Home / Blogs

Another Attack, Another Reason for the Urgency of DNSSEC Adoption

News broke this week about an attack in Puerto Rico that caused the local websites of Google, Microsoft, Yahoo, Coca-Cola, PayPal, Nike, Dell and Nokia to be redirected for a few hours to a phony website. The website was all black except for a taunting message from the computer hacker responsible for the attack. These attacks were carried out just weeks after the DNS cache poisoning attack against a Brazilian Bank and ISP. As attacks on the DNS increase, the reports on large scale “scares” are becoming more prevalent. DNS attacks hitting mainstream media just highlights how serious the problem is becoming. DNS redirection, pharming, and cache poisoning are no longer viewed as sophisticated internet crimes and no longer infrequent. Any Internet security expert will tell you that tinkering with DNS is not that difficult and it happens more often that most of us are aware.

It is critical now more than ever that we secure the DNS and to do so we need DNSSEC implemented industry wide! DNSSEC thwarts online attacks such as DNS redirection, pharming, and cache poisoning that are used to commit fraud, distribute malware, or steal personal and confidential information. With Internet vandalism on the rise, it is imperative that the Internet Community takes all security precautions necessary to protect and preserve the Internet as it is integral to today’s era of technology.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Lauren Price, Sr. Product Marketing Manager, .ORG, The Public Interest Registry

Lauren Price also contributes to the .Org weblog located here.

Visit Page

Filed Under

Comments

Lauren,Can you please provide an explanation of Mike Damm  –  May 1, 2009 8:30 PM

Lauren,

Can you please provide an explanation of why you think DNSSEC would have protected anyone in the Puerto Rico incident?

The very article you linked to points out the attackers “used a SQL injection attack to break into the Puerto Rico registrar’s management system.”

DNSSEC probably would have worked Jay Daley  –  May 5, 2009 4:45 AM

If it was the same kind of attack as that in NZ, which I suspect it was, then DNSSEC would have helped. Here in NZ once the registrar was compromised the attacker used the registrar systems to request a nameserver change at the registry, which meant those zones now pointed to different nameservers. If those zones had DNSSEC protection then the resolver clients would know straight away that those new nameservers were bogus and so not been fooled. The only way it would not have worked is if the registrar ran the nameservers for those zones, had the crypto key online for automatic generation of sigs and if the hackers then made the change on those local nameservers. However, certainly in the NZ case, and probably in the PR case given the nature of the companies, the registrars were not hosting the zones and so this would have been possible. Which is why the hackers have to usurp the regstrar systems to change nameservers with the registry.

missing word Jay Daley  –  May 5, 2009 4:47 AM

Penultimate sentence - should finish "... would not have been possible."

Hi and thank you for your comment. Lauren Price  –  May 2, 2009 8:52 PM

Hi and thank you for your comment.  The point of the blog is high profile Internet attacks are increasing and we need to take all necessary security precautions,  DNSSEC being one of them in reference the DNS cache poisoning attack in Brazil.

His point, which I do agree with, is that ... Suresh Ramasubramanian  –  May 3, 2009 3:26 AM

.. DNSSEC wouldnt have protected anybody in Puerto Rico. Not under the circumstances the attacks were carried out. These are not kaminsky style cache poisoning .. something much more old fashioned .. gain control of the resolver through sql injections or other ways to compromise the base OS, and then control DNS views. DNSSEC is essential - but I do wish you'd pick more appropriate examples to promote it.

Hi and thank you for your comment. Lauren Price  –  May 3, 2009 12:00 PM

Hi and thank you for your comment.  The point of the blog is high profile Internet attacks are increasing and we need to take all neccesary security precautions, DNSSEC being one of them in reference to the cache poisoning attack in Brazil.

Sorry - but is that an autoresponder you setup? Suresh Ramasubramanian  –  May 3, 2009 2:00 PM

I saw your boilerplate reply the very first time. And I do appreciate the value of dnssec. Only - where there's a compromise of the sort you described, DNSSEC is useless because the bad guys just did an end run around it. If you'd like to reply to this, I'd appreciate your thoughts rather than another repeat of the same boilerplate.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix