
DNS flaw reanimates slain evil sites as ghost domains

Life after death trick could be exploited by cyber-crooks


Analysis: Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS).

A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team of researchers from universities in China and the US. These DNS servers are critical to the running of the internet: they convert human-readable domains into numeric addresses that networking kit can understand in order to route, say, page requests to the right websites.

In their paper Ghost Domain Names: Revoked Yet Still Resolvable, the researchers – Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu – explain:

Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers.

In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers.

Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70 per cent of the servers will still resolve it.

The researchers found that DNS server implementations by BIND, Microsoft and OpenDNS are all potentially vulnerable. There's evidence that the vulnerability has been exploited, and the prevalence of the flaw makes the possibility of attack far from theoretical.

"This vulnerability can potentially allow a botnet to continuously use malicious domains which have been identified and removed from the domain registry," the Sino-American team warns.

The academics suggest various approaches towards mitigating the problem. Independent experts in the field agree that ghost domains pose a risk but disagree about how much danger they pose and how difficult the flaw might be to fix.

Jack Koziol, a director at the InfoSec Institute, a Chicago-based security biz, told El Reg that ghost domain DNS trickery might be used by cyber-crooks to keep malicious domains alive and resolvable for much longer, perhaps even indefinitely. He thinks the flaw will be tricky to correct.

Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.

"If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc).

"Now, with this ghost domain exploit, malware authors can keep their domains alive indefinitely, because of the vulnerability described, deleting domains at the TLD level isn’t going to work any longer. It vastly complicates the effort behind getting bad domains off the internet."

Prateek Gianchandani, a security researcher at the institute, has published a detailed analysis of the ghost domain problem, including screenshots of DNS lookups to illustrate the risk, here.

The InfoSec Institute hasn't seen the flaw exploited in anger as yet, but nonetheless considers it a serious risk. "We don't have documented proof yet, but have a few scripts running to watch for it," Koziol explained.

Cricket Liu, a DNS book author, expert and vice-president of architecture at DNS appliance firm Infoblox, agreed that ghost domains posed a potential threat, but said this issue was neither particularly severe nor hard to prevent.

"It is a threat, but I think it's worth pointing out that it's relatively simple to prevent," Liu explained. "By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."

"DNSSEC offers another layer of protection; zones that have been signed don't have this problem. (Of course, that's incentive for bad guys not to sign the zones they use for their malicious purposes.)"
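What Liu's two mitigations look like in practice, as an added example that is not from the article, the paper or any vendor documentation: a BIND 9 named.conf fragment showing the open-recursion setting that lets anyone on the internet keep refreshing a revoked domain in the cache, beside the restricted form that limits recursion and cache access to an ACL and turns on DNSSEC validation. The "trusted" address ranges are assumed placeholders taken from the RFC documentation prefixes; substitute your own client networks. The two options blocks are alternatives (before and after), not both meant to appear in one file.

```conf
// Added example, not from the article: BIND 9 named.conf fragments.
// Only ONE of the two options blocks below belongs in a real file.

// --- Weak (before): open recursive resolver. Any host on the internet can
// send recursive queries, so an outsider can keep querying a revoked domain
// and refresh its delegation data in this server's cache.
options {
    recursion yes;
    allow-recursion { any; };
    allow-query-cache { any; };
};

// --- Corrected (after): recursion and cache reads limited to an ACL of
// authorised clients, as Liu recommends. Addresses are placeholders.
acl "trusted" {
    127.0.0.1;          // the resolver itself
    192.0.2.0/24;       // assumed LAN (RFC 5737 documentation range)
    2001:db8::/32;      // assumed IPv6 range (RFC 3849 documentation prefix)
};

options {
    recursion yes;
    allow-recursion { trusted; };     // outsiders cannot drive recursion
    allow-query-cache { trusted; };   // outsiders cannot read cached data
    dnssec-validation auto;           // validate signed zones; Liu notes
                                      // signed zones don't have the problem
};
```

After `rndc reload`, check the change from a host outside the ACL: a recursive query for a name the server is not authoritative for (for example `dig @RESOLVER-ADDRESS example.com A`, where RESOLVER-ADDRESS is your server) should come back with status REFUSED, while the same query from inside the ACL is answered normally. The ACL does not change the resolver's cache update logic; it narrows the set of clients able to keep a revoked domain's delegation warm to those you control, which is the property Liu describes.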

The high-water mark of DNS security flaws was set by a widespread cache poisoning problem famously identified by security researcher Dan Kaminsky back in 2008. Liu reckons the ghost domain flaw is nowhere near as severe - not least because it doesn't involve a flaw in the DNS protocol itself, unlike the earlier Kaminsky mega-bug.

"This vulnerability and the Kaminsky vulnerability are very different," he explained. "This new one doesn't let you inject arbitrary data into a cache, it only lets you maintain some existing data in a cache; it is worth noting that the impact is minimal if the vulnerability is actually executed." ®

