The attacks being used by pro-Assad hacktivists are not new, but they demonstrate the ability of bad guys to exploit the Internet's ecosystem.
The Syrian Electronic Army has been at it again. Most recently, it was the online presence of the New York Times and Twitter being targeted with traffic being redirected to pro-Syrian Web pages. And as the Obama administration publicly contemplates military action against the Assad regime, it is a safe bet that the hacktivists will be watching for opportunities in the .gov domain.
(UPDATE: Over the weekend, the SEA reportedly attacked a Marine Corps recruiting website, redirecting visitors to a message appealing to U.S. soldiers not to attack Syria.)
We still don’t know much about the SEA, but the attacks are — unfortunately — well known.
“This is really not new,” said Paul Ferguson, vice president of threat intelligence at Internet Identity. “It’s happening with alarming frequency.”
In this case the attackers modified Domain Name Service records to redirect traffic to propaganda pages. “It didn’t cause a lot of havoc,” Ferguson said. “It could have been worse.”
But the more serious issue is that attackers are leveraging low-level exploits, in this case a phishing attack against a domain name registrar, to escalate attacks and hop-scotch to third-party targets. By taking advantage of the weakest link in the chain of Internet services, attackers can move up the chain and past the defenses of more important targets. This time it was the SEA against New York Times and Twitter. In the past it has been China going after Lockheed Martin through RSA. Regardless of the attackers, the targets and the exploits used, it is happening on a regular basis, Ferguson said. “It’s a phenomenon we see more and more of.”
In the current case, it is believed that a phishing attack was used against an Australian domain name registrar to steal credentials. The credentials were used to access and change DNS records on a server. These records can become distributed through the DNS hierarchy, redirecting traffic until they expire. In this case, the time to live for the records was set at 24 hours.
The Domain Name System was designed to work in this distributed way so that it can handle the huge volume of global Internet traffic, translating URLs to numerical IP addresses without overwhelming a small number of servers. “It’s a feature, not a flaw,” Ferguson said. “It was designed to keep the chatter in the DNS system as local as possible.”
Ferguson calls the design ingenious, but unfortunately the bad guys understand how to use it for their own purposes. Records with very short times to live are used for “fast flux” botnets, changing the addresses for command and control servers quickly so that they are more difficult to identify and shut down. Records with a long time to live can disrupt the flow of traffic to target sites.
Even when the results of a given attack are not serious, the cumulative effect of such misuse of the DNS system is an erosion of trust in Internet transactions. The best defense against this is to strengthen the weak links with fundamental Internet hygiene and basic security. In a system that is globally interconnected, there is no link in the chain that can be assumed to be unimportant.