4.5 Network Infrastructure
4.5.2 DNS Servers
DNS servers can be regarded as major infrastructure devices; in 4G networks in particular, a number of services and functions operate by means of DNS names. Given their role, availability is obviously the main security objective. Furthermore, the integrity of their data is crucial, as modifications might lead to large-scale attacks like traffic redirection. Usually, confidentiality is not an important security objective for DNS (servers and data).
In the following, the threat categories specified in chapter 3.2 are discussed for a sample DNS server.
T1 Flooding an interface
As DoS attacks against DNS servers have been quite popular for a long time, a certain occurrence rate of such attacks can be expected (at least once per year, which gives a "3" for the likelihood). Some operators might use dedicated DNS servers for their core environments (not providing services for other parts of the network or for customers). Furthermore, DNS servers can in general cope quite well with packet floods. The vulnerability is consequently rated "2". In case of a successful attack the availability of the DNS service will be impacted (at least for the duration of the attack), but due to factors like records being cached on resolving devices the overall impact is not rated higher than "3".
T2 Crashing a network element via a protocol or application implementation flaw
The most widely deployed DNS server software (ISC BIND) has been susceptible to various DoS attacks in the past, but in most networks attacks against DNS servers by means of malformed packets have only been observed quite rarely in recent years. The likelihood is thus rated as "2". Given the overall maturity of the main DNS server variants (e.g. Microsoft DNS, ISC BIND, djbdns), the vulnerability is rated low ("2") as well. As such an attack might require an affected system to be rebooted, the impact is rated slightly higher than in the case of a flooding attack (see above).
T3 Eavesdropping
As DNS data is mostly public anyway, obtaining it by means of eavesdropping is a very uncommon attack method (therefore likelihood = "1"). By default the data is transmitted unencrypted, which would render it susceptible to eavesdropping attacks (if those were performed at all). As confidentiality of DNS data usually is not a main security objective, the overall impact of such an attack would be low ("2").
T4 Unauthorized access to sensitive data on a network element via leakage
There's a well-known attack against DNS servers that abuses the (built-in and architecturally required) so-called "zone transfer" capability of DNS. If performed successfully, an attacker gets hold of full DNS databases by just sending a certain request and might thereby identify systems to attack further or gain information about the overall infrastructure. This is a very common attack (likelihood = "4"). Most operators deny this capability to unauthorized systems, though (therefore the vulnerability is rated "2"). If it still happens, the impact is slightly higher than in the eavesdropping scenario, as an attacker gets the full database (as opposed to some records).
T5 Traffic modification
If an attacker could modify DNS data in transit, she might be able to perform traffic redirection or severely impact the availability of certain (core) services. This would require the attacker to be able to modify network traffic within core network segments, which is hard to achieve; this is the very reason why this attack cannot be observed frequently in typical operator networks (likelihood rated as "2"). Usually there's no integrity protection of DNS packets. On the other hand, again, the DNS traffic relevant for the correct function of 4G networks does not cross network links that are easily accessible. The latter two factors combined lead to an overall vulnerability of "3". In case of a successful attack the impact would be high (reduced availability or redirection of some functions, which might still require other attacks to be performed in parallel, hence impact rated as "4").
T6 Data modification on a network element
While DNS in general includes some functionality for data to be updated over the network (see RFC 2136), this feature is (next to) never used in operator networks. Attacks in this space are very rare (likelihood "1"); the vulnerability is rated as "2" as the feature usually is not enabled (although, if enabled, it usually does not require authentication). The actual impact would depend on the records to be modified. Overall, in case of a successful attack, it can be considered comparable to the "traffic modification" scenario.
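The server-side checks that follow from the T1, T4 and T6 discussions above (query floods, zone transfers requested by hosts other than the operator's own secondaries, and dynamic updates reaching a server where the feature is not supposed to be in use) can be expressed as a small log analysis. The following Python script is an added example and is not part of the original report. It assumes log lines in the layout of BIND's query and dynamic-update log categories (the regular expressions are written against that layout and may need adjustment for other server software), uses an assumed allow-list of secondary servers and an assumed rate threshold, and runs on constructed sample lines that use documentation addresses only.

```python
"""Scan BIND-style DNS server log lines for the threat patterns discussed above.

Added illustration, not code from the original report. Assumptions: the log
format follows BIND's "queries" and "update" log categories with print-time
enabled (the regexes below are written against that layout), the allow-list of
secondary servers and the rate threshold are made-up values, and all sample log
lines are constructed with RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
# "... client 203.0.113.77#33445 (core.example.net): query: core.example.net IN AXFR -T ..."
QUERY_RE = re.compile(TS + " " + CLIENT + r" \([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)")
# "... client 198.51.100.7#53022: updating zone 'core.example.net/IN': adding an RR ..."
UPDATE_RE = re.compile(TS + " " + CLIENT + r": updating zone '(?P<name>[^']+)'")

# Hosts that may legitimately request zone transfers (the operator's own
# secondaries); assumed value, mirroring the server-side allow-list that the
# text describes most operators as enforcing.
ALLOWED_SECONDARIES = {"10.0.0.53"}


@dataclass
class Event:
    ts: datetime
    ip: str
    kind: str   # "query" or "update"
    qtype: str  # record type for queries, "UPDATE" for dynamic updates
    name: str   # queried name or zone being updated


def parse_line(line: str):
    """Return an Event for a query or update log line, None for anything else."""
    m = QUERY_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        return Event(ts, m["ip"], "query", m["qtype"], m["name"])
    m = UPDATE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        return Event(ts, m["ip"], "update", "UPDATE", m["name"])
    return None


def analyze(log_text, allowed_transfer_clients, rate_threshold=5, window_seconds=1.0):
    """Flag the T1/T4/T6 patterns in a block of log text.

    T4: AXFR/IXFR from a client outside the allow-list.
    T6: any RFC 2136 dynamic update reaching the server (the text says the
        feature is essentially never used, so every occurrence is worth a look).
    T1: a client issuing >= rate_threshold queries inside a sliding window.
    """
    findings = {"unauthorized_axfr": [], "dynamic_updates": [], "flood_sources": []}
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    flooders = set()
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev.kind == "update":
            findings["dynamic_updates"].append((ev.ip, ev.name))
            continue
        if ev.qtype in ("AXFR", "IXFR") and ev.ip not in allowed_transfer_clients:
            findings["unauthorized_axfr"].append((ev.ip, ev.name))
        window = recent[ev.ip]
        window.append(ev.ts)
        while (ev.ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= rate_threshold:
            flooders.add(ev.ip)
    findings["flood_sources"] = sorted(flooders)
    return findings


# Constructed sample: two ordinary lookups, a transfer from the legitimate
# secondary, a transfer from an outside host, a dynamic update attempt and a
# burst of six queries from one source inside a single second.
SAMPLE_LOG = "\n".join([
    "24-Jan-2024 10:15:30.001 client @0x7f3a1c0 10.0.0.21#40001 (mme1.core.example.net): query: mme1.core.example.net IN A -E(0) (10.0.0.1)",
    "24-Jan-2024 10:15:31.120 client @0x7f3a1c0 10.0.0.21#40002 (sgw1.core.example.net): query: sgw1.core.example.net IN AAAA -E(0) (10.0.0.1)",
    "24-Jan-2024 10:15:35.500 client @0x7f3a1d8 10.0.0.53#52000 (core.example.net): query: core.example.net IN AXFR -T (10.0.0.1)",
    "24-Jan-2024 10:15:36.200 client @0x7f3a1e0 203.0.113.77#33445 (core.example.net): query: core.example.net IN AXFR -T (10.0.0.1)",
    "24-Jan-2024 10:15:38.900 client @0x7f3a1f0 198.51.100.7#53022: updating zone 'core.example.net/IN': adding an RR at 'www.core.example.net' A 203.0.113.5",
] + [
    f"24-Jan-2024 10:15:40.{i}00 client @0x7f3a200 198.51.100.99#1025 (a.core.example.net): query: a.core.example.net IN A -E(0) (10.0.0.1)"
    for i in range(1, 7)
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, ALLOWED_SECONDARIES).items():
        print(f"{key}: {value}")
```

Running the script against the constructed sample reports the outside host's AXFR request, the single dynamic update and the bursting client, while the legitimate secondary's transfer and the two ordinary lookups pass silently. The allow-list check is the monitoring counterpart of the server-side transfer restriction the text refers to; the rate window is deliberately simple and would be tuned to the real query volume of the server in question.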
T7 Compromise of a network element via a protocol or application implementation flaw
For DNS servers this threat is very much comparable to the threat "crashing a network element". Consequently, the likelihood and vulnerability factors are rated in the same way. The impact of a successful compromise of a DNS server would potentially be very high for a 4G network.
T8 Compromise of a network element via a management interface
Given the overall high frequency of attacks against management interfaces, such attacks will happen against DNS servers (as against all other types of devices), and the likelihood is therefore rated "4". Due to the overall importance of these devices and the fact that they usually run on off-the-shelf operating systems (where security knowledge is widespread amongst operations personnel), the overall vulnerability to this type of attack can be considered low ("2"). Obviously, the impact would be as high as in the "compromise via implementation flaw" scenario.
T9 Malicious insider
A malicious insider would probably go for other goals and targets than DNS servers (e.g. billing fraud or redirection via LI interfaces [see the so-called Athens affair] or similar). A very small likelihood is estimated for most operator environments with regard to this asset. We estimate a high vulnerability factor (given the simplicity of access methods and the lack of trustworthy auditing mechanisms in most cases) and, obviously, a potentially very high impact if successful.
T10 Theft of service
Usually DNS servers are not attacked by attackers going after theft of service; those attackers go after weakly protected entry points (VoIP gateways etc.). The likelihood for this asset is thus regarded to be very small ("1"). The vulnerability factor is expected to be small ("2") as well, as DNS servers usually cannot be abused for this type of attack. Still, the impact of a successful attack in this space would evidently be very high for operators (leading to loss of revenue and potentially non-compliance with regulations).
The following table shows the assessment resulting from the above considerations.
Threats                                     Likelihood  Vulnerab. Factor  Impact  Risk
T1  Flooding an interface                        3              2            3     18
T2  Crashing a network element                   2              2            4     16
T3  Eavesdropping                                1              5            2     10
T4  Unauthorized data access                     4              2            3     24
T5  Traffic modification                         2              3            4     24
T6  Data modification on a network element       1              2            4      8
T7  Compromise via implementation flaw           2              2            5     20
T8  Compromise via management interface          4              2            5     40
T9  Malicious insider                            1              4            5     20
T10 Theft of service                             1              2            5     10
Table 28: Risk Assessment for DNS Servers