How do you protect DNS from hacktivists like SEA?
- By William Jackson
- Sep 09, 2013
The Domain Name System has emerged as the soft underbelly of the Internet in recent attacks by the Syrian Electronic Army, offering multiple avenues for interrupting services that are essential to online activities.
Efforts to protect against such attacks should include hardening DNS servers with technology such as the DNS Security Extensions (DNSSEC), but it also requires basic network security and attention to best practices and policies to shore up a complex system with many points of entry.
“I do think that DNSSEC could help here,” said Danny McPherson, chief security officer at VeriSign, which operates two of the Internet’s root servers. “But it is not the sole protection for this type of attack. There are a lot of components. It’s all about layered defense.”
The hacktivists have exploited DNS weaknesses to modify DNS entries and redirect traffic for the New York Times and Twitter to propaganda pages supporting the Assad regime. They later attacked the Marine Corps website at www.marines.com, redirecting visitors to a message proclaiming that al Qaeda is the common enemy of both Syria and the United States. As debate and preparations for possible U.S. military action against Syria continues, government sites can expect to come under increasing pressure from such attacks.
It probably is significant that the Marine site affected, a recruiting site, was operating in the .com rather than the .gov domain. The .gov Top Level Domain is run by the government and is more tightly controlled than commercial domains that rely on commercial registrars and registries. But even in government, the DNS system is a complex environment that depends on large numbers of widely dispersed servers that direct Internet traffic from URLs to destinations defined by IP addresses.
The DNS infrastructure is a distributed, hierarchical system that associates domain names used in Uniform Resource Locators with IP addresses for more than 250 Top Level Domains and millions of secondary domains. There are millions of domain name servers in the infrastructure, each providing information about a small segment of the domain name space. The system depends on the ability of the elements to collaborate and to trust the information each provides. When information is modified or corrupted, traffic can be misdirected and bad information can be propagated throughout the system.
Because access to servers and to DNS records is possible at multiple levels (the registrant who owns a domain name, the registry that sells it, the registrar that maintains records, and the operators of the top level DNS servers), no one point or tool will secure the system.
“People should look systematically and find the weakest link,” to protect the system, McPherson said. Often, that weakest link involves the humans in the system who either implement bad policy or do not follow good policy.
“DNS is susceptible to the same types of vulnerabilities as any other distributed computing system,” as well as to additional threats because of its open, distributed nature, the National Institute of Standards and Technology says in its guidance for securing DNS. To protect against these vulnerabilities, NIST recommends:
- Implementing appropriate system and network controls such as patching for operating systems and applications, process isolation and network fault tolerance.
- Protecting DNS transactions by steps such updating of DNS resolution data and data replication on DNS nodes within the enterprise and using hash-based message authentication codes.
- Protecting the ubiquitous DNS query/response transaction by using public key digital signatures (DNSSEC).
DNSSEC addresses part of the security issue by providing a way to validate that DNS records have not been tampered with. This requires digitally signing records at each level of the DNS hierarchy so that signatures can be verified with public keys made available by the signer. When a client requests a DNS record, the public signing key from the zone also can be requested and used to validate the signature.
But the public key also should be validated. This is done by the server resolving the DNS request, which builds a chain of trust upwards through the DNS hierarchy. Each public key should be signed with a key from the zone above, and a server can continually request public signing keys in the chain until it reaches one that it can trust—a trust anchor. “The trust anchor list in a resolver is not built through a DNS transaction; it uses an out-of-band mechanism,” NIST says in its DNS security guidelines.
For this interlocking system to work, two things must happen: DNS zones and records must be digitally signed, with keys published, and resolving servers must request and verify signatures.
Progress is being made on the first step, although it is uneven. Of 318 top-level domains, 118 are signed, according to the Internet Corporation for Assigned Names and Numbers, including the major ones such as .com. Some 260,000 second-level domains have been signed in the .com TLD, by far the largest of the domains. But that is a drop in the bucket. According to the dashboard maintained by NIST, only 1 percent of more than 1,000 private-sector domains tested on Aug. 5 had enabled DNSSEC.
Government is far ahead, with DNSSEC enabled on 85 percent of .gov domains tested on Sept. 5.
Establishing chains of trust in such a fragmented environment can be difficult, and it is compounded by the fact that few servers actually are doing it. About 50 percent of resolving servers currently ask for DNSSEC information, McPherson said, but a much smaller percentage actually verify that information.
Although recent attacks manipulating the DNS system have generated a lot of attention, their practical impact has been small. But the propaganda value of disrupting websites makes them attractive targets for hacktivists, and the growing use of the Internet for business collaboration and commercial transactions makes them high-value targets for criminals. Hardening something as widely distributed as DNS is a challenge, but doing it is quickly becoming an imperative.