Part 4 – Everything Seems to be Working

Five Reasons Why You Don’t Need IT Support

This is the fourth of a five-part blog series which busts the myths about why you don’t need IT support.

Everything on your PC and network can appear to be working perfectly while something is badly wrong underneath.

In May 2018 more than 800,000 Draytek routers were found to be exposed to an attack that rewrote their settings, and a great many were hit. The attackers changed each router’s DNS servers to two values:

DNS Server 1: 38.134.121.95
DNS Server 2: 8.8.8.8

The first value is a rogue DNS server controlled by the attackers; the second is Google’s public DNS resolver, which acts as a fallback so that nothing breaks if the rogue server is unreachable.

So what does this mean for you?

What the heck is DNS?

DNS, the Domain Name System, converts the domain names that people type (google.co.uk, for example) into the numeric IP addresses that computers actually use to reach each other.

Our brains struggle when trying to remember large number sets. Think how many times you’ve forgotten a loved one’s phone number.

So saying to someone “Have you seen the latest post on 203.0.113.7 this morning?” would be extremely cumbersome.

The conversion works as a chain of referrals. At the top are the 13 root server identities (each one actually a cluster of many machines around the world), which point to the servers for each top-level domain: generic ones such as .com and country-code ones such as .uk, .fr and .it. Those in turn point to the thousands of servers that hold the records for individual domains, and ultimately the address of the machine the web page lives on. Your PC does not walk this chain itself; it asks a resolver (normally your ISP’s, handed to your PC by your router) to do it and simply trusts the answer it gets back.

So what’s the issue?

Having a rogue DNS server means that every name lookup your devices make (for google.co.uk, reddit.com, youtube.com and so on) is sent to THAT server instead of your ISP’s trusted resolver. Whoever runs it sees the name of every site you look up, and gets to choose which IP address to answer with.

It can also answer with the wrong address and steer you to a site the attacker controls, which may then infect your machine or harvest your login. For example, a lookup for facebook.com can be answered with the address of a phishing clone (a faceb00k.com-style look-alike) while the address bar still reads facebook.com. HTTPS limits this, because the attacker cannot obtain a valid certificate for facebook.com and the browser will warn, but plain-HTTP sites and anyone who clicks through a certificate warning remain exposed.
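To make the two points above concrete, here is an added example (Python written for this article, not code from the original post): it builds a DNS query for facebook.com in the wire format resolvers actually exchange, then decodes two constructed responses to it, one as an honest resolver would answer and one as a rogue resolver would. The IP addresses come from the reserved documentation ranges and stand in for real ones; nothing here is captured traffic.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Added example, not from the original post. The addresses below come from the
# RFC 5737 documentation ranges and are stand-ins for real servers.
HONEST_ANSWER = "203.0.113.10"   # assumed: the address facebook.com really lives at
ROGUE_ANSWER = "198.51.100.66"   # assumed: a phishing clone run by the attacker


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode an A-record query in RFC 1035 wire format (what your PC sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Build the reply a resolver sends back: same question, plus one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a domain name, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:                                # root label: end of name
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


@dataclass
class Answer:
    name: str
    ip: str
    ttl: int


def parse_response(msg: bytes) -> tuple[str, list[Answer]]:
    """Return (queried name, A records) from a DNS response."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = _read_name(msg, 12)
    offset += 4                                        # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append(Answer(name, str(IPv4Address(rdata)), ttl))
    return qname, answers


def hijack_demo(site: str = "facebook.com") -> dict[str, str]:
    """Same question, two resolvers: the name you asked for never changes, the answer does."""
    query = build_query(site)
    _, honest = parse_response(build_response(query, HONEST_ANSWER))
    _, rogue = parse_response(build_response(query, ROGUE_ANSWER))
    return {"honest": honest[0].ip, "rogue": rogue[0].ip}


if __name__ == "__main__":
    print(hijack_demo())
```

The point to notice is that the question section is byte-for-byte identical in both responses: your PC asked for facebook.com and, as far as it can tell, got an answer for facebook.com. Only the four bytes of address at the end differ, and that is all it takes to send the browser somewhere else.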

The Draytek router breaches were particularly malicious for three reasons:

  • They affected more than 800,000 routers, most of them in businesses.
  • From the user’s point of view the internet kept working normally: the rogue server still answered lookups, so nothing looked broken.
  • Because the second DNS entry was Google’s public resolver, when the rogue server went offline clients simply fell back to 8.8.8.8, and users were none the wiser that anything had happened.

Even if the attackers never got round to serving malicious answers, a large amount of data will have flowed to that server: the name of every website and online service each affected network looked up. That is not the content of the pages, but it is a complete record of where your business goes online, and in regulated sectors such as financial services that is data which should never have left the organisation.

Also, because lookups no longer go through your ISP’s resolvers, any blocking the ISP enforces there is skipped. UK ISPs apply a mix of filters, from Cleanfeed to court-ordered site blocks and parental controls, and those that rely on the ISP’s own DNS are bypassed by a device using a rogue resolver, which is never a good thing.

How would I have known?

One sign would be error messages when connecting to internal resources that depend on DNS (file servers, for example), because a rogue public resolver knows nothing about the names on your own network; this applies where your devices take their DNS settings from the router. By that point the damage may already have been done. The better answer is to check, regularly and automatically, that every device is using the resolvers it should be and nothing else.
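One way to do that check, as an added example rather than anything from the original post or from SupportWise: the Python below reads the resolvers a client is actually using (from resolv.conf-style text on Linux/macOS, or from ‘ipconfig /all’ output on Windows), flags the rogue address named above and anything not on your own allow-list, and performs a canary lookup of an internal host name that only your own DNS server should know. The allow-list, the internal host name and the two sample outputs are constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import socket

# Added example, not from the original post. The rogue address is the one named in
# the text above; the allow-list and sample outputs below are constructed for illustration.
KNOWN_ROGUE = {"38.134.121.95"}

# Constructed: what a Linux/macOS client shows after picking up the hijacked settings via DHCP
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 38.134.121.95
nameserver 8.8.8.8
"""

# Constructed: the equivalent fragment of 'ipconfig /all' on a Windows client
SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 38.134.121.95
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text: str) -> list[str]:
    """Collect the 'nameserver' entries from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver" and _is_ip(parts[1]):
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str) -> list[str]:
    """Collect DNS servers from 'ipconfig /all' output; extra servers sit on continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            servers.append(stripped.split(":", 1)[1].strip())
            in_dns = True
        elif in_dns and _is_ip(stripped):
            servers.append(stripped)
        else:
            in_dns = False
    return servers


def audit_resolvers(servers: list[str], allowed: list[str]) -> dict[str, str]:
    """Label each resolver 'ok' (on the allow-list), 'known-rogue', or 'unexpected'.
    Google's 8.8.8.8 is 'unexpected' here on purpose: a business client should be
    using the company's own resolver, and a silent fall-back to a public one is
    exactly what hid the Draytek hijack from its victims."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = {}
    for server in servers:
        if server in KNOWN_ROGUE:
            findings[server] = "known-rogue"
        elif any(ipaddress.ip_address(server) in net for net in allowed_nets):
            findings[server] = "ok"
        else:
            findings[server] = "unexpected"
    return findings


def check_internal_name(name: str, expected_ip: str, resolve=socket.gethostbyname) -> tuple[bool, str]:
    """Canary lookup: an internal host name only your own DNS server knows.
    A rogue or public resolver will either fail or return something else."""
    try:
        got = resolve(name)
    except OSError as exc:
        return False, f"lookup failed: {exc}"
    return got == expected_ip, got


if __name__ == "__main__":
    allow = ["192.168.1.10/32"]   # assumed: the company's internal DNS server
    print(audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF), allow))
    print(audit_resolvers(parse_ipconfig(SAMPLE_IPCONFIG), allow))
    # On a real client, drop the sample text and read /etc/resolv.conf or run 'ipconfig /all'.
    # check_internal_name("fileserver.corp.example", "192.168.1.20") uses the live resolver.
```

Run on a schedule from a management tool, a result of anything other than ‘ok’ for every entry is the alert the victims of the Draytek attack never got. The canary lookup catches the case the allow-list cannot: a router that still hands out its own address as the DNS server but quietly forwards everything to a rogue resolver upstream.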

Draytek has since released firmware updates that close the hole, but a router that has not been updated remains exposed, and one that was already hijacked needs its DNS settings checked and reset as well as the update. For further information on this scenario read this article:

https://www.techrepublic.com/article/more-than-800k-draytek-routers-vulnerable-to-dns-reprogramming-attack/

Here at SupportWise we offer 24/7 security monitoring on all devices and ensure that things like this don’t impact your business.

To find out more give us a call on 0330 113 7749.