
SANS ISC InfoSec Handlers Diary Blog



Day 17 - Containing a DNS Hijacking

Published: 2008-10-17
Last Updated: 2008-10-31 02:01:02 UTC
by Patrick Nolan (Version: 1)

Our 17th topic for our October Cyber Security Awareness Month effort is Containing a DNS Hijacking.

Containment, as a part of Incident Response during a DNS hijacking, involves taking actions to limit the identified impacts of the incident on your site. Under ideal circumstances, detailed DNS Hijacking containment actions are just one part of a previously approved response plan, and the actions would be tailored for your site.

Of course, the plan's containment actions will have been tested and prioritized for whatever automatic or manual mitigation actions are available at your site.

Typically, the teams involved in containment during a DNS Hijacking incident include your network team, your system administrators, and perhaps your Legal and PR departments. In some instances ISPs, third-party DNS or other service providers, and government CERTs may be needed to achieve containment.

Network-related manual containment options mentioned in IR plans can include the details needed to:

  • Secure the systems under your control.
  • Contact the owner(s) and upstream provider of the systems involved.
  • Implement network device configuration options, including filtering, blacklisting and null routing.
  • Implement firewall configuration options.
  • Implement security device configuration options.
  • Invoke alternate DNS or other service provider arrangements.

Containment may also need to include notification to customers: timely notification of impacts and other critical information.

An incident response containment effort is not static: you take actions, collect and analyze more data, report, contain again, and repeat the loop until you can get to the final three steps in IR.

Although preparation has been covered in previous Diaries, DNS Hijacking containment can involve many teams and containment options, and the containment process will rely heavily on your coordination with the other teams. Your reaction time will depend on your ability to communicate quickly with those teams. Your plan's details should include out-of-band (OOB) communication details and a method for ensuring that all parties regularly receive up-to-date information on those communication details.

Thanks for participating with us and keep those suggestions coming! "If you would like to submit a tip, please use our contact form and be sure to put something in the subject like 'Security Tip, day 15' to make it easier for us to sort them. Keep your tips brief and to the point, also remember that the audience is broad, including end users, sysadmins, and managers."
