Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Could You Do With a Bogus Root Name Server?

Posted by Soulskill on from the root-root-root-for-the-home-team dept.

Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple weeks ago about the 'identity theft' of a root name server. To emphasize the issue of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited. "It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."

7 of 120 comments (clear)

  1. Simple recipe by canuck57 · · Score: 5, Insightful

    If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

    • You open up email to read todays email. You PC looks up pop3.yourisp.com.
    • DNS returns the IP of evil PC to your PC which will connect to it.
    • Next, evil PC will emulate your login, IP address and record the password. Could even be a /. password.
    • Evil pc now has the info needed to read/retrieve your email.

    Better yet, people often use similar IDs and passwords into other systems. Evil hackers can often use the email to figure out which banks, credit, stock brokers and on line e-tailers you use. Maybe change the home address of your Amazon account and order stuff, if the e-tailor isn't right on top of it.

    Root servers need to be secure, end of story.

    I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.

    1. Re:Simple recipe by Joe+The+Dragon · · Score: 3, Insightful

      ISP can make so that pop3 only works from inside of there own network and force you to have a differnt web mail password not use the same login in system for web mail and pop3 mail.

    2. Re:Simple recipe by imipak · · Score: 4, Insightful
      Oh good god, that's just the tip of the iceberg. More likely would be to MitM some large corps' Outlook Web Access or other places where domain credentials are exposed (VPNs and the like.) Wait until you've got a domain admin's password. You now own that entire corp. Now rinse and repeat for government bodies. How hard do you think it would be for the proverbial well-motivated and resourced attacker to trigger off a war in such circumstances?

      Think about it.

  2. break everything by imipak · · Score: 3, Insightful
    Then sit back cackling with glee whilst civilisation falls apart?

    Seriously, in the last decade the premise that the Net is always there has become a silent assumption underlying a lot of critical systems. No I'm not talking about nuclear power stations being online, I'm talking about basic logistics chain outages that mean there's no-one there to run the power station, because they've no fuel for their car, because the petrol tanker driver is off scavaging food for his kids. There are a number of scenarios that could knock out the net (or at least cause widespread depeering, so you'd be stuck on your provider's network and unable to get traffic to/from anywhere else); it would be... well, a bit too interesting for my liking to see how things would go with, say, a seven day outage. Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure, having a heterogenous mix of code for all critical functions, oh and and enforcing BGP security.

  3. Re:The heck with DNS by eneville · · Score: 2, Insightful

    Time for you mental midgets to start remembering IP addresses. Do your own damn cacheing. It's a JOKE! Alright? Well, it's not such a silly idea. When I look at my firefox 3 smart book marks, there are maybe 5 pages that I go to regularly. Anything else I can see using google page cache. So what's the big deal, having those few sites in a local hosts file isn't so much of a task.
    --
    Why UNIX?
  4. Take it... by Timosch · · Score: 2, Insightful

    ...and sell it to the Chinese government. The answer to all their desires... No, just kidding.

  5. Re:I've heard of this new technology... by Anonymous Coward · · Score: 4, Insightful

    Digitally signing every DNS request? Good luck handling the computational load :)

    You don't need to sign the requests, you need to sign the replies. And you only need to compute the signing once, and store the signed value.