitive data from, vulnerable target systems.
- DNS flooding: This is a type of distributed denial-of-service (DDoS) attack in which hackers command a network of compromised computers and internet-of-things (IoT) devices to flood a DNS server with requests, overwhelming the server and preventing it from responding to legitimate queries.
- DNS amplification: Another type of DDoS attack, this one exploits the fact that a DNS request can be small in size (a few hundred bytes) but the response can be quite large. In this attack, the hackers send thousands of queries to a DNS server that appear to come from the target system. The DNS server responds by sending the target system the larger responses, overwhelming the target system’s resources.
History’s Biggest DNS Attacks
Without further ado, here is a subjective list of the biggest DNS-related attacks in history:
2002: DNS Root Server DDoS Attack
At the top of the DNS hierarchy are the root servers, 13 clusters of servers scattered across the globe. These servers do not serve detailed query responses; they direct queries to the appropriate DNS servers for each top-level domain (TLD): the familiar .com, .org, .edu, and the myriad custom TLDs.
In 2002, those root servers came under coordinated attack. The attackers targeted all 13 root servers simultaneously, disabling nine of them for over an hour, using a network of compromised computers and other devices to flood the root servers with queries, effectively blinding large parts of the DNS backbone.
Fortunately, the damage was limited, with the remaining four servers experiencing only minor effects. Thanks to DNS caching and some good luck, the system’s built-in redundancy prevented a full-blown internet blackout.
That said, the incident served as a wake-up call for the DNS management community, exposing weaknesses in the system and spurring investment to develop and deploy additional security measures to keep the DNS ecosystem running in the face of large-scale attacks.
2006: Blue Security DDoS Attack
In an extreme example of the consequences of DNS attacks, a 2006 attack against anti-spam company Blue Security caused the firm to close its doors two weeks later.
Blue Security had an innovative and controversial approach to fighting spam: Identify the spammers and flood them with opt-out requests. Spammers did not take kindly to this method, and one was apparently able to bribe a Russian ISP staffer to disable Blue Security’s IP address at internet backbone routers, making the Blue Security website inaccessible outside of Israel.
Blue Security then made a fatal decision to redirect their domain name to their blog site, hosted by a third party, TypePad. In response, hackers launched a DNS DDoS attack against Six Apart (the company that operated TypePad and LiveJournal), rendering its blog sites inaccessible for several hours and affecting millions of bloggers.
Rather than expose their customers and innocent bystanders to the crossfire of a full-scale cyber war, Blue Security decided to cease its operations. The lesson: Hackers can be determined players and have powerful tools at their disposal. They can cause irreparable damage if sufficiently provoked, to the point of driving organizations out of business.
2008: ICANN Domain Hijacking
The Internet Corporation for Assigned Names and Numbers (ICANN) is the governing body that supports the DNS. In June 2008, ICANN fell victim to a DNS hijacking attack that redirected traffic intended for ICANN’s websites to a malicious site containing political propaganda. The incident was an embarrassment for ICANN because of its prominent role in the security and stability of the internet.
The hackers–an organization calling itself NetDevilz–were able to carry out this attack because they used social engineering to persuade a domain-name registrar to change the name servers associated with ICANN’s domains. By the time the changes were rolled back, some 20 minutes after the attack was detected, the damage was done: The changes had been propagated to DNS servers around the world, and it was two days before the corrections were made throughout the DNS ecosystem.
The incident highlighted the importance of implementing security measures to guard against phishing and other social engineering attacks, especially for organizations such as domain-name registrars, which have a critical role in internet security.
But it also underscores something even more unsettling: even if the security of IT systems you control is perfect, some aspects outside your control can still hurt you. Security lapses by a third party–in this case, ICANN’s domain-name registrar–can still have major implications for you. Had ICANN not been on top of the situation, or if they were a higher-profile target, such as a bank, major retailer, or important government agency, the damage could have been much worse.
2013: New York Times and Twitter Hijacking
A more prominent example of DNS hijacking emerged in August 2013, when the domains of the New York Times, Twitter (now known as X), and other organizations were hijacked, sending their website visitors to malicious websites. Like the ICANN hijacking five years earlier, this attack, perpetrated by the “Syrian Electronic Army,” was carried out by compromising a domain-name registrar and changing the name servers associated with the targeted organizations.
Unlike the ICANN attack, this one had tangible impacts on the targeted organizations. Without its website, for example, the New York Times was unable to serve its paying subscribers with news stories and other services.
In this case, the attack was motivated by politics rather than financial gain, and no user data was compromised. But the potential was there for major damage to these sites’ operations, revenue streams, and reputations. It showed that determined attackers can and will disable high-profile websites and disrupt operations for an extended period.
The New York Times and X have the resources to recover from incidents like this one, but many smaller organizations don’t–they’re just one cyberattack away from shutting down for good.
2013: Spamhaus DNS Amplification Attack
Spamhaus is an organization dedicated to reducing spam by supplying internet service providers with “blocklists” of known spammers. Spammers and their cybercriminal fellow travelers are not fond of Spamhaus, and in 2013, the organization was hit with what was billed at the time as one of the largest DDoS attacks in history.
In this attack, the perpetrators sent numerous requests for a DNS zone file (approximately 3 KB for each response) to thousands of open DNS resolver machines around the world, resulting in up to 300 GB/s of traffic thrown at the Spamhaus website. The Spamhaus site was intermittently disabled over several days. During the periods the site was down, it was unable to send updated blocklists to clients–a serious blow to its operations and mission.
Although Spamhaus was the primary target, the extra internet traffic affected users around the world by slowing connections and increasing response delays. Although largely forgotten today, the Spamhaus incident was described at the time as the DDoS attack that “almost broke the internet.”
This was an early example of the DNS amplification attack type, and it exposed the risks posed by open DNS resolvers, which process these types of queries without question or filtering. Although various techniques have been developed to reduce the risks associated with open DNS resolvers, they remain an issue even today.
Spamhaus recovered and is still in operation today. Because of the nature of their business, they know they will be a constant target and have taken extra steps to protect themselves. But even if your mission does not involve annoying the hacker community, you can still be a target. Hackers are equal-opportunity criminals.
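The amplification mechanism described in the attack-types list above, and seen at scale in the Spamhaus incident, is visible from the resolver operator’s side as a lopsided bytes-out-to-bytes-in ratio toward one address (the spoofed victim). The following is an added example, not code from the article or from Control D: it runs a reflection check over constructed resolver log lines in an assumed format (epoch, client IP, qname, qtype, query bytes, response bytes), with illustrative thresholds that are not any vendor’s defaults.

```python
"""Reflection/amplification detector over constructed resolver log lines.
Assumed log format (not from the article), one record per line:
  <epoch> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
Thresholds are illustrative, not any vendor's defaults."""
from collections import defaultdict

# Constructed sample. In a reflection attack the "client" address is the
# spoofed victim: the resolver sees tiny ANY queries and returns big answers.
SAMPLE_LOG = """\
1700000000 203.0.113.7 example.net ANY 64 3072
1700000000 203.0.113.7 example.net ANY 64 3072
1700000001 203.0.113.7 example.net ANY 64 3072
1700000001 203.0.113.7 example.net ANY 64 3072
1700000002 203.0.113.7 example.net ANY 64 3072
1700000002 198.51.100.4 www.example.com A 60 76
1700000003 198.51.100.4 mail.example.com MX 63 120
1700000003 192.0.2.9 example.org TXT 58 512
"""

def aggregate(log_text):
    """Sum query count and query/response sizes per client address."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qname, _qtype, qlen, rlen = line.split()
        s = stats[client]
        s["queries"] += 1
        s["query_bytes"] += int(qlen)
        s["response_bytes"] += int(rlen)
    return stats

def amplification_factor(s):
    """Bytes sent back per byte received; well above 1 means the resolver amplifies."""
    return s["response_bytes"] / s["query_bytes"] if s["query_bytes"] else 0.0

def flag_reflection(log_text, min_queries=5, min_factor=20.0):
    """Return {client: factor} for addresses that look like reflection victims."""
    flagged = {}
    for client, s in aggregate(log_text).items():
        factor = amplification_factor(s)
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged[client] = round(factor, 1)
    return flagged

if __name__ == "__main__":
    for client, factor in flag_reflection(SAMPLE_LOG).items():
        print(f"{client}: {factor}x amplification; apply response rate limiting")
```

Flagged addresses are candidates for response rate limiting or for refusing ANY-type queries, which are the standard mitigations on a resolver that must stay reachable.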
2016: Brazilian Bank Spoofing
Unlike most of the previous examples, which did little or no significant damage, the Brazilian bank DNS spoofing attack that started in October 2016 resulted in real money being stolen from real people and immense damage to a major (albeit still unnamed) Brazilian bank. This attack was remarkable not only for the extent of its damage but also for its sophistication and careful planning.
In this attack, according to security analysts at Kaspersky Labs, the hackers were able to penetrate and take complete control of the bank’s IT infrastructure, compromising its 36 domain names and redirecting bank customers to lookalike sites that stole their bank login credentials. To make the ruse even more convincing, the hackers had previously obtained SSL certificates in the bank’s name and used them to legitimize the HTTPS connections to the fake websites. Customers had no reason to believe they were visiting anything other than the bank’s legitimate, secure websites.
To add insult to injury, the fake websites distributed malware to customers. The malware harvested their bank login credentials as well as email account credentials, exposing them to further damage.
The takeover, which lasted about five hours before the bank’s IT teams were able to regain control, was so complete that even the bank’s email systems were disabled. The bank had no way of contacting its domain-name registrar or customers to inform them of the catastrophe. Those gut-wrenching hours must have seemed an eternity of helplessness.
The extent of the damage to the bank and its customers remains unknown, but it is likely that it was extensive. To this day, the organization has not identified itself as the target of this crime. This fact suggests that the bank was large enough to recover and make its customers whole. A smaller organization might not have fared so well.
This attack exposed a serious weakness in the IT security of banks and other financial institutions. When thousands or millions of customers trust you with billions of dollars of their money, or their sensitive personal data, it is critical to be extra vigilant regarding IT security in general and DNS security in particular. Simple measures that domain-name registrars provide, such as registry locking and multi-factor authentication, could have mitigated or prevented the damage done in this case.
Protecting Against DNS Attacks
More recently, the adoption of security measures such as DNS Security Extensions (DNSSEC), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT) by ISPs, software providers, and others has reduced the frequency of high-profile DNS-related cyberattacks such as those described above.
But these attacks have not gone away, and in the endless cybersecurity cat-and-mouse game, the hackers are always thinking one step ahead. Hackers as a group are a highly skilled, innovative bunch whose efforts show increasing sophistication. When you consider that many hacker teams are funded by governments, it’s clear that cyberattacks in general and DNS-related attacks in particular will continue to increase in size, scope, and impact.
How can you protect yourself? One way is to take control of the way your organization’s IT infrastructure interacts with DNS. The Control D solution provides access to DNS resolvers that enable fine-grained control over resolution behavior, such as content filtering and redirection to proxies in multiple different countries according to rules you specify. By insulating your organization from exposure to “plain vanilla” DNS and its vulnerabilities, you increase your privacy and reduce your attack surface.
To learn more about how Control D can protect you from DNS-related cyberattacks, contact Control D today.