Feeds

ICANN ponders DNS hack defence role

Paper tiger burning bright

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

The international body that oversees the Internet's naming system struggled this week to find a role in the war against terrorism by putting one of the Net's weakest links under a microscope.

In the wake of the September 11 terrorist attacks the Internet Corporation for Assigned Names and Numbers (ICANN) swept aside most of its scheduled agenda to explore its options in shoring up the security of the Internet's domain name system (DNS), the infrastructure that invisibly translates domain names like www.securityfocus.com to Internet IP addresses like 66.38.151.125.

In a beachside hotel venue secured by plainclothes guards sporting Secret Service-style earpieces, researchers labored Tuesday and Wednesday to explain in excruciating detail the DNS' vulnerability to spoofing, cache poisoning and other, more exotic attacks that hackers have already used to divert traffic from victims' Web sites. "A hacked web page appears, even though victim site was untouched," said NAI Labs' Edward Lewis on a Tuesday panel. "That is by far the most important impact of an attack on DNS"

Many participants looked to the DNSSEC protocol to counter such attacks in the future. A project of the standards-setting Internet Engineering Task Force (IETF), DNSSEC uses public key cryptography to protect domain records from spoofing or corruption. But five years after the protocol's base specifications were laid out, it's still considered unripe for wide deployment.

Compounding the DNS' vulnerability, older versions of the Berkeley Internet Name Domain (BIND) software -- the standard program for domain resolution -- is notoriously insecure, and yet is still in use, presenters said. A recent survey found that authoritative servers for 50 of the 250 top-level domains ran a version of BIND that suffers from documented security holes allowing attackers to gain complete control of the system remotely.

But most of the focus of ICANN's attention wasn't on vulnerabilities that lend themselves to occasional mischief, but on the potential for a cyber attack on the 13 crucial 'root servers' at the top of the domain name system's hierarchy.

Scattered throughout the Internet, those servers are the sine qua non of domain name resolution. And with their IP addresses effectively hardwired into DNS software, the root servers are immobile targets in an otherwise flexible system.

The DNS can easily absorb a loss of some of those servers, but not all of them at the same time. "If you take out, or make all the root name servers stop serving domain names, many if not most Internet servers will suffer from reachability problems," said Lars-Johan Liman, who runs a root server in Stockholm.

Physical attacks aren't much of a concern, Liman said, because the servers are ordinary off-the shelf computers that can be easily replaced.

But the servers are vulnerable to distributed denial of service attacks, similar to those that crippled Yahoo!, CNN.com, and other high-profile web properties in February of last year. If an attacker staged such an assault on a large enough scale, the root servers would be unusable.

"The attacks are going to be ddos attacks," said Randy Bush, co-chair of the IETF working group on the DNS. "Stop trying to rearrange deck chairs on the Titanic."

But it's not clear what ICANN can do about a problem that has its roots in the Internet's infrastructure. At a Wednesday session, participants looked at developing emergency plans for securely communicating with one another to reconstitute the DNS system in the event of a malicious outage. "Authenticated contact information needs to be out there now, while things are working," said AT&T Fellow Steven Bellovin.

Participants later broke up into committees to form recommendations for ICANN's board of directors. Among the options, ICANN could put strict security requirements into its contracts with accredited domain name registrars, issue non-binding guidelines, or do nothing at all.

ICANN's unusual move to transform its membership meeting into a security think tank was not without controversy. But on Wednesday it drew praise from Washington.

In a keynote address, John Tritak, director of the US Critical Infrastructure Assurance Office, said terrorists may soon target the Internet, and it was "appropriate and proper" for ICANN to consider DNS security.

© 2001 SecurityFocus.com, all rights reserved.

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?