ICANN ponders DNS hack defence role

Paper tiger burning bright

The international body that oversees the Internet's naming system struggled this week to find a role in the war against terrorism by putting one of the Net's weakest links under a microscope.

In the wake of the September 11 terrorist attacks the Internet Corporation for Assigned Names and Numbers (ICANN) swept aside most of its scheduled agenda to explore its options in shoring up the security of the Internet's domain name system (DNS), the infrastructure that invisibly translates domain names like www.securityfocus.com to Internet IP addresses like 66.38.151.125.

In a beachside hotel venue secured by plainclothes guards sporting Secret Service-style earpieces, researchers labored Tuesday and Wednesday to explain in excruciating detail the DNS' vulnerability to spoofing, cache poisoning and other, more exotic attacks that hackers have already used to divert traffic from victims' Web sites. "A hacked web page appears, even though victim site was untouched," said NAI Labs' Edward Lewis on a Tuesday panel. "That is by far the most important impact of an attack on DNS."

Many participants looked to the DNSSEC protocol to counter such attacks in the future. A project of the standards-setting Internet Engineering Task Force (IETF), DNSSEC uses public key cryptography to protect domain records from spoofing or corruption. But five years after the protocol's base specifications were laid out, it's still considered unripe for wide deployment.

Compounding the DNS' vulnerability, older versions of the Berkeley Internet Name Domain (BIND) software -- the standard program for domain resolution -- are notoriously insecure, and yet are still in use, presenters said. A recent survey found that authoritative servers for 50 of the 250 top-level domains ran a version of BIND that suffers from documented security holes allowing attackers to gain complete control of the system remotely.

But most of the focus of ICANN's attention wasn't on vulnerabilities that lend themselves to occasional mischief, but on the potential for a cyber attack on the 13 crucial 'root servers' at the top of the domain name system's hierarchy.

Scattered throughout the Internet, those servers are the sine qua non of domain name resolution. And with their IP addresses effectively hardwired into DNS software, the root servers are immobile targets in an otherwise flexible system.

The DNS can easily absorb a loss of some of those servers, but not all of them at the same time. "If you take out, or make all the root name servers stop serving domain names, many if not most Internet servers will suffer from reachability problems," said Lars-Johan Liman, who runs a root server in Stockholm.

Physical attacks aren't much of a concern, Liman said, because the servers are ordinary off-the-shelf computers that can be easily replaced.

But the servers are vulnerable to distributed denial of service attacks, similar to those that crippled Yahoo!, CNN.com, and other high-profile web properties in February of last year. If an attacker staged such an assault on a large enough scale, the root servers would be unusable.

"The attacks are going to be DDoS attacks," said Randy Bush, co-chair of the IETF working group on the DNS. "Stop trying to rearrange deck chairs on the Titanic."

But it's not clear what ICANN can do about a problem that has its roots in the Internet's infrastructure. At a Wednesday session, participants looked at developing emergency plans for securely communicating with one another to reconstitute the DNS system in the event of a malicious outage. "Authenticated contact information needs to be out there now, while things are working," said AT&T Fellow Steven Bellovin.

Participants later broke up into committees to form recommendations for ICANN's board of directors. Among the options, ICANN could put strict security requirements into its contracts with accredited domain name registrars, issue non-binding guidelines, or do nothing at all.

ICANN's unusual move to transform its membership meeting into a security think tank was not without controversy. But on Wednesday it drew praise from Washington.

In a keynote address, John Tritak, director of the US Critical Infrastructure Assurance Office, said terrorists may soon target the Internet, and it was "appropriate and proper" for ICANN to consider DNS security.

© 2001 SecurityFocus.com, all rights reserved.
