Unwitting Collaborators, Part 11: DNS Poisoning and Domain Hijacking
Date: Aug 30, 2002
Article is provided courtesy of Addison-Wesley Professional.
What if you could fool the world into thinking that an organization's web site had been cracked, simply by redirecting Net users (invisibly) to a site that looked like the original, but defaced? The tactic is much easier than you may think.
Introduction: The Real Threat of Disinformation Campaigns
In any war, the dissemination of propaganda and the use of disinformation are just as effective as the destruction or disruption of an enemy's infrastructure.
Disinformation campaigns, such as spreading false rumors electronically that are picked up by the media as true, cracking into news servers to plant false or misleading stories, or entering false or misleading information in databases, are tactics that can be used by cyberterrorists to undermine the effectiveness of organizations relying on that information.
One effective method to accomplish this spread of disinformation is DNS poisoning (also called DNS spoofing). This tactic consists of convincing a name server that a domain has a different IP address. A close cousin is domain hijacking, which involves stealing a domain at the registrar level.
The DNS Hijacking Scenario
In the year 2000, RSA Security, an Internet security firm, was the victim of a defaced web site. RSA Security is a major player in the security industry, so it was quite surprising to hear that their network was vulnerable to something like a web defacement attack.
Was it true? As it turned out, the answer was both yes and no.
Defacing a web site entails taking advantage of a number of security flaws in an organization to crack the network, gain access to the web site files, and modify the HTML of selected web pages. But that didn't happen in this case. RSA's security was tight; after all, that's their business. So how did their web page become defaced?
To start, it wasn't the files on their system that were defaced; their DNS was hijacked. DNS hijacking or spoofing happens when a DNS server accepts and uses incorrect information from a host that has no authority to give that information. DNS spoofing actually "poisons" the cache by placing counterfeit data in the cache of the name server. These kinds of attacks can result in serious security problems for DNS servers that are vulnerable; for example, by causing users to be directed to incorrect Internet sites.
That's what happened in the case of RSA Security. The DNS hijacker rerouted RSA visitors to another URL that looked like the RSA site. The attacker created a fake web page and then redirected web traffic to that fake page by manipulating DNS IP addresses away from the real RSA Security. When site visitors saw the spoofed home page, they assumed that an intruder had cracked the real RSA Security web site. In reality, the site was not cracked at all.
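The defensive counterpart to the poisoning described above is a resolver cache that refuses records from a server that has no authority for them (a "bailiwick" check). The following is an added example, not code from the article; the record class, cache logic and the sample response are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str   # owner name, absolute, e.g. "www.example.com."
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # rdata: an IP address or a name server name

def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it (case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

class Cache:
    """Resolver cache that stores only records the answering server is authoritative for."""
    def __init__(self):
        self.entries = {}    # (name, rtype) -> data
        self.rejected = []   # records dropped by the bailiwick check

    def accept(self, zone, records):
        for rr in records:
            if in_bailiwick(rr.name, zone):
                self.entries[(rr.name.lower(), rr.rtype)] = rr.data
            else:
                self.rejected.append(rr)

    def lookup(self, name, rtype):
        return self.entries.get((name.lower(), rtype))

# Constructed response from the example.com. authority: two legitimate records plus a
# planted record that tries to set the address of an unrelated domain (the poison).
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("ns1.example.com.", "A", "192.0.2.53"),
    RR("www.other.test.", "A", "198.51.100.7"),   # out of bailiwick for example.com.
]

def poisoning_demo():
    """Feed the sample response to the cache and return it for inspection."""
    cache = Cache()
    cache.accept("example.com.", SAMPLE_RESPONSE)
    return cache

if __name__ == "__main__":
    c = poisoning_demo()
    print("cached:", c.entries)
    print("rejected:", c.rejected)
```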
The Security Breach
A malicious attacker can use such methods to subvert a normally functioning web site without actually penetrating that web site's security. A large number of Internet domains are vulnerable to domain hijacking. Domain hijacking or spoofing is a unique form of cyber-attack. It doesn't matter how secure you make your web server. And most forms of this attack are relatively simple to perform.
Here's how it's done.
Every domain name that ends in .com, .net, .org, .gov, and so on translates into an IP address such as 125.25.125.10. A domain registrar such as VeriSign tells users of the Net which DNS server is responsible for each domain name. When an organization registers a domain name, it tells the domain registrar what IP address (or server on the Net) that domain resides upon.
For example, when a user types a domain name into his or her browser, that request goes to a domain registrar's database, which locates the IP address on which that domain resides. The domain name is automatically resolved and the user is sent to the correct IP address.
But what if someone changed the IP address for an authoritative name server in the registrar's database? If that happened, users would be sent to the wrong web server, without the user or the owner of the real site being aware of the redirection. Though making such domain name changes is a powerful attack tool, it's also relatively simple to do. Why? Because changes to domain registrations are frequently done through email, and the authentication methods used to ascertain whether an authorized person is making the changes are most often very weak. The problem with authentication is that the registrar doesn't send a confirmation email if the request is sent from the same email address as the domain's contact or the domain name itself. Therefore, by exploiting this flaw, someone could spoof anyone's email address and change any domain name's information.
If you're curious as to how this is done, a step-by-step guide shows how easy it can be to make changes to a registrant's database. Again, keep in mind that no programming skills are required and the domain name owner will probably not be aware that his domain has been hijacked for some time.
Here's another simple tactic.
The password you use to make changes to your domain name account is also vulnerable to attack. Some registrars offer a simple method of resetting your password. If you claim to have "forgotten" your password, you can just send a contact form with a new password, along with a fax that authorizes the registrar to process that form. Policies like these make it very easy for attackers to change your password.
Corrective Actions
To prevent these types of attacks, it's necessary to have security built directly into DNS systems:
To minimize the risk of a spoofing attack, every organization or individual responsible for a domain should consult the developer of the domain's name server as to whether the server is secure against DNS spoofing.
Email can be forged, as mentioned earlier. If you accept domain changes via email, require an SSL-encrypted web page or PGP signed and encrypted email for all changes to domain information.
One of the best solutions so far to guard against DNS hijacking has appeared in the form of DNS Security (DNSSEC). DNSSEC supplies cryptographic verification information along with DNS messages. That means that public key cryptography is combined with digital signatures to provide a means for a requester of domain information to authenticate itself. DNSSEC ensures that a request can be traced back to a trusted source, either directly or via a chain of trust linking the source of the information to the top of the DNS hierarchy.
DNSSEC adds two new record types for authentication in DNS: the KEY record and the SIG record. As in many public key schemes, the KEY record stores the public key for a host or administrative zone. The SIG record stores a digital signature associated with each set of records. In a signed zone, each record set includes a SIG record. The SIG record contains the signature of the set as generated with the private counterpart of the zone KEY above. Briefly, a DNSSEC-aware resolver can determine whether a zone is signed, and if the resolver sees an unsigned record set when it expects a signed one, it can identify that there's an error.
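To make the KEY/SIG mechanism concrete, here is an added toy example (not from the article and not real DNSSEC wire format): a zone whose record sets are each signed, and a resolver check that reports any record set that is unsigned or whose signature no longer matches its data. The public key is modelled as a KEY record holding textbook RSA parameters with deliberately tiny primes (insecure, for illustration only); the zone data is constructed.

```python
import hashlib

# KEY record published in the zone (toy RSA: n = 61 * 53, e = 17); d is the signer's secret.
ZONE_KEY = {"n": 3233, "e": 17}
PRIVATE_D = 2753   # held only by the zone administrator, never published

def canonical(name, rtype, rdata):
    """Canonical form of an RRset: lower-cased owner, type, rdata in sorted order."""
    return name.lower() + "|" + rtype + "|" + ",".join(sorted(rdata))

def digest(name, rtype, rdata, n):
    """Hash the canonical RRset and reduce it into the (toy-sized) RSA modulus."""
    h = hashlib.sha256(canonical(name, rtype, rdata).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign_rrset(name, rtype, rdata):
    """Produce the SIG value for one RRset with the zone's private key."""
    return pow(digest(name, rtype, rdata, ZONE_KEY["n"]), PRIVATE_D, ZONE_KEY["n"])

def verify_sig(name, rtype, rdata, sig, key):
    """Resolver-side check of a SIG against the zone's KEY record."""
    return pow(sig, key["e"], key["n"]) == digest(name, rtype, rdata, key["n"])

def sign_zone(rrsets):
    """Attach a SIG record to every RRset: {(name, type): rdata} -> signed zone."""
    return {k: {"rdata": list(v), "sig": sign_rrset(k[0], k[1], v)} for k, v in rrsets.items()}

def validate(zone, key):
    """Return one problem string per RRset that is unsigned or fails verification."""
    problems = []
    for (name, rtype), rec in zone.items():
        if rec.get("sig") is None:
            problems.append(name + " " + rtype + ": unsigned RRset in a signed zone")
        elif not verify_sig(name, rtype, rec["rdata"], rec["sig"], key):
            problems.append(name + " " + rtype + ": SIG does not verify (altered or forged data)")
    return problems

# Constructed zone contents for the demonstration.
ZONE_DATA = {("example.com.", "NS"): ["ns1.example.com.", "ns2.example.com."],
             ("www.example.com.", "A"): ["192.0.2.10"],
             ("ns1.example.com.", "A"): ["192.0.2.53"]}

def demo():
    """Signed zone validates; a poisoned A record and an unsigned addition are both flagged."""
    good = sign_zone(ZONE_DATA)
    tampered = sign_zone(ZONE_DATA)
    tampered[("www.example.com.", "A")]["rdata"] = ["198.51.100.7"]      # redirected address
    tampered[("mail.example.com.", "A")] = {"rdata": ["198.51.100.25"]}  # no SIG at all
    return validate(good, ZONE_KEY), validate(tampered, ZONE_KEY)
```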
Use strong passwords and SSL systems for registering and authorizing changes to your domain names, and use registrars that assist you with setting up these security methods. In addition, don't rely on faxed documents or phone calls, as malicious attackers can easily forge them.
Don't Be an Unwitting Collaborator
You can go on for some time before discovering that your domain has been hijacked. So do the following:
Secure your DNS servers by using up-to-date software, limiting zone transfers to authorized hosts, being vigilant in looking for events that could indicate a problem, and deploying DNSSEC as soon as it's feasible for your organization to do so.
Secure your domain names by using SSL and strong passwords with your registrar, using a dedicated email address, using PGP or other encryption for email contents, and having a change control process so that unauthorized changes can be detected.
Finally, regularly check your domains using WHOIS or tools like the ones available at Network-Tools.com to verify that your information is valid both from inside and outside your domain.