Google is officially buying threat intelligence and incident response company Mandiant in an all-cash deal approximately valued at $5.4 billion, the two technology firms announced Tuesday.
Mandiant is expected to be folded into Google Cloud upon the closure of the acquisition, which is slated to happen later this year, adding to the latter’s growing portfolio of security offerings such as BeyondCorp Enterprise, VirusTotal, Chronicle, and the Cybersecurity Action Team.
“Today, organizations are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative,” Google said in a statement.
“To address these risks, enterprises need to be able to detect and respond to adversaries quickly; analyze and automate threat intelligence to scale threat detection across organizations; orchestrate and automate remediation; validate their protection against known threats; and visualize their IT environment in order to identify and simulate new threats.”
Mandiant became a standalone entity again in June 2021 when FireEye, which acquired the company in 2013, sold its products business and the FireEye brand for $1.2 billion to a consortium led by private-equity firm Symphony Technology Group.
Symphony, which also acquired McAfee Enterprise for $4 billion in March 2021, combined the two businesses to launch Trellix earlier this year.
The cybersecurity firm is best known for uncovering and investigating the supply chain compromise of SolarWinds, a devastating cyber attack that affected thousands of its downstream customers and went unnoticed for months until its discovery in December 2020.
“The acquisition will complement Google Cloud’s existing strengths in security,” Mandiant said, stating the deal will “deliver an end-to-end security operations suite with even greater capabilities as well as advisory services helping customers address critical security challenges and stay protected at every stage of the security lifecycle.”
In December 2011, Cisco Umbrella – then going by the name OpenDNS – became the first public DNS resolver to announce support for DNS encryption. Now, a decade later, we’re proud to announce that we’ve added support for DNS over HTTPS (DoH) directly to our core Umbrella resolvers. In addition, we’ve also added support for Discovery of Designated Resolvers (DDR). These moves allow us to provide our customers with the low-latency and high availability DNS service they expect while also enhancing their security and privacy.
In this blog, we unpack what this latest DNS over HTTPS update means for Cisco Umbrella customers and discuss how they can configure DoH in their network. For more information on the DNS security offered by Cisco Umbrella, register for our on-demand demo of Cisco Umbrella today!
Our History With DNS Encryption
More than a decade ago, we became the first public resolver to announce support for DNSCrypt: a made-for-DNS solution to securing one of the most fundamental parts of internet communication. To this day, Cisco Umbrella continues to be at the forefront of DNS encryption, using DNSCrypt in the default configurations of our endpoint clients and DNS forwarders.
While we still believe that DNSCrypt has a critical place in our infrastructure, the lack of an Internet Engineering Task Force (IETF) standard for DNSCrypt has prevented widespread adoption. Recently, developments in encrypted DNS have focused on two different encryption protocols: DNS over HTTPS (DoH) and DNS over TLS (DoT).
Using DNS over HTTPS (DoH) With Cisco Umbrella
Unlike DNSCrypt, DoH is an IETF standard for performing DNS queries over a secure, encrypted channel. While it serves a similar purpose to our long-time friend DNSCrypt, its status as an IETF standard makes DNS over HTTPS more common amongst major browsers and operating systems.
Cisco Umbrella first announced support for DoH in May 2020. At that time, we wanted to support our users looking to take advantage of browser-based DNS initiatives. To keep our ability to adapt quickly, we launched DNS over HTTPS support using a set of dedicated resolvers (‘doh.umbrella.com’ and ‘doh.opendns.com’) with their own anycast IPs (146.112.41.5 and 146.112.41.2).
Since that release, the popularity of DoH has picked up steam. Apple added support in September 2020, and Microsoft recently announced that upcoming versions of Windows will support this form of DNS encryption. We’ve seen the result of this popularity on the Cisco Umbrella network, which has prompted our team to add support for DNS over HTTPS directly to Umbrella core resolvers.
Enabling DoH on Cisco Umbrella
Because we support DNS over HTTPS with our core resolvers, Cisco Umbrella customers will continue to experience the low-latency and high availability DNS service for which Umbrella is known. In addition, users can now configure DoH for Cisco Umbrella and OpenDNS on our well-known anycast addresses:
Additionally, we’ve moved the dedicated DNS over HTTPS hostnames and IPs onto the same core resolvers. This means they will provide the same service as our well-known IPs. And since we’ll continue to support those hostnames and IPs into the future, our existing users need not make any changes.
Using DNS over TLS (DoT) With Cisco Umbrella
While adding support for DNS over HTTPS directly to our core resolvers made it easier for our users to take advantage of DNS encryption, it also provides an additional benefit. We can now handle TLS connections and support DNS over TLS natively in the core resolvers. We’re thrilled to announce that, as of January 28, 2022, support for DoT is live on all Umbrella resolvers globally.
Like DoH, DoT is an IETF standard for performing DNS queries over a secure, encrypted channel. Unlike DoH, however, DoT uses a dedicated port (TCP/853) for its connections. Clients that support DoT will check if their DNS server supports DoT. If it doesn’t, clients will fall back to regular unencrypted DNS (sometimes called Do53). Thus, configuration for DoT is typically just a matter of enabling it in a supported client.
Discovery of Designated Resolvers (DDR)
With all of these new methods for DNS encryption, clients need an automated means to discover what encryption methods their chosen DNS resolver supports. Tasked with this goal, the Adaptive DNS Discovery (ADD) working group at the IETF has proposed a standard called Discovery of Designated Resolvers (DDR).
The basics of DDR are simple. When a DNS client first learns the address of its DNS server, it sends a DNS query for a special-use domain name, ‘_dns.resolver.arpa’, using a special DNS query type (type 64, or ‘SVCB’). The DNS server responds with the types of encryption it supports and any configuration information the client needs. The client can pick the kind of encryption it prefers, verify that all the information is secure, and then start encrypting DNS.
Cisco Umbrella is very proud to be the first public resolver to announce support for DDR. We developed it in close collaboration with Microsoft to ensure that encrypted resolver selection works smoothly end to end. We look forward to DDR support being added to more clients and operating systems in the future.
Our DNS over HTTPS and DNS over TLS services are now discoverable via DDR, and any supported client can start using it now.
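The discovery exchange described above, as an added example that is not Cisco Umbrella's code: a Python client builds the SVCB query for _dns.resolver.arpa, parses a constructed SVCB reply, and picks DoH or DoT from it. The designated hostname dns.example.net, the ALPN values and the DoH path in the sample reply are assumptions, not Umbrella's real records.

```python
# Added example (not Cisco Umbrella's code): build the DDR discovery query a
# client sends (SVCB for _dns.resolver.arpa) and parse a constructed SVCB answer
# into the encrypted-resolver choices it advertises. Hostname and path are made up.
import struct

SVCB = 64                       # RR type 64, as used by DDR
DDR_NAME = "_dns.resolver.arpa"

def encode_name(name):
    """Encode a domain name in DNS wire format (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a wire-format name at `off`, following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                     # 2-byte pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_ddr_query(txid):
    """Step 1 of DDR: ask the resolver for SVCB records of _dns.resolver.arpa."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(DDR_NAME) + struct.pack("!HH", SVCB, 1)

def parse_svc_params(data):
    """Decode SvcParams: key 1 = alpn, 3 = port, 7 = dohpath; others kept raw."""
    params, off = {}, 0
    while off < len(data):
        key, vlen = struct.unpack("!HH", data[off:off + 4])
        val, off = data[off + 4:off + 4 + vlen], off + 4 + vlen
        if key == 1:                                    # length-prefixed ALPN ids
            alpns, i = [], 0
            while i < len(val):
                alpns.append(val[i + 1:i + 1 + val[i]].decode())
                i += 1 + val[i]
            params["alpn"] = alpns
        elif key == 3:
            params["port"] = struct.unpack("!H", val)[0]
        elif key == 7:
            params["dohpath"] = val.decode()
        else:
            params[key] = val
    return params

def parse_ddr_response(msg):
    """Return (priority, target, params) for each SVCB record in the answer."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):                                 # skip the question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == SVCB:
            prio = struct.unpack("!H", rdata[:2])[0]
            target, toff = decode_name(rdata, 2)        # TargetName is never compressed
            records.append((prio, target, parse_svc_params(rdata[toff:])))
    return records

def choose_resolver(records):
    """Prefer the lowest SvcPriority and map its ALPN to a DoH URI template or a
    DoT endpoint. A real client still verifies that the designated resolver's TLS
    certificate covers the IP of the resolver it was using before switching."""
    for _, target, p in sorted(records, key=lambda r: r[0]):
        alpn = p.get("alpn", [])
        if "dohpath" in p and any(a in ("h2", "h3") for a in alpn):
            return "DoH", "https://%s:%d%s" % (target, p.get("port", 443), p["dohpath"])
        if "dot" in alpn:
            return "DoT", "%s:%d" % (target, p.get("port", 853))
    return None

def _svcb_rr(prio, target, params):
    """Assemble one SVCB answer record in wire format (constructed reply only)."""
    rdata = struct.pack("!H", prio) + encode_name(target) + params
    return encode_name(DDR_NAME) + struct.pack("!HHIH", SVCB, 1, 300, len(rdata)) + rdata

def sample_response(txid):
    """Constructed reply: resolver designates dns.example.net for DoH (h2) and DoT."""
    alpn, path = b"\x02h2", b"/dns-query{?dns}"
    doh = struct.pack("!HH", 1, len(alpn)) + alpn + struct.pack("!HH", 7, len(path)) + path
    alpn = b"\x03dot"
    dot = struct.pack("!HH", 1, len(alpn)) + alpn + struct.pack("!HHH", 3, 2, 853)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)   # QR/RD/RA, 2 answers
    question = encode_name(DDR_NAME) + struct.pack("!HH", SVCB, 1)
    return (header + question + _svcb_rr(1, "dns.example.net", doh)
            + _svcb_rr(2, "dns.example.net", dot))
```

Calling `choose_resolver(parse_ddr_response(sample_response(0x1234)))` yields the DoH template first because its record carries the lower SvcPriority; remove it and the DoT endpoint on port 853 is chosen.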
Enhance Your DNS Security Today
Just as with our decade of support for DNSCrypt, Cisco Umbrella views encryption of DNS queries in transit as a core component of DNS security, along with the use of DNSSEC for securing the data in the queries themselves. We’ve been pleased to see the industry and clients begin to add direct support for DNS encryption, and we can’t wait to see standards like DoH, DoT, and DDR take off and become more widely adopted.
If you want to learn more about the DNS security that Cisco Umbrella provides, view our on-demand demo today!
Microsoft this week revealed that it had fended off a record number of distributed denial-of-service (DDoS) attacks aimed at its customers in 2021, three of which surpassed 2.4 terabit per second (Tbps).
One of the DDoS attacks took place in November, targeting an unnamed Azure customer in Asia and lasted a total of 15 minutes. It hit a peak throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), making it the largest attack ever reported in history.
“This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan,” Alethea Toh, product manager of Azure Networking, said.
DDoS attacks occur when several compromised devices are employed as a conduit to overwhelm a targeted server, service, or network with a flood of internet traffic, with the goal of overloading the systems and disrupting their regular services.
Then in December, Microsoft said it blocked two more attacks that surpassed 2.5 Tbps, both of which were aimed at customers in Asia. The first of the attacks was a 3.25 Tbps UDP attack, while the other intrusion was a 2.55 Tbps UDP flood that lingered for just a little over five minutes.
The report comes more than three months after the tech giant disclosed it acted to blunt a 2.4 Tbps DDoS attack in August 2021 targeting a European customer. Other previous record-breaking attacks include a 2.5 Tbps DDoS attack absorbed by Google in September 2017 and a volumetric strike aimed at Amazon Web Services in February 2020.
Microsoft said it observed a rise in attacks that lasted longer than an hour in the second half of 2021, whereas the proportion of short-lived attacks that were 30 minutes or less dropped from 74% to 57%. That said, the longer duration assaults are experienced as a sequence of multiple short, repeated burst attacks.
The company also said it mitigated an average of 1,955 attacks per day, with a maximum of 4,296 attacks recorded in a single day on August 10, 2021. For the entirety of H2 2021, no fewer than 359,713 unique attacks against its infrastructure were blocked, a 43% increase from the first half of 2021.
The gaming industry emerged as the hardest hit sector, followed by financial institutions, media, internet service providers (ISPs), retail, and supply chain entities. Most of the targeted organizations were located in the U.S., India, East Asia (Hong Kong), Brazil, the U.K., South Korea, Japan, Australia, and the U.A.E.
“We saw a sharp uptick in attacks in India, from just 2% of all attacks in the first half of 2021 to taking the second position at 23% of all attacks in the second half of 2021,” Toh said. “Another driving factor may be that the acceleration of digital transformation, for example, the ‘Digital India‘ initiative, has increased the region’s overall exposure to cyber risks.”
They’re not interested in peace on earth, a hippopotamus or their two front teeth. You won’t find them decking the halls, dashing through the snow or even up on the housetop. But that doesn’t mean cybercriminals aren’t out in force this time of year — and they’re relying on you being too wrapped up in your holiday preparations to see them coming.
They’re successful far too often: The last quarter of 2020 saw by far the most ransomware, with attacks in November reaching an all-time high in an already record-breaking year. If 2021 follows suit, this could be the worst holiday season for ransomware SonicWall has ever recorded — but fortunately, there are many things you can do to minimize your risk:
It’s the Most Wander-ful Time of the Year: Travel Tips
Roughly 63% of American adults plan to travel for the holidays this year — a nearly 40% jump over last year, and within 5% of 2019 levels. While it’s easy to become preoccupied by traffic jams, flight delays and severe weather, don’t forget that attackers love to leverage this sort of chaos. Follow these five travel best practices to keep cybercriminals grounded this holiday season.
1. Free Wi-Fi =/= Risk-Free Wi-Fi
When you stop for a coffee during your layover, or stumble into a greasy spoon on hour nine of your road trip back home, you might be tempted to log on to the free Wi-Fi. But unless your organization has implemented zero-trust security, beware. Try bringing a novel and coloring books to keep everyone occupied on the road, and if you must connect, use a VPN to access employer networks and avoid logging in to your bank, email or other sensitive accounts. Because some devices may try to connect to these networks automatically, you may need to disable auto-connect to fully protect against man-in-the-middle and other attacks.
2. Put Your Devices on Lockdown
With border restrictions finally beginning to ease in countries such as Canada, Australia, India, South Korea, and the United States, international travel is expected to be robust. In the U.S., roughly 2 million travelers are expected to pass through airports each day over the Christmas holiday. In crowds like this, it’s easy for a device to be misplaced, left behind or stolen. To limit potential damage from smartphones, laptops, tablets, etc. falling into the wrong hands, ensure they’re protected with facial recognition, fingerprint ID or a PIN. (This doesn’t just protect against data theft, it can also help combat regular theft: One study found that locked devices were three times more likely to be returned to their owners.)
3. Don’t Let Criminals Track You
Nearly 43% of Americans and 42% of Brits feel more comfortable traveling this year — but this doesn’t mean they should be comfortable with everyone knowing they’re traveling. Any location data you share on social media can be tempting to those wanting to break into homes or hotel rooms — whether to steal and exfiltrate data, or steal gaming consoles, jewelry, medications or even gifts under the tree.
4. Use Only Your Own Cords/Power Adapters
In our mobile-dependent society, it’s no surprise that cybercriminals have learned how to install malware in airport kiosks, USB charging stations and more. And while that “forgotten” iPhone charging cable might look tempting when your device is running on empty, even those can harbor malware. If you can’t find a secure charging area, ensure your device is powered off before plugging it in.
‘Tis the Season for Giving: Online Safety Tips
Even if you’re not traveling this year, chances are you’re buying gifts. While supply-chain challenges, pandemic considerations and more have made for a unique holiday shopping season, it’s important to put safety first when shopping online. Here are six things to look out for:
1. Holiday Phishing Emails
Perhaps you’ve received an invite to the Jones’ holiday party, a gift card or coupon, or an email from HR with details of an unexpected holiday bonus. If there’s an attachment, exercise extreme caution: It may harbor malware.
2. Spoofed Websites
Unfortunately for your wallet, emails boasting huge discounts at popular retailers are likely bogus. Walmart isn’t offering 70% off, and nobody is selling PlayStations for $100, not even during the holidays. If you enter your info into one of these lookalike retail (or charity) sites, the only thing you’re likely to get is your credentials stolen.
3. Fake Shipping Invoices
You’ve finished your shopping, and your gifts are on their way! But now FedEx is emailing to say your packages may not arrive in time and referring you to updated tracking information. Or your retailer is sending you a shipping label for returns, or verifying your gifts are being sent … to a completely different address. Look closely before you click: These emails usually aren’t from who they say they are.
4. Counterfeit Apps
Is that really the Target app or just a lookalike? Better double-check before you download and enter your payment information. Apple’s App Store and Google Play have safeguards in place to stop counterfeit apps, but some still occasionally get through.
5. Gift Card Scams
These originally took the form of “You’ve won a free gift card! Click here to claim!” In recent years, however, they’ve become more targeted, and may appear to offer gift cards as a bonus from your employer or a holiday gift from a friend. The easiest way to avoid being scammed? If you weren’t expecting a gift card from someone, ask them about it.
6. Santa’s Little Helpers
There are many services designed to send your child a letter from Santa for a small fee. But many times, these so-called “Santas” are really cybercriminals attempting to get you to click on a link and enter your payment information. A recent variation has scammers offering kits designed to take the stress and mess out of your elf’s holiday shenanigans (just move your elf and call it good!).
While the holiday season offers more than its share of scams, many can be put on ice with a little extra due diligence. Keep these holiday best practices in mind, and have a safe and happy holiday!
Interactive livestreaming platform Twitch acknowledged a “breach” after an anonymous poster on the 4chan messaging board leaked its source code, an unreleased Steam competitor from Amazon Game Studios, details of creator payouts, proprietary software development kits, and other internal tools.
The Amazon-owned service said it’s “working with urgency to understand the extent of this,” adding the data was exposed “due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.”
“At this time, we have no indication that login credentials have been exposed,” Twitch noted in a post published late Wednesday. “Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.”
The forum user claimed the hack is designed to “foster more disruption and competition in the online video streaming space” because “their community is a disgusting toxic cesspool.” The development was first reported by Video Games Chronicle, which said Twitch was internally “aware” of the leak on October 4. The leak has also been labeled as “part one,” suggesting that there could be more on the way.
The massive trove, which comes in the form of a 125GB Torrent, allegedly includes —
The entirety of Twitch’s source code with commit history “going back to its early beginnings”
Proprietary software development kits and internal AWS services used by Twitch
An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
Information on other Twitch properties like IGDB and CurseForge
The leak of internal source code poses a serious security risk in that it allows interested parties to search the source code for vulnerabilities. While the data doesn’t include password-related details, users are advised to change their credentials as a precautionary measure and turn on two-factor authentication for additional security.
In line with this memorandum, the Department of Homeland Security (DHS) is instructed to lead the development of preliminary cross-sector control system cybersecurity performance goals and sector-specific performance goals within one year of the memorandum.
Upon review, CISA and NIST have determined nine categories of recommended cybersecurity practices, using the categories as the foundation for preliminary control systems cybersecurity performance goals.
The nine categories are:
Risk Management and Cybersecurity Governance, which aims to “identify and document cybersecurity control systems using established recommended practices”.
Architecture and Design, which has the objective of integrating cybersecurity and resilience into system architecture in line with established best practices.
Configuration and Change Management. This category aims to document and control hardware and software inventory, system settings, configurations, and network traffic flows during the control system hardware and software lifecycles.
Physical Security, which aims to limit physical access to systems, facilities, equipment, and other infrastructure assets to authorized users.
System and Data Integrity, Availability, and Confidentiality. This category aims to protect the control system and its data against corruption, compromise, or loss.
Continuous Monitoring and Vulnerability Management, which aims to implement and perform continuous monitoring of control systems cybersecurity threats and vulnerabilities.
Training and Awareness, which aims to train personnel to have the fundamental knowledge and skills needed to determine control systems cybersecurity risks.
Incident Response and Recovery. This category aims to implement and test control system response and recovery plans with clearly defined roles and responsibilities.
Supply Chain Risk Management, which aims to identify risks associated with control system hardware, software, and managed services.
CISA explained that the nine categories’ goals outlined above are “foundational activities for effective risk management”, representing high-level cybersecurity best practices. The agency also said that these are not an exhaustive guide to all facets of an effective cybersecurity program.
As cyber threats and risks become more and more sophisticated and difficult to mitigate, it is important for critical infrastructure owners to future-proof their enterprises, minimizing operational risks and disturbances.
Apart from practices identified by CISA and NIST, owners and users should understand various practical countermeasures that should be considered during their planning and design phases.
It’s been a few days now since Facebook, Instagram, and WhatsApp went AWOL and experienced one of the most extended and rough downtime periods in their existence.
When that happened, we reported our bird’s-eye view of the event and posted the blog Understanding How Facebook Disappeared from the Internet where we tried to explain what we saw and how DNS and BGP, two of the technologies at the center of the outage, played a role in the event.
In the meantime, more information has surfaced, and Facebook has published a blog post giving more details of what happened internally.
As we said before, these events are a gentle reminder that the Internet is a vast network of networks, and we, as industry players and end-users, are part of it and should work together.
In the aftermath of an event of this size, we don’t waste much time debating how peers handled the situation. We do, however, ask ourselves the more important questions: “How did this affect us?” and “What if this had happened to us?” Asking and answering these questions whenever something like this happens is a great and healthy exercise that helps us improve our own resilience.
Today, we’re going to show you how the Facebook and affiliate sites downtime affected us, and what we can see in our data.
1.1.1.1
1.1.1.1 is a fast and privacy-centric public DNS resolver operated by Cloudflare, used by millions of users, browsers, and devices worldwide. Let’s look at our telemetry and see what we find.
First, the obvious. If we look at the response rate, there was a massive spike in the number of SERVFAIL codes. SERVFAILs can happen for several reasons; we have an excellent blog called Unwrap the SERVFAIL that you should read if you’re curious.
In this case, we started serving SERVFAIL responses to all facebook.com and whatsapp.com DNS queries because our resolver couldn’t reach the upstream Facebook authoritative servers. That was about 60 times more SERVFAILs than the average on a typical day.
If we look at all the queries, not specific to Facebook or WhatsApp domains, and we split them by IPv4 and IPv6 clients, we can see that our load increased too.
As explained before, this is due to a snowball effect associated with applications and users retrying after the errors and generating even more traffic. In this case, 1.1.1.1 had to handle more than the expected rate for A and AAAA queries.
Here’s another fun one.
DNS vs. DoT and DoH. Typically, DNS queries and responses are sent in plaintext over UDP (or TCP sometimes), and that’s been the case for decades now. Naturally, this poses security and privacy risks to end-users as it allows in-transit attacks or traffic snooping.
With DNS over TLS (DoT) and DNS over HTTPS, clients can talk DNS using well-known, well-supported encryption and authentication protocols.
Our learning center has a good article on “DNS over TLS vs. DNS over HTTPS” that you can read. Browsers like Chrome, Firefox, and Edge have supported DoH for some time now, WARP uses DoH too, and you can even configure your operating system to use the new protocols.
When Facebook went offline, we saw the number of DoT+DoH SERVFAIL responses grow to more than 300 times the average rate.
So, we got hammered with lots of requests and errors, causing traffic spikes to our 1.1.1.1 resolver and causing an unexpected load in the edge network and systems. How did we perform during this stressful period?
Quite well. 1.1.1.1 kept its cool and continued serving the vast majority of requests around the famous 10ms mark. An insignificant fraction of p95 and p99 percentiles saw increased response times, probably due to timeouts trying to reach Facebook’s nameservers.
Another interesting perspective is the distribution of the ratio between SERVFAIL and good DNS answers, by country. In theory, the higher this ratio is, the more the country uses Facebook. Here’s the map with the countries that suffered the most:
Here’s the top twelve country list, ordered by those that apparently use Facebook, WhatsApp and Instagram the most:
Country                  SERVFAIL/Good Answers ratio
Turkey                   7.34
Grenada                  4.84
Congo                    4.44
Lesotho                  3.94
Nicaragua                3.57
South Sudan              3.47
Syrian Arab Republic     3.41
Serbia                   3.25
Turkmenistan             3.23
United Arab Emirates     3.17
Togo                     3.14
French Guiana            3.00
Impact on other sites
When Facebook, Instagram, and WhatsApp aren’t around, the world turns to other places to look for information on what’s going on, other forms of entertainment or other applications to communicate with their friends and family. Our data shows us those shifts. While Facebook was going down, other services and platforms were going up.
To get an idea of the changing traffic patterns we look at DNS queries as an indicator of increased traffic to specific sites or types of site.
Here are a few examples.
Other social media platforms saw a slight increase in use, compared to normal.
Traffic to messaging platforms like Telegram, Signal, Discord and Slack got a little push too.
Nothing like a little gaming time when Instagram is down, we guess, when looking at traffic to sites like Steam, Xbox, Minecraft and others.
And yes, people want to know what’s going on and fall back on news sites like CNN, New York Times, The Guardian, Wall Street Journal, Washington Post, Huffington Post, BBC, and others:
Attacks
One could speculate that the Internet was under attack from malicious hackers. Our Firewall doesn’t agree; nothing out of the ordinary stands out.
Network Error Logs
Network Error Logging, NEL for short, is an experimental technology supported in Chrome. A website can issue a Report-To header and ask the browser to send reports about network problems, like bad requests or DNS issues, to a specific endpoint.
Cloudflare uses NEL data to quickly help triage end-user connectivity issues when end-users reach our network. You can learn more about this feature in our help center.
If Facebook is down and their DNS isn’t responding, Chrome will start reporting NEL events every time one of the pages in our zones fails to load Facebook comments, posts, ads, or authentication buttons. This chart shows it clearly.
WARP
Cloudflare announced WARP in 2019, and called it “A VPN for People Who Don’t Know What V.P.N. Stands For” and offered it for free to its customers. Today WARP is used by millions of people worldwide to securely and privately access the Internet on their desktop and mobile devices. Here’s what we saw during the outage by looking at traffic volume between WARP and Facebook’s network:
You can see how the steep drop in Facebook ASN traffic coincides with the start of the incident and how it compares to the same period the day before.
Our own traffic
People tend to think of Facebook as a place to visit. We log in, we access Facebook, we post. It turns out that Facebook likes to visit us too, quite a lot. Like Google and other platforms, Facebook uses an army of crawlers to constantly check websites for data and updates. Those robots gather information about website content, such as titles, descriptions, thumbnail images, and metadata. You can learn more about this on the “The Facebook Crawler” page and the Open Graph website.
Here’s what we see when traffic is coming from the Facebook ASN, supposedly from crawlers, to our CDN sites:
The robots went silent.
What about the traffic coming to our CDN sites from Facebook User-Agents? The gap is indisputable.
We see about 30% of a typical request rate hitting us. But it’s not zero; why is that?
We’ll let you in on a little secret. Never trust User-Agent information; it’s broken. User-Agent spoofing is everywhere. Browsers, apps, and other clients deliberately change the User-Agent string when they fetch pages from the Internet to hide, to obtain access to certain features, or to bypass paywalls (pay-walled sites want sites like Facebook to index their content so that they get more traffic from links).
Fortunately, there are newer, and privacy-centric standards emerging like User-Agent Client Hints.
Core Web Vitals
Core Web Vitals are the subset of Web Vitals, an initiative by Google to provide a unified interface to measure real-world quality signals when a user visits a web page. Such signals include Largest Contentful Paint (LCP), First Input Delay (FID), and Cumulative Layout Shift (CLS).
We use Core Web Vitals with our privacy-centric Web Analytics product and collect anonymized data on how end-users experience the websites that enable this feature.
One of the metrics we can calculate using these signals is the page load time. Our theory is that if a page includes scripts coming from external sites (for example, Facebook “like” buttons, comments, ads), and they are unreachable, its total load time gets affected.
We used a list of about 400 domains that we know embed Facebook scripts in their pages and looked at the data.
Now let’s look at the Largest Contentful Paint. LCP marks the point in the page load timeline when the page’s main content has likely loaded. The faster the LCP is, the better the end-user experience.
Again, the page load experience got visibly degraded.
The outcome seems clear. The sites that use Facebook scripts in their pages took 1.5x more time to load their pages during the outage, with some of them taking more than 2x the usual time. Facebook’s outage dragged the performance of some other sites down.
Conclusion
When Facebook, Instagram, and WhatsApp went down, the Web felt it. Some websites got slower or lost traffic, other services and platforms got unexpected load, and people lost the ability to communicate or do business normally.
Today we are going to discuss the top 10 DNS attacks and how to mitigate them. DNS, the Domain Name System, is under constant attack, and with threats growing there is no end in sight.
DNS fundamentally uses UDP, and in some cases TCP as well. UDP is connectionless, so DNS traffic carried over it can be spoofed easily.
That makes the DNS protocol remarkably popular as a DDoS tool. DNS, often called the internet’s phonebook, is part of the global internet foundation that translates between well-known names and the numbers a computer needs to reach a website or send an email.
DNS has long been a target for attackers looking to steal corporate and confidential data, and the warnings of the past year indicate a worsening of the situation.
According to IDC’s research, the average cost associated with a DNS attack rose by 49% compared with the year before. In the U.S., the average cost of a DNS attack comes out at more than $1.27 million.
Approximately half of the respondents (48%) report losing more than $500,000 to a DNS attack, and about 10% say they lost more than $5 million on each breach. In addition, the majority of U.S. companies say it took them more than one day to mitigate a DNS attack.
Strikingly, the data show that both in-house and cloud applications were affected: damage to in-house applications grew by 100%, and it is now the most widespread form of damage that IDC recorded.
Thus, “DNS attacks are moving away from pure brute force to more complicated attacks running from the internal network. These complicated attacks will push organizations to use intelligent mitigation tools so that they can easily cope with insider threats.”
Therefore we have listed the top 10 DNS attacks and the proper solutions for them, so that organizations can recognize the attacks and resolve them quickly.
Famous DNS Attack Types:
DNS Cache Poisoning Attack
Distributed Reflection Denial of Service (DRDoS)
DNS Hijacking
Phantom Domain Attack
TCP SYN Floods
Random Subdomain Attack
DNS Tunneling
DNS Flood Attack
Domain Hijacking
Botnet-based Attacks
DNS Cache Poisoning Attack
First we have cache poisoning, one of the most frequent attacks. Its main aim is to redirect web users to scam websites. For example, a user enters gmail.com in the web browser to check their mailbox.
If the DNS cache has been poisoned, it is not the gmail.com page that is displayed but a scam page chosen by the criminal, for example to harvest the mailbox credentials. Users who typed the correct domain name will not notice that the website they are on is not the real one but a fake.
Cache poisoning
It gives cybercriminals an excellent opportunity to use phishing techniques to steal information, whether login credentials or credit card details, from unsuspecting victims. The attack can be devastating, depending on several factors, including the attacker's purpose and the reach of the poisoned cache.
DNS Attack Mitigation – Cache poisoning
There are several ways to prevent this attack. To begin with, IT teams should configure DNS servers to rely as little as possible on trust relationships with other DNS servers. Doing so makes it more difficult for attackers to use their own DNS servers to corrupt their targets' servers. IT teams should also configure their DNS name servers to:
Restrict recursive queries.
Store only data related to the requested domain.
Restrict query responses to information about the requested domain only.
There are also tools available to help organizations prevent cache poisoning. The best known is DNSSEC (Domain Name System Security Extensions), developed by the Internet Engineering Task Force, which provides reliable authentication of DNS data.
Distributed Reflection Denial of Service (DRDoS)
Distributed reflective denial of service (DRDoS) attacks focus on taking down the availability of an asset with an overwhelming volume of UDP responses. The attacker sends a DNS, NTP, or similar request
with a spoofed source IP, so that a much larger response is sent to the host that actually lives at the forged address.
DRDoS Attack
UDP is the protocol of choice for this variety of attack because it does not build connection state. By contrast, a spoofed source IP in the SYN packet of a TCP connection causes the attempt to fail immediately, because the SYN/ACK goes to the spoofed host and the handshake never completes.
This is what makes reflection possible. When these attacks are run at scale, the idea of distributed reflection becomes clear: many endpoints send spoofed UDP requests, generating responses that are all concentrated on a single target.
Once these response packets begin to arrive, the target loses availability.
How to Prevent?
Organizations should prepare for DDoS attacks in advance; it is much harder to respond once an attack is already underway.
DDoS attacks cannot be stopped entirely, but some steps can be taken to make it harder for an attacker to render a network unresponsive. The following steps help distribute organizational assets so that you do not present a single, rich target to an attacker.
First, locate servers in different data centers.
Ensure that your data centers are located on different networks.
Make sure that data centers have multiple network paths.
Make sure that the data centers, or the networks the data centers are connected to, have no serious security holes or single points of failure.
For an organization that relies on servers and Internet connectivity, it is essential to make sure that devices are geographically dispersed and not concentrated in a single data center.
If the resources are already geographically dispersed, it is essential to check that each data center has more than one path to the internet, and to ensure that not all data centers use the same internet provider.
DNS Hijacking
DNS hijacking is a technique in which an attacker redirects queries to a rogue DNS (Domain Name System) server. It may be achieved using malicious software or through unauthorized modification of a server.
DNS Hijacking
Once the attacker controls the DNS, they can direct users who rely on it to a web page that looks identical but carries extra content such as advertisements. They can also direct users to pages hosting malware or to a third-party search engine.
How to Prevent?
A DNS name server is a sensitive piece of infrastructure that needs proper protection, because it can be hijacked and used by hackers to launch DDoS attacks on others. Here are some measures to prevent DNS hijacking.
Check for resolvers on your network.
Strictly restrict access to the name server.
Use measures against cache poisoning.
Promptly patch known vulnerabilities.
Separate the authoritative name server from the resolver.
Restrict zone changes.
Phantom domain attack
Phantom domain attacks are somewhat comparable to random subdomain attacks. In this kind of attack, the attackers target your DNS resolver and force it to use up resources resolving what we call "phantom" domains, whose servers never respond to queries.
Phantom Domain Attack
The aim of this attack is to make the DNS resolver wait a long time for answers, ultimately leading to failure or degraded DNS performance.
How to Prevent?
To identify phantom domain attacks, analyze your log messages. You can also follow the steps below to mitigate this attack.
First, increase the number of recursive clients.
Use an appropriate combination of the following parameters for the best results.
Limit recursive queries per server and limit recursive queries per zone.
Enable hold-down for non-responsive servers and monitor recursive queries per zone.
When you enable any of these options, the default values are set at a level that works well for general operation. Keep the defaults when using these settings, and make sure you understand the consequences before replacing the default values.
TCP SYN Floods
A SYN flood is a simple form of denial-of-service (DDoS) attack that can target any internet-connected system that implements Transmission Control Protocol (TCP) services.
A SYN flood is a type of TCP state-exhaustion attack that attempts to consume the connection state tables present in common infrastructure components such as load balancers, firewalls, Intrusion Prevention Systems (IPS), and the application servers themselves.
TCP SYN Flooding Attack
This type of attack can bring down even high-capacity devices built to manage millions of connections. A TCP SYN flood occurs when the attacker floods the system with SYN requests to overwhelm the target and make it incapable of responding to new legitimate connection requests.
It drives all of the target server's communication ports into a half-open state.
How to Prevent?
Firewalls and IPS devices, while important to network security, are not sufficient to protect a network from complex DDoS attacks.
Today's more sophisticated attack methods demand a multi-faceted approach that looks beyond both internet infrastructure and network availability.
The following capabilities contribute to stronger DDoS protection and faster mitigation of TCP SYN flood attacks.
First, support for both inline and out-of-band deployment, to ensure there is no single point of failure on the network.
Extensive network visibility, with the capacity to see and analyze traffic from different parts of the network.
Multiple sources of threat intelligence, including statistical anomaly detection, customizable threshold alerts, and fingerprints of known threats, to ensure fast and reliable detection.
Scalability to handle attacks of all sizes, from low-end to high-end.
Random Subdomain Attack
This is not the most prevalent type of DNS attack, but it does happen from time to time on various networks. Random subdomain attacks can be classified as DoS attacks, since they pursue the same goal as a simple DoS.
In this case, attackers send a large number of DNS queries against a healthy, active domain name. The queries do not target the primary domain name itself but a large number of non-existent subdomains.
Random Subdomain Attack
The main aim of this attack is to create a DoS that saturates the authoritative DNS server serving the primary domain name, eventually interrupting all DNS record lookups.
It is an attack that is hard to identify, as the queries come from infected users who do not even know they are sending these queries, from what are otherwise legitimate computers.
How to Prevent?
Here is a simple method for mitigating random subdomain attacks in about 30 minutes.
First, learn the techniques for mitigating attacks that generate extreme traffic on resolvers and on the web resources associated with the victim's names, which can be taken down.
Next, learn about modern capabilities such as Response Rate Limiting (RRL) for protecting DNS servers that are used to amplify attacks.
DNS tunneling
This is a cyber attack that carries encoded data from other applications inside DNS responses and queries.
DNS Tunneling
This technique was not originally created to attack hosts but to bypass network controls; today it is mostly used to carry out remote attacks.
To implement DNS tunneling, attackers need access to a compromised system, as well as access to an internal DNS server, a domain name, and an authoritative DNS server.
How to Prevent?
To configure the firewall to identify and block DNS tunneling, create an application rule that uses a protocol object. The three steps to mitigate this type of attack are:
Create an access rule.
Create a protocol object.
Create an application rule.
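As an added example that is not part of the original post, the following Python detector runs over DNS query logs and flags the two patterns described above: random subdomain floods (many distinct names under one zone, mostly NXDOMAIN) and DNS tunneling (long, high-entropy labels or TXT/NULL queries from one client). The log line format, the thresholds and the sample lines are constructed assumptions.

```python
"""Added example, not part of the original post: a small detector run over
DNS query logs for the two patterns described above, random subdomain
floods and DNS tunneling. The log format, thresholds and sample lines are
constructed assumptions for this example."""
import math
import random
import re
from collections import Counter, defaultdict

# Assumed log line format (constructed): "<client_ip> <qname> <qtype> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (client, qname, qtype, rcode) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, qname, qtype, rcode = m.groups()
    return client, qname.rstrip(".").lower(), qtype.upper(), rcode.upper()


def base_domain(qname, depth=2):
    """Treat the last two labels as the zone (an assumption; a real
    deployment would consult a public-suffix list)."""
    return ".".join(qname.split(".")[-depth:])


def label_entropy(label):
    """Shannon entropy in bits per character; encoded payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_random_subdomain_floods(lines, min_unique=50, min_nx_ratio=0.9):
    """Flag zones hit by many distinct subdomain names that mostly return
    NXDOMAIN, the signature of a random subdomain attack."""
    uniq, clients = defaultdict(set), defaultdict(set)
    total, nx = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, _, rcode = rec
        base = base_domain(qname)
        if qname == base:
            continue  # apex queries are not subdomain probes
        total[base] += 1
        uniq[base].add(qname)
        clients[base].add(client)
        if rcode == "NXDOMAIN":
            nx[base] += 1
    return {
        b: {"unique": len(uniq[b]), "clients": len(clients[b]),
            "nx_ratio": round(nx[b] / total[b], 2)}
        for b in total
        if len(uniq[b]) >= min_unique and nx[b] / total[b] >= min_nx_ratio
    }


def find_tunneling_suspects(lines, min_hits=10, min_len=30, min_entropy=3.5):
    """Flag (client, zone) pairs sending many queries whose leftmost label is
    long and high-entropy, or that use TXT/NULL records, typical of tunnels."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, qtype, _ = rec
        first = qname.split(".")[0]
        payload_like = len(first) >= min_len and label_entropy(first) >= min_entropy
        if payload_like or qtype in ("TXT", "NULL"):
            hits[(client, base_domain(qname))] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


def sample_log():
    """Constructed sample: normal traffic, a random subdomain flood against
    victim.example from three clients, and a tunnel from one client."""
    rng = random.Random(7)
    lines = ["10.0.0.5 www.example.com A NOERROR"] * 20
    for i in range(60):
        sub = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
        lines.append(f"10.0.0.{10 + i % 3} {sub}.victim.example A NXDOMAIN")
    for _ in range(15):
        payload = "".join(rng.choice("0123456789abcdef") for _ in range(40))
        lines.append(f"10.0.0.99 {payload}.tun.example TXT NOERROR")
    return lines


if __name__ == "__main__":
    print(find_random_subdomain_floods(sample_log()))
    print(find_tunneling_suspects(sample_log()))
```

On real resolver logs, tune the thresholds per zone and pair the flood detector with Response Rate Limiting on the authoritative side, since detection alone does not shed the load.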
DNS Flood Attack
This is one of the most basic types of DNS attack: in this Distributed Denial of Service (DDoS), the attacker hits your DNS servers directly.
The aim of a DNS flood is to overload your server completely so that it can no longer serve DNS requests, since all the DNS zones it hosts are affected when resolving resource records.
DNS Flood Attack
This kind of attack is easily mitigated when the source is a single IP. It becomes complicated when it turns into a DDoS involving hundreds or thousands of hosts.
While many queries are immediately identified as malicious, many legitimate-looking requests are also sent to mislead defense mechanisms, which makes mitigation somewhat difficult at times.
How to Prevent?
The Domain Name System (DNS) has become a target of Distributed Denial of Service (DDoS) attacks. When a DNS server is under a DDoS flood attack, all the domain data under that server becomes unreachable, ultimately making the corresponding domain names unavailable.
For this type of attack, we have introduced a method that combines periodic stale-content updates with a maintained list of the most commonly queried domain names across several DNS servers. Our simulation results show that this method can serve more than 70% of the total cache replies during a massive DNS flood attack.
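To make the stale-content idea above concrete, here is an added example (not the post's or the paper's code) of a toy resolver cache that tracks the most commonly queried names, refreshes them periodically, keeps stale copies only for those names, and serves them when the authoritative server is unreachable. The upstream table, TTLs, timings and query mix are constructed assumptions.

```python
"""Added example, not from the original post: a toy resolver cache that
models the flood mitigation described above, namely keeping a list of the
most commonly queried names, refreshing them periodically, and serving stale
records when the authoritative server is unreachable. The upstream, TTLs,
timings and query mix are constructed assumptions."""
from collections import Counter


class FloodedAuthoritative:
    """Constructed upstream: answers from a fixed table, unreachable under flood."""

    TABLE = {"a.example": "192.0.2.1", "b.example": "192.0.2.2",
             "c.example": "192.0.2.3", "d.example": "192.0.2.4",
             "e.example": "192.0.2.5"}

    def __init__(self):
        self.flooded = False

    def __call__(self, name):
        if self.flooded:
            raise ConnectionError("authoritative server under DNS flood")
        return self.TABLE[name]


class StaleCapableCache:
    def __init__(self, upstream, ttl, top_n):
        self.upstream = upstream      # callable(name) -> ip, raises ConnectionError
        self.ttl = ttl
        self.top_n = top_n
        self.entries = {}             # name -> (ip, expires_at)
        self.popularity = Counter()   # the "most commonly queried names" list

    def refresh_popular(self, now):
        """Periodic job: re-fetch the top_n names so their copies are fresh,
        and drop expired copies of everything else. Stale copies are therefore
        retained only for popular names."""
        popular = {name for name, _ in self.popularity.most_common(self.top_n)}
        for name in popular:
            try:
                self.entries[name] = (self.upstream(name), now + self.ttl)
            except ConnectionError:
                pass  # keep whatever copy we already have
        for name in list(self.entries):
            if name not in popular and self.entries[name][1] <= now:
                del self.entries[name]

    def resolve(self, name, now):
        """Return (ip, source) with source in {"cache", "upstream", "stale"};
        raise LookupError only when nothing can be served."""
        self.popularity[name] += 1
        cached = self.entries.get(name)
        if cached and cached[1] > now:
            return cached[0], "cache"
        try:
            ip = self.upstream(name)
        except ConnectionError:
            if cached:
                return cached[0], "stale"
            raise LookupError(name)
        self.entries[name] = (ip, now + self.ttl)
        return ip, "upstream"


def simulate():
    """Warm the cache with skewed traffic, run the refresh job after all TTLs
    have lapsed, then replay the traffic during a flood. Returns a Counter of
    answer sources (constructed scenario)."""
    upstream = FloodedAuthoritative()
    cache = StaleCapableCache(upstream, ttl=60, top_n=3)
    traffic = (["a.example"] * 50 + ["b.example"] * 25 + ["c.example"] * 15
               + ["d.example"] * 7 + ["e.example"] * 3)
    for t, name in enumerate(traffic):             # t = 0..99, all reachable
        cache.resolve(name, now=t)
    cache.refresh_popular(now=170)                 # every TTL has expired by now
    upstream.flooded = True
    served = Counter()
    for t, name in enumerate(traffic, start=300):  # refreshed copies expired too
        try:
            served[cache.resolve(name, now=t)[1]] += 1
        except LookupError:
            served["failed"] += 1
    return served


def stale_hit_ratio(served):
    """Fraction of flood-time queries still answered from the stale cache."""
    return served["stale"] / sum(served.values())
```

In this constructed run the three popular names cover 90% of the flood-time queries, while the two unpopular ones fail; the ratio depends entirely on how skewed the query mix is.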
Domain Hijacking
This type of attack involves changes to your DNS server and domain registrar settings that direct your traffic away from the real servers to new destinations.
Domain hijacking is usually carried out by exploiting a vulnerability in the domain name registrar's system, but it can also be performed at the DNS level when attackers take control of your DNS records.
Once attackers have hijacked your domain name, they use it to launch malicious activities such as setting up fake pages for payment systems like PayPal, Visa, or banks. Attackers produce an identical copy of the real website that captures critical personal information such as email addresses, usernames, and passwords.
How to Prevent?
You can mitigate domain hijacking with the few steps listed below.
Upgrade the DNS in your application infrastructure.
Use DNSSEC.
Secure access.
Client lock.
Botnet-based Attacks
A botnet is a number of Internet-connected devices that can be used to perform a distributed denial-of-service attack (DDoS attack), steal data, send spam, and give the attacker access to each device and its connection.
Botnet-based Attacks
Botnets are diverse and evolving threats, and these attacks are bound to develop in parallel with our growing dependence on digital devices, the internet, and future technologies.
Botnets can be regarded both as attacks in themselves and as platforms for future attacks. With that as the starting point, this section looks at how a botnet is defined and organized, how it is created, and how it is used.
How to Prevent?
This is one of the DNS attacks victims face every day. To mitigate this type of attack, follow the steps below.
First, understand your vulnerabilities properly.
Next, secure the IoT devices.
Separate mitigation myths from facts.
Discover, classify and control.
Conclusion
As you can see, the DNS service is essential for keeping your company's websites and online services working day to day. If you are looking for ways to avoid these kinds of DNS attacks, this post should help. So, what do you think? Share your views and thoughts in the comment section below, and if you liked this post, do not forget to share it with your friends and family.
The massive state-sponsored espionage campaign that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far wider in scope, sophistication, and impact than previously thought.
News of Microsoft’s compromise was first reported by Reuters, which also said the company’s own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter.
The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers.
In a statement to The Hacker News via email, the company said —
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Characterizing the hack as “a moment of reckoning,” Microsoft president Brad Smith said it has notified over 40 customers located in Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US that were singled out by the attackers. 44% of the victims are in the information technology sector, including software firms, IT services, and equipment providers.
CISA Issues New Advisory
The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) published a fresh advisory, stating the “APT actor [behind the compromises] has demonstrated patience, operational security, and complex tradecraft in these intrusions.”
“This threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” it added.
But in a twist, the agency also said it identified additional initial infection vectors, other than the SolarWinds Orion platform, that have been leveraged by the adversary to mount the attacks, including a previously stolen key to circumvent Duo’s multi-factor authentication (MFA) to access the mailbox of a user via Outlook Web App (OWA) service.
Digital forensics firm Volexity, which tracks the actor under the moniker Dark Halo, said the MFA bypass was one of the three incidents between late 2019 and 2020 aimed at a US-based think tank.
The entire intrusion campaign came to light earlier this week when FireEye disclosed it had detected a breach that also pilfered its Red Team penetration testing tools.
Since then, a number of agencies have been found to be attacked, including the US departments of Treasury, Commerce, Homeland Security, and Energy, the National Nuclear Security Administration (NNSA), and several state department networks.
While many details continue to remain unclear, the revelation about new modes of attack raises more questions about the level of access the attackers were able to gain across government and corporate systems worldwide.
Microsoft, FireEye, and GoDaddy Create a Killswitch
Over the last few days, Microsoft, FireEye, and GoDaddy seized control over one of the main GoDaddy domains — avsvmcloud[.]com — that was used by the hackers to communicate with the compromised systems, reconfiguring it to create a killswitch that would prevent the SUNBURST malware from continuing to operate on victims’ networks.
For its part, SolarWinds has not yet disclosed how exactly the attacker managed to gain extensive access to its systems to be able to insert malware into the company’s legitimate software updates.
Recent evidence, however, points to a compromise of its build and software release system. An estimated 18,000 Orion customers are said to have downloaded the updates containing the back door.
Symantec, which earlier uncovered more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, has now confirmed the deployment of a separate second-stage payload called Teardrop that’s used to install the Cobalt Strike Beacon against select targets of interest.
The hacks are believed to be the work of APT29, a Russian threat group also known as Cozy Bear, which has been linked to a series of breaches of critical US infrastructure over the past year.
The latest slew of intrusions has also led CISA, the US Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) to issue a joint statement, stating the agencies are gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.
Calling for stronger steps to hold nation-states accountable for cyberattacks, Smith said the attacks represent “an act of recklessness that created a serious technological vulnerability for the United States and the world.”
“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency,” he added.
One of the many features of an Active Directory Password Policy is the maximum password age. Traditional Active Directory environments have long used password aging as a means to bolster password security. Native password aging in the default Active Directory Password Policy is relatively limited in configuration settings.
Let’s take a look at a few best practices that have changed in regards to password aging. What controls can you enforce in regards to password aging using the default Active Directory Password Policy? Are there better tools that organizations can use regarding controlling the maximum password age for Active Directory user accounts?
What password aging best practices have changed?
Password aging for Active Directory user accounts has long been a controversial topic in security best practices.
While many organizations still apply more traditional password aging rules, noted security organizations have provided updated password aging guidance. Microsoft has said that they are dropping the password-expiration policies from the Security baseline for Windows 10 v1903 and Windows Server v1903. The National Institute of Standards and Technology (NIST) has long offered a cybersecurity framework and security best practice recommendations.
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.” NIST helps to explain the guidance change in their FAQ page covering the Digital Identity Guidelines.
It states: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
With the new guidance from the above organizations and many others, security experts acknowledge that password aging, at least in itself, is not necessarily a good strategy to prevent the compromise of passwords in the environment.
The recent changes in password aging guidance also apply to traditional Microsoft Active Directory Password Policies.
Active Directory Password Policy Password Aging
The capabilities of the password change policies in default Active Directory Password Policies are limited. You can configure the maximum password age, and that is all. By default, Active Directory includes the following Password Policy settings:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Minimum password length audit
Password must meet complexity requirements
Store passwords using reversible encryption
When you double click the maximum password age, you can configure the maximum number of days a user can use the same password.
When you look at the explanation given for the password age, you will see the following in the Group Policy setting:
“This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.”
Defining the maximum password age with Active Directory Password Policy
With the default policy setting, you really can either turn the policy on or off and then set the number of days before the user password expires. What if you had further options to control the maximum password age and set different values based on the password complexity?
Specops Length Based Password Policy
As mentioned, recent guidance from many cybersecurity best practice authorities recommends against forced password changes and details the reasons for this change. However, many organizations may still leverage password aging as a part of their overall password security strategy to protect against user passwords falling into the wrong hands. What if IT admins had features in addition to what is provided by Active Directory?
Specops Password Policy provides many additional features when compared to the default Active Directory Password Policy settings, including password expiration. One of the options contained in the Specops Password Policy is called "Length based password aging."
Using this setting, organizations can define different “levels” of password expiration based on the user password’s length. It allows much more granularity in how organizations configure password aging in an Active Directory environment compared to using the default Active Directory Password Policy configuration settings.
It also allows targeting the weakest passwords in the environment and forcing these to age out the quickest. As you will note in the screenshot, the length-based password aging in Specops Password Policy is highly configurable.
It includes the following settings:
Number of expiration levels – Enter how many expiration levels there will be. An expiration level determines how many extra days the user will have until their password expires and they are required to change it. This depends on how long the user’s password is. To increase the number of levels, move the slider to the right. The maximum number of expiration levels that can exist is 5.
Characters per level – The number of additional characters per level that define the extra days in password expiration
Extra days per level – How many additional expiration days each level is worth.
Disable expiration for the last level – Passwords that meet the requirements for the final expiration level in the list will not expire.
Configuring the Length based password policy in Specops Password Policy
Specops allows easily notifying end-users when their password is close to expiring. It will inform end-users at login or by way of sending an email notification. You can configure the days before expiration value for each of these settings.
Configuring password expiration notifications in Specops Password Policy
Organizations define the minimum and maximum password length configurations in the Password Rules area of the Specops Password Policy configuration. If you change the minimum and maximum password length configuration, the password length values in each level of the length-based password expiration will change as well.
Configuring the minimum and maximum password length
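The settings listed above (expiration levels, characters per level, extra days per level, disabling expiration for the last level), the expiry notifications, and the way level thresholds follow the minimum password length can be modelled in a few lines. The following Python is an added example, not Specops code; it assumes each level is reached by adding chars_per_level characters to the minimum length and is worth extra_days_per_level days on top of the ordinary maximum password age, and the numbers used are constructed, not product defaults.

```python
"""Added example, not Specops code: a model of the length-based password
aging settings listed above. It assumes each expiration level is reached by
adding chars_per_level characters to the minimum length and is worth
extra_days_per_level days on top of the ordinary maximum password age; the
numbers used are constructed, not product defaults."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LengthBasedAging:
    base_max_age_days: int        # the ordinary maximum password age
    min_length: int               # minimum length from the Password Rules area
    expiration_levels: int        # 1..5, the number of extra levels
    chars_per_level: int          # additional characters needed per level
    extra_days_per_level: int     # additional days each level is worth
    disable_expiration_last_level: bool = False

    def __post_init__(self):
        if not 1 <= self.expiration_levels <= 5:
            raise ValueError("the post states a maximum of 5 expiration levels")
        if self.chars_per_level < 1 or self.extra_days_per_level < 0:
            raise ValueError("invalid level configuration")

    def level_for(self, password_length: int) -> int:
        """Level 0 is the base policy; longer passwords climb one level per
        chars_per_level characters, capped at the configured number of levels."""
        if password_length < self.min_length:
            raise ValueError("password shorter than the configured minimum length")
        extra_chars = password_length - self.min_length
        return min(extra_chars // self.chars_per_level, self.expiration_levels)

    def max_age_days(self, password_length: int) -> Optional[int]:
        """Effective maximum age for a password of this length; None means the
        password never expires (last level with expiration disabled)."""
        level = self.level_for(password_length)
        if self.disable_expiration_last_level and level == self.expiration_levels:
            return None
        return self.base_max_age_days + level * self.extra_days_per_level

    def level_table(self) -> List[Tuple[int, int, Optional[int]]]:
        """(level, minimum length for that level, max age) rows; these length
        thresholds shift when the minimum password length changes."""
        rows = []
        for level in range(self.expiration_levels + 1):
            length = self.min_length + level * self.chars_per_level
            rows.append((level, length, self.max_age_days(length)))
        return rows

    def should_warn(self, password_length: int, age_days: int, days_before: int = 7) -> bool:
        """Whether the login or e-mail expiry notification should fire."""
        max_age = self.max_age_days(password_length)
        if max_age is None:
            return False
        return max_age - age_days <= days_before


if __name__ == "__main__":
    policy = LengthBasedAging(base_max_age_days=90, min_length=8, expiration_levels=3,
                              chars_per_level=4, extra_days_per_level=30,
                              disable_expiration_last_level=True)
    for level, length, max_age in policy.level_table():
        print(f"level {level}: {length}+ chars -> {max_age or 'never expires'}")
```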
Combined with other Specops Password Policy features, such as breached password protection, the length-based password expiration strengthens enterprise password policies for both on-premises and remote workers.
Wrapping Up
Password aging has long been a feature of Active Directory Password Policies in most enterprise environments. However, as attackers get better at compromising passwords, new security best practice guidance is no longer recommending organizations make use of standard password aging.
Specops Password Policy provides compelling password aging capabilities that allow extending password aging features compared to default Active Directory Password Policies. By adding expiration levels, Specops Password Policy allows effectively targeting weak passwords in the environment by quickly aging these passwords out. End-users can use strong passwords much longer.
Organizations can even decide never to expire specific passwords that meet the defined password length. Using Specops Password Policy features, including length-based password expiration, helps to ensure more robust password security in the environment. Click here to learn more.