Slashdot Mirror


What Could You Do With a Bogus Root Name Server?

Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple weeks ago about the 'identity theft' of a root name server. To emphasize the issue of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited. "It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."
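To make the mechanism in the quoted post concrete, here is an added example (not code from the article or from the Renesys post): a toy recursive resolver plus a handful of toy authoritative servers. The bogus root answers every query honestly except two: it lists itself when asked for the root server set, and it delegates one target zone to an attacker's name server. Every name and address below is constructed (addresses from the RFC 5737 documentation ranges), the six-day root NS TTL is a constructed value, and the resolver's habit of refreshing the root set from its cache rather than re-reading its hints file is a modelling choice, not a claim about any particular resolver.

```python
# Added example: toy recursive resolver and toy authoritative servers.
# All names, addresses and TTLs are constructed for the demonstration.

ROOT_NS_TTL = 518_400        # constructed: six-day TTL on the root NS set
DELEG_TTL = 172_800

HONEST_ROOT = "192.0.2.1"    # the address the published root hints list
BOGUS_ROOT = "203.0.113.66"  # stale address, now answered by an impostor
COM_NS, ISP_NS, EXAMPLE_NS = "192.0.2.2", "192.0.2.3", "192.0.2.4"
ATTACKER_NS = "203.0.113.67"
REAL_POP3, EVIL_POP3, WWW_EXAMPLE = "192.0.2.30", "203.0.113.30", "192.0.2.80"

CURRENT_HINTS = {"a.root.example.": HONEST_ROOT}  # what the org should have
STALE_HINTS = {"a.root.example.": BOGUS_ROOT}     # what the org actually has


def honest_root(q):
    if q == ".":
        return "ns", [("a.root.example.", HONEST_ROOT)], ROOT_NS_TTL
    if q.endswith(".com."):
        return "referral", [("ns.com.example.", COM_NS)], DELEG_TTL
    return "nxdomain", None, 0


def bogus_root(q):
    # Identical to the honest root except that it names itself as the root
    # server set and steers one target zone to the attacker's name server.
    if q == ".":
        return "ns", [("a.root.example.", BOGUS_ROOT)], ROOT_NS_TTL
    if q.endswith(".yourisp.com."):
        return "referral", [("ns.attacker.example.", ATTACKER_NS)], DELEG_TTL
    return honest_root(q)


def com_ns(q):
    if q.endswith(".yourisp.com."):
        return "referral", [("ns.yourisp.com.", ISP_NS)], DELEG_TTL
    if q.endswith(".example.com."):
        return "referral", [("ns.example.com.", EXAMPLE_NS)], DELEG_TTL
    return "nxdomain", None, 0


SERVERS = {
    HONEST_ROOT: honest_root,
    BOGUS_ROOT: bogus_root,
    COM_NS: com_ns,
    ISP_NS: lambda q: ("answer", REAL_POP3, 300) if q == "pop3.yourisp.com."
            else ("nxdomain", None, 0),
    EXAMPLE_NS: lambda q: ("answer", WWW_EXAMPLE, 300) if q == "www.example.com."
                else ("nxdomain", None, 0),
    ATTACKER_NS: lambda q: ("answer", EVIL_POP3, 300),  # answers anything asked
}


class Resolver:
    """Caching recursive resolver. Primes the root NS set from its hints once,
    then (modelling choice) refreshes it from the cached set when the TTL
    expires, never re-reading the hints file."""

    def __init__(self, hints, now=0):
        self.hints = dict(hints)
        self.root_ns = None        # (name -> ip, expiry time)
        self.now = now
        self.primings = 0

    def root_servers(self):
        if self.root_ns is None or self.now >= self.root_ns[1]:
            source = self.hints if self.root_ns is None else self.root_ns[0]
            kind, rrs, ttl = SERVERS[next(iter(source.values()))](".")
            assert kind == "ns"
            self.root_ns = (dict(rrs), self.now + ttl)
            self.primings += 1
        return self.root_ns[0]

    def resolve(self, qname):
        servers = list(self.root_servers().values())
        for _ in range(8):                       # bounded referral chase
            kind, data, _ttl = SERVERS[servers[0]](qname)
            if kind == "answer":
                return data
            if kind != "referral":
                return None
            servers = [ip for _, ip in data]
        return None


def audit_priming(resolver, trusted_hints):
    """The check an operator wants: root servers the resolver is actually
    using that the currently published hints do not list."""
    return set(resolver.root_servers().items()) - set(trusted_hints.items())


if __name__ == "__main__":
    victim = Resolver(STALE_HINTS)
    print("www.example.com.  ->", victim.resolve("www.example.com."))   # correct
    print("pop3.yourisp.com. ->", victim.resolve("pop3.yourisp.com."))  # attacker
    print("unexpected root servers:", audit_priming(victim, CURRENT_HINTS))
```

The victim resolver answers `www.example.com.` correctly, so nothing looks wrong from the inside; only the targeted zone goes to the attacker, and once the root NS set expires the resolver refreshes it from the impostor and stays captured. The only thing that exposes it in this model is comparing the root set in use against the current published hints, which is the kind of check a resolver operator should run after an event like the one described above.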

10 of 120 comments

  1. Simple recipe by canuck57 · · Score: 5, Insightful

    If you have lost DNS, the game is over, you lose. A recipe if your system hits a compromised root server.

    • You open up email to read today's email. Your PC looks up pop3.yourisp.com.
    • DNS returns the IP of the evil PC to your PC, which will connect to it.
    • Next, the evil PC will emulate your login and IP address and record the password. Could even be a /. password.
    • The evil PC now has the info needed to read/retrieve your email.

    Better yet, people often use similar IDs and passwords on other systems. Evil hackers can often use the email to figure out which banks, credit, stock brokers and online e-tailers you use. Maybe change the home address of your Amazon account and order stuff, if the e-tailer isn't right on top of it.

    Root servers need to be secure, end of story.

    I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.

    1. Re:Simple recipe by Joe+The+Dragon · · Score: 3, Insightful

      The ISP can make it so that POP3 only works from inside their own network, and force you to have a different webmail password, not using the same login system for webmail and POP3 mail.

    2. Re:Simple recipe by imipak · · Score: 4, Insightful
      Oh good god, that's just the tip of the iceberg. More likely would be to MitM some large corps' Outlook Web Access or other places where domain credentials are exposed (VPNs and the like.) Wait until you've got a domain admin's password. You now own that entire corp. Now rinse and repeat for government bodies. How hard do you think it would be for the proverbial well-motivated and resourced attacker to trigger off a war in such circumstances?

      Think about it.

    3. Re:Simple recipe by jeiler · · Score: 1, Insightful

      Instead of a MitM attack, would it be possible to do a "proxy-in-the-middle" attack?

      * User opens up to read email/connect to their bank account/something secure.
      * DNS returns IP of evil impersonator (EI) instead of Real Computer (RC).
      * User requests connection from EI. EI transparently proxies that connection to RC, while listening for the password that authenticates the key exchange.
      * Profit! Or would it be?

      I can't imagine this kind of hole not already being covered, but it seems like it would be feasible without some form of encryption on the initial password itself.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

  2. break everything by imipak · · Score: 3, Insightful
    Then sit back cackling with glee whilst civilisation falls apart?

    Seriously, in the last decade the premise that the Net is always there has become a silent assumption underlying a lot of critical systems. No, I'm not talking about nuclear power stations being online, I'm talking about basic logistics chain outages that mean there's no-one there to run the power station, because they've no fuel for their car, because the petrol tanker driver is off scavenging food for his kids. There are a number of scenarios that could knock out the net (or at least cause widespread depeering, so you'd be stuck on your provider's network and unable to get traffic to/from anywhere else); it would be... well, a bit too interesting for my liking to see how things would go with, say, a seven day outage. Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure, having a heterogeneous mix of code for all critical functions, oh, and enforcing BGP security.

    1. Re:break everything by ijakings · · Score: 1, Insightful

      This post raises an interesting point. For the most part, what I've seen is that the IT or general tech industry has no large union. At least it doesn't in the UK.

      Think about it: if they did, they could bring a country to its knees with, say, a 7 day strike. People have become so dependent on things just working, and when they don't they call in the tech guy, that they would be going crazy after 7 days.

      Sure, you've got that one guy in every department who is, or thinks he is, really good at computers, but how long until this guy runs into something he needs higher access for, but can't get?

      What's that, RIAA, you're doing your old tricks again? Whoops, the tech industry has a strike. (Obviously I know it doesn't work anything like this, but it's an interesting scenario.)

    2. Re:break everything by Anonymous Coward · · Score: 1, Insightful

      Maybe the geeks should go on strike.

      No patches; no tech support; no maintenance -- until things are organized properly.

      "But what can any of us do about it? Who is Linus Torvalds?"
      - Stallman Shrugged.

  3. Re:The heck with DNS by eneville · · Score: 2, Insightful

    Time for you mental midgets to start remembering IP addresses. Do your own damn caching. It's a JOKE! Alright? Well, it's not such a silly idea. When I look at my Firefox 3 smart bookmarks, there are maybe 5 pages that I go to regularly. Anything else I can see using Google page cache. So what's the big deal? Having those few sites in a local hosts file isn't so much of a task.

  4. Take it... by Timosch · · Score: 2, Insightful

    ...and sell it to the Chinese government. The answer to all their desires... No, just kidding.

  5. Re:I've heard of this new technology... by Anonymous Coward · · Score: 4, Insightful

    Digitally signing every DNS request? Good luck handling the computational load :)

    You don't need to sign the requests, you need to sign the replies. And you only need to compute the signing once, and store the signed value.
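The point in the comment above, signing the replies rather than the requests and computing each signature once, is how DNSSEC's RRSIG records work. The following is an added example, not code from the thread or from any DNS implementation: an authoritative zone that signs each RRset at load time and then serves the stored signature with every answer, and a validating resolver that rejects an answer a bogus server has altered on the way through. The signature scheme is textbook RSA over the Mersenne primes 2^521-1 and 2^607-1, a deliberately toy key that is trivially factorable; it stands in for a real DNSSEC algorithm only so that the block runs without third-party libraries. The zone contents are constructed.

```python
import hashlib

# Added example: sign DNS replies once, serve the stored signature many times.
# TOY KEY: p and q are Mersenne primes, so N factors instantly. Never use this
# outside a demonstration. Zone contents below are constructed.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def canonical_rrset(name, rtype, rdatas, ttl):
    """Canonical form of an RRset: owner lowercased, records sorted, one per
    line. The signature covers this form, so it is valid for every reply that
    carries the RRset no matter which client asked or how the query was framed."""
    lines = [f"{name.lower()} {ttl} IN {rtype} {rd}" for rd in sorted(rdatas)]
    return "\n".join(lines).encode()


def sign(message, d=D, n=N):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")  # h < n
    return pow(h, d, n)


def verify(message, signature, e=E, n=N):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


class SignedZone:
    """Authoritative server: signs each RRset once when the zone is loaded and
    answers queries from the stored (RRset, signature) pairs."""

    def __init__(self, records):
        self.signings = 0
        self.store = {}
        for (name, rtype), (ttl, rdatas) in records.items():
            sig = sign(canonical_rrset(name, rtype, rdatas, ttl))
            self.store[(name.lower(), rtype)] = (ttl, sorted(rdatas), sig)
            self.signings += 1

    def answer(self, qname, qtype):
        """Query path does no signing at all: one lookup per reply."""
        return self.store.get((qname.lower(), qtype))


class ValidatingResolver:
    """Holds the zone's public key; accepts a reply only if the signature it
    carries verifies over the canonical form of the RRset it carries."""

    def __init__(self, e=E, n=N):
        self.e, self.n = e, n

    def validate(self, qname, qtype, reply):
        if reply is None:
            return None
        ttl, rdatas, sig = reply
        msg = canonical_rrset(qname, qtype, rdatas, ttl)
        return verify(msg, sig, self.e, self.n)


def forged_reply(reply, evil_ip):
    """What a bogus server in the path can do: keep the genuine signature and
    swap in its own address. The signature no longer matches the RRset."""
    ttl, _rdatas, sig = reply
    return ttl, [evil_ip], sig


SAMPLE_ZONE = {  # constructed
    ("pop3.yourisp.com.", "A"): (300, ["192.0.2.30"]),
    ("www.yourisp.com.", "A"): (300, ["192.0.2.80"]),
}


def demo(queries=1000):
    zone = SignedZone(SAMPLE_ZONE)
    for _ in range(queries):
        zone.answer("pop3.yourisp.com.", "A")
    resolver = ValidatingResolver()
    genuine = zone.answer("pop3.yourisp.com.", "A")
    forged = forged_reply(genuine, "203.0.113.30")
    return {
        "signings": zone.signings,   # stays at the number of RRsets, not queries
        "genuine_validates": resolver.validate("pop3.yourisp.com.", "A", genuine),
        "forged_validates": resolver.validate("pop3.yourisp.com.", "A", forged),
    }


if __name__ == "__main__":
    print(demo())
```

A thousand queries cost two signing operations (one per RRset at load time), and the verification on the resolver side is the cheap public-key exponent. The tampered reply fails because the signature is bound to the RRset contents, which is the property that stops a bogus root or any other server in the path from substituting its own answers for a signed zone.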