Comments on: DNS servers--an Internet Achilles' heel
Scan finds that hundreds of thousands of the servers that act as the white pages of the Net are vulnerable to attack.
Mr. AT Alishtari, POA and Founder of EDI Secure LLLP, says the Internet is a wild frontier and even putting a post office on it does not mean cyber crooks cannot raid the IT there to get public and private ID for fraudulent purposes. Recent reports say that crooks use ID to buy gift certificates so they can more easily get away with money laundering and conversion of products for sale for cash.
This is a big business and just because it is invisible does not mean the new U.S. Commerce Department's National Institute of Standards and Technology level 1 to 4 standards on authentication and ID protection should not be taken as a standard by the industry.
Prominent groups of consumers are now looking at the US to do what British e-commerce boycotters announced last week in the UK, where they tried to force two-factor authentication with offline devices now.
This is despite the fact that the UK has adapted the popular rules but has just not yet enforced them. In the US, the Commerce Department makes the rules voluntary, but one must ask if voluntary protection of public and private ID by banks who can easily do level 4 authentication is enough.
KM
Mr. AT Alishtari, POA and Founder EDI Secure LLLP, is warning the bloggers interested in ID protection that DNS servers are presenting a risk. In the last several weeks, Company servers were hacked by use of pharming and top levels of worms.
Although Company is working with service providers, the damage throughout the system is considerable, meaning certain servers that were waiting to go online had to be totally reformatted. The hidden cost is not when you catch the virus but the ability of cybercriminals to actually remotely take over servers and turn them into robots doing crime in your name.
The fact that Company servers were linked to other industry servers and/or ISP's and that there was no due origination meant that it only took two hours for ISP technicians to see the robotted takeover that was stopped was external fraud. In the case of many companies, they would not even know servers were breaking laws until police knock on their doors.
Calling the weakness of the system of online DNS servers an Achilles' heel is so true.
Imagine how simple it is to just keep private bank data offline or to use a system that acts like a moat where only the user can access the data.
This is possible but it requires thinking in macro platform micro services where the customer, oh no, is in charge of his security.
No one else has proven to be competent. Well, that's what I think. Ciao now.
My Pledge
I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families, so help me God.
- I agree with article.
- by Dachi October 4, 2005 7:12 AM PDT
- This article mirrors my thoughts exactly. DNS has been a huge point of failure over the years.
- DNS
- by eme222 April 3, 2007 1:56 PM PDT
- You are correct that BIND does not handle the DNS load of the average site today. To hear more on a global DNS network, non-BIND (proprietary technology, BGP & IP Anycast, real-time propagation, enhanced security (mitigate DDoS, phishing, pharming etc.)), contact me at emerson.sampsell@neustar.com
We have a UNIX admin who is in charge of our DNS platforms, but we still have "network guys" like me that have the ability to do things like update records, restart processes etc.
In my opinion BIND does not scale well. We constantly have only a few rogue Windows machines (usually spam zombies pulling thousands of MX records) killing or slowing down our caching name servers.
Our only real defense has been to filter their IP addresses.
Even on big iron hardware it really does not take much to overload named.
I think a better solution would be to design a server just for DNS.
Instead of running standard BIND installs on "regular" servers, why not build DNS right into the kernel and run it in kernel space?
Instead of using a "regular" server, you could load the kernel+DNS server onto diskless nodes in a chassis.
The custom kernel+DNS combo could handle many more requests than just named in user space.
The chassis could provide power, network connectivity, and the image to load for ~4 cards, and load balance requests between them.
2 chassis, each with ~4 cards, might even be a tad overkill, but could handle a load exponentially higher than just running named on a couple of standard 2U Red Hat boxes.
www.ultradns.com
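The failure mode in the comment above (a few rogue clients pulling thousands of MX records and starving the caching resolver) can be spotted from the resolver's own query log before the server falls over. The script below is an added example, not code from the commenter or from BIND: it parses BIND 9 query-log lines, counts MX queries per client over the window of lines it is given, and renders the per-client filter the commenter describes. The log lines are constructed samples in documentation address ranges, and the threshold and the iptables host rule are assumptions to be tuned to your own mail volume and network.

```python
import re
from collections import Counter

# BIND 9 query-log line, tolerant of the "@0x..." client handle and "(qname)"
# that newer releases print before "query:".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for every line that is a query record."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")

def find_mx_floods(lines, threshold):
    """Map client IP -> number of MX queries, for clients above `threshold`.
    The caller picks the window (e.g. the last minute of the log). A mail
    relay legitimately issues MX queries, so tune the threshold (an assumed
    value here) to your own outbound mail volume before acting on the result."""
    mx_counts = Counter()
    for ip, _qname, qtype in parse_query_log(lines):
        if qtype == "MX":
            mx_counts[ip] += 1
    return {ip: n for ip, n in mx_counts.items() if n > threshold}

def filter_rule(ip):
    """Render the per-client filter the comment describes (assumed form: an
    iptables host rule on the resolver; a router ACL would do the same job)."""
    return f"iptables -I INPUT -s {ip} -p udp --dport 53 -j DROP"

# Constructed sample log (documentation address ranges, not real hosts):
# 192.0.2.10 behaves like a spam zombie pulling MX records for many domains,
# 192.0.2.20 is an ordinary workstation.
SAMPLE_LOG = [
    f"28-Dec-2009 08:00:0{i % 10}.000 client 192.0.2.10#{40000 + i}: "
    f"query: domain{i}.example IN MX + (198.51.100.1)"
    for i in range(12)
] + [
    "28-Dec-2009 08:00:05.000 client 192.0.2.20#51000: query: www.example.com IN A + (198.51.100.1)",
    "28-Dec-2009 08:00:06.000 client 192.0.2.20#51001: query: example.com IN MX + (198.51.100.1)",
    "28-Dec-2009 08:00:07.000 client 192.0.2.20#51002: query: example.com IN AAAA + (198.51.100.1)",
    "28-Dec-2009 08:00:08.000 unrelated log line that must be ignored",
]

if __name__ == "__main__":
    for ip, n in find_mx_floods(SAMPLE_LOG, threshold=10).items():
        print(f"{ip}: {n} MX queries in window -> {filter_rule(ip)}")
```

Because a caching resolver should only answer its own clients anyway, restricting recursion to local address ranges in named.conf limits how many sources can produce this pattern in the first place; the per-IP filter then handles the rogue hosts inside that range.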