What is DNSSEC?

DNSSEC is a security extension that uses a combination of public and private keys to sign data and verify the authoritative server.

DNSSEC is a cryptographic solution for domain authentication. 

With it, even if a recursive server was poisoned by hackers, it won’t send the visitors to a shady website where their personal data and bank information can be stolen. The DNSSEC must be applied at each step, from the root zone to the domain. The root zone will have a key for the .com and the .com will have for the EXAMPLE.com. DNSSEC is a chain of trust that needs to be verified on each point.

How DNS Works and the Role of DNSSEC

We have already talked about how DNS works. Briefly explained, it is a system that facilitates our lives by translating domain names to their IP addresses. This way, visitors don’t need to remember IP addresses and just write the name of the domain. In the DNS, users’ requests go through different recursive servers until it reaches the root zone where the IP addresses are stored.

However, when DNS was created, security wasn’t a major concern. This left DNS vulnerable to attacks such as DNS spoofing (or cache poisoning), where a hacker manipulates DNS records to redirect users to malicious sites. DNSSEC was developed to secure the DNS without completely rebuilding its core architecture.

The Importance of DNS Security

The DNS Security should not be neglected. Especially when we think about how many people connect their devices and use them on unsecured public Wi-Fi networks. Their DNS traffic could go to a poisoned DNS resolver that has modified DNS records. A modified DNS record could lead to a similar or exactly the same looking site that is there to get the person’s personal data, including bank data. The victim won’t even notice there was a problem until it is too late and all thanks to the weak DNS security that a non-DNSSEC solution offers by default. 

When you apply DNSSEC for your domain, all those users who are using public Wi-Fi networks or private ones will be safe from such scams. Their web browser will recognize the DNS record that is not signed correctly with DNSSEC, and it will drop it. 

The DNSSEC is proof of original and non-manipulated DNS records that secures DNS and fixes its flaws. It is cryptographically protected and secure.

How does DNSSEC work?

DNSSEC works by adding digital signatures to DNS records using public-key cryptography. Here’s a simplified breakdown of how it works:

1. Public and Private Keys: DNSSEC uses a pair of cryptographic keys – one public and one private. The private key is used to generate digital signatures for DNS data, and the public key is used by DNS resolvers to verify that the signatures are valid.
2. Signing DNS Records: When DNSSEC is enabled for a domain, its DNS records are digitally signed using the domain’s private key. This means that if anyone tries to tamper with the records, the signature will no longer match, and the change can be detected.
3. Chain of Trust: DNSSEC uses a hierarchical trust model. On top of this trust is the DNS root zone, which is managed by trusted organizations. Each level of the DNS hierarchy (from the root to TLDs like .com, down to individual domains) is responsible for signing the records at the next level down. For example, if you own a domain like “example.com”, your domain’s signatures are verified by the “.com” zone, which in turn is verified by the root zone.
4. Resolvers and Validation: When a DNS resolver queries a DNSSEC-enabled domain, it not only receives the usual DNS data (such as the IP address) but also the associated digital signatures. The resolver then uses the public key associated with the domain to verify the signature. If the signature is valid, the resolver can be confident that the DNS data hasn’t been modified.

Key Components of DNSSEC

There are a few critical terms and components to understand when discussing DNSSEC:

1. DNS Record Types: DNSSEC adds several new DNS records to achieve signature validation.
   • RRSIG: The digital signature associated with a particular set of DNS records.
   • DNSKEY: This record contains the public key used to verify RRSIGs.
   • DS Record: A delegation signer record that authenticates the connection between a domain’s DNS zone and its parent zone. It contains a hash of the DNSKEY record, which allows resolvers to verify the authenticity of DNS responses and ensure the integrity of the domain’s DNS data.
   • NSEC/NSEC3: It is a pointer to the next secure record name in the zone.
2. Resource Record sets (RRsets): They gather the same type of DNS records, such as A, AAAA, and MX. The RRsets help to reduce the complication of verifying single records.
3. Zone-Signing Keys (ZSK): These keys are used by the DNS zone operator to sign individual DNS records (RRsets) within the zone. The private ZSK signs the RRsets and saves them in the form of RRSIG records. The public ZSK is published in the form of DNSKEY to validate these signatures.
4. Key-Signing Keys (KSK): The KSK is used to sign the DNSKEY record, which includes the public ZSK. The private KSK signs both the KSK and the ZSK, ensuring trust in the zone’s cryptographic keys.

What does DNSSEC mean for the end users?

Enabling DNSSEC will guarantee that the users will access the right website, not a fake copy. It doesn’t remove the need of a SSL certificate for data encryption and further protection of users’ data, but it secures the otherwise unsecured DNS.

Who Needs DNSSEC?

The simple answer is anyone with a domain name! However, some types of websites benefit the most from this solution:

• eCommerce Sites: Protecting customers’ financial information and preventing phishing attacks is critical. DNSSEC ensures that users connect to the correct server and are not misled by a fake site.
• Financial Institutions: Online banking services are frequent targets of DNS attacks, especially due to the sensitive nature of their transactions. Implementing DNSSEC is crucial to protecting both customers and the institution from fraudulent activities.
• Healthcare Organizations: With the rise of online health services and medical records, healthcare websites need to ensure the privacy and accuracy of patient data. DNSSEC adds a layer of protection essential for safeguarding personal health information.
• Enterprises: Large corporations often have multiple domains, subdomains, and services hosted online. DNSSEC prevents DNS hijacking that could damage the company’s reputation and customer trust.

Even if you run a small blog or a simple business website, this service ensures your domain won’t be exploited for malicious purposes. It’s a valuable tool for maintaining the security and integrity of any online property.

ClouDNS and DNSSEC

ClouDNS offers DNSSEC both for Primary and Secondary DNS for each of our paid DNS plans. The DNSSEC is compatible with non-DNSSEC resolvers too. This means that if you enable it, The DNS will continue to function without problems even if the resolver(s) doesn’t support DNSSEC. Having a secure DNS is easy.

Benefits

Some of the key benefits include the following:

• Improved Security: It ensures the authenticity and integrity of DNS responses by digitally signing DNS data, protecting against attacks like DNS spoofing and cache poisoning.
• Data Integrity: It guarantees that the DNS data has not been tampered with during transmission, ensuring reliable communication.
• Trust Establishment: DNSSEC creates a chain of trust from the root DNS servers down to individual domains, enhancing overall trust in internet services.
• Prevents Redirection: It helps prevent users from being unknowingly redirected to malicious websites by ensuring the validity of DNS responses.

Cons of DNSSEC

As you could guess, there are some negatives with it too. Apply it correctly will create more records. Furthermore, it will increase the size of the DNS responses.
Still we recommend the use of DNSSEC. It is not hard to apply, it will provide an extra security and save you many problems with your clients.

Conclusion

DNSSEC plays a vital role in keeping the internet secure. As cyber threats like DNS spoofing, man-in-the-middle attacks, and cache poisoning are becoming common, protecting your DNS is essential. By using this service, you protect the integrity of your domain and ensure that your users can always reach your legitimate website. No matter the size of your online presence, whether it’s a personal blog or a large company, DNSSEC offers an important layer of protection that helps keep your domain secure and trustworthy.

The post DNSSEC, the DNS Security extension appeared first on ClouDNS Blog.

What is a R.U.D.Y. attack?

R.U.D.Y., short for “R U Dead Yet,” is a slow-rate DoS attack that targets web servers and applications. Unlike traditional DoS attacks that overwhelm servers with rapid, high-volume requests, a R.U.D.Y. attack employs a stealthier approach. This attack targets the application layer (Layer 7) of the OSI model, specifically exploiting HTTP POST requests to cause disruption. It works by sending HTTP POST requests with an abnormally long content-length header value, transmitting the data in exceedingly slow chunks. This tactic keeps the server connection open for extended periods, eventually exhausting server resources and causing legitimate user requests to be delayed or denied.

How does it work?

To understand the mechanics of a R.U.D.Y. attack, let’s break it down step-by-step:

1. Initiation: The attacker identifies a target web server that accepts HTTP POST requests.
2. Connection Establishment: The attacker establishes a connection to the server.
3. Sending Headers: The attacker sends an HTTP POST request with an exaggerated content-length header, indicating that a large amount of data will follow. Here is an example:
   POST /submit HTTP/1.1
   Host: targetserver.com
   Content-Length: 100000
4. Slow Data Transmission: Instead of sending the data all at once, the attacker sends the data in very small chunks, with long intervals between each chunk. This slow data transfer ties up server resources. The attacker ensures that each chunk is sent within the timeout limit set by the server, preventing the connection from being dropped.
5. Resource Exhaustion: As more connections are opened and held, the server’s resources are gradually consumed, leading to performance degradation and potential denial of service to legitimate users.

Technical Details

• HTTP POST Request: This method is used to send data to the server, typically for form submissions. The R.U.D.Y. attack exploits this by sending data extremely slowly, maintaining the connection just below the server’s timeout threshold.
• Connection Timeout: Web servers have a timeout setting to drop idle connections. The R U Dead Yet attack aims to stay just within this timeout window, keeping the connection alive indefinitely.
• Application Layer Attack: As a Layer 7 attack, R.U.D.Y. specifically targets the application layer, making it more challenging to detect and mitigate compared to lower-layer attacks like SYN floods or ICMP attacks.

Why is the R U Dead Yet attack effective?

The effectiveness of the R.U.D.Y. attack lies in its simplicity and the difficulty of detection. Traditional DoS defenses, which focus on high traffic volumes and rapid request rates, may not recognize the slow and steady nature of a R.U.D.Y. attack. Additionally, since the attack mimics legitimate user behavior by sending properly formatted HTTP requests, it can bypass many security measures.

Suggested article: HTTP vs HTTPS – All you need to know!

The impact of a R.U.D.Y. attack

The impact of a R U Dead Yet attack can be severe, especially for web servers and applications that rely heavily on maintaining numerous concurrent connections. Some of the consequences include:

• Server Overload: As server resources are consumed by the slow connections, legitimate users experience delays or are unable to connect.
• Increased Latency: The server’s response times become significantly slower, degrading the user experience.
• Potential Downtime: In extreme cases, the server may become completely unresponsive, leading to downtime and potential revenue loss for businesses.
• Resource Depletion: The server’s CPU, memory, and network bandwidth can be exhausted, impacting overall performance and availability.

Defending against R.U.D.Y. attacks

Preventing and mitigating R.U.D.Y. attacks require a multi-faceted approach. Here are some strategies to consider:

1. DDoS Protection Services – Utilizing services that provide distributed denial-of-service (DDoS) protection can help absorb and mitigate the effects of such attacks. ClouDNS DDoS Protection service uses advanced filtering techniques to ensure that malicious traffic is effectively removed before reaching the target server, maintaining the integrity and performance of your online services.
2. Timeout Configuration: Configure server timeouts to limit the duration a connection can remain open without transmitting data. This can help close slow connections before they consume excessive resources.
3. Rate Limiting: Implement rate limiting to control the number of requests a single IP address can make in a given timeframe. This can help identify and block malicious users.
4. Behavioral Analysis: Use security tools that analyze traffic patterns and detect anomalies indicative of slow-rate attacks. Solutions like Web Application Firewalls (WAFs) can be configured to recognize and block suspicious activity.
5. Connection Throttling: Throttle connections based on the rate of data transmission. If data is being sent too slowly, the connection can be terminated.
6. Load Balancing: Distribute traffic across multiple servers to ensure no single server becomes a bottleneck. Load balancers can also help detect and mitigate attack patterns.
7. Regular Monitoring: Implement Monitoring service that will check server performance and traffic for signs of abnormal behavior. Early detection is crucial for mitigating the impact of an attack.

Conclusion

The R.U.D.Y. attack is a sophisticated and stealthy threat that highlights the need for robust and adaptive security measures in today’s digital landscape. By understanding the mechanics of this attack and implementing effective defenses, organizations can better protect their web servers and ensure the availability and performance of their online services. Stay vigilant, keep your defenses up-to-date, and be prepared to counter the evolving tactics of cyber adversaries.

The post R.U.D.Y. (R U Dead Yet) Attack Explained appeared first on ClouDNS Blog.

What is a DDoS amplification attack?

These attacks usually use the UDP protocol. It is a simple connectionless communication model with a minimum protocol mechanism. This means that one of the sides in the communication can send large amounts to the other without restrictions. Without any confirmation, it doesn’t matter if the second side receives the data. 

Due to the way the UDP protocol works, cyber-criminals use it to generate DDoS amplification attacks. The attacker sends a small UDP request with a spoofed IP address of the victim to public services.

The UDP protocol doesn’t require a connection verification between the parties. This is why the public services reply with the requested data to the IP address of the victim. As bigger is the data returned by exploited public service, bigger is the DDoS amplification factor.

In the past few years, hackers have exploited many public DNS resolvers and NTP servers to generate massive DDoS attacks against popular websites and services.

Understanding Memcached

Memcached is a widely-used, open-source caching system that enhances the performance of dynamic web applications by reducing database load. It achieves this by storing data in memory, allowing for rapid retrieval and minimizing the need for repeated database queries. By caching frequently accessed objects such as database query results and session data, Memcached helps applications run more efficiently and respond faster to user requests. Its straightforward design and robust performance have made it a staple in optimizing large-scale web applications. However, without proper configuration and security measures, Memcached can become vulnerable to exploitation, emphasizing the need for diligent management.

Memcached DDoS amplification attack explanation

A Memcached DDoS amplification attack is a malicious exploit where attackers leverage vulnerable Memcached servers to generate overwhelming traffic towards a target. By sending small requests to multiple servers, the attackers receive significantly larger responses, resulting in an amplification effect. This massive traffic surge can cripple the target’s network infrastructure, disrupting service. To mitigate such attacks, organizations should secure their Memcached servers, implement access controls, and utilize robust DDoS mitigation solutions to protect against this highly impactful cyber attack.

How does it work? Step-by step 

1. Identifying vulnerable servers: Attackers scan the internet to locate Memcached servers that are accessible and have User Datagram Protocol traffic enabled. UDP is preferred due to its connectionless nature, making it easier to spoof source IP addresses.

By default Memcached works with enabled UDP support on port 11211. To understand this attack we have reviewed the source code of the database on GitHub.For some reason in the communication settings of the defined a fixed payload of 1400 bytes for the UDP packets.

The basic UDP request sent to Memcached is with size 15 bytes, and the server responds with 1400 bytes. This makes the amplification factor more than 93x! That amplification factor means that with a single server with 1Gbps port and a significant amount of vulnerable servers, the attacker can generate DDoS attacks over 90 Gbps.

2. Spoofing the source IP address: Using various techniques, attackers disguise their own IP address and make it appear as if the attack traffic originates from the targeted victim’s IP address. This ensures that the amplified response traffic is directed towards the victim.

Suggested article: What is DNS Spoofing (DNS poisoning)?

3. Sending small forged requests: Attackers send lightweight and innocuous-looking requests to the vulnerable Memcached servers. These requests typically have a small size, often around 15 bytes, which minimizes the effort required to send them.

4. Amplification of response traffic: Exploiting the Memcached servers’ behavior, which responds to small requests with much larger responses, the attackers achieve an amplification factor that can reach staggering levels. This means that for each small request sent, the server responds with a significantly larger volume of data, often in the range of hundreds or thousands of times larger.

5. Overwhelming the target: The amplified response traffic, generated by the Memcached servers, floods the victim’s network infrastructure with an immense volume of data. This flood of traffic can quickly exhaust the victim’s network bandwidth, computing resources, and cause service disruptions or complete downtime.

How big can it be?

In the realm of cybersecurity, we have witnessed an unprecedented magnification factor, reaching an astonishing 51,200 times the original request size! Picture this: a mere 15-byte request has the potential to unleash a colossal 750 kB response. This mind-boggling amplification factor poses an immense security risk, particularly for web properties ill-equipped to handle the overwhelming deluge of attack traffic. With its significant amplification potential and susceptible servers, Memcached becomes a prime target for malicious actors intent on launching devastating DDoS attacks against a wide array of targets.

Furthermore, according to the GitHub’s February 28th DDoS Incident Report, the largest open source code web service was down due to a Distributed Denial of Service attack that caused intermittent unavailability of their service for a few minutes. The attack exploited a vulnerability in Мemcached, resulting in a volumetric attack that peaked at 1.35Tbps. GitHub successfully mitigated the attack by diverting traffic to Akamai and implementing access control measures, and they are working on improving their automated intervention and expanding their edge network to enhance resilience against future attacks.

How to protect from Memcached DDoS amplification attacks?

Our Anycast Network is protected from such attacks, and we already mitigated more than 20 attacks like this for the last five days.

Тo protect your website, online service, etc you can also implement DDoS protection software. ClouDNS DDoS Protected DNS service can help identify and filter out malicious traffic, thereby minimizing the impact of amplification attacks.

Other way to protect from Memcached DDoS amplification attacks is by regularly monitoring the traffic. We provide robust monitoring solutions which enable the timely detection of abnormal traffic patterns, facilitating early response and mitigation.

Furthermore, with enough network capacity, we can easily filter the attack of the Memcached server responds from UDP port 11211. We can say for sure that all our customers are protected and safe.

The average size of the DDoS attacks we filter was between 50Gbps and 80Gbps. First we expect that value to grow in the next two weeks. Then to drop significantly because the system administrators will take care of the vulnerable servers.

DDoS Protected DNS

Ways to secure a Memcached server

The system administrators of Memcached servers can protect them in one of the following ways:

• Update the configuration of the server to listen only on 127.0.0.1 (localhost). Do this if use the Memcached server only locally and there are no external connections to the server. You can do this with the option –listen 127.0.0.1
• Disable UDP support, if you are not using it. You can do this with the option -U 0
• Add firewall for UDP port 11211, if you need both external connections and UDP support, make sure the server is accessible only by the IPs you need
• Instead of exposing your Memcached server directly to the internet, you can use a caching proxy server
• Restrict access to the Memcached server using access control lists (ACLs) to allow only trusted IP addresses.

Conclusion

By exploiting vulnerable Memcached servers, attackers can unleash a massive flood of traffic, causing widespread disruptions. To defend against these attacks, organizations must secure their Memcached servers, implement strict access controls, and utilize effective DDoS mitigation solutions.

The post DDoS amplification attacks by Memcached appeared first on ClouDNS Blog.

What is a DNS flood attack?

A DNS flood attack is a type of Distributed Denial of Service (DDoS) attack. It targets the DNS server, which is crucial for translating domain names (like www.example.com) into IP addresses that computers use to communicate. The attack floods the DNS server with an overwhelming number of requests, causing legitimate traffic to be delayed or completely blocked, effectively taking the service offline.

How does a DNS flood attack work?

Imagine a small post office suddenly receiving millions of letters, most with incorrect return addresses. A DNS flood attack operates similarly. Attackers leverage a network of compromised devices, known as a botnet, to send a deluge of DNS requests to a target server. These requests are often disguised with fake IP addresses, adding confusion and preventing easy filtering. The server, inundated by this tsunami of requests, struggles to respond, leading to legitimate requests being ignored or delayed – effectively disrupting normal web services. 

Let’s break down the process into steps:

1. Volume of traffic: The attacker sends a massive amount of DNS requests to the target server, often using a network of compromised computers (botnets).
2. Spoofing IP addresses: These requests often have fake return addresses, making it hard for the server to distinguish between legitimate and illegitimate traffic.
3. Server overload: The DNS server becomes overwhelmed, trying to process each request, leading to slowed down services or a total shutdown.
4. Secondary effects: The attack can also impact other services that rely on the DNS server, creating a ripple effect of disruption.

Why is it dangerous?

The danger of DNS flood attack cannot be overstated. They are more than just an inconvenience; they pose a significant threat to online operations. Firstly, they can cause major disruptions to essential services, crippling websites and online platforms. This disruption can have a cascading effect, impacting not only the targeted site but also any service that relies on it. The financial implications are equally severe, especially for businesses that depend on online transactions or services. Beyond the immediate financial losses, these attacks can inflict long-term damage to a company’s reputation, shaking customer confidence and trust. Moreover, while the focus is on mitigating the attack, other security vulnerabilities might be overlooked, leaving the door open for further exploits.

How to recognize a DNS flood attack?

Identifying a DNS flood attack primarily involves monitoring for an abnormal surge in DNS traffic. This is where tools like ClouDNS Free DNS tool come into play. This innovative tool enables users to inspect DNS records for specific hosts and analyze the speed and volume of DNS queries. Users can conduct a thorough audit of their DNS traffic, a crucial step in early detection. The tool’s user-friendly interface and comprehensive functionality, including compatibility with major DNS resolvers like Cloudflare, make it an invaluable resource in a cybersecurity toolkit.

DNS flood attack mitigation

To defend against DNS flood attacks, consider the following strategies:

DNSSEC (Domain Name System Security Extensions):

DNSSEC adds an extra layer of security by verifying the authenticity of DNS responses. This helps ensure that the data hasn’t been altered, making it harder for attackers to exploit the DNS system.

DDoS Protection Service:

DDoS Protection services specialize in distinguishing and mitigating abnormal traffic patterns characteristic of DDoS attacks. They can redirect malicious traffic, keeping your DNS server operational.

DNS Monitoring:

Regularly monitoring DNS traffic for unusual patterns helps in early detection of potential attacks, allowing for swift action before significant disruption occurs.

Enabling DNS Caching:

DNS caching reduces the load on servers by storing responses locally. During an attack, cached data can still be served, maintaining service availability for some users.

Secondary DNS:

A Secondary DNS provides redundancy. If your primary server is overwhelmed, the secondary server can maintain service availability, minimizing downtime.

DoT (DNS over TLS) and DoH (DNS over HTTPS):

Implementing DoT and DoH encrypts DNS queries, enhancing security. They help differentiate legitimate traffic from malicious queries, as most attack traffic doesn’t use these secure channels.

Conclusion

In summary, effectively mitigating DNS flood attacks involves a blend of strategic defenses and proactive monitoring. By adopting a range of protective measures and staying vigilant, organizations can safeguard their online presence against these disruptive threats. Remember, a robust defense is essential in maintaining the integrity and reliability of your digital services in today’s interconnected world.

The post DNS flood attack explained in details appeared first on ClouDNS Blog.