ICANN ponders DNS hack defence role
Paper tiger burning bright
The international body that oversees the Internet's naming system struggled this week to find a role in the war against terrorism by putting one of the Net's weakest links under a microscope.
In the wake of the September 11 terrorist attacks the Internet Corporation for Assigned Names and Numbers (ICANN) swept aside most of its scheduled agenda to explore its options in shoring up the security of the Internet's domain name system (DNS), the infrastructure that invisibly translates domain names like www.securityfocus.com to Internet IP addresses like 22.214.171.124.
In a beachside hotel venue secured by plainclothes guards sporting Secret Service-style earpieces, researchers labored Tuesday and Wednesday to explain in excruciating detail the DNS' vulnerability to spoofing, cache poisoning and other, more exotic attacks that hackers have already used to divert traffic from victims' Web sites. "A hacked web page appears, even though victim site was untouched," said NAI Labs' Edward Lewis on a Tuesday panel. "That is by far the most important impact of an attack on DNS"
Many participants looked to the DNSSEC protocol to counter such attacks in the future. A project of the standards-setting Internet Engineering Task Force (IETF), DNSSEC uses public key cryptography to protect domain records from spoofing or corruption. But five years after the protocol's base specifications were laid out, it's still considered unripe for wide deployment.
Compounding the DNS' vulnerability, older versions of the Berkeley Internet Name Domain (BIND) software -- the standard program for domain resolution -- is notoriously insecure, and yet is still in use, presenters said. A recent survey found that authoritative servers for 50 of the 250 top-level domains ran a version of BIND that suffers from documented security holes allowing attackers to gain complete control of the system remotely.
But most of the focus of ICANN's attention wasn't on vulnerabilities that lend themselves to occasional mischief, but on the potential for a cyber attack on the 13 crucial 'root servers' at the top of the domain name system's hierarchy.
Scattered throughout the Internet, those servers are the sine qua non of domain name resolution. And with their IP addresses effectively hardwired into DNS software, the root servers are immobile targets in an otherwise flexible system.
The DNS can easily absorb a loss of some of those servers, but not all of them at the same time. "If you take out, or make all the root name servers stop serving domain names, many if not most Internet servers will suffer from reachability problems," said Lars-Johan Liman, who runs a root server in Stockholm.
Physical attacks aren't much of a concern, Liman said, because the servers are ordinary off-the shelf computers that can be easily replaced.
But the servers are vulnerable to distributed denial of service attacks, similar to those that crippled Yahoo!, CNN.com, and other high-profile web properties in February of last year. If an attacker staged such an assault on a large enough scale, the root servers would be unusable.
"The attacks are going to be ddos attacks," said Randy Bush, co-chair of the IETF working group on the DNS. "Stop trying to rearrange deck chairs on the Titanic."
But it's not clear what ICANN can do about a problem that has its roots in the Internet's infrastructure. At a Wednesday session, participants looked at developing emergency plans for securely communicating with one another to reconstitute the DNS system in the event of a malicious outage. "Authenticated contact information needs to be out there now, while things are working," said AT&T Fellow Steven Bellovin.
Participants later broke up into committees to form recommendations for ICANN's board of directors. Among the options, ICANN could put strict security requirements into its contracts with accredited domain name registrars, issue non-binding guidelines, or do nothing at all.
ICANN's unusual move to transform its membership meeting into a security think tank was not without controversy. But on Wednesday it drew praise from Washington.
In a keynote address, John Tritak, director of the US Critical Infrastructure Assurance Office, said terrorists may soon target the Internet, and it was "appropriate and proper" for ICANN to consider DNS security.
© 2001 SecurityFocus.com, all rights reserved.