August 3, 2005 4:00 AM PDT

DNS servers--an Internet Achilles' heel

Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.

In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning.

"That is almost 10 percent of the scanned DNS servers," Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. "If you are not auditing your DNS servers, please start," he said.

The motivation for a potential attack is money, according to the SANS Internet Storm Center, which tracks network threats. Attackers typically get paid for each spyware or adware program they manage to get installed on a person's PC.

How does DNS get poisoned?

There are a few steps to go through before a DNS server starts redirecting Web surfers to bogus sites.

Most people's PCs access a DNS server at an Internet service provider or within a company to map text-based Internet addresses to actual IP addresses. One DNS server can be used by thousands of Internet users.

For performance reasons, DNS servers cache the returned data, so that it takes less time to respond to the next request. When a DNS cache is poisoned, it affects all future lookups of the affected domain, for everyone who uses that particular DNS server.

To poison a DNS server:
• First, the target machine has to be tricked into querying a malicious DNS server set up by the attacker. This can be done, for example, by sending an e-mail message to a nonexistent user at the target ISP. Another way is to send an e-mail with an externally hosted image to an actual user.

• The target DNS server will then query the attacker's DNS server. In the DNS reply, the scammer includes extra data that will poison the victim's DNS cache. The extra information can be a malicious URL or even an entire domain space, such as .com.

• If the target DNS server is not configured properly, it will accept the new numerical IP listing and delete the proper entry.

• Once this has occurred, any queries sent to the DNS server for the affected URLs will be redirected to the replacement IP addresses set by the attacker. If a domain space is poisoned, all queries ending in that domain will be redirected.

Source: SANS Internet Storm Center, CNET News.com
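The sidebar describes a reply carrying "extra data" that a badly configured cache will store. The following Python sketch is an added illustration, not part of the CNET article, SANS, ISC or BIND: it parses a DNS reply and applies the "bailiwick" rule that modern resolvers, BIND 9 included, use to decide which records may enter the cache. A record is accepted only if its owner name lies inside the zone the queried server is responsible for; anything else, whether an address for an unrelated host or an NS record claiming all of .com, is discarded. The sample reply, the zone name example.net and the addresses 192.0.2.x and 203.0.113.x are constructed for the example.

```python
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1   # record type and class codes from the DNS specification


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, rdata, ttl=3600):
    """Serialise one resource record: owner, type, class, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ipv4):
    return bytes(int(octet) for octet in ipv4.split("."))


def build_sample_response():
    """Constructed reply to 'www.example.net A' from a server for example.net,
    padded with two records that a careless cache would also store."""
    answers = [encode_rr("www.example.net", TYPE_A, a_rdata("192.0.2.10"))]
    authority = [
        encode_rr("example.net", TYPE_NS, encode_name("ns1.example.net")),
        # Out of bailiwick: claims authority over the whole .com domain space.
        encode_rr("com", TYPE_NS, encode_name("ns1.example.net")),
    ]
    additional = [
        encode_rr("ns1.example.net", TYPE_A, a_rdata("192.0.2.53")),
        # Out of bailiwick: an address for a name this server does not own.
        encode_rr("www.example.com", TYPE_A, a_rdata("203.0.113.66")),
    ]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1,
                         len(answers), len(authority), len(additional))
    question = encode_name("www.example.net") + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers + authority + additional)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (lower-case name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # the name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return (name, rtype, ttl, msg[off:off + rdlen]), off + rdlen


def parse_response(msg):
    """Split a DNS message into its question list and the three record sections."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return questions, sections


def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name underneath it."""
    owner, zone = owner.lower().strip("."), zone.lower().strip(".")
    return owner == zone or owner.endswith("." + zone)


def filter_cacheable(msg, zone):
    """Apply the bailiwick rule to every record in a reply from a server that is
    authoritative only for `zone`.  Returns (accepted, rejected) as lists of
    (section, owner name, type); only accepted records may enter the cache."""
    _questions, sections = parse_response(msg)
    accepted, rejected = [], []
    for section in ("answer", "authority", "additional"):
        for name, rtype, _ttl, _rdata in sections[section]:
            target = accepted if in_bailiwick(name, zone) else rejected
            target.append((section, name, rtype))
    return accepted, rejected
```

Calling `filter_cacheable(build_sample_response(), "example.net")` keeps the answer, the example.net NS record and its glue address, and rejects the `com` NS record and the `www.example.com` address. A cache that skips this check stores all five, which is exactly the state the sidebar's third step describes.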

Information lifted from victims, such as social security numbers and credit card data, can also be sold. Additionally, malicious software could be installed on a PC to hijack it and use it to relay spam.

The DNS servers in question are run by companies and Internet service providers to translate text-based Internet addresses into numeric IP addresses. The cache on each machine is used as a local store of data for Web addresses.

In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said.

As each DNS server can be in use by thousands of different computers looking up Internet addresses, the problem could affect millions of Web users, exposing them to a higher risk of phishing attack, identity theft and other cyberthreats.

The poisoned caches act like "forged street signs that you put up to get people to go in the wrong direction," said DNS inventor Paul Mockapetris, chairman and chief scientist at secure DNS provider Nominum. "There have been other vulnerabilities (in DNS) over the years, but this is the one that is out there now and one for which there is no fix. You should upgrade."

There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against.

BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said.

DNS cache poisoning is not new. In March, the attack method was used to redirect people who wanted to visit popular Web sites such as CNN.com and MSN.com to malicious sites that installed spyware, according to SANS.

"If my ISP was running BIND 8 in a forwarder configuration, I would claim that they were not protecting me the way they should be," Mockapetris said. "Running that configuration would be Internet malpractice."

The new threat--pharming

Kaminsky scanned the DNS servers in mid-July and has not yet identified which particular organizations have the potentially vulnerable DNS installations. However, he plans to start sending e-mails to the administrators of those systems, he said in an interview.

"I have a couple hundred thousand e-mails to send," he said. "This is the not-fun part of security. But we can't limit ourselves to the fun stuff. We have to protect our infrastructure."

The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming.

Poisoning DNS cache isn't hard, said Petur Petursson, CEO of Icelandic DNS consultancy and software company Men & Mice. "It is very well doable, and it has been done recently," he said.

Awareness around DNS issues in general has grown in the past couple of years, Petursson said. Four years ago, Microsoft suffered a large Web site outage as a result of poor DNS configuration. The incident cast a spotlight on the Domain Name System as a potential problem.

"It is surprising that you still find tens of thousands or hundreds of thousands vulnerable servers out there," Petursson said.

Kaminsky's research should be a wake-up call for anyone managing a DNS server, particularly broadband Internet providers, Mockapetris said. Kaminsky said he doesn't intend to use his research to target vulnerable organizations. However, other, less well-intentioned people could run scans of their own and find attack targets, he cautioned.

"This technology is known to a certain set of the hacker community, and I suspect that knowledge will only get more widespread," Mockapetris said.

DNS servers--an Internet Achilles' heel
by August 3, 2005 8:53 AM PDT

Mr. AT Alishtari, POA and Founder of EDI Secure LLLP, says the Internet is a wild frontier and even putting a post office on it does not mean cyber crooks cannot raid the IT there to get public and private ID for fraudulent purposes. Recent reports say that crooks use ID to buy gift certificates so they can more easily get away with money laundering and conversion of products for sale for cash.

This is a big business and just because it is invisible does not mean the new U.S. Commerce Department's National Institute of Standards and Technology level 1 to 4 standards on authentication and ID protection should not be taken as a standard by the industry.

Prominent groups of consumers are now looking at the US to do what British e-commerce boycotters announced last week in the UK where they tried to force two factor authentication with offline devices now.

This is despite the fact that the UK has adapted the popular rules but just not yet enforced them. In the US, the Commerce Department makes the rules voluntary, but one must ask if voluntary protection of public and private ID by banks who can easily do level 4 authentication is enough.
OK Tell us how to check & fix?
by kieranmullen August 4, 2005 7:12 PM PDT
If you are as noble as you seem, tell people how to check and fix instead of saying you're an expert and you know how to fix it...

KM
Dangerous!!!
by Mendz August 7, 2005 2:11 AM PDT
Hope it's taken seriously by the concerned parties...
CNet reruns this internet security firm PR every few months
by M C August 7, 2005 2:33 PM PDT
Not to say it couldn't happen, but Dan Kaminsky has books to sell...
DNS servers--an Internet Achilles' heel
by August 15, 2005 7:19 AM PDT

Mr. AT Alishtari, POA and Founder EDI Secure LLLP, is warning the bloggers interested in ID protection that DNS servers are presenting a risk. In the last several weeks, Company servers were hacked by use of pharming and top levels of worms.

Although Company is working with service providers, the damage throughout the system is considerable, meaning certain servers that were waiting to go online had to be totally reformatted. The hidden cost is not when you catch the virus but the ability of cybercriminals to actually remotely take over servers and turn them into robots doing crime in your name.

The fact that Company servers were linked to other industry servers and/or ISPs and that there was no due origination meant that it only took two hours for ISP technicians to see the robotted takeover that was stopped was external fraud. In the case of many companies, they would not even know servers were breaking laws until police knock on their doors.
I agree with article.
by Dachi October 4, 2005 7:12 AM PDT
This article mirrors my thoughts exactly. DNS has been a huge point of failure over the years.

We have a UNIX admin that is in charge of our DNS platforms but we still have "network guys" like me that have the ability to do things like update records, restart processes etc.

In my opinion BIND does not scale well. We constantly have only a few rogue Windows machines (usually spam zombies pulling thousands of MX records) killing or slowing down our caching name servers.

Our only real defense has been to filter their IP addresses.

Even on big iron hardware it really does not take much to overload named.

I think a better solution would be to design a server just for DNS.

Instead of running standard BIND installs on "regular" servers, why not build DNS right into the kernel and run it in kernel space?

Instead of using a "regular" server, you could load the kernel+DNS server onto diskless nodes in a chassis.

The custom kernel+DNS combo could handle many more requests than just named in user space.

The chassis could provide power, network connectivity, and the image to load for ~4 cards, and load balance requests between them.

2 chassis, each with ~4 cards might even be a tad overkill, but could handle a load exponentially higher than just running named on a couple standard 2U Red Hat boxes.