Skip to main content
Skip to main content
Microsoft Security

Threats in the Cloud – Part 1: DNS Attacks

  • Tim Rains

The popularity of Cloud services has increased immensely over the past few years. Transparency into how these services are architected and managed has played a big role in this growth story. Many of the CISOs I talk to about leveraging Cloud services want insight into the types of threats that Cloud services face, in order to feel comfortable with hosting their organization’s data and applications in the Cloud. In the latest volume of the Microsoft Security Intelligence Report, volume 15, we include details on a couple of threats that Cloud service providers and their customers should be aware of. But for organizations that have been running their own data centers and web properties, these threats will be familiar and come as no surprise; attacks on the global Domain Name System (DNS) infrastructure and Distributed Denial of Service (DDoS) attacks are something that proprietors of Internet-connected IT infrastructures and Cloud services, big and small, need to be aware of and plan for in order to manage the risk of interruption to their operations. These attacks have the potential to interrupt Internet services such as websites, portals, and Cloud services, and to infect Internet connected devices with malware.

Domain Name System (DNS) attacks
Attacks on the global DNS are some of the most serious and potentially damaging attacks affecting the Internet today. If attackers are able to successfully compromise a registrar that manages DNS records, as has happened in the past, it has the potential to impact a broad number of organizations and individuals.

If attackers successfully compromise one of the name servers or registries that Internet users rely on for name resolution, they can potentially redirect DNS queries to a malicious name server. For example, a compromise of the authoritative name server for (or any other domain) could result in requests for being redirected to an IP address of the attacker’s choosing, which may serve malware or contain a maliciously altered version of the website (as seen in Figure 1). The potential for damage increases when attackers focus on domains higher in the DNS namespace hierarchy; a hypothetical compromise of one of the root name servers could conceivably put every domain on the Internet in jeopardy.

Figure 1: compromised registry can result in malicious responses being issued to DNS queries


Subsequently, country-code top-level domain (ccTLD) registries have become popular targets for attacks, especially in relatively small markets. A ccTLD is a top-level domain that is generally used or reserved for a country or region, such as .ca for Canada for example. Today there are more than 300 ccTLD name registries responsible for servicing hundreds of millions of domain names worldwide. Like many organizations, Microsoft maintains registered domains under a number of different ccTLDs for its regional subsidiaries, such as for Microsoft Canada and for Microsoft Japan.

Unfortunately, the name servers run by some ccTLD registrars are vulnerable to attack, which can negatively affect individuals, nonprofits, and government organizations as well small companies and large corporations such as Microsoft. Between May of 2012 and July of 2013, 17 ccTLDs that manage DNS records for Microsoft (and many other organizations) in specific countries and regions were compromised. Typically such compromises are perpetrated using a combination of Structured Query Language (SQL) injection exploits and social engineering.

If attackers are successful, when computer users attempt to reach a website using a URL that is resolved by a hijacked DNS server, their system is typically redirected to a server controlled by an attacker, unbeknownst to the user. The proprietors of the targeted website(s) usually have no control over the ccTLD and typically have no knowledge of the attack. Attacker operated servers typically host malicious content such as exploit kits, malware, phishing sites, or inappropriate content. The website that the user sees can look like the legitimate website they wanted to visit and typically does not provide any indication that it is malicious. Attackers use malicious IFrames (the size of a pixel) or malicious Jscript to expose the unsuspecting user’s system to a variety of exploits. If all the software on the user’s system has not been kept up-to-date with security updates, one or more of these exploits could allow attackers to successfully compromise the system and allow attackers to download malware onto the system. Attackers will then have remote access to the system and potentially control it remotely. The user’s system can then be used for a wide range of illicit activities without the user’s knowledge or consent, such as DDoS attacks, spam projects, hosting stolen and pirated content and software, stealing data and software keys from the compromised system, potentially stealing the compromised computer’s users’ identities, etc. I mentioned DDoS attacks; these attacks can target Cloud services and websites alike, potentially interrupting service to users. I will discuss DDoS attacks in depth in part two of this series. Compromised systems are also used to host malicious websites for attackers to use in attacks on other Internet users – a very effective way for attackers to increase the scale of their attacks and maintain their anonymity. This type of attack is very popular with some attackers because it can enable them to expose a large volume of Internet users and connected devices to drive-by download attacks and phishing attacks, increasing the odds that they can compromise large numbers of systems.

Microsoft believes that close collaboration in this effort between industry peers, partners, and industry groups such as ICANN can help increase awareness for ccTLDs and reduce the unfortunate impact of DNS records manipulation.

Guidance to Help Manage the Risk
This type of DNS hijacking diminishes public confidence in the victimized organizations and adversely affects their reputations. Security best practices, tools, training and awareness can help prevent these types of attacks. Below are some specific suggestions to help manage the risk of DNS attacks.

  • Since SQL injection attacks are a common way for attackers to compromise servers, understanding and protecting servers from SQL injection attacks is important. Microsoft has published free guidance on how to protect systems from SQL injection attacks in these SDL Quick Security Reference Guides.
  • Because of the frequency and potentially serious impact of attacks on Internet registries, Microsoft provides free help to registries. Microsoft offers a ccTLD Registry Security Assessment Service, free of charge, that helps registry operators find and fix vulnerabilities and avoid compromise.
  • For owners of websites in vulnerable ccTLDs, preventing DNS attacks at the TLD level can be very difficult or impossible. Website owners should urge their ccTLD registrars to visit and take advantage of the Microsoft ccTLD Registry Security Assessment Service to find and mitigate any vulnerabilities that may leave domains open to attack.
  • Because attackers also target individual domains for DNS hijacking directly, website owners should act to ensure that their designated authoritative name servers cannot be changed without their approval. Many domain name registrars offer domain locking services that can help prevent DNS records from being changed without the domain owner’s approval. Website owners should take advantage of any locking services offered by their registrars, and should urge registrars to offer such services if they do not. Site owners should also take general precautions to secure their domain names against unauthorized changes, such as carefully protecting the usernames and passwords they use to access their domain registry accounts, and only using SSL connections to review their accounts or make changes.
  • Internet connected devices need to be kept up-to-date with the latest security updates, to reduce the likelihood of compromise if they do get exposed to a drive-by download attack or malware. This includes keeping all software and hardware updated, not just operating systems and browsers.  For example, Oracle Java has been one of the most heavily attacked pieces of software in the world in recent years because so many systems run out of date versions of it. For more details, please see these articles:

    What You Should Know About Drive-By Download Attacks – Part 1
    What You Should Know About Drive-By Download Attacks – Part 2
    The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date

The next part of this series will cover Distributed Denial of service (DDoS) attacks.

Tim Rains
Trustworthy Computing