Feeds

DNS flaw reanimates slain evil sites as ghost domains

Life after death trick could be exploited by cyber-crooks

Protecting against web application threats using SSL

Analysis Cyber-crooks may be able to keep malicious domains operating for longer - even after they are revoked - by manipulating the web's Domain Name System (DNS).

A weakness in the cache update logic of many widely used DNS servers creates the potential to establish so-called ghost domains, according to a recent joint study by a team of researchers from universities in China and the US. These DNS servers are critical to the running of the internet: they convert human-readable domains into numeric addresses that networking kit can understand in order to route, say, page requests to the right websites.

In their paper Ghost Domain Names: Revoked Yet Still Resolvable, the researchers – Jian Jiang, Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu – explain:

Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers.

In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers.

Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70 per cent of the servers will still resolve it.

The researchers found that DNS server implementations by BIND, Microsoft and OpenDNS are all potentially vulnerable. There's evidence that the vulnerability has been exploited, and the prevalence of the flaw make the possibility of attack far from theoretical.

"This vulnerability can potentially allow a botnet to continuously use malicious domains which have been identified and removed from the domain registry," the Sino-American team warns.

The academics suggest various approaches towards mitigating the problem. Independent experts in the field agree that ghost domains pose a risk but disagree about how much danger it poses or how difficult it might be to fix.

Jack Koziol, a director at the InfoSec Institute, a Chicago-based security biz, told El Reg that ghost domain DNS trickery might be used by cyber-crooks to keep malicious domains alive and resolvable for much longer, perhaps even indefinitely. He thinks the flaw will be tricky to correct.

Koziol reckons the ghost domain tactic will make life far easier for cyber-crooks while making it far harder to scrub the traces of malicious domains from the net.

"If you have a domain that is doing really bad stuff, serving up fake AV malware, phishing, etc, it can be deleted at the TLD level to get it off the internet," Koziol explained. "Malware authors that used the domain basically could do nothing about it, they would just move to a new domain (which could be very disruptive to serving malware or phishing pages, etc).

"Now, with this ghost domain exploit, malware authors can keep their domains alive indefinitely, because of the vulnerability described, deleting domains at the TLD level isn’t going to work any longer. It vastly complicates the effort behind getting bad domains off the internet."

Prateek Gianchandani, a security researcher at the institute, has published a detailed analysis of ghost domain problem, including screenshots of DNS lookups to illustrate the risk, here.

The InfoSec Institute hasn't seen the flaw exploited in anger as yet, but nonetheless considers it a serious risk. "We don't have documented proof yet, but have a few scripts running to watch for it," Koziol explained.

Cricket Liu, a DNS book author, expert and vice-president of architecture at DNS appliance firm Infoblox, agreed that ghost domains posed a potential threat, but said this issue was neither particularly severe nor hard to prevent.

"It is a threat, but I think it's worth pointing out that it's relatively simple to prevent," Liu explained. "By only restricting recursive queries to authorised clients with an ACL [Access Control List] (that is, not running an open recursive name server), you'd prevent malicious folks on the internet from refreshing their delegation."

"DNSSEC offers another layer of protection; zones that have been signed don't have this problem. (Of course, that's incentive for bad guys not to sign the zones they use for their malicious purposes.)"

The high-water mark of DNS security flaws was set by a widespread cache poisoning problem famously identified by security researcher Dan Kaminsky back in 2008. Liu reckons the ghost domain flaw is nowhere near as severe - not least because it doesn't involve a flaw in the DNS protocol itself, unlike the earlier Kaminsky mega-bug.

"This vulnerability and the Kaminsky vulnerability are very different," he explained. "This new one doesn't let you inject arbitrary data into a cache, it only lets you maintain some existing data in a cache; it is worth noting that the impact is minimal if the vulnerability is actually executed." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.