Feeds

ICANN ponders DNS hack defence role

Paper tiger burning bright

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

The international body that oversees the Internet's naming system struggled this week to find a role in the war against terrorism by putting one of the Net's weakest links under a microscope.

In the wake of the September 11 terrorist attacks the Internet Corporation for Assigned Names and Numbers (ICANN) swept aside most of its scheduled agenda to explore its options in shoring up the security of the Internet's domain name system (DNS), the infrastructure that invisibly translates domain names like www.securityfocus.com to Internet IP addresses like 66.38.151.125.

In a beachside hotel venue secured by plainclothes guards sporting Secret Service-style earpieces, researchers labored Tuesday and Wednesday to explain in excruciating detail the DNS' vulnerability to spoofing, cache poisoning and other, more exotic attacks that hackers have already used to divert traffic from victims' Web sites. "A hacked web page appears, even though victim site was untouched," said NAI Labs' Edward Lewis on a Tuesday panel. "That is by far the most important impact of an attack on DNS"

Many participants looked to the DNSSEC protocol to counter such attacks in the future. A project of the standards-setting Internet Engineering Task Force (IETF), DNSSEC uses public key cryptography to protect domain records from spoofing or corruption. But five years after the protocol's base specifications were laid out, it's still considered unripe for wide deployment.

Compounding the DNS' vulnerability, older versions of the Berkeley Internet Name Domain (BIND) software -- the standard program for domain resolution -- is notoriously insecure, and yet is still in use, presenters said. A recent survey found that authoritative servers for 50 of the 250 top-level domains ran a version of BIND that suffers from documented security holes allowing attackers to gain complete control of the system remotely.

But most of the focus of ICANN's attention wasn't on vulnerabilities that lend themselves to occasional mischief, but on the potential for a cyber attack on the 13 crucial 'root servers' at the top of the domain name system's hierarchy.

Scattered throughout the Internet, those servers are the sine qua non of domain name resolution. And with their IP addresses effectively hardwired into DNS software, the root servers are immobile targets in an otherwise flexible system.

The DNS can easily absorb a loss of some of those servers, but not all of them at the same time. "If you take out, or make all the root name servers stop serving domain names, many if not most Internet servers will suffer from reachability problems," said Lars-Johan Liman, who runs a root server in Stockholm.

Physical attacks aren't much of a concern, Liman said, because the servers are ordinary off-the shelf computers that can be easily replaced.

But the servers are vulnerable to distributed denial of service attacks, similar to those that crippled Yahoo!, CNN.com, and other high-profile web properties in February of last year. If an attacker staged such an assault on a large enough scale, the root servers would be unusable.

"The attacks are going to be ddos attacks," said Randy Bush, co-chair of the IETF working group on the DNS. "Stop trying to rearrange deck chairs on the Titanic."

But it's not clear what ICANN can do about a problem that has its roots in the Internet's infrastructure. At a Wednesday session, participants looked at developing emergency plans for securely communicating with one another to reconstitute the DNS system in the event of a malicious outage. "Authenticated contact information needs to be out there now, while things are working," said AT&T Fellow Steven Bellovin.

Participants later broke up into committees to form recommendations for ICANN's board of directors. Among the options, ICANN could put strict security requirements into its contracts with accredited domain name registrars, issue non-binding guidelines, or do nothing at all.

ICANN's unusual move to transform its membership meeting into a security think tank was not without controversy. But on Wednesday it drew praise from Washington.

In a keynote address, John Tritak, director of the US Critical Infrastructure Assurance Office, said terrorists may soon target the Internet, and it was "appropriate and proper" for ICANN to consider DNS security.

© 2001 SecurityFocus.com, all rights reserved.

Intelligent flash storage arrays

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.