
Risk

12/18/2007 07:55 AM
Hacking a New DNS Attack

DNS expert disputes Georgia Tech and Google research that points to malicious deployment of certain types of DNS servers

New findings by researchers at the Georgia Institute of Technology and Google on a malicious DNS-related attack have stirred some debate over whether open recursive DNS servers are inherently insecure. (See DNS Servers in Harm's Way.)

DNS servers translate domain names, like darkreading.com, into IP addresses so that computers can find one another. A recursive DNS server performs a lookup on a client's behalf, walking the chain of authoritative servers and caching the answer; an open recursive server does this for queries from any machine on the Internet rather than only for the network it serves. The researchers found a growing number of corrupted DNS servers that send clients to malicious sites, and concluded that the large population of open recursive DNS servers on the Net could ultimately be compromised and used as part of a malicious DNS infrastructure that routes users to phishing sites and other bad places.

But David Ulevitch, CEO of OpenDNS, which offers a free open recursive DNS service, says the report is flawed because it points the finger only at open recursive DNS servers. (Closed recursive servers answer only users on a specific network.) "The data they collected may have been accurate, but their interpretations of it are as far off base as you can get," Ulevitch says. "They drew the conclusions that open recursive name servers on the Net are enabling a new form of phishing. That's wrong."

Ulevitch agrees that some DNS name servers on the Net do get compromised and hand malicious results to users. But it's not just the open recursive DNS servers: "All they [the researchers] were able to test were the open ones," Ulevitch says. "[But] being open has nothing to do with being compromised. Any name server can be compromised."

The new form of DNS threat is dubbed "DNS resolution path corruption" by the researchers: David Dagon, Chris Lee, and Wenke Lee of Georgia Tech and Google's Niels Provos. They will present their findings in February at the Network and Distributed System Security Symposium (NDSS) in San Diego.

The researchers found somewhere around 17 million open recursive DNS servers on the Net, and discovered that about 0.4 percent, or roughly 68,000 of them, are behaving maliciously: they answer DNS queries with false information that sends the querying client to malicious sites. About 2 percent return suspicious results, they reported.

But even legitimate open recursive servers can sometimes appear to be acting unusually or maliciously, security experts say.

One such example is OpenDNS's own servers, which correct typos in domain names so that a user is not sent to a typo-squatter's site, and which block unwanted sites. Both deliberately change the answer a client receives. "The problem is that they [the researchers] are referring to those changes in DNS responses as malicious. We are blocking adult and phishing sites," OpenDNS's Ulevitch says.

In this type of attack, the client machine is first infected, via a tainted Web site or a malicious attachment that runs an exploit, according to the researchers. The malware then changes the machine's DNS settings so that its lookups go to the attacker's DNS server. That server can answer most queries correctly, so the victim notices nothing unusual, while answering queries for selected sites, a bank's login page for instance, with the address of a phishing site.

Such an attack could help a botmaster consolidate his bot assets more easily and quietly, says Bill Guerry, vice president of product management for Damballa, the company Dagon and Wenke Lee co-founded. Guerry noted that the new research is not Damballa's, but that of the Georgia Tech and Google researchers.

"All of this is very real," says Paul Parisi, CTO of DNSstuff.com, which has filed for a patent on a technology that checks a user's DNS settings in order to flag online fraud before it actually occurs. (See New DNS Technology Flags Bad Guys Before They Act.) "They [the researchers] are basically saying that by a bot or some other means, a user's DNS settings get changed," he says. DNSstuff.com's technology would detect that a user's DNS settings had been changed and alert him, Parisi says.

Meanwhile, misconfigured Internet-facing DNS servers are a common problem. A recent survey conducted by DNS vendor Infoblox and The Measurement Factory found that organizations aren't properly configuring their DNS servers for security: more than half of the servers surveyed answer recursive queries from anyone, and 31 percent allow zone transfers. Both features can be exploited by an attacker. An open recursive server can be abused for cache poisoning and for reflection attacks against third parties, and an unrestricted zone transfer hands an attacker the complete list of a domain's hosts.
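The following is an added example, not code from the article, from the Georgia Tech and Google researchers, or from OpenDNS or DNSstuff.com. It is a minimal DNS client (RFC 1035 wire format, A records only) with the two checks the article describes: comparing a resolver's answers for a set of names against reference answers, to spot the "mostly correct, a few poisoned" pattern of a corrupted resolution path, and reading the RA flag and RCODE of a reply to tell whether a server resolves names it is not authoritative for, which is the open-recursion check behind the survey figures above. The domain names, addresses and the "resolver under test" in the demo are constructed; only `query_udp()` talks to the network, and the offline walk-through never calls it.

```python
# Added example, not code from the article, the Georgia Tech/Google paper, OpenDNS
# or DNSstuff.com: a minimal DNS client (RFC 1035 wire format, A records only) and
# the two checks the article talks about. Names, addresses and the "resolver under
# test" are constructed for the offline demo; query_udp() is the only live call.
from __future__ import annotations
import random
import socket
import struct

QTYPE_A = 1

def encode_name(name: str) -> bytes:
    """'example.test' -> b'\\x07example\\x04test\\x00' (uncompressed labels)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, txid: int | None = None, rd: bool = True) -> tuple[int, bytes]:
    """Standard A query. RD=1 asks the server to recurse on the client's behalf."""
    txid = random.randrange(0, 1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)

def build_response(txid: int, name: str, ips: list[str], ra: bool = True,
                   aa: bool = False, rcode: int = 0) -> bytes:
    """The answer a server sends. Used here to fabricate sample traffic offline;
    a corrupt resolver builds exactly this with an IP of the attacker's choosing."""
    flags = 0x8000 | (0x0400 if aa else 0) | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    for ip in ips:  # 0xC00C = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    return msg

def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(msg: bytes) -> dict:
    """Return txid, the flag bits that matter here and the A records answered."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    a_records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            a_records.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF, "a": a_records}

def answers_recursively(resp: dict, expected_txid: int) -> bool:
    """True when the server resolved a name outside its own zones for us: reply to
    our txid, RA set, NOERROR, data present, not flagged authoritative (AA=0)."""
    return (resp["qr"] and resp["txid"] == expected_txid and resp["ra"]
            and resp["rcode"] == 0 and not resp["aa"] and bool(resp["a"]))

def classify_resolver(observed: dict[str, list[str]],
                      reference: dict[str, list[str]]) -> tuple[str, list[str]]:
    """'clean': every answer matches the reference (e.g. the authoritative servers).
    'selective': some names differ, the pattern of a resolver that answers most names
    honestly and poisons a few. 'divergent': all differ (dead, wholly hijacked, or a
    filtering service like OpenDNS, so check by hand before calling it malicious)."""
    bad = sorted(n for n in reference if set(observed.get(n, [])) != set(reference[n]))
    if not bad:
        return "clean", bad
    return ("selective" if len(bad) < len(reference) else "divergent"), bad

def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Live query of one resolver (needs network; not used by the offline demo)."""
    txid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        resp = parse_response(s.recv(4096))
    if resp["txid"] != txid:
        raise ValueError("transaction id mismatch: not an answer to our query")
    return resp

def demo() -> tuple[str, list[str]]:
    """Offline walk-through with constructed data: an attacker-run resolver answers
    two names correctly and swaps the bank's address for its phishing host."""
    reference = {"bank.example": ["192.0.2.10"], "news.example": ["192.0.2.20"],
                 "mail.example": ["192.0.2.30"]}
    poisoned = dict(reference, **{"bank.example": ["198.51.100.7"]})
    observed = {}
    for name, ips in poisoned.items():
        txid, _ = build_query(name, txid=0x1234)
        resp = parse_response(build_response(txid, name, ips))
        assert answers_recursively(resp, txid)     # it did recurse for us
        observed[name] = resp["a"]
    return classify_resolver(observed, reference)

if __name__ == "__main__":
    print(demo())
```

To run the same checks against a real server, call `query_udp(server, name)` for a name the server does not host and pass the result to `answers_recursively()`; a server that returns `True` is an open recursive resolver. For the resolution-path check, gather `query_udp()` answers for a handful of names from the resolver configured on the client and compare them with answers from the domains' authoritative servers using `classify_resolver()`. A `selective` result is the signature the researchers describe; a `divergent` result is just as likely to be a filtering service as a hijack, which is exactly the point of dispute in the article, so it needs a human look before it is reported.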



Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
