
Risk

12/18/2007
07:55 AM

Hacking a New DNS Attack

DNS expert disputes Georgia Tech and Google research that points to malicious deployment of certain types of DNS servers

New findings by researchers at the Georgia Institute of Technology and Google on a malicious DNS-related attack have stirred some debate over whether open recursive DNS servers are inherently insecure. (See DNS Servers in Harm's Way.)

DNS servers basically translate domain names, like darkreading.com, into IP addresses so that computers can find one another. Open recursive DNS servers answer DNS lookup requests from any machine on the Internet. The researchers found an increase in corrupted DNS servers that send clients to malicious sites, and concluded that the large number of open recursive DNS servers on the Net could ultimately be compromised and used as part of a malicious DNS infrastructure that routes users to phishing sites and other bad places.

But David Ulevitch, CEO of OpenDNS, which offers a free open recursive DNS service, says the report is flawed because it points the finger only at open recursive DNS servers. (Closed recursive servers are only accessible to users on a specific network.) "The data they collected may have been accurate, but their interpretations of it are as far off base as you can get," Ulevitch says. "They drew the conclusions that open recursive name servers on the Net are enabling a new form of phishing. That's wrong."

Ulevitch argues that some DNS name servers on the Net indeed do get compromised and provide malicious results to users. But it's not just the open recursive DNS servers: "All they [the researchers] were able to test were the open ones," Ulevitch says. "[But] being open has nothing to do with being compromised. Any name server can be compromised."

The new form of DNS threat is dubbed "DNS resolution path corruption" by the researchers: David Dagon, Chris Lee, and Wenke Lee of Georgia Tech and Google's Niels Provos. They will present their findings in February at the Network and Distributed System Security Symposium (NDSS) in San Diego.

The researchers found somewhere around 17 million open recursive DNS servers on the Net, and discovered that about 0.4 percent, or 68,000 of them, are performing malicious operations by answering DNS queries with false information that sends clients to malicious sites. About 2 percent are returning suspicious results, they reported.

But even legitimate open recursive servers can sometimes appear to be acting unusually or maliciously, security experts say.

One such example is OpenDNS's servers, which correct typing mistakes that would otherwise send a user to a typo-squatter's site, and which also block unwanted sites. "The problem is that they [the researchers] are referring to those changes in DNS responses as malicious. We are blocking adult and phishing sites," OpenDNS's Ulevitch says.
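As an added illustration, not code from the researchers or from any company named here, the following scores a resolver's answers for a set of probe names against the expected answers, and separates outright false answers from the kind of filtering and typo correction Ulevitch describes. All resolver and record addresses are constructed placeholders from the RFC 5737 documentation ranges, and the filter-sink address is hypothetical.

```python
# Expected A records per probe name (constructed RFC 5737 values); an empty set means NXDOMAIN.
EXPECTED = {
    "bank.example": {"192.0.2.10"},
    "shop.example": {"192.0.2.20", "192.0.2.21"},
    "doesnotexist.example": set(),
}
# Landing address of a hypothetical filtering service that rewrites blocked
# or mistyped names (placeholder, not any real service's address).
FILTER_SINKS = {"203.0.113.250"}

def classify(answers, expected=EXPECTED, filter_sinks=FILTER_SINKS):
    """answers: {probe name: set of A records one resolver returned}.
    Returns (verdict, {name: (reason, addresses)}) listing each deviation."""
    deviations = {}
    for name, want in expected.items():
        got = answers.get(name, set())
        if got == want:
            continue
        if got and got <= filter_sinks:
            # Rewritten to a known filter sink: what OpenDNS-style blocking
            # and typo correction look like, so suspicious, not malicious.
            deviations[name] = ("filtered", got)
        elif not want:
            # Answer for a name that should be NXDOMAIN: typo-squat rewrite.
            deviations[name] = ("nxdomain-rewrite", got)
        else:
            # Wrong address for a real name: consistent with path corruption.
            # Caveat: CDN/geo-DNS also vary answers; confirm against the
            # authoritative servers before acting on this verdict.
            deviations[name] = ("false-answer", got)
    if any(reason == "false-answer" for reason, _ in deviations.values()):
        return "malicious", deviations
    return ("suspicious" if deviations else "consistent"), deviations

def survey(samples):
    """Map each resolver to its verdict and tally the verdicts."""
    verdicts = {r: classify(a)[0] for r, a in samples.items()}
    tally = {v: sum(1 for x in verdicts.values() if x == v)
             for v in ("consistent", "suspicious", "malicious")}
    return verdicts, tally

# Constructed probe results from three resolvers (RFC 5737 addresses).
SAMPLE = {
    "198.51.100.1": {"bank.example": {"192.0.2.10"}, "shop.example":
                     {"192.0.2.21", "192.0.2.20"}, "doesnotexist.example": set()},
    "198.51.100.2": {"bank.example": {"192.0.2.10"}, "shop.example":
                     {"192.0.2.20", "192.0.2.21"}, "doesnotexist.example": {"203.0.113.250"}},
    "198.51.100.3": {"bank.example": {"203.0.113.66"}, "shop.example":
                     {"192.0.2.20", "192.0.2.21"}, "doesnotexist.example": set()},
}
```

The second resolver only rewrites a nonexistent name to the filter sink and is scored suspicious; the third returns a false address for a real name and is scored malicious.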

In this type of attack, the client machine first would get infected via a tainted Website or by clicking on a malicious attachment that runs an exploit, according to the researchers. The user's machine would then be reconfigured to send its lookups to the bad guy's DNS server, which could return the correct addresses for some Websites so as not to arouse suspicion, and phishing sites for others.

Such an attack could help a botmaster consolidate his bot assets more easily and quietly, says Bill Guerry, vice president of product management for Damballa, the company Dagon and Wenke co-founded. Guerry noted that the new research is not Damballa's, but that of the Georgia Tech and Google researchers.

"All of this is very real," says Paul Parisi, CTO for DNSstuff.com, which has filed for a patent for a new technology that could help detect online fraud before it actually occurs by checking a user's DNS settings. (See New DNS Technology Flags Bad Guys Before They Act.) "They [the researchers] are basically saying that by a bot or some other means, a user's DNS settings get changed," he says. DNSstuff.com's new technology would detect that a user's DNS settings had been changed, and alert him, Parisi says.

Meanwhile, misconfigured Internet-facing DNS servers are a common problem. A recent survey conducted by DNS vendor Infoblox and The Measurement Factory found that organizations aren't properly configuring their DNS servers for security. More than half of the servers surveyed allow recursive queries, and 31 percent allow zone transfers; both are features that an attacker can exploit.



Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
