There is a new security mechanism coming to DNS called DNS over TLS (DoT). The current DNS infrastructure sends queries and answers in clear text, mostly over UDP, which means they can be read by anyone sniffing the traffic. For some users it also provides that extra bit of privacy.
Current DNS implementations accept queries on port 53 (UDP, with TCP used for larger responses). The traditional setup has no encryption and no real spoofing protection either: UDP is connectionless, so a resolver cannot verify where a packet really came from, and the only things tying an answer back to a query are the 16-bit transaction ID and the source port.
With DNS over TLS the client and the server establish a secure channel over TCP port 853. There is a TLS handshake between the client and the server, after which the DNS messages are carried inside the TLS session, using the same two-byte length prefix that DNS over TCP already uses.
If you are not familiar with TLS (Transport Layer Security), it is the protocol that provides encryption, integrity and server authentication for HTTPS websites and for many VPNs.
Software vendors on the host and server side will need to add support for this, and there will most likely be a mix of traditional and secure DNS servers for a while before it becomes the norm. HTTPS has been around for ages and we still see HTTP sites around, so the transition will be slow.
For security admins, you will need to consider the ramifications of encrypting DNS traffic: you can no longer see the hostnames being resolved on the wire, so content filtering and similar controls will need to adapt. The usual options are to run your own DoT-capable resolver that your clients are pointed at (you still see and log the queries there) or to block outbound TCP 853, which makes clients either fall back to plain DNS or fail outright, depending on how strictly they are configured.
With cloud blowing up we can't even block a certain IP, as many websites are hosted on shared resources such as AWS or Azure; blocking one IP can potentially block tens or hundreds of websites.
You can read the full RFC for DNS over TLS here https://tools.ietf.org/html/rfc7858
DNS over TLS support is now being pushed in the latest versions of Android: Android 9 (Pie) ships a "Private DNS" setting that sends the device's queries over DoT.
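To make the wire format concrete, here is an added example (my own code, not from the RFC or the original post) that builds a DNS query, frames it with the two-byte length prefix DoT inherits from DNS over TCP, and parses the answer. The `resolve_over_tls` function opens a certificate-verified TLS connection to port 853 of whatever resolver you pass it; the `SAMPLE_RESPONSE` bytes are constructed here so the parser can be exercised offline, and 192.0.2.1 is a documentation address, not a real answer.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS port from RFC 7858


def build_query(name, qtype=1, txid=None):
    """Return (txid, wire_query) for a recursive query; qtype 1 = A record."""
    if txid is None:
        # Random ID: the only anti-spoofing field plain DNS has besides the source port
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def frame_tcp(message):
    """DoT carries messages exactly as DNS over TCP does: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(message)) + message


def parse_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name ends after the first pointer in the stream
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_response(expected_id, message):
    """Return (rcode, [(name, ttl, ipv4), ...]) from the answer section, rejecting mismatched IDs."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: possible spoofed or stale answer")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = parse_name(message, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = parse_name(message, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata = message[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return rcode, answers


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed before the full message arrived")
        buf += chunk
    return buf


def resolve_over_tls(name, server_ip, server_name, port=DOT_PORT, timeout=5.0):
    """Query one DoT resolver; server_name is the hostname its certificate must match."""
    txid, query = build_query(name)
    ctx = ssl.create_default_context()  # verifies chain and hostname: without that, no real privacy
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(txid, recv_exact(tls, length))


# Constructed sample answer for "example.com A" with ID 0x1234: QR+RD+RA flags, one answer that
# uses a compression pointer to offset 12, TTL 300, address 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    txid, query = build_query("example.com", txid=0x1234)
    print(frame_tcp(query).hex())
    print(parse_response(txid, SAMPLE_RESPONSE))  # (0, [('example.com', 300, '192.0.2.1')])
```

The transaction ID check is kept even though TLS already authenticates the channel: it is cheap, and it is the only check a plain UDP client gets, which is exactly the gap the page describes. To try it against a real resolver you would call `resolve_over_tls("example.com", "<resolver ip>", "<resolver hostname>")` with a provider that publishes a certificate for that hostname.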
Shodan was created as a search engine for devices. For example, if you search "DLINK" you will find all of the D-Link routers and devices found by the crawler. The crawler looks for devices with publicly reachable ports such as HTTP or Telnet.
You can also search by service type, such as DNS, and you will see all devices that have port 53 open. Let's take a look.
Here is the Shodan main page. You can perform some basic searches without a login, but you will need an account for full site access.
A search on D-Link devices brings up the following results (I have removed the IPs).
As you can see above, the search engine has found services on these devices that are exposed to the internet. Let's drill down on one of them to see what the results are.
As you can see above, the device has NTP exposed to the internet, a big no-no: NTP servers that still answer the "monlist" query are used as reflectors in a lot of amplification DDoS attacks, since a small request gets a much larger response sent to a spoofed victim address.
You can get creative with your searches. I am not going to do that in this article, but you can take some time to explore the tool.
This tool sheds a lot of light on the issues facing this industry: a lot of consumer devices, and even corporate devices, are improperly configured and exposing these services to the internet.
What's more, some of these devices still have the default credentials!
There has been a new security flaw found in WPA2: a security researcher was able to manipulate packets in the WPA 4-way handshake and perform a key reinstallation attack (KRACK).
1.) The basics of this attack are that an attacker would need to be within radio range of your network.
2.) The attacker replays the 3rd message of the handshake, which tricks the client into reinstalling a key that is already in use. Reinstalling the key resets the per-packet number (the nonce) that the encryption uses, so keystream gets reused, and that lets the attacker decrypt traffic that should be protected by WPA2.
Linux, macOS and Android were all found to be affected, with Linux and Android the worst off: an implementation bug in wpa_supplicant 2.4 and 2.5 (used by Android 6.0 and later) makes them install an all-zero key when the message is replayed, so the attacker does not even need to recover keystream first.
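To show why reinstalling a key that is already in use is so damaging, here is an added toy model (my own code, not the researcher's and not from the original post). It replaces AES-CCMP with a SHAKE-based keystream so it runs with the standard library alone; the property it relies on is the one real CCMP has too: the keystream depends only on the key and the per-packet number, and WPA2 resets that number to zero whenever a key is installed. `Wpa2Client`, `PatchedWpa2Client` and the sample frames are all constructed for the example; the patched variant models the approach patched supplicants took, which is to refuse to reinstall a key that is already installed.

```python
import hashlib


def toy_keystream(ptk, packet_number, length):
    """Stand-in for CCMP counter mode: output depends only on the key and the per-packet nonce."""
    nonce = packet_number.to_bytes(6, "big")  # the CCMP packet number is 48 bits
    return hashlib.shake_128(ptk + nonce).digest(length)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Wpa2Client:
    """Vulnerable client: every key install resets the packet number, as WPA2 specifies."""

    def __init__(self):
        self.ptk = None
        self.packet_number = 0

    def install_ptk(self, ptk):
        # Handshake message 3 received: install the pairwise key and restart the nonce counter.
        self.ptk = ptk
        self.packet_number = 0

    def encrypt_frame(self, plaintext):
        self.packet_number += 1
        keystream = toy_keystream(self.ptk, self.packet_number, len(plaintext))
        return self.packet_number, xor_bytes(plaintext, keystream)


class PatchedWpa2Client(Wpa2Client):
    """Mitigated client: a key that is already installed is not reinstalled, so a replayed
    message 3 cannot rewind the packet number."""

    def install_ptk(self, ptk):
        if ptk == self.ptk:
            return
        super().install_ptk(ptk)


def key_reinstallation_attack(client, ptk, known_frame, secret_frame):
    """Replay message 3 between two frames; return the recovered secret, or None if nonces differ."""
    client.install_ptk(ptk)                        # legitimate message 3
    pn1, c1 = client.encrypt_frame(known_frame)    # attacker can guess this plaintext (ARP, DHCP...)
    client.install_ptk(ptk)                        # attacker replays message 3 -> reinstall
    pn2, c2 = client.encrypt_frame(secret_frame)
    if pn1 != pn2:
        return None  # no nonce reuse, nothing to work with
    # Same key + same nonce => same keystream, so c1 xor c2 == p1 xor p2.
    return xor_bytes(xor_bytes(c1, c2), known_frame)


if __name__ == "__main__":
    ptk = b"\x11" * 16                              # constructed pairwise key
    known = b"ARP who-has 192.0.2.1 tell host0"     # constructed 32-byte frame
    secret = b"password=hunter2 secret!"           # constructed 24-byte frame
    print(key_reinstallation_attack(Wpa2Client(), ptk, known, secret))         # b'password=hunter2 secret!'
    print(key_reinstallation_attack(PatchedWpa2Client(), ptk, known, secret))  # None
```

The real attack also has to block the client's reply to message 3 so the access point retransmits it, and the all-zero key variant on wpa_supplicant is worse than this model because the attacker knows the key outright; but the keystream-reuse step above is why "read the traffic" follows from "reinstall the key".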
This is a perfect example of why it is important to use a VPN service when connected to public Wi-Fi: if you did fall victim to this attack, it would be ineffective against traffic encapsulated in a VPN tunnel, since the attacker would only recover the encrypted VPN packets.
See below for a demo of this attack from the researcher who found it.
It is highly recommended to check your router for firmware updates; if none are available, it may be time to replace your Wi-Fi router to better protect yourself.
You will also want to check for software patches for your operating systems, since the main variant of this attack targets the client side, so patching laptops and phones matters at least as much as patching the router.
In my day-to-day job, I have been responsible for mitigating DDoS attacks and making sure that they are detected in a timely manner.
The company I work for has an awesome platform to mitigate DDoS attacks, with an alert system and analytics, but I came across a public tool where you can enter an IP or domain and check if there has been a DDoS against that target.
DDoS Mon gets data from telecoms and other sources around the world to compile a list of DDoS attacks. I have personally used this tool and compared it to known real attacks, and let me tell you, this tool is very accurate. It's great to be able to quickly search for attacks, and it's easy to use the URL to search for an attack.
Here is a snippet of some interesting data; there is much more on the site.
In conclusion, this tool is very useful and can be incorporated as another tool in a SOC environment, or used by any business that suspects it may have experienced attacks but doesn't have the resources to check.
This tool is also great for research purposes.
I would like to know what you think about this tool! Send me an email with your thoughts or leave a comment!