The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about a threat actor that is conducting targeted distributed denial of service (DDoS) attacks on the U.S. healthcare sector. The attacks involve flooding networks and servers with fake Domain Name Server (DNS) requests for non-existent domains (NXDOMAINs), which overloads DNS servers and prevents legitimate DNS requests. These attacks have been conducted since at least November 2022.
DNS servers are used to locate web resources and identify the IP addresses of the requested resources to allow a connection to be made. A DNS Proxy Server will contact the DNS Authoritative Server when a request is received, and if the IP address of that resource is identified, it will be relayed back allowing a connection to be made. In a DNS NXDOMAIN flood DDoS attack, the DNS Proxy Server will be flooded with requests for non-existent domains and the server’s resources will be consumed querying the NXDOMAIN requests with the DNS Authoritative server, and the DNS Authoritative Server will use its resources dealing with the queries.
These requests are usually sent to the DNS Proxy server by a botnet – an army of malware-infected devices under the control of the attacker. Depending on the scale of the attack, legitimate DNS requests will be slowed down or may even be completely prevented, thus stopping legitimate users from accessing a website or web application.
These attacks tend to be relatively short-lived, lasting several hours to a few days. During an attack on a healthcare provider’s domain, patients may be prevented from accessing appointment scheduling applications and patient portals, and a healthcare provider’s website may be rendered inaccessible. Staff may also be prevented from accessing web applications.
These attacks are typified by large amounts of DNS queries for non-existent hostnames under legitimate domains, UDP packets encapsulated in IPv4 and IPv6, widely distributed source IPs, potentially spoofed source IPs, and DNS servers generating lots of NXDOMAIN errors.
Blocking these attacks is difficult as the devices that are part of the botnet are often widely distributed and the botnet may consist of several thousand devices. While it may not be possible to block an attack in progress, there are mitigations that can limit the impact of these attacks. These include blackhole routing/ filtering out suspected domains and servers, implementing DNS Response Rate Limiting, blocking further requests from the client’s IP address for a limited period, ensuring cache refresh takes place, reducing the timeout for recursive name lookup to free up resources in the DNS resolver, increasing the time-to-live (TTL) on existing records, and applying rate limiting on traffic to overwhelmed servers.
While HC3 did not confirm the source of these attacks, the healthcare sector is being targeted by the hacktivist group, Killnet, in response to U.S. Congress’ support for Ukraine. Killnet has been active since at least January 2022, and has stepped up its attacks on the U.S healthcare sector in recent months.
The post HC3 Warns of DNS NXDOMAIN DDoS Attacks on the Healthcare Sector appeared first on HIPAA Journal.