IT Jobs
Internet poisoned by open DNS servers
The Web 2.0 backdoor stands ajar.
By Robert McMillan, IDG News Service
Published: 08:29 GMT, 11 December 07
Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.
The study, set to be published in February, takes a close look at "open recursive" DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.
The researchers estimate that there are 17 million open-recursive DNS servers on the Internet, the vast majority of which give accurate information. Unlike other DNS servers, open-recursive systems will answer all DNS lookup requests from any computer on the Internet, a feature that makes them particularly useful for hackers.
The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.
"This is a crime with few witnesses," said David Dagon, a researcher at Georgia Tech who co-authored the paper. "These hosts are like carnival barkers. No matter what you ask them, they'll happily direct you to the red light store, or to a Web server that does nothing more than spray your eyeballs with ads."
Attacks on the DNS system are not new, and online criminals have been changing DNS settings in victim's computers for at least four years now, Dagon said. But only recently have the bad guys lined up the technology and expertise to reliably launch this particular type of attack in a more widespread way. While the first such attacks used computer viruses to make these changes, lately attackers have been relying on Web-based malware.
Here's how an attack would work. A victim would visit a Web site or open a malicious attachment that would exploit a bug in his computer's software. Attackers would then change just one file in the Windows registry settings, telling the PC to go to the criminal's server for all DNS information. If the initial exploit code was not stopped by anti-virus software, the attack would give attackers virtually undetectable control over the computer.
Once they'd changed the Windows settings, the criminals could take victims to the correct Web sites most of the time, but then suddenly redirect them to phishing sites whenever they wanted - during an online banking session, for example. Because the attack is happening at the DNS level, anti-phishing software would not flag the phoney sites.
Or an attacker could simply take complete control over the victim's Internet experience, Dagon said. "If you look up the address of a Christian Science Reading Room site, they'll point you to skin exotica," he said. "If you ask where Google.com is located, they'll point you to a machine in China selling luggage."
"It's really the ultimate back door," said Chris Rouland, chief technology officer with IBM's Internet Security Systems division. "All the stuff we've deployed in the enterprise, it's not going to look for this."
Rouland expects to see more of these DNS attacks launched from Web 2.0 sites in the coming months, because they make it very easy for people to "mash up" Web pages from many different sources -- some of whom may be untrustworthy "This is truly the next generation of phishing," he said.
Preliminary findings by Dagon's team shows that the Web is an important vector for these attacks. Using Google's network of Web crawlers, researchers uncovered more than 2,100 Web pages that used exploit code to change the Windows registry of visitors.
The team's paper, entitled Corrupted DNS Resolution Paths, is set to be published at the Network and Distributed System Security Symposium (NDSS) in San Diego. It is co-authored by Chris Lee and Wenke Lee, of Georgia Tech and Niels Provos, a senior engineer with Google.
Last year Dagon and Wenke Lee, founded a startup called Damballa, which is developing ways to protect against these types of attacks.
Damballa, which bills itself as an anti-botnet appliance vendor, can identify compromised machines by tracking whether or not they are communicating with DNS servers that are known to be malicious.
.gif)
Add your commentComments
Mokje | Published: 09:07 GMT, 12 December 2007
Are we talking about 'open' dns servers or 'attacker controlled' dns servers? A plain open dns server will happily serve the same data as the standard provider supplied dns server.
Andy Macdonald | Published: 17:35 GMT, 11 December 2007
Cops and robbers is evidently a very lucrative trade in cyberspace as well as the real world. The two sides are in a symbiotic relationship that doesn't do the rest of us any good at all. It would be useful to have a list of these dubious DNS servers - but I don't expect to see one, unless I cough up a lot of money.
Marty R. Milette -- hotel-club.net | Published: 14:30 GMT, 11 December 2007
Browsing the wrong web page is a minor and trivial annoyance -- what is much worse is when systems go to 'automatic update' sites (such as windowsupdate.microsoft.com, etc.). This function is typically performed with high level access to the system (administrator-level) and hence can run any code that the spoofed site decides to push out. This attack CAN be totally silent and invisible to the user. Even experienced users are unlikely to expect it or go looking for problems.
And some ISP's and even registrars are in on the g | Published: 14:02 GMT, 11 December 2007
Some ISP's think they can provide their customers not only Internet Access but also a DNS server that returns their own Advertisement strewn server for every DNS request that is not defined. And the top level registrars for some top level domain do the same. Famously the "guardian" of the .com domain had to remove such malicious servers after a storm of protests, because it is not only misleading but also breaks the protocol.