Internet DNS infrastructure undergoing ‘significant’ attacks

The internet’s DNS infrastructure is under attack, warns ICANN
25 February 2019

Engineer installing equipment in a data center rack. Source: Shutterstock

The internet’s address bookkeeper, the Internet Corporation for Assigned Names and Numbers (ICANN), has warned of a sustained pattern of increased attacks on the global domain name system (DNS) infrastructure.

Issuing an emergency statement, ICANN reported an “ongoing and significant risk”, comprising “multifaceted attacks utilizing different methodologies”. The result could be the redirection of web traffic to malicious domains.

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names.

Some of the attacks target the DNS itself: unauthorized changes are made to the delegation structure of domain names, replacing the addresses of the intended servers with the addresses of machines controlled by the attackers.

This kind of attack only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally ‘signing’ DNS data so that its validity can be verified.

Although DNSSEC cannot defend against every form of attack on the DNS, where it is deployed, unauthorized modification of DNS information can be detected and users are prevented from being misdirected.

Adoption of DNSSEC still appears to be slow. Statistics from Cloudflare state that only three percent of the Fortune 1000 are using the technology, while the global adoption rate is only 20 percent.

In a report last year, Cisco’s Talos research division described a sophisticated cyber-espionage campaign it named “DNSpionage”.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from several government and private-sector entities by hijacking the DNS servers of these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Security firm CrowdStrike then published a blog post detailing every Internet address known to have been abused by this espionage campaign; the list included addresses belonging to US and Swedish internet infrastructure as well.

John Crain, chief security, stability and resiliency officer at ICANN, says that many of the best practices that make it difficult for attackers to target a domain or its DNS infrastructure are not new.

“A lot of this comes down to data hygiene, large organizations down to mom-and-pop entities are not paying attention to some very basic security practices, like multi-factor authentication,” said Crain.

“These days, if you have a sub-optimal security stance, you’re going to get owned. That’s the reality today.”

Some of the best practices for companies include:

1. Use DNSSEC for both signing zones and validating responses.

2. Registration features like Registry Lock can help protect domain name records from being changed.

3. Access control lists for applications, Internet traffic and monitoring are good avenues to explore.

4. Two-factor authentication is a must, and it should be used by all relevant users and subcontractors.

5. As always, passwords should be unique, and password managers are a good option to consider.

6. Registrars and other providers need to review accounts, and monitoring of certificates through transparency logs is a good start.
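The hijack pattern the article describes (delegation and server addresses swapped for attacker-controlled ones) and the monitoring advice in items 1 and 3 can be turned into a simple drift check. The following is an added example, not code from ICANN, Talos or CrowdStrike: it compares a fresh resolver snapshot of a zone against a stored baseline, flags NS and address changes for monitored hosts, and reports when a zone that is expected to be DNSSEC-signed comes back without RRSIG records. The `Snapshot` structure, the zone `example.org`, the hostnames and the IP addresses are all constructed sample data for the demonstration.

```python
"""Baseline-drift monitor for a domain's delegation and host records.

Added example (not ICANN's, Talos's or CrowdStrike's code). It models the
hijack pattern described in the article: NS or A records of a domain are
changed so traffic lands on machines the attacker controls. The monitor
compares a fresh resolver snapshot against a stored baseline and also checks
that a zone expected to be DNSSEC-signed still returns RRSIG records.
All record data below is constructed sample data, not real infrastructure.
"""
from dataclasses import dataclass


@dataclass
class Snapshot:
    """What a resolver returned for one zone (constructed, simplified)."""
    zone: str
    ns: set             # NS record targets for the zone
    a: dict             # hostname -> set of IPv4 addresses
    rrsig_present: bool  # whether RRSIG records accompanied the answers


def _norm_name(name: str) -> str:
    # DNS names are case-insensitive; normalise to lowercase, no trailing dot
    return name.lower().rstrip(".")


def _norm_names(names) -> frozenset:
    return frozenset(_norm_name(n) for n in names)


def check_zone(baseline: Snapshot, observed: Snapshot, expect_dnssec: bool) -> list:
    """Return a list of alert strings; an empty list means no drift detected."""
    if _norm_name(baseline.zone) != _norm_name(observed.zone):
        raise ValueError("snapshots are for different zones")
    alerts = []

    # 1. Delegation change: the NS set differs from the baseline
    base_ns, obs_ns = _norm_names(baseline.ns), _norm_names(observed.ns)
    for added in sorted(obs_ns - base_ns):
        alerts.append(f"{_norm_name(observed.zone)}: unexpected NS added: {added}")
    for removed in sorted(base_ns - obs_ns):
        alerts.append(f"{_norm_name(observed.zone)}: expected NS missing: {removed}")

    # 2. Address change for monitored hosts (mail, VPN gateways, etc.)
    obs_a = {_norm_name(h): set(ips) for h, ips in observed.a.items()}
    for host, base_ips in baseline.a.items():
        host = _norm_name(host)
        obs_ips = obs_a.get(host, set())
        if obs_ips != set(base_ips):
            alerts.append(
                f"{host}: A records changed from {sorted(base_ips)} to {sorted(obs_ips)}"
            )

    # 3. DNSSEC signal: a signed zone whose answers lose their RRSIGs is
    #    either misconfigured or being served by something that cannot sign it
    if expect_dnssec and not observed.rrsig_present:
        alerts.append(f"{_norm_name(observed.zone)}: RRSIG missing on a DNSSEC-signed zone")
    return alerts


# --- constructed sample data (documentation address ranges) ------------------
BASELINE = Snapshot(
    zone="example.org",
    ns={"ns1.example.org.", "ns2.example.org."},
    a={"mail.example.org": {"192.0.2.10"}, "vpn.example.org": {"192.0.2.20"}},
    rrsig_present=True,
)

# A healthy re-check: same data, different letter case and trailing-dot style
OBSERVED_OK = Snapshot(
    zone="EXAMPLE.org",
    ns={"NS1.example.org", "ns2.example.org"},
    a={"MAIL.example.org.": {"192.0.2.10"}, "vpn.example.org": {"192.0.2.20"}},
    rrsig_present=True,
)

# A hijack-style re-check: one NS swapped, mail and VPN pointed at a new
# address, and the answers are no longer signed
OBSERVED_HIJACKED = Snapshot(
    zone="example.org",
    ns={"ns1.example.org", "ns.rogue.example"},
    a={"mail.example.org": {"198.51.100.5"}, "vpn.example.org": {"198.51.100.5"}},
    rrsig_present=False,
)


def run_demo() -> dict:
    """Run both scenarios and return their alert lists keyed by scenario."""
    return {
        "ok": check_zone(BASELINE, OBSERVED_OK, expect_dnssec=True),
        "hijacked": check_zone(BASELINE, OBSERVED_HIJACKED, expect_dnssec=True),
    }


if __name__ == "__main__":
    for scenario, alerts in run_demo().items():
        print(f"[{scenario}] {len(alerts)} alert(s)")
        for line in alerts:
            print("  -", line)
```

In practice the snapshots would be filled from a validating resolver's answers for the zone (including whether RRSIGs were returned), and the baseline kept somewhere the registrar account cannot alter, so that a change made through a compromised registrar login is still caught on the next check.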