ICANN ponders DNS hack defence role

Paper tiger burning bright

The international body that oversees the Internet's naming system struggled this week to find a role in the war against terrorism by putting one of the Net's weakest links under a microscope.

In the wake of the September 11 terrorist attacks, the Internet Corporation for Assigned Names and Numbers (ICANN) swept aside most of its scheduled agenda to explore its options in shoring up the security of the Internet's domain name system (DNS), the infrastructure that invisibly translates domain names like www.securityfocus.com to Internet IP addresses like 66.38.151.125.

In a beachside hotel venue secured by plainclothes guards sporting Secret Service-style earpieces, researchers labored Tuesday and Wednesday to explain in excruciating detail the DNS' vulnerability to spoofing, cache poisoning and other, more exotic attacks that hackers have already used to divert traffic from victims' Web sites. "A hacked web page appears, even though victim site was untouched," said NAI Labs' Edward Lewis on a Tuesday panel. "That is by far the most important impact of an attack on DNS."

Many participants looked to the DNSSEC protocol to counter such attacks in the future. A project of the standards-setting Internet Engineering Task Force (IETF), DNSSEC uses public key cryptography to protect domain records from spoofing or corruption. But five years after the protocol's base specifications were laid out, it's still considered unripe for wide deployment.

Compounding the DNS' vulnerability, older versions of the Berkeley Internet Name Domain (BIND) software -- the standard program for domain resolution -- are notoriously insecure, and yet are still in use, presenters said. A recent survey found that authoritative servers for 50 of the 250 top-level domains ran a version of BIND that suffers from documented security holes allowing attackers to gain complete control of the system remotely.

But most of the focus of ICANN's attention wasn't on vulnerabilities that lend themselves to occasional mischief, but on the potential for a cyber attack on the 13 crucial 'root servers' at the top of the domain name system's hierarchy.

Scattered throughout the Internet, those servers are the sine qua non of domain name resolution. And with their IP addresses effectively hardwired into DNS software, the root servers are immobile targets in an otherwise flexible system.

The DNS can easily absorb a loss of some of those servers, but not all of them at the same time. "If you take out, or make all the root name servers stop serving domain names, many if not most Internet servers will suffer from reachability problems," said Lars-Johan Liman, who runs a root server in Stockholm.

Physical attacks aren't much of a concern, Liman said, because the servers are ordinary off-the-shelf computers that can be easily replaced.

But the servers are vulnerable to distributed denial of service attacks, similar to those that crippled Yahoo!, CNN.com, and other high-profile web properties in February of last year. If an attacker staged such an assault on a large enough scale, the root servers would be unusable.

"The attacks are going to be DDoS attacks," said Randy Bush, co-chair of the IETF working group on the DNS. "Stop trying to rearrange deck chairs on the Titanic."

But it's not clear what ICANN can do about a problem that has its roots in the Internet's infrastructure. At a Wednesday session, participants looked at developing emergency plans for securely communicating with one another to reconstitute the DNS system in the event of a malicious outage. "Authenticated contact information needs to be out there now, while things are working," said AT&T Fellow Steven Bellovin.

Participants later broke up into committees to form recommendations for ICANN's board of directors. Among the options, ICANN could put strict security requirements into its contracts with accredited domain name registrars, issue non-binding guidelines, or do nothing at all.

ICANN's unusual move to transform its membership meeting into a security think tank was not without controversy. But on Wednesday it drew praise from Washington.

In a keynote address, John Tritak, director of the US Critical Infrastructure Assurance Office, said terrorists may soon target the Internet, and it was "appropriate and proper" for ICANN to consider DNS security.

© 2001 SecurityFocus.com, all rights reserved.
