Perils of DNS at RIPE-52

An anonymous reader wrote in to say that " The RIPE meeting got off to a good start yesterday (for those of you outside Europe, RIPE is the European counterpart to ARIN). Emin Sirer from Cornell presented his study of DNS vulnerabilities. The results are staggering: the average name depends on four dozen nameservers, 30% of domains are vulnerable to domain hijacks by simple script kiddies, 85% of domains are vulnerable to hijacks by attackers that can DoS two hosts. The lesson: DNS must be managed by professionals, and the pros have to pay attention to the DNS delegation graph when they set up name servers."

Associated paper with more details.

The associated paper is here. They surveyed some 600,000 names from Yahoo and DMOZ and found that a large percentage of domains are vulnerable to domain hijacks by script kiddies.

More information -- paper

[scovetta]

The paper Perils of Transitive Trust in the Domain Name System (coral cache) describes quite a bit of this. It's a bit scary.

Also , for those outside (and inside) of Europe

[tddoog]

ARIN (from the website)

Established in December 1997, the American Registry for Internet Numbers (ARIN) is a Regional Internet Registry (RIR) incorporated in the Commonwealth of Virginia, USA. ARIN is one of five (5) RIRs. Like the other RIRs, ARIN:

        * Provides services related to the technical coordination and management of Internet number resources in its respective service region. The ARIN service region includes Canada, the United States, and several islands in the Caribbean Sea and North Atlantic Ocean;
        * Facilitates the development of policy decisions made by its members and the stakeholders in its region;
        * Is a nonprofit, membership organization;
        * Is governed by an executive board elected by its membership.

Re:This also just in

[caluml]

No, you nutter. What it's saying is, is that even if you configured your DNS correctly, all of the parent DNS servers used in the process of resolving your domain names have to be correctly configured too. Imagine you own foo.com. Your DNS server is OK, but if the .com servers aren't, I can just make the .com servers pass requests for foo.com to my DNS servers, and then return whatever values I want. It's all a big pyramid.

Re:dig is your friend.

[mmkkbb]

EdgeSuite is an Akamai product. If the FBI is using Akamai then that's not totally surprising, and they do.

Re:Ripe and ARIN

googlable:

American Registry for Internet Numbers (ARIN) - Home Page
http://www.arin.net/

Note from the author.

[Emin.Gun.Sirer]

I'm the speaker that the article is talking about. I head a research group at Cornell looking at building more resilient Internet infrastructure. Let me say a few words about this study and our recent IMC paper:

This survey was a lot of fun. It's sort of like a "how to 0wn the Internet via DNS" survey. In fact, that was the subtitle of my talk and was the most fun academic paper I ever wrote. It's all based on public information, by the way. The findings were quite surprising, at least to us.

First, the average DNS name depends on a large number of nameservers. Not just the two or three nameservers that you designate when you register the name, but also the nameservers those servers are served by, and so on. This set includes a few dozen hosts for the average .COM domain. If you are in the Ukraine, Malaysia, Poland, or Italy, this set includes more than 400 hosts! In contrast, Japan (.jp) is run very well, and names in .jp depend on very few hosts.

Second, some names are incredibly vulnerable. The most vulnerable name in our survey, the Roman Catholic Church web site in the Ukraine, depends on servers in Berkeley, NYU, UCLA, Russia, Poland, Sweden, Norway, Germany, Austria, France , England, Canada, Israel, and Australia. It's possible to take over that Ukrainian website (and announce a new pope, perhaps?) by compromising a host in Monash, Australia. DNS makes a small world after all.

Typically, you can find some compromised hosts in the dependence graph, DoS the non-vulnerable hosts for a very short time when DNS glue is about to expire, and poison caches. Repeat and rinse until you have hijacked the name of your choice.

Finally, some nameservers are very valuable, they control a large percentage of names. Some of these valuable nameservers are in educational institutions, which have no fiduciary responsibility to the names they serve. In fact, folks at NYU may not be aware that they can control the entire namespace for Baltic countries under the right circumstances.

Interestingly, the FBI.GOV site was vulnerable. We reported this to the DHS and someone upgraded the nameserver involved. We suspect the vulnerability we found was a real one, though we did not attempt to take advantage of it so we can't tell for sure.

Our website has an active webserver where you can type in your favorite sitename, see its dependencies and vulnerabilities. The data is a snapshot we took when we performed this study; do not be surprised if it does not reflect changes you made in the last few months.

The takeaway from this study is that the conventional wisdom about DNS servers, which says "the more DNS servers you have, the merrier as you increase fault tolerance" is wrong. You increase fault tolerance at the cost of increasing your trusted computing base. If you don't pay attention, someone from Monash Australia can hijack your site, and you might not even notice.

My research group generally looks at how to build more resilient infrastructure services. We built a safety net for DNS, a system for monitoring updates on the web, and a system for avoiding SPAM on P2P filesharing networks. Check them out if you are interested in new distributed services for the Internet.

.pl - one of most vulnerable?

[kompiluj]

Quote from the article The names in the top level domains .UA, .BY, .AL, .SM, .MT, .MY, .VA, .PL, .IT, in that order, are on average the most vulnerable. Most country code TLDs average more than 100 dependencies per name..
The part which I have emphasized gives us a hint: in Poland there is a tradition of unreliable telecommunications network. The biggest operator is a post-communistic ineffective giant delivering low quality of service. Therefore most businesses have developed a workaround - redundancy. Many registrars (DNS operators) are also Tier-2 ISPs and have links to most polish Tier-1 ISPs. When in reality they have 1 DNS server it can show up as many IP addresses, one for every Tier-1 ISP. And this is not taken into account by this survey, as far as I have gathered from a quick glance.

Re:Someone just needs to want change bad enough.

The bigger problem is clearly TRUST and can be alleviated if the DNS system was simply reimplemented. Easier said that done, yes, but a p2p with a trust metric system applied isn't overtly complicated and would scale... The only problem is actually doing it and setting up some sort of migration path.

Interestingly, the same research group cited in the story has built precisely such a system, a P2P replacement for DNS. It even has a migration path from the current DNS, supports the legacy namespace, and works well enough to answer my DNS queries even as we speak.

RIPE != RIPE-NCC

[majorowl]

Actually RIPE is more analogous to NANOG (the North American Network Operator's Group). It is RIPE-NCC (the RIPE Network Coordination Centre) that is the Regional Internet Registry (RIR) for Europe (and parts of the Middle East and Central Asia). RIR's are non-profit member organizations that oversee IP address and ASN registration and allocation.