|
News broke this week about an attack in Puerto Rico that caused the local websites of Google, Microsoft, Yahoo, Coca-Cola, PayPal, Nike, Dell and Nokia to be redirected for a few hours to a phony website. The website was all black except for a taunting message from the computer hacker responsible for the attack. These attacks were carried out just weeks after the DNS cache poisoning attack against a Brazilian Bank and ISP. As attacks on the DNS increase, the reports on large scale “scares” are becoming more prevalent. DNS attacks hitting mainstream media just highlights how serious the problem is becoming. DNS redirection, pharming, and cache poisoning are no longer viewed as sophisticated internet crimes and no longer infrequent. Any Internet security expert will tell you that tinkering with DNS is not that difficult and it happens more often that most of us are aware.
It is critical now more than ever that we secure the DNS and to do so we need DNSSEC implemented industry wide! DNSSEC thwarts online attacks such as DNS redirection, pharming, and cache poisoning that are used to commit fraud, distribute malware, or steal personal and confidential information. With Internet vandalism on the rise, it is imperative that the Internet Community takes all security precautions necessary to protect and preserve the Internet as it is integral to today’s era of technology.
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byRadix
Lauren,
Can you please provide an explanation of why you think DNSSEC would have protected anyone in the Puerto Rico incident?
The very article you linked to points out the attackers “used a SQL injection attack to break into the Puerto Rico registrar’s management system.”
If it was the same kind of attack as that in NZ, which I suspect it was, then DNSSEC would have helped. Here in NZ once the registrar was compromised the attacker used the registrar systems to request a nameserver change at the registry, which meant those zones now pointed to different nameservers. If those zones had DNSSEC protection then the resolver clients would know straight away that those new nameservers were bogus and so not been fooled. The only way it would not have worked is if the registrar ran the nameservers for those zones, had the crypto key online for automatic generation of sigs and if the hackers then made the change on those local nameservers. However, certainly in the NZ case, and probably in the PR case given the nature of the companies, the registrars were not hosting the zones and so this would have been possible. Which is why the hackers have to usurp the regstrar systems to change nameservers with the registry.
Penultimate sentence - should finish "... would not have been possible."
Hi and thank you for your comment. The point of the blog is high profile Internet attacks are increasing and we need to take all necessary security precautions, DNSSEC being one of them in reference the DNS cache poisoning attack in Brazil.
.. DNSSEC wouldnt have protected anybody in Puerto Rico. Not under the circumstances the attacks were carried out. These are not kaminsky style cache poisoning .. something much more old fashioned .. gain control of the resolver through sql injections or other ways to compromise the base OS, and then control DNS views. DNSSEC is essential - but I do wish you'd pick more appropriate examples to promote it.
Hi and thank you for your comment. The point of the blog is high profile Internet attacks are increasing and we need to take all neccesary security precautions, DNSSEC being one of them in reference to the cache poisoning attack in Brazil.
I saw your boilerplate reply the very first time. And I do appreciate the value of dnssec. Only - where there's a compromise of the sort you described, DNSSEC is useless because the bad guys just did an end run around it. If you'd like to reply to this, I'd appreciate your thoughts rather than another repeat of the same boilerplate.