Slashdot Mirror
Perils of DNS at RIPE-52
An anonymous reader wrote in to say that "
The RIPE meeting got off to a good
start yesterday (for those of you outside Europe, RIPE is the European
counterpart to ARIN). Emin Sirer from Cornell presented his study of
DNS vulnerabilities. The results are staggering: the average name
depends on four dozen nameservers, 30% of domains are vulnerable to
domain hijacks by simple script kiddies, 85% of domains are vulnerable
to hijacks by attackers that can DoS two hosts. The lesson: DNS must
be managed by professionals, and the pros have to pay attention to
the DNS delegation graph when they set up name servers."
It's good that they realize and hopefully will do something about these threats.
Ryan - http://www.thecosmotron.com/
The associated paper is here. They surveyed some 600,000 names from Yahoo and DMOZ and found that a large percentage of domains are vulnerable to domain hijacks by script kiddies.
So, making money doing it is the important thing? I mean, that's what "professional" means, isn't it?
The paper Perils of Transitive Trust in the Domain Name System (coral cache) describes quite a bit of this. It's a bit scary.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
You are telling me that in all actuality, cowboyneal.org ISNT a hardcore site?
Wow, thank you...erm I mean...DAMN YOU DNS POISONERS!!!
"The fbi.gov domain is served by two machines called dns.sprintip.com and dns2.sprintip.com. A client trying to resolve www.fbi.gov will first have to get to sprintip.com to find the FBI nameservers. The sprintip.com domain is in turn served by three machines named reston-ns[123].telemail.net. Of these machines, reston-ns2.telemail.net is running an old nameserver (BIND8.2.2-p5), with nine different known exploits against it (namely, tsig, libbind, negcache, sigrec, DoS_multi, srv, zxfr, infoleak and sigdiv0 exploits). Having compromised reston-ns2 using a standard crack tool available on the web, an attacker can divert a query for dns.sprintip.com to a malicious nameserver, which can then divert the subsequent query for www.fbi.gov to any other address, hijacking the FBI's web site and services." I bet that's not its real version. I configure my DNS servers to return funny values. (Sometimes. If I remember. And can be bothered.)
Get your own free personal location tracker
Get your own free personal location tracker
ARIN (from the website)
Established in December 1997, the American Registry for Internet Numbers (ARIN) is a Regional Internet Registry (RIR) incorporated in the Commonwealth of Virginia, USA. ARIN is one of five (5) RIRs. Like the other RIRs, ARIN:
* Provides services related to the technical coordination and management of Internet number resources in its respective service region. The ARIN service region includes Canada, the United States, and several islands in the Caribbean Sea and North Atlantic Ocean;
* Facilitates the development of policy decisions made by its members and the stakeholders in its region;
* Is a nonprofit, membership organization;
* Is governed by an executive board elected by its membership.
...(for those of you outside Europe, RIPE is the European counterpart to ARIN) Oh good. And ARIN is?
It was perversly amusing to find OpenBSD on the most vulnerable lists.
No, you nutter. What it's saying is, is that even if you configured your DNS correctly, all of the parent DNS servers used in the process of resolving your domain names have to be correctly configured too. Imagine you own foo.com. Your DNS server is OK, but if the .com servers aren't, I can just make the .com servers pass requests for foo.com to my DNS servers, and then return whatever values I want. It's all a big pyramid.
Get your own free personal location tracker
Meaning that until the number of dependencies can be cut to a more manageable size, it's far too easy to exploit the vulnerability at any point in the chain, and the greater the number of nameservers, the harder it would be to backtrack to the source of any problem. It's no wonder the phishers are so successful, when they can use the Internet's own structure against it.
GetOuttaMySpace - The Anti-Social Network
I was trying to figure out why the article has a tRNA at the top of it... took me longer to sort it out than I care to say. (tRNA... translates mRNA codons to amino acids... the name of the group is CoDoNS... ugg).
Found it amusing that one of the explicit purposes of the group is to facilitate dealing with Slashdot.
CoDoNS decouples server location from server authority, and hence any server can serve any binding. DNSSEC-compliant signatures ensure that the verity of the records served by CoDoNS servers can be checked. CoDoNs automatically adjusts the system respond to sudden changes in object popularity, as in the so called "slashdot effect."
S
To look up www.futurequest.net (for example) requires:
.net
.edu domains are a little more haphazard?
Ask one of the 13 root servers who is nameserver for
Get back (A-M).GTLD-SERVERS.NET, they thoughtfully include IPs
Now ask a GTLD who has futurequest.net
Get back (ns1-ns3).futurequest.net, includes IPs
Now ask ns1 who www is
It provides IP for www is 69.5.6.116
So I guess there were 30 IP addresses involved, but I don't see the arcane resolution problems that this paper talked about. Maybe
Intron: the portion of DNA which expresses nothing useful.
When I was trying to register some nameservers for a reverse delegation, RIPE didn't allow me to put the nameservers in the in-addr.arpa domain. They claimed that would cause a loop. This means that they force every reverse delegation to be glueless, causing the amount of involved nameserver to be (much) greater than needed. (Granted, this was a few years ago, but I'll bet you don't find many registered nameservers in in-addr.arpa even today)
.org served by nameserver outside of .org itself? To make it even worse, .org is served by nameservers with names in .net, .org, .info and .co.uk. Who makes this stuff up? And .com is served by nameservers entirely in .net. No wonder a gazillion nameservers have influence over the resolution of any given name...
And (not RIPE related) why the hell is
It's all a big pyramid.
You are, of course, correct, but it has always been like this. Emin Sirer's report strikes me as either:
1) Chicken Little - "The sky is falling! The sky is falling!"
or
2) A graduate student who needed something to write a paper about.
What's next? A hysterical report about how (gasp!) a root server could be compromised and we'd all be hosed? Duh! Talk about stating the obvious.
This survey was a lot of fun. It's sort of like a "how to 0wn the Internet via DNS" survey. In fact, that was the subtitle of my talk and was the most fun academic paper I ever wrote. It's all based on public information, by the way. The findings were quite surprising, at least to us.
First, the average DNS name depends on a large number of nameservers. Not just the two or three nameservers that you designate when you register the name, but also the nameservers those servers are served by, and so on. This set includes a few dozen hosts for the average .COM domain. If you are in the Ukraine, Malaysia, Poland, or Italy, this set includes more than 400 hosts! In contrast, Japan (.jp) is run very well, and names in .jp depend on very few hosts.
Second, some names are incredibly vulnerable. The most vulnerable name in our survey, the Roman Catholic Church web site in the Ukraine, depends on servers in Berkeley, NYU, UCLA, Russia, Poland, Sweden, Norway, Germany, Austria, France , England, Canada, Israel, and Australia. It's possible to take over that Ukrainian website (and announce a new pope, perhaps?) by compromising a host in Monash, Australia. DNS makes a small world after all.
Typically, you can find some compromised hosts in the dependence graph, DoS the non-vulnerable hosts for a very short time when DNS glue is about to expire, and poison caches. Repeat and rinse until you have hijacked the name of your choice.
Finally, some nameservers are very valuable, they control a large percentage of names. Some of these valuable nameservers are in educational institutions, which have no fiduciary responsibility to the names they serve. In fact, folks at NYU may not be aware that they can control the entire namespace for Baltic countries under the right circumstances.
Interestingly, the FBI.GOV site was vulnerable. We reported this to the DHS and someone upgraded the nameserver involved. We suspect the vulnerability we found was a real one, though we did not attempt to take advantage of it so we can't tell for sure.
Our website has an active webserver where you can type in your favorite sitename, see its dependencies and vulnerabilities. The data is a snapshot we took when we performed this study; do not be surprised if it does not reflect changes you made in the last few months.
The takeaway from this study is that the conventional wisdom about DNS servers, which says "the more DNS servers you have, the merrier as you increase fault tolerance" is wrong. You increase fault tolerance at the cost of increasing your trusted computing base. If you don't pay attention, someone from Monash Australia can hijack your site, and you might not even notice.
My research group generally looks at how to build more resilient infrastructure services. We built a safety net for DNS, a system for monitoring updates on the web, and a system for avoiding SPAM on P2P filesharing networks. Check them out if you are interested in new distributed services for the Internet.
Quote from the article The names in the top level domains .UA, .BY, .AL, .SM, .MT, .MY, .VA, .PL, .IT, in that order, are on average the most vulnerable. Most country code TLDs average more than 100 dependencies per name..
The part which I have emphasized gives us a hint: in Poland there is a tradition of unreliable telecommunications network. The biggest operator is a post-communistic ineffective giant delivering low quality of service. Therefore most businesses have developed a workaround - redundancy. Many registrars (DNS operators) are also Tier-2 ISPs and have links to most polish Tier-1 ISPs. When in reality they have 1 DNS server it can show up as many IP addresses, one for every Tier-1 ISP. And this is not taken into account by this survey, as far as I have gathered from a quick glance.
You can defy gravity... for a short time
Did anyone else notice that slashdot.org is in the list of vulnerable sites?
I was wondering that when I was reading the article.
... so what?
If you (correctly) configure your systems, you'll have 3 different DNS boxes on 3 different networks so any single problem won't take all of them out.
Okay, that does mean that you've just increased your attack visibility by 3x, but
And yes, if an attacker can get control of 1 of those boxes and DDoS the other 2 then he can redirect those queries to whatever box he wants to.
The vulnerabilties of DNS have been expounded on forever, people already know this. The survey then goes on to point out how trust is an issue and for all that the conclusion of this survey is that cryptographic name to address bindings are key. That's only part of the solution.
The bigger problem is clearly TRUST and can be alleviated if the DNS system was simply reimplemented. Easier said that done, yes, but a p2p with a trust metric system applied isn't overtly complicated and would scale. For instance, lets say you want example.com. It would be delegated when you register, propogated by it's trust amongst the root servers and the two or more namservers you've added when you've signed up. You then setup the trust system algo to prevent large attacks or changes.
The benefits are numerous, the roots are still the roots but are less taxed; their main purpose? The ultimate in trust so that subsequent nameservers always follow the trust metric and should a rogue amount decide to disobey trust metric they are flagged and dropped.
The only problem is actually doing it and setting up some sort of migration path.
Domain hijacking isn't the greatest threat posed by DNS system, it's the system itself.
Attacker could use DNS to relay virus payload to host, thus entirely bypassing NIDS systems.
Any command that resolves hostname could be used to exploit this concept.
It's not commonly used because the limited length of hostnames would require several
queries to transfer larger payloads.
But with some time and effort, attacker could hide the transfer almost completely.
There was an article about this on phrack? around 199x so it's not new idea.
There are no atheists when recovering from tape backup.
It really isn't the same at all. You sort of hope/expect a root server to be very closely monitoring and controlled by a professional team, but once you start adding multiple links in the chain of varying security and on top of that throw in broken DNS resolvers (like the ones SBC/AT&T use that only cache one nameserver for a given domain... even if the nameservice provider has redundancy, you won't benefit from it if the cached nameserver gets hosed).
DNS is a system in which each failure of any individual in the pyramid has the same ability to hose access to your site, but differential security and quality of service. That's not ideal at all.
To back this thesis up, there have been several major DNS outages (joker.com and Worldnic both bit me in the ass, and there were reports on SANS of others), some due to malicious activity, some due to other problems, in the past few months that have made life insane for tens of thousands if not hundreds of thousands of site operators. The system is way too fragile, IMHO.
Online citizen journalism from the inner city: The View From The Ground
From the list of 500 most vulnerable nameservers, a good number seems to be Ukrainain, especially near the top. For the 1000 non net/com/org/gov/mil, the top 20 are all Ukrainian. Some are ridiculously depended, for example http://www.ames.lviv.ua/ (what appears to be an English school) is dependent on no less than 604 nameservers. Is there any particular reason why *.ua names are so vulnerable/dependent? (Other than the TLD system of www.*.oblast.ua, which adds an extra lookup layer, but that shouldn't increase the number of hops by *that* much...)
No, actually it might even make you MORE vulnerable. Remember that each of your servers can respond "authoritatively". Consider, if one of your 3 machines gets owned, then roughly a third of your traffic might have just gotten hijacked, depending on how load balancing is set up. I don't think the bosses would like to hear "well, 2 out of 3 connections made it to the legit destination, so that's pretty good, right?"
Now, if you run 3 servers with different vulnerabilities, you might have just increased your chances of getting hacked, because presumably you have MORE possible exploits: the sum of all the possible exploits on each mahine.
You disregard that as the number of servers increases, the exploit value of each server is less. Meaning, with more servers it is more work to get the same exploit value.
While more servers may increase the number of exploits (I question this), that does not mean suddenly the attacker can get more overall exploit value out of those servers.
I suppose you would argue all the DNS eggs should be in one basket?
Anything is possible given time and money.
Their counts seem inflated, as they mark every single root server for a TLD as a "dependent" server, etc. If you have multiple DNS servers for your own domain (e.g., microsoft.com has 5 nameservers), they count each of _those_ as a separate "dependent" server as well.
It seems to me that it would be more accurate to only count 1 server at each level of the hierarchy as Dependent, and all the peers at that level as Redundant (co-dependent?).
Oh! Thanks for clearing that up, then.
That's why I go with Network Solutions!
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
(for those of you outside Europe, RIPE is the European counterpart to ARIN
That's nice to know. Then what is ARIN?
Actually RIPE is more analogous to NANOG (the North American Network Operator's Group). It is RIPE-NCC (the RIPE Network Coordination Centre) that is the Regional Internet Registry (RIR) for Europe (and parts of the Middle East and Central Asia). RIR's are non-profit member organizations that oversee IP address and ASN registration and allocation.
You disregard that as the number of servers increases, the exploit value of each server is less. Meaning, with more servers it is more work to get the same exploit value.
Not really. The unhacked DNS servers can be DOSed. The attacker probably can't force all lookups to the hacked box, but if he can shut down the other DNS servers enough to get most of the lookups, that's almost as good.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
So what about Secure DNS? Sweden has already converted, so why doesn't the rest of the world follow?
*grin*
I consider a DOS'ed DNS server the same as exploited.
Further, DOSing sends up a red flag, the last thing an attacker wants is more attention.
Anything is possible given time and money.
I consider a DOS'ed DNS server the same as exploited.
It is a form of exploit, but a simple DOS attack just makes the service unavailable. Coupling the hacking of a vulnerable server with a DOS on the other servers allows the attacker to redirect users and do some real damage.
Further, DOSing sends up a red flag, the last thing an attacker wants is more attention.
But the red flag is visible to the sysadmins managing the DNS servers, not to the poor schmuck who's getting sent to the attacker's copy of www.paypal.com. And the typical method of doing a large-scale DOS attack is with a horde of zombies, so the attacker isn't likely to be tracked down that way. The fake machine the attacker redirects people to is his point of vulnerability, since he has to be able to retrieve the stolen data from it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.