HC3 warns healthcare sector of DNS NXDOMAIN attacks, provides mitigations

The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) published Friday a sector alert covering fake Domain Name System (DNS) requests for non-existent domains (NXDOMAINs). A trusted third party shared information with HC3 regarding a distributed denial-of-service (DDoS) attack, which it has been tracking since last November, that floods targeted networks and servers with fake DNS NXDOMAIN requests.

The currently identified Tactics, Techniques, and Procedures (TTPs) for the campaign consist of a large number of DNS queries for non-existent hostnames under legitimate domains, the HC3 said. The traffic consists of UDP packets encapsulated in IPv4 and IPv6; DNS servers respond with an NXDOMAIN error; source IPs are widely distributed and could be spoofed.

“A DNS NXDOMAIN flood DDoS attack is one of the various denial-of-service attacks that will target the DNS. The threat actor wants to overload the DNS server with a large volume of requests, which can be either non-existent or invalid,” the HC3 noted. “In this type of DDoS, the DNS server will spend time trying to locate something that does not exist instead of processing the legitimate user request. As the volume of invalid requests increases, the authoritative server will begin to slow down, preventing legitimate requests from getting a response. Additionally, legitimate clients trying to access the website will increase the load even further.”

The HC3 also added that, in most cases, the DNS proxy server and the DNS authoritative server will use all their time handling those bad requests. “When successful, the outcome of these attacks can result in higher utilization of resources on the server, and the cache will be filled up with NXDOMAIN replies. This can ultimately slow or completely prevent an authorized user from gaining access to a website or services.” 

“Like other DDoS attacks, these are also carried out by large botnets, which can consist of thousands of compromised devices located worldwide, making detecting and blocking this type of DNS attack difficult,” according to the HC3. “As a result, NXDOMAIN DDoS attacks could negatively impact network providers, website owners, and end-users or customers.”

HC3 said that if network providers cannot control or mitigate the attack, it may lead to their customers being unable to access their websites and services. 

“Website or other service providers are typically the intended victim of NXDOMAIN attacks and are affected by having their service inaccessible to legitimate customers,” HC3 noted. “End users are also affected because they cannot access the products or services offered by the website that is under attack.” 

NETSCOUT said that when a DNS proxy server is under a DNS NXDOMAIN flood DDoS attack, it will constantly send invalid requests to the respective DNS authoritative server. “As these requests are invalid, the Authoritative server will respond with an NXDOMAIN error response which will be passed back to the client. As the volume of invalid requests increases, the Authoritative server will quickly slow down, resulting in legitimate requests not getting a response. The legitimate clients will then retry the requests, resulting in the load increasing even further on both the Proxy server and the Authoritative server,” it added.

The signs of such a DDoS attack are a very high CPU load on the DNS servers and a very high rate of NXDOMAIN replies being generated, it added.

During normal operations, receiving small amounts of NXDOMAIN responses is considered normal, according to the HC3. “They can result from several things, such as users mistyping web addresses or dead hyperlinks that reference servers which no longer exist. In most cases, these requests are typically redirected to authoritative nameservers, which are the DNS servers used to host the records of public services, so that users and clients across the Internet can locate them.”

The HC3 calls upon healthcare organizations to remain cautious when blocking IPs, because this could result in legitimate users being prevented from accessing public services. 

According to NETSCOUT, there are several mitigations available for DNS NXDOMAIN flood DDoS attacks. These include blackhole routing/filtering suspected domains and servers, implementing DNS response rate limiting, and blocking requests from the client’s IP address for a configurable period of time. Organizations must also be sure that cache refresh takes place, ensuring continuous service. Additionally, they must lower the timeout for recursive name lookup to free up resources in the DNS resolver, increase the time-to-live (TTL) on existing records, and apply rate limiting on traffic to overwhelmed servers.
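The indicators above (a high rate of NXDOMAIN replies for never-repeated hostnames under a legitimate domain, from widely distributed sources) and the per-client blocking mitigation can both be checked against resolver logs. The following is an added example, not code from HC3 or NETSCOUT; it assumes a simplified, constructed log format of `<unix_ts> <client_ip> <qname> <rcode>`, approximates the zone as the last two labels, and treats the per-source count only as a signal, since the alert notes that source IPs may be spoofed.

```python
import re
from collections import defaultdict

# Constructed resolver log (not from the page): "<unix_ts> <client_ip> <qname> <rcode>".
SAMPLE_LOG = """\
1700000000 10.1.1.5 www.example-hospital.test NOERROR
1700000001 203.0.113.10 k3j9x.example-hospital.test NXDOMAIN
1700000002 198.51.100.7 q0plm.example-hospital.test NXDOMAIN
1700000002 203.0.113.11 zz81a.example-hospital.test NXDOMAIN
1700000003 192.0.2.9 b7vmn.example-hospital.test NXDOMAIN
1700000003 203.0.113.10 ttq2w.example-hospital.test NXDOMAIN
1700000004 10.1.1.7 wwww.example-hospital.test NXDOMAIN
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (ts, client_ip, qname, rcode) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            ts, ip, qname, rcode = m.groups()
            yield int(ts), ip, qname.lower().rstrip("."), rcode.upper()

def zone_of(qname):
    return ".".join(qname.split(".")[-2:])  # last two labels; assumption: no PSL lookup

def flag_flooded_zones(text, min_queries=5, nx_ratio=0.5, churn_ratio=0.8):
    """Zones with a high NXDOMAIN share made of mostly never-repeated names from many sources."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "sources": set()})
    for _, ip, qname, rcode in parse_log(text):
        z = stats[zone_of(qname)]
        z["total"] += 1
        if rcode == "NXDOMAIN":
            z["nx"] += 1
            z["names"].add(qname)
            z["sources"].add(ip)
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < min_queries or s["nx"] == 0:
            continue
        ratio, churn = s["nx"] / s["total"], len(s["names"]) / s["nx"]
        if ratio >= nx_ratio and churn >= churn_ratio:
            flagged[zone] = {"nx_ratio": round(ratio, 2), "sources": len(s["sources"])}
    return flagged

def sources_over_limit(text, max_nx=2):
    """Clients over an NXDOMAIN budget (timed-block candidates); sources may be spoofed."""
    counts = defaultdict(int)
    for _, ip, _, rcode in parse_log(text):
        counts[ip] += rcode == "NXDOMAIN"  # True counts as 1
    return sorted(ip for ip, n in counts.items() if n >= max_nx)
```

A benign log with a handful of typo-driven NXDOMAINs stays below the ratio threshold and is not flagged, which matches the HC3 note that small amounts of NXDOMAIN traffic are normal.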

In February, the HC3 issued an analyst note that focuses on the threat from lesser-known but potent ransomware variants, such as the MedusaLocker ransomware, which should also be a source of concern and attention by healthcare security decision-makers and defenders. The MedusaLocker ransomware is currently targeting unsecured RDP (remote desktop protocol) servers, desktops, and vulnerabilities in the software.
