Stopping a Corporate IT Infrastructure in a Single Blow - are you safe?

A corporate computer infrastructure is a large system, and a fairly resilient one, built to last: there are backup links, redundant servers and replication technologies all over the place. And yet there is a way to temporarily incapacitate an entire corporate Windows infrastructure with a single, properly delivered blow, simply because it relies entirely on an often ignored service - DNS.

NOTE: This particular post has NOTHING to do with the recent DNS vulnerability craze. That vulnerability merely adds another attack vector; the attack described here can be performed without it.

Back to the topic at hand. Let's review how many services DEPEND on DNS:

  • E-mail - relies on DNS (MX lookups) to deliver mail destined for other domains - no DNS, no outbound e-mail
  • Corporate applications - rely on DNS to resolve application and database server names - no DNS, no core apps
  • Active Directory - is entirely dependent on DNS: clients locate domain controllers and the Global Catalog through SRV records, and the domain controllers register those records in DNS. If DNS is down, even the domain controllers stop operating properly - no DNS, big problems with logon and management of the Windows domain
  • Network Access Control (NAC) - depends on DNS to discover its policy and update servers - no DNS, big problems with endpoint authentication
Also, DNS has the following characteristics that make it even more vulnerable:
  • DNS servers must be open to all corporate users - every client has to talk to the DNS servers to look up its services
  • DNS server IP addresses must be known to be usable - there is no hiding behind names; the DNS servers are published to every client as IP addresses
  • DNS servers run with minimal or no maintenance - when was the last time you checked your DNS servers? When was the last time you checked your client computers to see how their DNS servers are assigned (DHCP, manual, hard-coded)?
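
The last question in that list is easy to answer with a script. As an added example (not part of the original post), the following Python reads each network interface's DNS settings from the Windows registry, reports whether they come from DHCP or from a static setting (a non-empty NameServer value overrides whatever DHCP handed out), and flags any server that is not on an approved list. The approved list is a constructed placeholder; the classification is plain Python so it can be exercised off a Windows box, while the registry read itself only runs on Windows.

```python
"""Audit how each Windows interface gets its DNS servers (added example).

Windows keeps a statically configured DNS list in the per-interface registry
value NameServer and the DHCP-supplied list in DhcpNameServer. A non-empty
NameServer wins, which is exactly the client you cannot fix via DHCP later.
"""
import sys

INTERFACES_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
# Constructed placeholder: the DNS servers your DHCP scopes actually publish.
APPROVED_DNS = {"10.0.0.53", "10.0.1.53"}


def _split(value):
    """NameServer is usually comma-separated, DhcpNameServer space-separated."""
    return [s for s in value.replace(",", " ").split() if s]


def classify_interface(name_server, dhcp_name_server, approved=APPROVED_DNS):
    """Return (source, servers, unapproved) for one interface's registry values."""
    static = _split(name_server or "")
    dhcp = _split(dhcp_name_server or "")
    if static:
        source, servers = "static", static      # manual setting overrides DHCP
    elif dhcp:
        source, servers = "dhcp", dhcp
    else:
        return "none", [], []                   # disconnected or unused adapter
    unapproved = [s for s in servers if s not in approved]
    return source, servers, unapproved


def _value(key, name):
    """Read a REG_SZ value, treating a missing value as empty."""
    import winreg
    try:
        return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return ""


def read_windows_interfaces():
    """Yield (guid, NameServer, DhcpNameServer) per interface; Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("registry audit only runs on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INTERFACES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as k:
                yield guid, _value(k, "NameServer"), _value(k, "DhcpNameServer")


def audit(interfaces):
    """Return {guid: (source, servers, unapproved)}, skipping idle interfaces."""
    report = {}
    for guid, name_server, dhcp_name_server in interfaces:
        result = classify_interface(name_server, dhcp_name_server)
        if result[0] != "none":
            report[guid] = result
    return report


if __name__ == "__main__":
    for guid, (source, servers, bad) in audit(read_windows_interfaces()).items():
        flag = " UNAPPROVED: " + ",".join(bad) if bad else ""
        print(f"{guid}: {source} {' '.join(servers)}{flag}")
```

Run it from a logon script or remotely and collect the output centrally: any interface reporting "static", or a server outside the approved set, is a machine that will not pick up an emergency DNS change pushed through DHCP.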
Attack scenario
An attacker can plant a bot on corporate client computers by baiting with dropped media (the "road apple" trick), by sending malicious e-mail, or by hiding it in games. The bot can be set up to wait for a remote command, or simply act as a logic bomb, and then start a DoS attack against the corporate DNS servers.

EFFECT: A properly executed attack slows DNS responses to the point where 90% of all queries time out. As a bonus, the links clog up with bogus traffic, which cuts the corporate applications on the client computers off from any communication.

A good time for this attack is the start of business hours: the traffic trend an IPS has learned already expects a surge of DNS traffic then (everybody logging on), so it will not react properly. The same goes for the IT team.

Naturally, this attack is neither straightforward nor easy. It requires
  • coordination and social engineering to collect information
  • access, or a trick, to install the bots on corporate clients
  • a properly written bot that evades antivirus detection
However, not easy does not mean impossible. This attack can be used to damage a corporation's reputation by disrupting its operations, or as a diversion: while most system admins are busy restoring basic communication, a more sinister attack is in progress.

Controls and Countermeasures
While there is no single foolproof defence, the following controls will mitigate such an attack.
  • Have at least one cold backup DNS server - this can be a virtual machine, kept offline and with an unpublished IP address. If all the other DNS servers are under attack, bring this one up and assign it as DNS server to the most critical clients, to restore minimal operation.
  • Have dedicated DNS servers for the server infrastructure - these DNS servers should not be reachable from ordinary corporate clients, so even if a bot attacks the client-facing DNS servers, the server infrastructure keeps working.
  • Assign DNS through DHCP on ALL client computers - during an attack it is much easier to reconfigure the DHCP server and ask everybody to reboot (or renew their lease) than to touch hard-coded settings one machine at a time.
  • Have an IPS on the entry/egress point between clients and servers - the IPS is of great assistance when analysing an attack, and should be configured to alert on deviations from the learned traffic trend.
  • Do not allow DNS traffic from the Internet - internal DNS servers are for internal use. If you run web and e-mail services, outsource the minimal DNS hosting for those public addresses to an ISP. That way attackers on the Internet cannot reach your internal DNS servers - your exposure is reduced.
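
As an added example (not code from the original post), here is the kind of trend check the IPS control above describes, written with the timing caveat from the attack scenario in mind: DNS query counts per client per minute are compared against an hour-of-day baseline, so the legitimate 08:00 logon surge is expected and only clients that blow past even that elevated rate are flagged, and a minute in which several clients alert at once is reported as coordinated. The log line format, the baseline figures and the sample traffic are all constructed for the example.

```python
"""Per-client DNS query-rate check against an hour-of-day baseline (added example).

Log lines are assumed to be "<ISO timestamp> <client IP> <query name>"; the
baseline numbers and the sample traffic are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline: expected queries per client per minute, keyed by hour
# of day. The 08:00 logon burst is legitimately higher than the rest of the
# day, so an alarm tuned to a flat rate would either miss it or page every morning.
BASELINE_PER_CLIENT_PER_MIN = defaultdict(lambda: 2.0, {8: 8.0, 9: 4.0})


def parse_line(line):
    """Split one log line into (timestamp, client, qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def bucket_queries(lines):
    """Count queries per (client, minute) bucket."""
    counts = Counter()
    for line in lines:
        ts, client, _ = parse_line(line)
        counts[(client, ts.replace(second=0, microsecond=0))] += 1
    return counts


def find_anomalies(lines, factor=5.0):
    """Return {(client, minute ISO): count} for buckets above factor x baseline.

    The baseline is looked up by the bucket's hour, so the morning surge has
    to be exceeded by the same factor as any other hour before a client is flagged.
    """
    alerts = {}
    for (client, minute), n in bucket_queries(lines).items():
        expected = BASELINE_PER_CLIENT_PER_MIN[minute.hour]
        if n > factor * expected:
            alerts[(client, minute.isoformat())] = n
    return alerts


def coordinated_minutes(alerts, min_clients=3):
    """Minutes in which at least min_clients distinct clients alerted.

    One chatty workstation is a support ticket; many clients tripping in the
    same minute is what a planted bot looks like.
    """
    per_minute = defaultdict(set)
    for client, minute in alerts:
        per_minute[minute].add(client)
    return sorted(m for m, c in per_minute.items() if len(c) >= min_clients)


def make_sample_log():
    """Constructed sample: normal 08:00 logon traffic, then three bots at 08:01."""
    lines = []
    for client in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        for i in range(6):   # 6 queries/min: within the 08:00 baseline of 8
            lines.append(f"2008-07-21T08:00:{i:02d} {client} app{i}.corp.example")
    for client in ("10.1.2.50", "10.1.2.51", "10.1.2.52"):
        for i in range(60):  # 60 queries/min: above 5 x 8, the morning threshold
            lines.append(f"2008-07-21T08:01:{i:02d} {client} junk{i}.corp.example")
    return lines


if __name__ == "__main__":
    found = find_anomalies(make_sample_log())
    for (client, minute), n in sorted(found.items()):
        print(f"{minute} {client}: {n} queries/min")
    print("coordinated:", coordinated_minutes(found))
```

The per-client threshold is the view a sensor between clients and servers gives; a bot that deliberately stays under it on many machines only shows up in the total query count per minute, so apply the same hour-of-day comparison to the aggregate as well, which is also the number the DNS servers' own counters report.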

Related posts
Check Your DNS Zone Transfer Status
DHCP Security - The most overlooked service on the network

Talkback and comments are most welcome
