12/18/2007
07:55 AM

Hacking a New DNS Attack

DNS expert disputes Georgia Tech and Google research that points to malicious deployment of certain types of DNS servers

New findings by researchers at the Georgia Institute of Technology and Google on a malicious DNS-related attack have stirred some debate over whether open recursive DNS servers are inherently insecure. (See DNS Servers in Harm's Way.)

DNS servers translate domain names, like darkreading.com, into IP addresses so that computers can find one another. Open recursive DNS servers respond to DNS lookup requests from any machine on the Internet. The researchers found an increase in corrupted DNS servers that send clients to malicious sites, and concluded that the large number of open recursive DNS servers on the Net could ultimately be compromised and used as part of a malicious DNS infrastructure that routes users to phishing sites and other bad places.

But David Ulevitch, CEO of OpenDNS, which offers a free open recursive DNS service, says the report is flawed because it points the finger only at open recursive DNS servers. (Closed recursive servers are only accessible to users on a specific network.) "The data they collected may have been accurate, but their interpretations of it are as far off base as you can get," Ulevitch says. "They drew the conclusions that open recursive name servers on the Net are enabling a new form of phishing. That's wrong."

Ulevitch argues that some DNS name servers on the Net indeed do get compromised and provide malicious results to users. But it's not just the open recursive DNS servers: "All they [the researchers] were able to test were the open ones," Ulevitch says. "[But] being open has nothing to do with being compromised. Any name server can be compromised."

The new form of DNS threat is dubbed "DNS resolution path corruption" by the researchers: David Dagon, Chris Lee, and Wenke Lee of Georgia Tech and Google's Niels Provos. They will present their findings in February at the Network and Distributed System Security Symposium (NDSS) in San Diego.

The researchers found somewhere around 17 million open recursive DNS servers on the Net, and discovered that about 0.4 percent, or 68,000 of them, are performing malicious operations by answering DNS queries with false information that sends users to malicious sites. About 2 percent are returning suspicious results, they reported.

But even legitimate open recursive servers can sometimes appear to be acting unusually or maliciously, security experts say.

One such example is OpenDNS's servers, which correct fat-fingered typos so that they don't send a user to a typo-squatter's site, and which also block unwanted sites. "The problem is that they [the researchers] are referring to those changes in DNS responses as malicious. We are blocking adult and phishing sites," OpenDNS's Ulevitch says.

In this type of attack, the client machine first would get infected via a tainted Website or by clicking on a malicious attachment that runs an exploit, according to the researchers. The user's machine would then be directed to visit the bad guy's DNS server, and the attacker could direct the victim to some correct Websites so as not to arouse suspicion, as well as phishing sites, for instance.

Such an attack could help a botmaster consolidate his bot assets more easily and quietly, says Bill Guerry, vice president of product management for Damballa, the company Dagon and Wenke co-founded. Guerry noted that the new research is not Damballa's, but that of the Georgia Tech and Google researchers.

"All of this is very real," says Paul Parisi, CTO for DNSstuff.com, which has filed for a patent for a new technology that could help detect online fraud before it actually occurs by checking a user's DNS settings. (See New DNS Technology Flags Bad Guys Before They Act.) "They [the researchers] are basically saying that by a bot or some other means, a user's DNS settings get changed," he says. DNSstuff.com's new technology would detect that a user's DNS settings had been changed, and alert him, Parisi says.

Meanwhile, misconfigured Internet-facing DNS servers are a common problem. A recent survey conducted by DNS vendor Infoblox and The Measurement Factory found that organizations aren't properly configuring their DNS servers for security. Recursive queries and zone transfers -- two features that can be exploited by an attacker -- are allowed by more than half and by 31 percent of the servers, respectively.
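A defender-side check for the recursive-query half of that finding, added here as an example and not taken from the article or the survey: it builds a query with the recursion-desired bit set and classifies the reply an administrator would capture when testing their own server from outside its network. The function names, classification labels and sample replies are assumptions constructed for illustration; zone transfers are not covered.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Encode an A/IN query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, response):
    """Classify a reply to a query for a name the server is NOT authoritative for,
    sent from an address outside the networks the server is meant to serve."""
    if len(response) < 12:
        return "malformed"
    qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "malformed"              # wrong transaction ID, or not a response
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"                # REFUSED: recursion denied to this client
    if flags & RA and not flags & AA and rcode in (0, 3):
        return "open-recursive"         # NOERROR/NXDOMAIN obtained on our behalf
    if not flags & RA:
        return "recursion-not-offered"  # e.g. authoritative-only, sends a referral
    return "inconclusive"

def constructed_reply(query, flags, answer=b""):
    """Constructed sample reply: echoes the question, optionally with one answer."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

# Constructed inputs; 192.0.2.1 is a documentation address (RFC 5737).
QUERY = build_query("www.example.com")
A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
SAMPLES = {
    "open resolver": constructed_reply(QUERY, QR | RD | RA, A_RECORD),
    "closed resolver": constructed_reply(QUERY, QR | RD | 5),
    "authoritative-only": constructed_reply(QUERY, QR | RD),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:20s} -> {classify_response(QUERY, reply)}")
```
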


  • Damballa Inc.
  • OpenDNS
  • DNSstuff.com
  • Google (Nasdaq: GOOG)

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
