Authoritative DNS takeovers
The second type of DNS attack happens when attackers take over one or more authoritative DNS servers for a domain. In his post, von Wallenstein noted that authoritative DNS hosting is the type of service that his firm provides to Twitter. However, Dyn Inc. wasn't targeted by the SEA, so their services to Twitter were not impacted by Tuesday's incident.
If an attacker were to compromise an authoritative DNS, von Wallenstein explains, the effect would be global. While that wasn't what the SEA did during their most recent attack, it's been done before.
In 2009, Twitter suffered a separate attack by the Iranian Cyber Army. The group altered DNS records and redirected traffic to propaganda hosted on servers they controlled. The ability to alter DNS settings came after the Iranian Cyber Army compromised a Twitter staffer's email account, and then used that account to authorize DNS changes. During that incident, Dyn Inc. was the registrar contacted in order to process the change request.
Defenses against these types of attacks often include strong passwords and IP-based ACLs (access control lists). A solid training program that deals with social engineering will also be effective.
"I think the first step is recognizing the importance of authoritative DNS in our Internet connectivity trust model," Brenton said.
All the time and resources in the world can be placed into securing a web server, but if an attacker can attack the authoritative server and point the DNS records at a different IP address, "to the rest of the world it's still going to look like you've been owned," Brenton added.
"In fact it's worse because that one attack will also permit them to redirect your email or any other service you are offering. So hosting your authoritative server with a trusted authority is the simplest way to resolve this problem."
Compromised domain registration
The third type of DNS attack is also the most problematic to undo. It happens when an attacker compromises the registration of the domain itself, and then uses that access to alter the DNS servers assigned to it.
This is also what the SEA did when they went after Twitter and the New York Times. They gained access to MelbourneIT, the registrar responsible for the domains targeted, and changed the authoritative DNS servers to their own.
"At this time, those authoritative nameservers answered all queries for the affected domains. What makes this attack so dangerous is what's called the TTL (time to live). Changes of this nature are globally cached on recursive DNS servers for typically 86,400 seconds, or a full day. Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed," von Wallenstein wrote.
Brenton's advice for authoritative DNS applies here as well. It's also possible to host authoritative servers within the organization, allowing for complete control.
"If you are going to run your own authoritative servers, make sure you follow the best security practices that have been identified by SANS and the Center for Internet Security," Brenton advised.
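A delegation check for the registrar-compromise case described above, added here as an example and not code from the article, Dyn or Brenton: it parses a DNS NS answer (including name compression), compares the nameservers against an assumed allowlist (EXPECTED_NS), and reports the longest TTL still caching a rogue delegation. The response packet is constructed inline; the domain, nameserver names and TTL are assumptions.

```python
import struct

EXPECTED_NS = {"ns1.example.net.", "ns2.example.net."}  # assumed allowlist for the constructed zone
def _enc(name):  # dotted name -> uncompressed DNS wire format
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, remembering where we were
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def parse_ns_answer(pkt):
    """Return {nameserver: ttl} for every NS record in the answer section."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        off = read_name(pkt, off)[1] + 4
    result = {}
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 2:  # NS
            result[read_name(pkt, off)[0].lower()] = ttl
        off += rdlen
    return result

def check_delegation(observed, expected=EXPECTED_NS):  # -> rogue servers + worst-case cache window
    rogue = {ns: ttl for ns, ttl in observed.items() if ns not in expected}
    return {"rogue": rogue, "max_cache_seconds": max(rogue.values(), default=0)}

def _rr(rdata, ttl=86400):  # constructed NS answer RR; owner name is a pointer to the question (0xC00C)
    return b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, ttl, len(rdata)) + rdata

SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)  # constructed response: qd=1, an=3
    + _enc("example.com") + struct.pack(">HH", 2, 1)  # question: example.com NS IN
    + _rr(_enc("ns1.example.net")) + _rr(b"\x03ns2\xc0\x2d")  # expected; 2nd is "ns2" + ptr to offset 45
    + _rr(_enc("ns1.rogue-dns.invalid")))  # rogue delegation, cached for the full 86400 s TTL
```

Run the same parser over a live answer from a recursive resolver and alert when `rogue` is non-empty; `max_cache_seconds` is how long resolvers that already cached the rogue NS set may keep serving it.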