Unprotected DNS infrastructures leaving operators open to abuse, sometimes from other operators

Mobile operators are currently leaving themselves open to attacks via their DNS infrastructure, and have no means to detect fraudulent abuse of that infrastructure, according to one security specialist. Some operators are even being attacked by other mobile operators.

Cloudmark has just launched a new product line, Cloudmark Security Platform for DNS, designed to enable anyone who operates a DNS infrastructure – mobile operators, carriers, cloud service providers – to protect themselves against a growing number of threats that come via the DNS.

The Platform adds to Cloudmark’s existing capabilities in scanning and analysing email and mobile messaging traffic to detect spam, scams and malicious content or malware. It uses the same combination of in-line analysis at the application layer (L7) and behavioural analysis of how senders, IP addresses and domains behave over time.

Cloudmark’s Security Platform, now with added DNS

The DNS is the “plumbing” of the internet, performing the translation from domain names to IP addresses, and it is often the target of denial of service attacks, in which attackers flood DNS servers with queries, rendering them unable to process legitimate requests.

But a new breed of attacks via the DNS is leaving operators exposed to revenue loss and to the cost of investing in additional DNS infrastructure.

Neil Cook, CTO, Cloudmark, told TMN, “DNS is completely critical to internet infrastructure, yet really from a security perspective it has been neglected, and we are starting to see in the last year or so an increasing number of attacks on the DNS.” According to Cloudmark, a good number of outages in recent years have been the result of DNS attacks, even if they have not been publicly named as such.

Although some well-understood threats, such as cache poisoning, have been addressed with DNSSEC, the extension that adds cryptographic signatures to DNS records and has been rolled out over the last couple of years, Cook said that “all the other ways that the DNS can be abused are, from a security perspective, almost completely unprotected”.

Why is this?

“Nobody is looking at DNS traffic, for two reasons. First, they don’t have solutions to do that, so nobody is looking at DNS traffic to see if it is malicious, and second, even with DNSSEC the volume of traffic means you can hide in the noise, especially if nobody is looking at that traffic. That’s where we come in with a solution that looks at the application layer to understand what’s happening in the DNS stream, at content and behaviour of IP addresses and domains, how they are being used, so that operators can detect threats against infrastructure itself and attacks that try to subvert the infrastructure.”

One active threat that Cloudmark has detected on one customer’s network is the use of DNS tunnelling to avoid charges for roaming interconnect. DNS tunnelling is a technique that uses the DNS itself to transport arbitrary data: a client encodes its payload into the query names it sends (typically as long subdomain labels under a domain the tunnel operator controls) and the authoritative server for that domain returns data in the responses, often in TXT records. The result is a generic tunnel that can be used, for example, to exfiltrate data from a company in the event of a breach. Cloudmark says that it has detected mobile devices belonging to inbound roamers that are equipped with a DNS tunnelling client that sends user data via the DNS protocol. As DNS traffic is nearly always zero-rated, this data traffic bypasses charging and interconnect systems, so the “home” operator avoids having to pay the visited operator for its customers’ roaming usage. Cook said that this practice is not uncommon among operators from “less regulated” countries that have a large expat population living in another country.

A further issue is that DNS tunnelling is “incredibly impactful” on the infrastructure, being far more capacity intensive than legitimate lookup requests: every tunnelled query carries a name close to the maximum length, and every one is unique, so none of them is served from cache.

“We’ve had operators ask why they are having to increase DNS capacity by 3-4x – and it’s because even a small amount of DNS tunnelling leads to a massive increase on capex in terms of infrastructure.”
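The behavioural markers described above (long, high-entropy, never-repeating query names under one domain, heavy use of data-carrying record types) are what an in-line DNS analyser keys on. The script below is an added example, not Cloudmark’s code or the platform described here, that scores a constructed DNS query log per (client, registered domain), flags pairs that look like a tunnel, and reports what share of the query bytes those pairs account for, which is the capacity effect the article describes. It assumes a simple log line format of `timestamp client qtype qname`, approximates the registered domain as the last two labels (a real deployment would use the public suffix list), and uses illustrative thresholds that are not vendor values.

```python
"""Heuristic DNS-tunnelling detection over a query log (added example, assumptions noted)."""
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Illustrative cut-offs, chosen for this example; a production system would tune them per network.
THRESHOLDS = {
    "min_queries": 10,        # ignore pairs with too little traffic to judge
    "min_mean_sub_len": 30.0, # tunnel clients pack payload into long subdomains
    "min_mean_entropy": 3.5,  # bits/char; encoded payload is near-random, hostnames are not
    "min_unique_ratio": 0.8,  # each tunnelled query is unique, so nothing is cacheable
}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain part, registered domain), e.g. 'a.b.example.com' -> ('a.b', 'example.com').
    Assumption: registered domain = last two labels (use the public suffix list in practice)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def wire_bytes(qname: str) -> int:
    """Approximate size of a UDP DNS query: 12-byte header + encoded name (len+2) + QTYPE/QCLASS."""
    return 12 + len(qname) + 2 + 4


def parse_log(text: str):
    """Parse 'timestamp client qtype qname' lines (assumed format) into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qtype, qname = line.split()
        records.append((float(ts), client, qtype.upper(), qname))
    return records


def profile(records):
    """Aggregate per-(client, registered domain) behavioural features."""
    acc = defaultdict(lambda: {"n": 0, "sub_len": 0, "ent": 0.0, "names": set(), "data_qt": 0, "bytes": 0})
    for _, client, qtype, qname in records:
        sub, dom = split_name(qname)
        a = acc[(client, dom)]
        a["n"] += 1
        a["sub_len"] += len(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        a["names"].add(qname)
        a["data_qt"] += qtype in ("TXT", "NULL", "CNAME", "MX")  # record types that carry payload downstream
        a["bytes"] += wire_bytes(qname)
    return {
        key: {
            "queries": a["n"],
            "mean_sub_len": a["sub_len"] / a["n"],
            "mean_entropy": a["ent"] / a["n"],
            "unique_ratio": len(a["names"]) / a["n"],
            "data_qtype_ratio": a["data_qt"] / a["n"],
            "bytes": a["bytes"],
        }
        for key, a in acc.items()
    }


def detect_tunnels(profiles, th=THRESHOLDS):
    """Flag pairs whose query names look like encoded payload rather than hostnames."""
    return {
        key: p for key, p in profiles.items()
        if p["queries"] >= th["min_queries"]
        and p["mean_sub_len"] >= th["min_mean_sub_len"]
        and p["mean_entropy"] >= th["min_mean_entropy"]
        and p["unique_ratio"] >= th["min_unique_ratio"]
    }


def byte_share(profiles, flagged):
    """Fraction of all query bytes attributable to flagged pairs (the capacity cost of the tunnel)."""
    total = sum(p["bytes"] for p in profiles.values())
    return sum(p["bytes"] for p in flagged.values()) / total if total else 0.0


def build_sample_log():
    """Constructed log: 30 ordinary lookups from one roamer, 40 tunnel-style TXT queries from another."""
    lines = []
    normal = ["www.example.com", "api.example.net", "mail.example.org", "cdn.example.com", "login.example.net"]
    for i in range(30):
        lines.append(f"{1700000000 + i * 0.5:.2f} 10.20.0.5 A {normal[i % len(normal)]}")
    for i in range(40):
        # Three 52-char base32 labels of pseudo-payload, a sequence label, then the tunnel's domain.
        labels = [base64.b32encode(hashlib.sha256(f"payload-{i}-{c}".encode()).digest()).decode().rstrip("=").lower()
                  for c in range(3)]
        lines.append(f"{1700000000 + i * 0.1:.2f} 10.20.0.7 TXT {'.'.join(labels)}.{i:04x}.t.tunnel.example")
    return "\n".join(lines)


def analyse(text=None):
    """Run the pipeline; returns (profiles, flagged pairs, byte share of flagged traffic)."""
    profiles = profile(parse_log(build_sample_log() if text is None else text))
    flagged = detect_tunnels(profiles)
    return profiles, flagged, byte_share(profiles, flagged)


if __name__ == "__main__":
    profiles, flagged, share = analyse()
    for (client, dom), p in flagged.items():
        print(f"TUNNEL? {client} -> {dom}: {p['queries']} queries, mean sub len {p['mean_sub_len']:.0f}, "
              f"entropy {p['mean_entropy']:.2f}, unique {p['unique_ratio']:.2f}, TXT/NULL share {p['data_qtype_ratio']:.2f}")
    print(f"flagged traffic is {share:.0%} of query bytes")
```

In an in-line deployment the `detect_tunnels` decision would feed a block or rate-limit on the (client, domain) pair rather than a printout, and the thresholds would be tuned against the operator's own baseline, since some legitimate services (CDNs, anti-spam lookups) also produce long, unique names under one domain.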

Cook said that traditional approaches to spotting threats have involved offline processing of data, which often only identifies a threat once the event is over. An active, in-line approach can, in the case of the roaming fraud, stop the behaviour as it happens, and also block any further users associated with the domain being abused.

For more on the topic of DNS security, and the benefits of an active, L7 approach, see this whitepaper written on behalf of Cloudmark by Heavy Reading.

More on Cloudmark Security Platform for DNS.