Arguably one of the most important aspects of Internet operations is the Domain Name System (DNS), the Internet’s “phone book” that translates human-friendly addresses (e.g., whoareyou.com) into machine-friendly numeric addresses.
DNS is a hierarchical naming system for computers, services, and other resources participating in the Internet. The top of that hierarchy is the root domain where 13 “root servers” communicate DNS information throughout the Internet. The root domain contains all top-level domains (TLD) of the Internet. TLDs are the part that follows immediately after the "dot" symbol in an address - some of the popular TLDs include .com, .org, .net, .gov, .biz and .edu.
As of July 2015, the root domain contained 1058 TLDs, including 730 generic top-level domains (gTLDs) and 301 country code top-level domains (ccTLDs). Loss of control and security of DNS can provide various vectors of attacks ranging from nuisance to significant.
This article examines some of the historic and more recent DNS attacks and their ramifications.
Two major Distributed Denial of Service (DDoS) attacks targeted the 13 root servers over the last decade. On October 21, 2002, the first attack lasted for just over an hour, degrading the performance of nine of the 13 root servers. Following the attack, efforts to add redundancy to the root system were executed using IP Anycast mirroring. February 2007 saw a second major coordinated DDoS attack conducted over several days. This time, the attack only degraded two of the 13 roots – the two that had not implemented Anycast.
In May 2006, security firm Blue Security was put out of business by a DDoS attack against its DNS infrastructure. Blue Security, an Israeli-American start-up, offered a controversial anti-spam service, designed to force spammers to remove its customers from their databases based on the sheer volume of complaints. The spammers fought back with the DDoS attack and two weeks later, Blue Security announced it would cease operations as an anti-spam company.
In July 2008, security researcher Dan Kaminsky discovered a weakness in DNS using “cache poisoning” techniques that at the time, could potentially present one of the greatest security threats to the Internet. Dan constructed software to demonstrate this weakness that “would enable malicious hackers to transparently imitate any Web page or e-mail account by poisoning the DNS information cached by Internet service providers.”
“Today, DNSSEC, the new standard security extensions for the DNS protocol, offers the best way of preventing the kind of cache poisoning attack that Kaminsky's findings would have enabled.”
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation responsible for allocating IP addresses and managing the DNS. On June 26, 2008, icann.com, itself, experienced a web defacement attack at the hands of a hacker gang calling itself NetDevilz. The attack was successfully executed using social engineering techniques. ICANN's domain name registrar was persuaded to change the name servers for icann.com, and several related domains, to point to a server the attackers controlled.
Although the changes were rolled back within 20 minutes of the attack, visitors were directed to the defaced page for up to 48 hours. As a response to this incident, ICANN’s Stability Advisory Committee (SSAC) created recommended best practices for registrars to secure customers' domain names.
In November 2018, Cisco’s Threat Intelligence Division – Talos – reported that perpetrators of DNSpionage, via DNS hijacking, were able to steal email and other login credentials from government and private sector entities in Lebanon and the United Arab Emirates. Email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers. The DNS hijack allowed attackers to obtain SSL encryption certificates for the targeted domains, with which they could decrypt intercepted email and VPN credentials and view them in plain text.
On January 22, 2019, the U.S. Department of Homeland Security (DHS) issued Emergency Directive 19-01, which mandated that all government agencies (.gov and other agency-managed domains) take immediate actions to mitigate DNS attacks, including auditing DNS records, changing DNS account/administrator passwords, using multi-factor authentication for DNS accounts, and monitoring certificate transparency logs. To illustrate the severity of the issue, DHS required agencies to submit a status report by January 25, 2019 and a report detailing the completion of the four mandated actions by February 5, 2019.
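Two of the four mandated actions, auditing DNS records and monitoring certificate transparency logs, lend themselves to a small recurring check. The following is an added example, not code from the directive or from any of the organizations named above. It compares a constructed "observed" set of records against an expected baseline and reviews constructed CT log entries for certificates on managed names that were issued by a CA the organization does not use; the domain names, addresses, issuers and dates are all made-up sample data, and in practice the observed records would come from live queries and the CT entries from a log search service.

```python
"""Added example: baseline audit of DNS records plus a review of certificate
transparency (CT) entries, two of the actions called for in ED 19-01.
All data below is constructed sample input, not real records or log output.
"""
from __future__ import annotations

# Constructed baseline: the record sets the organization expects to be published.
EXPECTED_RECORDS = {
    "example.gov": {
        "NS": {"ns1.example.gov.", "ns2.example.gov."},
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.gov."},
    },
    "mail.example.gov": {
        "A": {"192.0.2.25"},
    },
}

# Constructed "live" answers. The A record for the mail host has been repointed
# to an address outside the organization (203.0.113.0/24 is a documentation
# range, used here as a stand-in for infrastructure the organization does not own).
OBSERVED_RECORDS = {
    "example.gov": {
        "NS": {"ns1.example.gov.", "ns2.example.gov."},
        "A": {"192.0.2.10"},
        "MX": {"10 mail.example.gov."},
    },
    "mail.example.gov": {
        "A": {"203.0.113.7"},
    },
}

# Constructed CT entries in the shape a log search typically returns.
CT_ENTRIES = [
    {"issuer": "O=Example Trusted CA", "names": ["example.gov", "www.example.gov"],
     "not_before": "2018-09-01"},
    {"issuer": "O=Some Other CA", "names": ["mail.example.gov"],
     "not_before": "2019-01-20"},
]
EXPECTED_ISSUERS = {"O=Example Trusted CA"}


def audit_records(expected: dict, observed: dict) -> list:
    """Return (name, rtype, missing, unexpected) for every record set that drifts
    from the baseline. An empty list means no drift was found."""
    findings = []
    for name, rrsets in expected.items():
        for rtype, want in rrsets.items():
            have = observed.get(name, {}).get(rtype, set())
            missing, unexpected = want - have, have - want
            if missing or unexpected:
                findings.append((name, rtype, sorted(missing), sorted(unexpected)))
    # Record types published for a managed name that the baseline never listed.
    for name, rrsets in observed.items():
        for rtype, have in rrsets.items():
            if rtype not in expected.get(name, {}):
                findings.append((name, rtype, [], sorted(have)))
    return findings


def review_ct_entries(entries: list, managed_domains: set, expected_issuers: set) -> list:
    """Flag certificates covering a managed name that were issued by a CA outside
    the expected set. A hijacked record passes domain validation at any CA, so an
    unexpected issuer is the signal the directive asks agencies to watch for."""
    suspicious = []
    for entry in entries:
        covers_managed = any(
            n == d or n.endswith("." + d)
            for n in entry["names"]
            for d in managed_domains
        )
        if covers_managed and entry["issuer"] not in expected_issuers:
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for name, rtype, missing, unexpected in audit_records(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"DRIFT {name} {rtype}: missing={missing} unexpected={unexpected}")
    for entry in review_ct_entries(CT_ENTRIES, {"example.gov"}, EXPECTED_ISSUERS):
        print(f"UNEXPECTED CERT {entry['names']} issued by {entry['issuer']} ({entry['not_before']})")
```

Run on a schedule, the two functions give an operator the same two facts the directive asks for: whether any published record set no longer matches what was intended, and whether a certificate appeared for a managed name that nobody requested. Both conditions surfaced in the DNSpionage incidents described above, which is why the directive paired the record audit with CT monitoring.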
The DNSpionage attacks prompted ICANN to hold an emergency meeting in late February 2019 that called for “full DNSSEC deployment and community collaboration to protect the Internet.” Since the original design of DNS did not include any security features, Domain Name System Security Extensions (DNSSEC) attempts to add security while maintaining backward compatibility with base DNS.
Other reporting on the DNSpionage attacks includes:
- Krebs on Security - A Deep Dive on the Recent Widespread DNS Hijacking Attacks (February 18, 2019)
- FireEye - Global DNS Hijacking Campaign: DNS Record Manipulation at Scale (January 9, 2019)
- CrowdStrike - Widespread DNS Hijacking Activity Targets Multiple Sectors (January 25, 2019)
GoDaddy Hole and Spammy Bear
GoDaddy, the world’s largest Domain Name Registrar, is being exploited by spammers via an authentication weakness. The spamming campaign, given the moniker “Spammy Bear”, used the security hole to access legitimate but dormant GoDaddy domains to blast out their spam. While GoDaddy acted to secure the hole, it appears spammers have enough of these dormant domains under their control to continue their scamming campaigns. Starting around February 1, 2019, “a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing GandCrab, a potent strain of ransomware.”
The above are examples of DNS exploits ranging in severity from nuisance-level attacks like spam to serious attacks in the form of DNSpionage, where security certificates and data can be stolen. As one of the original Internet protocols, DNS was not designed with security aspects as part of its DNA. Efforts such as DNSSEC have attempted to “bolt” on security features after the fact. Unfortunately, rollouts of these types of updates take years, and we have not seen the end of DNS attacks.
For more information on mitigating DNSpionage please see DHS’ Alert (AA19-024A) DNS Infrastructure Hijacking Campaign.