DNS: Definitely Not Safe?
New attacks on the Internet's domain name system keep CISOs guessing. Here's what you can do about it.
By CSO Contributor
February 01, 2007 — CSO
When it comes to the Web's domain name system (DNS), many otherwise vigilant CSOs heed the adage of leaving well enough alone. It's understandable, as DNS has for years reliably allowed people to use domain names (such as www.csoonline.com) with their Web browsers rather than having to remember remarkably non-mnemonic IP addresses (such as 64.28.79.93).
Unfortunately, for all its success, DNS is one area in which what you don't know can hurt you—badly. Despite well-publicized attacks on domain name servers in 2000 and 2001, evidence suggests that many companies simply have not taken the steps necessary to protect this vital part of their networks. Experts differ on just how much danger companies generally face. However, they seem to agree that, depending on the circumstances and the company, the results could include electronic attacks and unknowingly providing confidential information to competitors. Some companies aren't just leaving the back door unlocked—they're taking out the hinge pins and removing the door entirely.
"There is a lack of appreciation of just how damned vulnerable DNS is," says Lloyd Hession, CSO for BT Radianz. Indeed, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) has recently reported a rise in distributed denial-of-service (DDoS) attacks using DNS. No matter how safe DNS may seem, companies need to stay alert. Here's a quick roundup of DNS vulnerabilities and attack methods CISOs should understand.
Open To Misuse
What makes DNS such a vulnerable part of the Internet is the range of exploits it makes possible. DDoS attacks are the best known because they were the basis of some prominent attacks a few years ago. DNS servers can be the targets of these attacks, but—and this is less widely known—hackers can use DNS servers to perpetrate a DDoS attack on a third party, essentially amplifying the volume of data hitting the target system by upwards of 4,000 percent.
On one hand, says Marty Lindner, senior member of the technical staff at the Carnegie-Mellon University CERT/CC, DDoS can be executed by bombarding a DNS server to block real traffic from getting in and effectively keeping those users off the Internet. Perpetrators can also flip the tactic, creating spoofed requests to a DNS server that supports recursion. Recursion is the method by which a name server hunts down the IP address of an unfamiliar domain name by working down trees of name servers that provide authoritative information on given parts of the Internet. The original name server receives one packet of information after another that each provide the equivalent of directions to reach the destination, and passes them all on to the requester. When the initial request is spoofed with the address of the hacker's target, all that data goes whistling back to the target. "It doesn't take more than 10 or 20 name servers to mount a denial-of-service attack against another target," says Cricket Liu, vice president of architecture at network appliance vendor Infoblox and coauthor of the book DNS and BIND.
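The recursion-and-spoofing mechanism described above, as an added Python example that is not from the article or from any of the people it quotes. It builds a small query and a deliberately oversized response in DNS wire format, measures how many bytes the server emits per byte it received (the amplification the article refers to), and then shows the defender's side: a resolver that only recurses for the networks it is meant to serve and refuses recursion-desired queries from anywhere else. The name example.com, the client network 192.0.2.0/24, the outside address 203.0.113.5 and the record sizes are all constructed for the example.

```python
"""Added example: measure DNS amplification and enforce a recursion ACL.

Not code from the CSO article. Names, addresses and record sizes are
constructed sample data (documentation ranges from RFC 5737 and RFC 2606).
"""
import ipaddress
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # 1 = response, 0 = query
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by the server)

QTYPE_ANY = 255
QTYPE_TXT = 16


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, rd=True):
    """A one-question query; RD set means 'please resolve this on my behalf'."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, answers):
    """Copy the question section and append one resource record per (type, rdata) pair."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, QR | RA | (flags & RD), qdcount, len(answers), 0, 0)
    body = query[12:]
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the name at offset 12 (the question).
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body


def parse_header(packet):
    """Decode the 12-byte header into the fields the ACL check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "qdcount": qd, "ancount": an}


def amplification_factor(query, response):
    """Bytes the server sends out per byte the (possibly spoofed) client sent in."""
    return len(response) / len(query)


# Constructed: the only client networks this resolver is meant to recurse for.
ALLOWED_RECURSION = [ipaddress.ip_network("192.0.2.0/24")]


def check_query(src_ip, packet, allowed=ALLOWED_RECURSION):
    """Return the action a resolver should take for a query from src_ip.

    'non-recursive' : RD not set, answer only from local authoritative data
    'recurse'       : RD set and the source is a client we serve
    'refuse'        : RD set from an outside address (the open-resolver case)
    """
    hdr = parse_header(packet)
    if hdr["qr"]:
        raise ValueError("packet is a response, not a query")
    if not hdr["rd"]:
        return "non-recursive"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in allowed):
        return "recurse"
    return "refuse"


def summarize(traffic, allowed=ALLOWED_RECURSION):
    """Count actions over (src_ip, packet) pairs, e.g. taken from a capture."""
    counts = {"non-recursive": 0, "recurse": 0, "refuse": 0}
    for src_ip, packet in traffic:
        counts[check_query(src_ip, packet, allowed)] += 1
    return counts


if __name__ == "__main__":
    q = build_query("example.com")
    # Twelve padded TXT records: the kind of oversized answer that makes a 29-byte
    # query turn into thousands of bytes heading toward whatever source address was claimed.
    r = build_response(q, [(QTYPE_TXT, b"\xff" + b"x" * 255)] * 12)
    print(f"query {len(q)} bytes -> response {len(r)} bytes, "
          f"x{amplification_factor(q, r):.1f}")
    # Constructed traffic: one internal client, repeated queries claiming an outside source.
    traffic = ([("192.0.2.10", q)] + [("203.0.113.5", q)] * 5
               + [("203.0.113.5", build_query("example.com", rd=False))])
    print(summarize(traffic))
```

The refusal is the operational point: a name server that answers recursive queries only for its own clients cannot be pointed at a third party, because a spoofed request from an outside address never triggers the large lookup in the first place. Restricting recursion this way is the usual remedy on resolvers that also serve authoritative data.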