Friday, June 27, 2008

Internet DNS Root Managers Attacked

In the past hour, various news outlets have reported that visitors to the web sites of ICANN (the Internet Corporation for Assigned Names and Numbers) and IANA (the Internet Assigned Numbers Authority) have been redirected by a Turkish hacker group calling itself "NetDevilz".

According to the New York Times, users visiting the sites of the above organizations were re-routed to a domain called "" and greeted by the message "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

This is obviously *not* good news. These two organizations administer the root zone, the top of the DNS hierarchy that translates a domain name into the IP address your browser then sends its HTTP request to (the site you type into the address field - i.e.

When attackers tamper with DNS (the Domain Name System) resolution, as happened today, their intention is most often to take your request for your bank's web site and redirect it to a site "dressed up" to look like your bank.

This is usually called a "DNS poisoning" or "pharming" attack, but the points of attack are usually much closer to your PC than the root: common ones include the hosts file on your own machine, your home cable router, and the recursive DNS server at your ISP - in short, places relatively close to home.
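As an added illustration (example code written for this edit, not the author's or Authentium's), here is a small Python check for the two "close to home" pharming indicators above: watched hostnames pinned in the local hosts file, and a mismatch between what the PC's configured resolver returns and what an independent reference resolver returns. The hostnames, the hosts-file text and the resolver answers are all constructed sample data using documentation IP ranges, so it runs offline.

```python
# Added example (not from the original post): simple pharming checks over
# constructed input, covering the attack points the post lists.
import ipaddress

# Constructed watch list of hostnames that should never be statically pinned
# on an end-user machine. Placeholder names, not real banks.
SENSITIVE = {"www.examplebank.com", "online.examplebank.com"}

# Constructed hosts file, as pharming malware would leave it.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# the entry below is the kind of line pharming malware injects
203.0.113.45  www.examplebank.com online.examplebank.com
198.51.100.7  update.example.net
"""

# Constructed answers from two resolvers: the one the PC actually uses
# (e.g. handed out by a home router) and an independent reference resolver.
SAMPLE_ANSWERS = {
    "configured": {
        "www.examplebank.com": {"203.0.113.45"},
        "www.example.org": {"192.0.2.80"},
    },
    "reference": {
        "www.examplebank.com": {"192.0.2.10", "192.0.2.11"},
        "www.example.org": {"192.0.2.80"},
    },
}


def parse_hosts(text):
    """Parse hosts-file text into (ip, hostname) pairs, ignoring comments
    and any line whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def suspicious_hosts_entries(text, sensitive=SENSITIVE):
    """Any watched hostname pinned in the hosts file is a pharming indicator,
    whatever address it points at: the hosts file wins over DNS."""
    return [(ip, name) for ip, name in parse_hosts(text) if name in sensitive]


def resolver_disagreements(answers, configured="configured", reference="reference"):
    """Return {hostname: (configured_ips, reference_ips)} for every name
    where the two answer sets share no address at all. Overlapping but
    unequal sets are tolerated because CDNs round-robin legitimately."""
    out = {}
    for name, ref_ips in answers[reference].items():
        cfg_ips = answers[configured].get(name, set())
        if cfg_ips and not (cfg_ips & ref_ips):
            out[name] = (set(cfg_ips), set(ref_ips))
    return out


def pharming_report(hosts_text=SAMPLE_HOSTS, answers=SAMPLE_ANSWERS):
    """Combine both checks into one list of human-readable findings."""
    findings = []
    for ip, name in suspicious_hosts_entries(hosts_text):
        findings.append(f"hosts file pins {name} to {ip}")
    for name, (cfg, ref) in sorted(resolver_disagreements(answers).items()):
        findings.append(
            f"resolver mismatch for {name}: configured={sorted(cfg)} reference={sorted(ref)}"
        )
    return findings


if __name__ == "__main__":
    for finding in pharming_report():
        print(finding)
```

On a real machine you would feed `parse_hosts` the contents of `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and fill the answer dictionary from queries to the configured resolver and to a resolver you trust; the disjoint-set test is deliberately loose so that ordinary CDN rotation does not raise alarms.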

An attack on the root DNS system would be of a different magnitude entirely. Redirecting one organization's web site, even ICANN's, does not require touching the root at all, since the domain's own records or its delegation can be altered. Rather than re-routing a single request, or a group of requests from one user, a prolonged attack on the root could affect resolution for every resolver that depends on it, with potentially quite harmful effects if the rerouting targeted banking or financial systems, or government addresses.

I'm frankly amazed that attacks of this nature are still possible at organizations like this. To me, the attack, labeled a "cyberprank" by some news organizations, is anything but a cyberprank. A different, lower-level hack involving manipulation of records for financial gain or terrorism could have created quite a different story.

DNS security is an often overlooked requirement, and one that almost no security software suite provides an answer for.

When we were designing the core concepts for SafeCentral at Authentium, one of the requirements that I added to the service early on was that every DNS request generated by the user should be sent to a secure infrastructure for resolution - rather than into the non-secure DNS system as it currently exists. We've since added additional security methods to ensure that these DNS requests reach the right destinations.

Today's attack shows why such diligence is necessary, why the Internet remains a somewhat unpredictable and non-secure environment, and why you should use the best security possible when banking or transacting online.
