Types of Attack and Forms of Defense
As the internet evolves, so do the methods that are used to attack domains. There are particular forms of
attack to be aware of to best protect your website.
Typosquatting is a pretty common way for the less-savvy criminal to prey upon unwary site owners. Also
known as URL hijacking, this is a form of cybersquatting where someone registers misspellings of someone
else’s brand in the hope they can make money from the traffic generated by typing mistakes. They target
users who type the website address into their browser incorrectly.
When these types of typos are made, users might land on an alternative page created by a hacker for
malicious purposes. Typosquatters not only target landing pages but employ phishing to get people
to visit fake websites. Typosquatters are creative, registering all types of common misspellings to rob
your brand of traffic. They target not only misspellings, but singular and plural versions of your domain
and common domain extensions.
The only way to protect your domain from typosquatting is registering misspellings of your domain name before
hackers get the chance to.
Misspellings - Buy obvious misspellings of your domain name and consider phonetically
spelt versions. Consider buying alternative spellings such as ones with a 1 or l for i and a
0 for O. For instance, buying both onlylaptops.com and 0nlylaptops.com would be best practice.
Singular and Plural Versions - Buy both versions of your domain name to be on the safe
side, portland-car-repair.com and portland-car-repairers.com for example.
Hyphenations - Purchase both hyphenated and non-hyphenated versions, i.e. brasssupplier.com
and brass-supplier.com. It would be wise to hold both versions to cover people missing or
adding a hyphen between words.
Common Domain Extensions - Purchase your domain name with the most popular domain extensions
.org, .com and .net at minimum.
Once you’ve registered all possible alternative versions of your domain name, just redirect them to your
core domain. This way, instead of a hacker's website picking up your typo-traffic, visitors will land
on your true domain.
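The four categories of defensive registration listed above, enumerated for a given domain as an added example (not code from the original article). It assumes a plain label.tld domain; the homoglyph swaps and the TLD set are the ones the text names, and hyphen variants are only generated by removing hyphens, since inserting them would need a word list.

```python
"""Enumerate the typo-variants of a domain that the article recommends
registering defensively. Added example, not from the original article."""
import itertools

# Character swaps the article singles out: a 1 or l for i, and a 0 for o.
HOMOGLYPHS = {"i": ("1", "l"), "l": ("1", "i"), "o": ("0",), "0": ("o",)}
# Extensions the article names as the minimum to hold.
COMMON_TLDS = ("com", "net", "org")


def split_domain(domain):
    """Split 'label.tld' into (label, tld); the label may contain hyphens."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def homoglyph_variants(label):
    """Labels with exactly one character swapped according to HOMOGLYPHS."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, ()):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def hyphen_variants(label):
    """Hyphen-free form of a hyphenated label. Inserting hyphens into an
    unhyphenated label would need a word list, so only removal is generated."""
    return {label.replace("-", "")} if "-" in label else set()


def number_variants(label):
    """Singular/plural form by dropping or adding a trailing 's'."""
    return {label[:-1]} if label.endswith("s") else {label + "s"}


def candidate_variants(domain):
    """Sorted list of defensive registrations for `domain`, combined with every
    common TLD and excluding the domain itself."""
    label, tld = split_domain(domain)
    labels = {label} | homoglyph_variants(label)
    labels |= hyphen_variants(label) | number_variants(label)
    tlds = set(COMMON_TLDS) | {tld}
    variants = {f"{l}.{t}" for l, t in itertools.product(labels, tlds)}
    variants.discard(f"{label}.{tld}")
    return sorted(variants)


if __name__ == "__main__":
    for name in ("onlylaptops.com", "brass-supplier.com", "portland-car-repair.com"):
        print(name, "->", ", ".join(candidate_variants(name)))
```

The output is the list to check against your registrar's availability search; anything not already yours is a candidate to register and redirect.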
Registrar hacking, while uncommon, poses a serious risk to all domain website owners. Most domain names are
registered via a registrar, except those privately registered such as brand TLDs, .google for example.
Your registrar represents the greatest single potential point of failure. If your registrar is hacked,
you’re done. The hackers will have complete control over your domain name. They can point it wherever
they want and worse still, transfer it to a new owner.
When a hacker gets hold of your domain name logins, they can change the domain details on the official
nameservers and do whatever they want with them: direct them to a clone site to collect customer information,
serve up malware, and more. Threats can be on an epic scale and varied in their execution. Because
DNS updates take time to propagate, any changes made might go unnoticed for several hours before
anything suspicious is spotted.
Incidents have occurred where handovers of top-level domains enabled unauthorized access to the nameservers
for a registry. This can result in thousands of domains being redirected to a malicious website. Once
someone notices any suspicious activity, the registrar's technical team will change all affected logins
and revert any changes made. This process can take several hours.
Although these incidents are out of your control, you can add extra security to your website and
DNS to reduce the risk of your domain being hijacked:
Monitor DNS resolution actively; you might just catch a rat. Keeping an eye on your DNS traffic could
reveal the presence of botnets (networks of infected computers used to spread malware) in your
network. Monitor such traffic using the name resolvers and security systems you may already have
deployed.
Use a firewall. Include a rule to prevent IP spoofing and deny queries from outside your allocated number
space; this will prevent your name resolver from being exploited in distributed denial of service
attacks, the kind that seek to take your site offline. Be sure to inspect DNS traffic for suspicious
byte patterns to block exploit attacks against name server software. Firewalls provide this feature
readily, and some, such as Sonicwall, can detect and block tunneling traffic.
Request DNSSEC from your domain name registrar. DNSSEC adds additional security to your DNS by attaching
digital signatures to your domain's DNS information.
Contact the registry for your domain extension (.us, for example) about how it will detect an attack
and act fast.
Protect visitors by preloading strict transport security into browsers.
Choose a registrar that offers additional security precautions which reduce the risk of your account falling
into the hands of a hijacker. Specifically we recommend seeking out a registrar offering:
2-factor authentication - A significant number of hijacks would have been prevented if domain registrars
had put enhanced authentication measures in place. Two-factor authentication requires not
only a username and password, but also something unique to the user. The registrar might ask
for a piece of information only the true domain owner would know. There is also technology in
place to call or send an SMS to the domain owner's mobile phone containing a code that must be entered
to access the account.
Account lock - To block people from trying all possible combinations of letters, numbers and special
characters to break your password, a registrar can automatically lock an account after three
invalid passwords are entered. The point of limiting password attempts is to stop brute-force password
attacks. If unusual login activity is noticed, the domain account will be locked for a set amount
of time before the user can retry. The best-case scenario is when the account stays locked until
the domain owner recovers it by resetting their password via the registrar.
Registry lock - Registry lock is a service designed to provide a high level of protection for a domain
name. A registry lock is a mechanism whereby any request to change a domain's name servers must
be verified manually. Security researchers advocate it as a useful barrier in situations where a
registrar might be compromised.
If your registrar falls short, switch to a registrar with better security practices.
Domain hijacking is a form of theft that takes place online. The thief takes control of a domain without the
consent of the domain registrant. It’s up to you and your domain/hosting company to prevent your
domain from falling prey to this form of attack, because hijacks happen due to security flaws on both yours and
Domains can be hijacked for malicious use, when hackers seek to take a website down. While it’s
inaccessible, the domain owner might be losing money, and their reputation as a safe website will also
have taken a blow. The hacker might extort money from you to transfer your domain back into your hands,
or replace your website with another to extort money or precious information from unknowing visitors;
this is known as phishing, which we’ll look into later.
Competent hackers may transfer the domain from the rightful owner to some other name. In these cases,
it’s tricky to get your domain back. Hackers may impersonate you to request that your registrar
transfer the domain to a different registrar or another account. In this scenario, legal help would be
necessary to claim your domain back if you aren’t able to convince the registrar of your situation.
What Happens When a Domain is Hijacked
To hijack a domain, an attacker needs to gain access to the targeted domain's control panel. For this they
need just two things:
The name of the domain registrar.
The administrative email associated with the targeted domain and a password. An attacker can use
one of the popular password cracking methods such as brute force. A brute-force attack involves
trying all possible combinations of numbers, letters and special characters until eventually
A straightforward lookup in the public WHOIS database for the target domain will give an attacker the
administrator record, including the admin email associated with the domain. In effect, anyone listing
their contact information in the WHOIS database is giving out the back door to hijacking their domain name.
To unlock the domain's control panel and take over full access to the domain, the hacker must compromise
the admin email. Once they have this access, they may reset the control panel password, log in and hijack the
Protect yourself with these countermeasures:
Protect your domain control panel - don’t allow your domain to suffer hijacking
because of your negligence toward security. Once your domain is registered, the registrar will
grant you access to your domain’s control panel. From the panel you can modify your domain's settings,
such as which server it's pointed toward.
On registration, you will have provided an email address for access to the panel. If anyone has access
to the administrative email account, they have access to your domain's control panel and all its
settings. Hackers often get this information from the WHOIS registration records. Using domain
privacy will block them from accessing this information.
Choose a trusted domain provider - another security threat is the result of the
security failings of your domain provider. If a hacker has access to the back end of your registrar,
your domain is at risk.
To protect yourself, choose an ICANN-accredited domain registrar. ICANN is the body that coordinates
IP addresses for domain names across the world, and it also issues new domain extensions. If
there are any disputes over ownership, the administering body ICANN is your best bet to recover a
Enable domain auto-renewal - Not all lost domains are stolen: your domain registration can
expire, and someone can register the domain in the meantime. This is an entirely legal practice,
so you can’t take any action against this behaviour. To avoid this happening, enable auto-renewal
of your domain or register for longer durations. Most registrars allow up to ten years, for example.
Apply for domain privacy protection - Use WHOIS privacy to block your name from the
WHOIS records, swapping your details for your domain registrar's in the records.
How to Recover a Stolen Domain Name
Contact your domain registrar, the people you purchased your domain name from initially.
Contact the support team and explain the situation. Provide them with relevant details such
as the account name used to purchase the domain, any recent correspondence, and complete any
If the registrar is of no help because the domain has already been transferred to another registrar,
seek legal help. Documentation is key to proving your right to ownership, for example
copies of registration records or correspondence from registrars relating to the hijacked domain.
Keep track of any financial transactions associating you or your organization with the hijacked
domain, and any marketing material or directory such as the Yellow Pages associating the hijacked
domain with your organization.
Your final option is to contact ICANN. ICANN has extensive documentation relating to domain dispute
resolution. If you find yourself in this situation, consult their help page. The documentation and
steps provided may help recover your hacked website.
Spam is more than merely annoying, unsolicited email. It’s known as the preferred delivery infrastructure
for ransomware, malware, phishing and other security threats.
Domain phishing is a scam which tricks unsuspecting email recipients into handing over their account
details. An email is sent to a domain owner imitating their registrar, asking them to click a link.
There have been instances where the link asks them to log into their account to check for suspicious
activity. The link forwards them to a replica site where they freely give up their username and
It’s important to keep on top of phishing scams because they are also the delivery mechanism for
malware. Another type of phishing email asks recipients to follow a link to download all complaints
against their domain name. The downloaded file is packed with malware. These types of emails
are blanket-sent to clients of numerous registrars; they can be unsophisticated, yet people still
Why do people fall for phishing?
It’s not at all surprising that people click on bad links, and that is why phishing scams are prevalent.
Registrars aren’t following email best practices - It’s difficult for cybercriminals
to merge personal data into emails. When a registrar sends you an email, it should address you
by name. Unfortunately, this is not expected of registrars, so a generic greeting is not a red flag when
you receive a phishing email. If you have any doubts about an email's legitimacy, feel free to contact
your registrar's support separately with any questions. An extra five minutes could save you a lot
Companies selling inexpensive WHOIS data - Some registrars sell WHOIS data. This is
why domain owners receive so much spam after registering their domain name. Fly-by-night registrars
have been known to sell cheap copies of WHOIS data. For this reason, new domain registrants receive
a lot of spam.
New verification requirements in WHOIS - The new requirements under the 2013 RAA require
registrars to verify information in WHOIS. Phishing is often accomplished by emailing registrants
asking them to click a link. Verification emails are in a sense training customers to click on links
in emails, instead of instructing them to go to the site and log in, leaving them naturally more likely
to fall for these scams.
Protect yourself from falling prey to one of these emails with these countermeasures:
Check for authenticity - There are some telltale signs to spot a “fishy” email.
Are there unique identifiers addressing you when your registrar emails you? For example, an email
containing “Dear Sir/Madam” is more likely phishing than one that includes specific information
such as your name and/or account information.
Does the message contain a mismatched URL? Verify links: check the full URL within an email
by hovering over a link. If the hyperlinked address is different from the address displayed
in the email text body, it’s probably malicious.
It’s unlikely a reputable registrar would send out an email on behalf of their company before
it has been reviewed for spelling, grammar and legality. If a message is full of spelling
and grammar mistakes, it probably didn’t come from them.
One of the biggest red flags is when a message asks for personal information. No matter how official
the email might look, a request for details such as your password, login details
or the answer to your security question is a bad sign.
Trust your instincts, if something just doesn’t look right, there’s probably good reason. In
this instance, contact your registrar and confirm the email came directly from them.
Turn on 2-factor authentication - This is a solid form of counter-defense if you fall
prey to a phishing attack. If your registrar doesn’t offer this, switch to one that does.
Add WHOIS privacy - Reduce the number of scam emails making it to your inbox. Hackers
avidly phish people listed in the WHOIS records.
Use an up-to-date browser with antivirus software - Most modern browsers will alert
you if you’re visiting a page identified in a phishing attack, but it can take some time for
sites to be flagged. You should also use antivirus software. In an attack like the complaints
download described above, this should stop you from opening the downloaded file.
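Three of the authenticity checks above (generic greeting, link text whose host differs from the real href, and a request for credentials) applied to an HTML email body, as an added example that is not part of the original article. The sample message, its placeholder hosts and the keyword lists are constructed assumptions.

```python
"""Heuristic checks for three of the phishing signs listed above: a generic
greeting, link text that names a different host than its href, and a request
for credentials. Added example, not part of the original article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host of a URL, or of bare text that looks like a host name."""
    url = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """(visible text, href) pairs whose text shows a different host than the
    link really points to: the 'hover over the link' check, in code."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) \
                and host_of(text) != host_of(href):
            bad.append((text, href))
    return bad


def phishing_signals(html):
    """Red flags found in the message, in the order the article lists them."""
    plain = re.sub(r"<[^>]+>", " ", html)
    flags = []
    if re.search(r"\bdear\s+(sir|madam|customer|user)\b", plain, re.I):
        flags.append("generic greeting")
    if mismatched_links(html):
        flags.append("mismatched URL")
    if re.search(r"\b(password|login details|security question)\b", plain, re.I):
        flags.append("asks for credentials")
    return flags


# Constructed sample: the visible text shows a registrar-looking host, but the
# href points somewhere else. Both hosts are placeholders, not real sites.
SAMPLE = (
    "<p>Dear Sir/Madam,</p><p>Suspicious activity was detected. Please visit "
    '<a href="http://login.example-registrar-verify.invalid/x">'
    "https://www.example-registrar.test/login</a> and confirm your password.</p>"
)
```

`phishing_signals(SAMPLE)` reports all three flags; a message that greets you by name and whose links point where they say they do reports none.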
DNS Attacks and Cache Poisoning
Today’s headlines are filled with reports of successful DNS attacks. “65,000 Internet users in the United
States lose connectivity because of DNS changer malware”, “Bank of America customers cannot access website
or account information because of a DOS/DDOS attack” are just a few headlines reported by the press.
When the internet was originally architected services such as DNS weren’t necessarily designed with security
in mind. If DNS goes down, all network-attached devices go down. DNS-based attacks are on the rise because
many organizations don’t realize DNS is a threat and therefore don’t protect it. A company loses connectivity
to the internet and hence cannot conduct business online. This leads to loss of revenue, customer defection
and negative brand impact.
When attackers targeted Microsoft and Twitter, they gained access to MelbourneIT, the registrar responsible
for these important domains, and changed the authoritative DNS servers, diverting them to their own. Twitter’s
attackers, part of the Iranian Cyber Army, altered the DNS records and redirected traffic to propaganda
hosted on servers they controlled. They were able to modify Twitter's DNS settings after they compromised
a Twitter staffer's email account, which they used to authorize DNS changes. During that incident, the
registrar Dyn Inc. was contacted to process the
Domain Attacks: Time to Live
This style of domain name system attack is one of the most problematic to undo, since the attacker has compromised
not only the registration of the domain itself but can also change the DNS servers assigned to it. The most
dangerous part of this attack is what's called time to live (TTL). Changes of this nature are cached
on recursive DNS servers across the globe for anywhere from a matter of seconds to a full day. Unless
operators can purge caches, it can take an entire day (sometimes longer) to reverse the effects.
Let’s take a look at the primary forms of DNS attack to be aware of:
Attack 1: DNS Spoofing
Also referred to as DNS cache poisoning, DNS spoofing diverts traffic from one computer towards fake, replica
ones. When a user looks up a domain name in their browser, they are routed to the wrong website. For
example, a user might type Yahoo into a browser but a page chosen by the hacker loads on their screen
instead. Since they are typing in the correct domain name, they don’t always realize the site they are
using is fake.
Detecting DNS cache poisoning is difficult. It can last until the administrator realizes and resolves the
problem. During this time, attackers have the opportunity to use phishing techniques to mine information,
from login credentials to banking information, from unsuspecting internet users. The extent of the attack
depends on the intention of the attacker and the scope of the poisoning.
Attack 2: DNS Amplification for DDoS
DNS amplification attacks differ from spoofing: instead of threatening the DNS systems themselves, hackers
exploit the open nature of DNS services to give force to attacks. Well-known sites such as Microsoft, Sony
and the BBC have been targeted in this manner.
Amplification attacks occur when an attacker takes advantage of a DNS server that permits recursive lookups
and uses recursion to spread the attack to other DNS servers. In simpler terms, rather than sending traffic
directly from a botnet to a victim, the botnet forwards DNS requests to other systems. Those systems
respond by sending even larger volumes of traffic to the targeted website.
In an amplified attack, a relatively small amount of traffic sent from a botnet generates proportionally
greater volumes of traffic from DNS servers, hence the term. This extra traffic is directed at a victim
website, causing the system to crash or slow down.
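Two of the checks recommended earlier for your own resolver (the "deny queries outside your allocated number space" firewall rule and active DNS traffic monitoring) applied to the amplification pattern just described, as an added example that is not code from the original article. The log format, the allowed address ranges and the ratio threshold are constructed assumptions.

```python
"""Resolver-log checks for two things the article recommends: queries arriving
from outside your own address space (an open resolver answering them is what
amplification abuse relies on) and clients whose responses dwarf their requests.
Added example, not from the original article; the log format is constructed."""
import ipaddress
from collections import defaultdict

# Address ranges this resolver is meant to serve (assumed; RFC 5737 test nets).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed log: epoch, client, qtype, qname, request bytes, response bytes.
LOG = """\
1700000000 192.0.2.10 A www.example.com 45 61
1700000001 192.0.2.11 AAAA mail.example.com 48 76
1700000002 203.0.113.5 ANY example.com 36 3200
1700000003 203.0.113.5 ANY example.com 36 3200
1700000004 203.0.113.5 ANY example.com 36 3200
1700000005 192.0.2.12 TXT example.com 40 120
"""


def parse_log(text):
    """One dict per line; malformed lines raise so they are not silently lost."""
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname, req, resp = line.split()
        rows.append({"ts": int(ts), "client": ipaddress.ip_address(client),
                     "qtype": qtype, "qname": qname,
                     "req": int(req), "resp": int(resp)})
    return rows


def outside_allowed(rows):
    """Clients in no allowed range. A firewall rule should drop these; seeing
    them at all means the resolver is reachable from the open internet."""
    return sorted({str(r["client"]) for r in rows
                   if not any(r["client"] in net for net in ALLOWED_NETS)})


def amplification_by_client(rows):
    """Response bytes divided by request bytes, per client."""
    req, resp = defaultdict(int), defaultdict(int)
    for r in rows:
        req[str(r["client"])] += r["req"]
        resp[str(r["client"])] += r["resp"]
    return {c: round(resp[c] / req[c], 1) for c in req}


def suspicious_clients(rows, min_ratio=20.0):
    """Clients both outside the allowed space and amplifying above min_ratio
    (the threshold is an assumption; tune it to your own traffic)."""
    ratios = amplification_by_client(rows)
    return [c for c in outside_allowed(rows) if ratios[c] >= min_ratio]


if __name__ == "__main__":
    rows = parse_log(LOG)
    print("outside allowed space:", outside_allowed(rows))
    print("amplification ratios:", amplification_by_client(rows))
    print("suspicious:", suspicious_clients(rows))
```

On the constructed log the in-range clients amplify by about 1.4x to 3x, while the out-of-range client's repeated large answers give a ratio near 89x, which is the signature of your resolver being used as an amplifier.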
Attack 3: Cache Poisoning
Cache poisoning occurs when DNS cache data is corrupted. Whenever you browse the web, visit websites or send
emails, your computer is most likely using DNS data cached somewhere on the DNS network. This process
speeds up sending email and loading web pages; however, caches are another point of vulnerability.
During a cache poisoning attack, attackers target vulnerabilities in DNS servers and change the addressing
information in caches. When users attempt to visit a site, they are sent to a server controlled by an
attacker and land on a substitute site. Often these are close replicas of the target's official site.
It’s difficult for users to be aware that they are being phished because their browser is telling them
it is the official site.
The impact of such an attack includes the loss of vital information, from the logins and passwords to the
credit card numbers of the users captured. The best methods to prevent a DNS cache poisoning attack
include regular program updates, regularly clearing the DNS caches of local machines and networking
systems, and setting short TTL times.
Attack 4: Denial of Service and DDoS
Denial of service is an attack in which a hacker or malicious bot sends more traffic to a targeted IP address
than the programmers who planned its data buffers anticipated anyone might send. The attacker uses a
network of malware-infected computers to send large amounts of traffic to a target, such as a server.
The target becomes unable to resolve legitimate requests.
A distributed denial of service (DDoS) attack involves the attacker using a botnet to generate massive amounts
of resolution requests to a targeted IP address. The goal is to overload the target domain and slow it
down or crash it. No matter how over-provisioned a website may be, if the DNS infrastructure cannot handle
the number of incoming requests it receives, the performance of the site will be degraded or disabled.
DNS is particularly vulnerable to such attacks because it represents a logical choke point on the network.
One solution to this problem is DNSSEC which has been widely rolled out across registrars and registries.
How to Prevent and Mitigate DNS attacks
As a response to such attacks, ICANN has invested in DNSSEC, a technology developed to avoid DNS server attacks.
DNSSEC works by adding a signature of authenticity to each DNS request to help servers weed out fake
requests. The one drawback to DNSSEC is that it must be implemented at all stages of the DNS
protocol to work, which has taken some time to apply.
You can implement safeguards to reduce the risk of falling victim to a DDoS attack against your domain names:
Keeping up to date on the latest DNS attacks and the technology to prevent them is a good way to stay ahead.
Host your domain on multiple servers; that way, if one becomes overloaded, the other will kick in.
Use a managed DNS provider that employs a widely distributed, highly redundant network of Anycast
servers to handle DNS traffic. Using Anycast to mirror your DNS servers can significantly improve
performance as well as balance the load during a DDoS attack. If you would rather build your
own managed DNS service, then be sure to leverage the power of Anycast.
Deflect and defend with UTM firewalls. They can be configured to recognize and block DDoS attacks
in real time.
Configure your systems to rely on more than one DNS server so that if the primary server goes down,
you have a fallback.