Cybersecurity Ventures predicts that cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. Banking and Finance (BF) industries are especially vulnerable to cyberattacks due to the large amount of funds that are digitally stored and transferred. In fact, according to a report from Boston Consulting Group (BCG), cyberattacks have hit financial services firms 300 times more than other companies!
As per the report published by EFFICIENTIP in June 2019, titled 2019 Global DNS Threat Report, 82% of companies experienced DNS attacks, and 63% of those companies experienced downtime as a result. The report also revealed that organizations in the financial services sector suffer the highest cost per DNS attack compared to organizations in other industries.
The number of companies that suffered DNS-based attacks has grown 5% over 2018, reaching an alarming 82% in 2019.
The report also stated: “DNS is critical to ensure service continuity. Faulty or ineffective DNS services can negatively affect the perception of any organization (from clients, partners or employees), impact your e-commerce applications, resulting in lost revenue, and ruin a brand image.”
What is DNS?
DNS, an acronym for Domain Name System (often referred to as Domain Name Server), can be thought of as the phonebook of the internet. Communication over the internet is based on the Internet Protocol (IP) and the Address Resolution Protocol (ARP). Each resource on the internet is reached by its Internet Protocol address, which under IPv4 is a 32-bit address. It is very difficult for people to access resources over the internet by IP address. Say, for example, the official URL of Zensar Technologies were only accessible using https://18.104.22.168: such a link is very hard to remember. So, what is the solution? The answer is a Domain Name System (DNS) name, like www.zensar.com, which is internally mapped to the IP address 22.214.171.124. Whenever a user requests the website www.zensar.com, the DNS name is converted to the IP address in the background and the resource, https://126.96.36.199, is accessed by the user. Figure 2 shows the working of the DNS concept at an abstract level.
DNS Cache Poisoning Attack
There are several types of DNS-based attacks which have caused severe damage to Banking and Financial organizations in the past. The most common of them is DNS Cache Poisoning (often termed DNS Spoofing), which can redirect a legitimate request to a malicious website (which can compromise the end-user's system) or to a fake website (which may look identical to the requested one). This kind of attack is especially dangerous when bank login credentials or debit/credit card information is being entered. Fake websites can also install a virus, worm or trojan on the end-user's system.
Explanation: Refer to Figure 3. The client requested the website www.test.com, which should resolve to the resource at 172.16.10.45, but the DNS server has been compromised and the attacker has successfully injected a fake entry for www.test.com. In this case, the request is routed to the system at 172.16.10.190 instead.
Blockchain as a scope and solution to DNS cache poisoning attacks:
Blockchain is one of the emerging technologies of the recent era that can play a vital role in mitigating many of the cybersecurity issues reported today.
Figure 4 shows the proposed methodology for protecting DNS servers using encryption combined with user-defined ports.
In the first phase, a predefined port is used to initiate communication with the DNS server (for example, in the case of HTTP transmission, the default port 80 would be used). Simultaneously, a randomly generated port number, along with the client's IP address, is encrypted with the help of the blockchain and transmitted to the DNS server. Because ports 0-1023 are reserved for system services, any other valid port generated by the system is used.
In the second phase, the data is decrypted at the DNS server using the key with which it was encrypted at the DNS client. After decryption, the DNS server obtains the IP address and the randomly generated port from the first phase. On success, an acknowledgment is sent from the DNS server to the DNS client.
The acknowledgment simply means that the DNS server is ready to begin data transmission on the user-defined port.
In the third phase, the client initiates transmission on the user-defined port, and requests and responses are exchanged accordingly. The random, user-defined port number is used explicitly to prevent a man-in-the-middle attack, which in turn addresses the DNS cache poisoning attack explained in Figure 3. Figure 5 shows encrypted requests received at the DNS server and their decryption.
Figure 6 shows how DNS cache poisoning is prevented by the proposed architecture.
Refer to Figure 6. In this case, the attacker does not know on which port the exchange is going to take place. Even if the request is intercepted by the attacker, the attacker does not hold the corresponding decryption key. As a result, the attacker cannot read the request and fails to acknowledge the user (172.16.10.120 in our case). Hence, no further communication occurs between the client and the attacker. In addition, every event (a transaction, in blockchain terms) performed on the DNS server is logged to the blockchain ledger for audit purposes. This also helps identify whether any DNS-based attacks are still occurring on the network.
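The three-phase exchange and the audit ledger described above, as an added example that is not part of the original article or any project it describes. It assumes a pre-shared symmetric key between client and DNS server (standing in for the article's unspecified blockchain-based encryption), a constructed HMAC-based cipher, and the client address 172.16.10.120 from Figure 6; a party without the key cannot open the phase-1 payload and therefore gets no acknowledgment, and any later edit to the ledger is detected.

```python
import hashlib, hmac, json, os, secrets
# Constructed demo of the article's three-phase exchange. A pre-shared symmetric
# key stands in for the page's unspecified blockchain-based encryption (assumption).
SHARED_KEY = b"constructed-demo-key"

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (demo construction only)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, payload: dict) -> bytes:
    """Phase 1 payload: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce, plain = os.urandom(16), json.dumps(payload).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()):
        return None  # wrong key or tampered blob: holder cannot learn the port/IP
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def client_phase1(key: bytes, client_ip: str):
    port = secrets.randbelow(65535 - 1024 + 1) + 1024  # skip system ports 0-1023
    return port, seal(key, {"ip": client_ip, "port": port})

def server_phase2(key: bytes, blob: bytes):
    # Decrypt and acknowledge; no ack is sent if the payload cannot be opened
    info = open_(key, blob)
    return None if info is None else {"ack": True, "ip": info["ip"], "port": info["port"]}

def _chain_hash(prev: str, event: dict) -> str:
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Hash-chained, append-only log of DNS-server events for audit."""
    def __init__(self): self.blocks = []
    def append(self, event: dict):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "event": event, "hash": _chain_hash(prev, event)})
    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _chain_hash(prev, b["event"]):
                return False
            prev = b["hash"]
        return True
```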
DNS is more than ever a central network foundation, enabling every client to access every application. Any impact on DNS performance has major business implications. At the same time, the fact that most traffic first passes through a DNS resolution gives DNS unique visibility over both legitimate and malicious network activity.
Blockchain can help organizations save millions of dollars each year by encrypting the data and preventing hackers from accessing it. This can be one of the ways organizations fortify their DNS defenses. This type of defense is especially critical for Banking and Financial Sector businesses, which we know are targeted more often and have more to lose in terms of reputation and financial impact.