Last week, Russian media carried news of large-scale DNS (Domain Name System) attacks on Yandex, the country's biggest technology company and its dominant search engine, essentially the Google of Russia. The attacks abused weaknesses in the block-list system of Roskomnadzor, Russia's state censor, which the government uses to ban sites that do not comply with its laws and regulations. As reported, the attackers manipulated DNS records and domain registrations so that already-banned domains resolved to Yandex's IP addresses; because the censor's system resolves banned domains and adds the resulting addresses to the list automatically, Yandex's own addresses ended up blacklisted, and ISPs that enforce the list began cutting off legitimate Yandex traffic.
Over the past five years, weaknesses in Roskomnadzor's blocking system have been exploited repeatedly, with a large wave of attacks in 2017. Because of this, some Russian internet providers use DPI (Deep Packet Inspection) to block banned sites selectively rather than dropping every connection to a listed IP address. Large-scale DNS attacks like last week's can still hit ISP customers hard: customers of large operators may see slower access to the affected resources, while customers of smaller providers that lack such selective filtering can lose access to them entirely.
Yandex's IT teams fought the attack for several days and kept its sites from being blocked outright, but the attack did not go unnoticed by Yandex users, who reported a significant slowdown in access to its services.
You might think that the block-list abuse used against Yandex is unique to Russia, but the truth is that any company anywhere in the world can fall victim to this class of attack. DNS hijacking is one of the most common techniques cybercriminals use today for phishing and data theft. By compromising a registrar account, a resolver, or the DNS settings of a home router, they replace the IP addresses of legitimate websites with those of carefully crafted phishing sites, so that legitimate traffic is silently diverted. The users typed the correct domain name into their browsers, so they have no reason to suspect they are on a malicious site. Often these sites ask users to hand over their credentials, which is exactly what happened in the DNS hijack of the largest banks in Brazil.
DNS itself is easy to tamper with, so building security controls on top of it is a weak foundation: a user, a piece of malware, or a compromised router can simply switch to a different resolver, tunnel queries over DoH/DoT, or connect to a hard-coded IP address and never consult the filtering resolver at all. Despite this, many organizations still rely on DNS-based security products, which lack robust enforcement such as content inspection or real-time malware detection and therefore cannot provide comprehensive protection. Much IoT malware connects to hard-coded IP addresses rather than domain names, so such products are also unable to stop the rapidly proliferating attacks involving IoT devices, a trend that will only escalate.
Full protection calls for a network-based approach that is far harder to bypass. Unlike DNS-based solutions, network-based security inspects every request leaving the end user's device, DNS and HTTP/S alike, and can see the actual hostname or URL the user is trying to reach: the full URL for plain HTTP, and for HTTPS the server name carried in the TLS handshake (the full URL only if the traffic is decrypted). It provides multi-layered, real-time protection against modern cyberattacks such as phishing, ransomware, IoT-based attacks and DDoS.
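As an added illustration of the two points above (this is example code written for this page, not code from the original post or from Allot): the Python script below parses DNS responses and TLS ClientHello messages and applies two checks. `check_dns_response` flags a hijack when a pinned domain resolves to an address outside its expected range, the kind of divergence a user whose resolver has been tampered with never sees. `check_tls_flow` reads the server name from the TLS handshake itself, so a connection to a blocked host is caught even when the client never asked the filtering resolver for it. The domains `bank.example` and `banned.example`, the documentation address ranges, and the sample packets are all constructed for the example.

```python
import ipaddress
import struct

# Constructed policy data for the example (documentation ranges, example domains):
# a pinned known-good range for a domain we care about, and a domain to block.
PINNED = {"bank.example": ipaddress.ip_network("192.0.2.0/24")}
BLOCKLIST = {"banned.example"}


def parse_dns_name(data, offset):
    """Read a DNS name at offset, following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:                                # root label ends the name
            if not jumped:
                end = offset
            return ".".join(labels).lower(), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_message(data):
    """Return (question names, [(name, ipv4), ...] for A records) from a wire message."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = parse_dns_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, offset = parse_dns_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:               # A record
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return questions, answers


def parse_tls_sni(record):
    """Extract server_name from a TLS ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:         # handshake record, ClientHello
        return None
    hs, pos = record[5:], 4 + 2 + 32                   # skip handshake hdr, version, random
    pos += 1 + hs[pos]                                 # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:                              # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii").lower()
        pos += ext_len
    return None


def check_dns_response(data):
    """Hijack indicator: A answers for a pinned name that fall outside its known range."""
    _, answers = parse_dns_message(data)
    return [(n, ip) for n, ip in answers
            if n in PINNED and ipaddress.ip_address(ip) not in PINNED[n]]


def check_tls_flow(record):
    """Network-level check: is this connection going to a blocked host, regardless of
    which resolver (if any) the client used to obtain the IP address?"""
    sni = parse_tls_sni(record)
    return sni is not None and sni in BLOCKLIST


# --- constructed sample traffic for the example (not captured from any real network) ---
def build_dns_response(qname, ips):
    """Build a DNS A response using a compression pointer (0xC00C) in each answer."""
    qn = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + qn + b"\x00\x01\x00\x01" + answers


def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello whose only extension is server_name."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(check_dns_response(build_dns_response("bank.example", ["192.0.2.10"])))   # []
    print(check_dns_response(build_dns_response("bank.example", ["203.0.113.7"])))  # [('bank.example', '203.0.113.7')]
    print(check_tls_flow(build_client_hello("banned.example")))                      # True
```

The server name is visible in plaintext in TLS 1.2 and, unless Encrypted Client Hello is in use, in TLS 1.3 as well, which is why inline inspection can enforce policy on a flow without ever having seen the DNS lookup that preceded it; a DNS-only filter has nothing to act on once the client resolves the name elsewhere or connects straight to an IP address.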
If you are worried about DNS attacks or other threats to your network, find out how Allot NetworkSecure can help you understand your network and keep it safe from malicious activity.