DNS – Your Website’s and IP Network’s Achilles Heel

March 12, 2009

In case you thought I made this up, a search on “DNS Achilles Heel” yielded the following:

  1. DNS Servers – An Internet Achilles Heel
     May 28, 2007. Scan finds that hundreds of thousands of the servers that act as the white pages of the Net are vulnerable to attack.
     news.zdnet.com/2100-1009_22-144018.html

  2. Is DNS the Achilles heel in your MySQL installation? | MySQL
     Posted by Baron Schwartz. Do you have skip_name_resolve set in your /etc/my.cnf? If not, consider it.
     www.mysqlperformanceblog.com/2008/05/31/dns-achilles-heel-mysql-installation/

  3. DNS Servers: An Internet Achilles Heel | EDUCAUSE CONNECT
     In a presentation at the Black Hat conference last week, security researcher Dan Kaminsky argued that domain name system (DNS) servers represent a broad…
     connect.educause.edu/Library/Abstract/DNSServersAnInternetAchil/36500

  4. DNS servers – an Internet Achilles heel
     “That is almost 10 percent of the scanned DNS servers,” Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas.
     www.gss.co.uk/news/article/2145/go

  5. DNS servers – an Internet Achilles heel
     9 posts – Last post: Aug 4, 2005
     Discussion – Post 1 of 8: DNS servers – an Internet Achilles heel: According to a presentation at the Black Hat security…
     techrepublic.com.com/5208-6230-0.html?forumID=4&threadID=178944&start=0

  6. DNS – The Internet’s Achilles Heel?
     Tuesday May 10, 2005. | Commentary | Every time a major Web site like Google experiences a DNS outage, critics of the…
     compnetworking.about.com/b/2005/05/10/dns-the-internets-achilles-heel.htm

  7. DNS servers – an Internet Achilles heel – CNET News
     Scan finds that hundreds of thousands of the servers that act as the white pages of the Net are vulnerable to attack. A CNET article by Joris Evers.
     att.com.com/DNS-servers–an-Internet-Achilles-heel/2100-7349_3-5816061.html

  8. ISN 2005/08: [ISN] DNS servers — an Internet Achilles heel
     http://news.com.com/DNS+servers–an+Internet+Achilles+heel/2100-7349_3-5816061.html – By Joris Evers, Staff Writer, CNET News.com, August 3, 2005. Hundreds of…
     lists.jammed.com/ISN/2005/08/0014.html

  9. VenChar: DNS – The achilles heel of the Internet
     August 03, 2005. CNET has a good article on the vulnerability of the Internet to DNS “cache poisoning” attacks.
     www.venchar.com/2005/08/dns_the_achille.html

Network Solutions DNS Outage & VOIP provider blues

January 26, 2009

When the largest registrar of domain names in the world has a DNS outage, all hell starts to break loose. http://www.soonews.ca/viewarticle.php?id=20863

It sure seems a bit more severe than Network Solutions admitted to…

Potential Latency on Network Solutions DNS | Network Solutions
There may be some latency on Network Solutions DNS Servers and some queries may be timing out. This may include instances when someone types a domain name into…
Network Solutions – Small business… – http://blog.networksolutions.com/

By now it must be obvious to readers of this blog that DNS resolver code as it exists on the name-servers of most hosting providers is not the safe structure it was once assumed to be.

Just Google “DNS Achilles Heel” for articles that started appearing years ago:

DNS Achilles Heel

And in case you thought your VOIP phone lines were safe, notice Packet8’s outage…

DNS Issue Temporarily Cripples Packet8 VoIP Service
A source tipped me off to a Packet8 VoIP service outage last night…
VoIP & Gadgets Blog – http://blog.tmcnet.com/blog/tom-keating/

TPile » Blog Archive » Packet 8 Suffers DNS Related Outage – Some…
According to posts in our forums, the problem was DNS related. “Registry.com messed up all our entries wiping out the DNS configuration pointing to Packet8/8×8 when they tried to renew the expiration for three of our…”
TPile – http://popmartian.com/techpile/

AT RISK – Firewall Vendors, ISPs, Email, Password retrieval + a Hacker’s view of exploits

September 2, 2008
It’s getting worse.
What was once a vague threat of eavesdropping, if you didn’t encrypt your email, has reached over into areas where many of us, from consumers to tech providers (of security hardware, no less) once felt fairly safe.

The following stories appeared in August:

Firewall Vendors Scramble to Fix Problems with DNS Patch

August 4, 2008 (IDG News Service) Nearly a month after a critical flaw in the Internet’s Domain Name System was first reported, vendors of some of the most widely used firewall software packages are scrambling to fix a problem that can essentially undo portions of the patches that address this bug.

The DNS flaw affects server software made by many vendors, including Microsoft, Cisco Systems, and the Internet Systems Consortium.

Some firewall software undoes a source port randomization feature that was introduced in the DNS patches. While this change doesn’t completely negate the DNS patch, it could make it easier for attackers to pull off a cache-poisoning attack against the DNS server, security experts say.

This could lead to virtually undetectable phishing attacks against users of those DNS servers.

Full Article:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111500&intsrc=hm_ts_head

SMALLER ISPs AT RISK:

Security expert: DNS Attacks are Happening

http://news.cnet.com/8301-1009_3-10022303-83.html

Email – “Forgot your password? Send it to a hacker.”

http://www.cnn.com/2008/TECH/biztech/08/06/internet.security.ap/index.html

Finally,

what hackers are probing and leveraging…

http://topics.cnn.com/topics/hackers

… when they’re not just trying to shut you down, wholesale…

http://nirlog.com/2006/03/28/dns-amplification-attack/


Hacker : “Hey, can I use your domain to DDoS my competitor?” You: “Er… I don’t think so… “

August 1, 2008

Hacker: “How about to relay my spam?” You: “Of course not.”

Hacker: “I guess I won’t ask permission then…”

Did you know that your DNS server may respond to queries from websites that you visit, or even domains that you send mail to, rather than just for your own domain? An open DNS server (an “open recursive” resolver) answers queries for domains it is not authoritative for, and does so for anyone on the Internet rather than just for clients on your local network.

Now, when DNS servers and mailservers were originally put into use, they were all open. That’s just how the Internet was way back when.

Over the years, spammers started relaying through open relays, so the best practice became not to run open relay mailservers. For quite a few years now, “best practice” has been not to have a DNS server be both authoritative and caching (doing recursive lookups). But most DNS servers are still open.

Once again, getting folks to act in their intelligent self-interest is not as easy as it might seem . . .

The problem is that there are now DDoS attacks (attacks that flood a computer with so much data that it becomes overloaded) that use open DNS servers for amplification: the attacker sends small packets to a server, which then sends much larger packets to the victim, so far more data reaches the victim than the attacker had to send. Specifically, a UDP DNS query is sent with a forged source IP address (the victim’s) in a small packet (about 75 bytes), asking for a domain whose response is very large (with EDNS0, it can be 4,000 bytes or more).

The response packet then goes to the victim. The victim gets about 50 times as much data as the attacker is sending out. So with a dialup connection, an attacker could saturate a T1 line. Or, with a broadband connection… well, you get the picture. It’s not pretty.
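As an added example (not code from the original post), the following Python script shows the mechanics of the two paragraphs above from the defender’s side: it builds the small EDNS0 query, constructs the kind of large reply an open recursive resolver returns, reads the header flags that tell you whether a server is answering recursively for strangers, and computes the amplification factor (response bytes per query byte). Everything is built in memory and nothing is sent on the wire; the domain name, record sizes and all function names are assumptions made for illustration.

```python
"""Added example, not code from the original post: build the small EDNS0 query
described above, construct the large response an open recursive resolver would
return, read the header flags that reveal open recursion, and compute the
amplification factor. Everything is built in memory; nothing is sent on the wire.
Names, sizes and function names are assumptions made for illustration."""
import struct


def build_query(name, qtype=255, edns_bufsize=4096, txid=0x1234):
    """Wire form of a query for `name` (type ANY by default, RD=1) with an EDNS0
    OPT record advertising `edns_bufsize` bytes of UDP payload."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD set; 1 question, 1 additional
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)               # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root name, TYPE OPT, UDP size, TTL, rdlen
    return header + question + opt


def _question_end(packet):
    """Offset just past the (single) question section."""
    i = 12
    while packet[i] != 0:
        i += packet[i] + 1
    return i + 1 + 4                                              # zero byte + QTYPE + QCLASS


def build_response(query, txt_count=15, flags=0x8180):
    """Constructed reply echoing the query's ID and question, padded with
    `txt_count` 255-byte TXT records. Default flags: QR, RD, RA set, AA clear,
    i.e. what a resolver answering recursively for anyone sends back."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_question_end(query)]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 256) + b"\xff" + b"A" * 255
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, txt_count, 0, 1)
    return header + question + rr * txt_count + opt


def parse_header(packet):
    """Decode the 12-byte header into the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}


def classify_resolver(query, response):
    """Classify a reply to a recursive query for a name the server does not host.
    RA set, AA clear and answers present means it is serving recursion to anyone."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        return "not a reply to this query"
    if h["rcode"] == 5:                                           # REFUSED
        return "refuses recursion"
    if h["ra"] and not h["aa"] and h["answers"] > 0:
        return "open recursive"
    if h["aa"]:
        return "authoritative answer"
    return "inconclusive"


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker must send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")                                # 40 bytes
    r = build_response(q)                                         # 4060 bytes
    print(classify_resolver(q, r), f"{amplification_factor(q, r):.1f}x")
    print(classify_resolver(q, build_response(q, txt_count=0, flags=0x8185)))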


Is your DNS “bleeding” traffic? Prone to DDoS? Easily hijacked?

July 31, 2008

CLICK for FREE Analysis Report of Your DNS

Web-surfers are not known for being a patient lot. ( If they were, who would ever pay for broadband? )

So . . . can they get to your site, first time, every time? Is your site really accessible by everyone trying to get there, or are you “bleeding” traffic?

Do you know how many unique visitors out of every 100, hour after hour, are getting 404 Page Errors or Server Time-Out messages?

How do you know?

Here are 10 more questions. If you don’t have the answers off the top of your head, contact this blog for a free analysis and save yourself an hour of research.

What resolver code are you running? What version? Is it patched? If patched, is it slower than it used to be?

Are you running an open recursive server?

Are your name-servers on the same /24 address space, or separate? Is that good or bad?

Do your serial numbers match across all name-servers?

Is your delegation “LAME”? (No, I don’t mean the MP3-ripping program.)

Do your parent and authoritative name-servers agree? (“Mommy & Daddy! Please don’t fight!”)
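As an added example (not code from the original post), here are offline versions of four of the checks behind the questions above: matching SOA serials across name-servers, name-servers crowded into a single /24, lame delegation (a delegated server answering without the AA bit), and parent/child NS agreement. They run over a constructed snapshot of what each server and the parent zone returned, which stands in for real SOA and NS lookups; the zone, server names, addresses and serials are all made up for illustration.

```python
"""Added example, not code from the original post: offline versions of several of
the checks asked about above (matching serials, name-servers crowded into one /24,
lame delegation, parent/child NS agreement), run over a constructed snapshot of
what each name-server and the parent zone returned. The snapshot stands in for
real SOA and NS lookups; all names and addresses are made up for illustration."""
import ipaddress

# Constructed snapshot for example.com: what each delegated server answered.
SNAPSHOT = {
    "ns1.example.com": {"ip": "192.0.2.10",   "serial": 2009031201, "aa": True},
    "ns2.example.com": {"ip": "192.0.2.11",   "serial": 2009031201, "aa": True},
    "ns3.example.com": {"ip": "198.51.100.5", "serial": 2009031100, "aa": False},
}
# NS records as published by the parent (.com) and by the child zone itself.
PARENT_NS = ["ns1.example.com", "ns2.example.com", "ns3.example.com", "ns4.example.com"]
CHILD_NS = ["ns1.example.com", "ns2.example.com", "ns3.example.com"]


def serial_mismatches(snapshot):
    """Servers whose SOA serial differs from the most common one (stale secondaries)."""
    serials = [v["serial"] for v in snapshot.values()]
    majority = max(set(serials), key=serials.count)
    return sorted(ns for ns, v in snapshot.items() if v["serial"] != majority)


def shared_prefixes(snapshot, prefixlen=24):
    """Group servers by /24: more than one server in the same block shares
    fate with that block's routing and upstream, which is the 'bad' answer."""
    groups = {}
    for ns, v in snapshot.items():
        net = ipaddress.ip_network(f"{v['ip']}/{prefixlen}", strict=False)
        groups.setdefault(str(net), []).append(ns)
    return {net: sorted(servers) for net, servers in groups.items() if len(servers) > 1}


def lame_servers(snapshot, parent_ns):
    """Servers the parent delegates to that answer without the AA bit (lame delegation)."""
    return sorted(ns for ns in parent_ns if ns in snapshot and not snapshot[ns]["aa"])


def delegation_disagreement(child_ns, parent_ns):
    """Where the parent's NS set and the child's own NS set differ."""
    child, parent = set(child_ns), set(parent_ns)
    return {"only_in_parent": sorted(parent - child), "only_in_child": sorted(child - parent)}


def report(snapshot=SNAPSHOT, child_ns=CHILD_NS, parent_ns=PARENT_NS):
    """All four checks in one dict; an empty value means that check passed."""
    return {
        "serial_mismatches": serial_mismatches(snapshot),
        "shared_24s": shared_prefixes(snapshot),
        "lame": lame_servers(snapshot, parent_ns),
        "delegation": delegation_disagreement(child_ns, parent_ns),
    }


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result or 'ok'}")
```

In the constructed snapshot ns3 is stale (older serial) and lame (no AA bit), ns1 and ns2 sit in the same /24, and the parent still lists an ns4 the child zone no longer carries; each of those is one of the answers the questions above are after.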



Favorite Dan Kaminsky Quotes on the 7/8/08 Recursive Exploit Patches

July 23, 2008

On the biggest internet security flaw discovered in the past decade: One of the remarkable things about this exploit being made public is the gradual public understanding that it would be a simple matter to replicate, and how quickly it could be adapted. Thus the possibility will be thousands of times greater that it will be aimed at sites that you and I visit daily and affect us directly. And if any yahoo can attack any site that happens to tick him off, well…

From Robert McMillan in PC World:

By day’s end, Kaminsky had even turned his most vocal critic, Matasano’s Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. “He has the goods,” Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. “He’s pretty much taken it to point and click to an extent that we didn’t see coming.”

The whole article: http://www.pcworld.com/businesscenter/article/148151/internet_bug_fix_spawns_backlash_from_hackers.html

Then in an interview for Kim Zetter’s Threat Level in WIRED’s blogs, I thought these remarks of Kaminsky’s were particularly salient:

DK: People are allowed to be very, very skeptical. But, you know, don’t be so skeptical that you’re telling people to not patch.

This is a really bad bug. And for everyone who (says), Oh, I knew about this years ago . . . no, you didn’t. Stop pretending you did. Because every time you say it, another network doesn’t patch (their system).



What’s more “retarded?” Paying for safe, effective DNS or…

July 23, 2008

(1) losing some of your hard-earned traffic

(2) getting DDoSed

(3) having your customers syphoned off to a scammer’s copycat site to give up their secure information, thinking they are on your (previously) trusted site?

Here’s the story: One of my colleagues had the misfortune to speak with a paid employee who flatly announced in the North American vernacular, “Paying for DNS is ‘retarded.’” Really?

Never mind the insensitivity of such a term, calling the buyer “retarded” insults the IT Professional or businessperson who has chosen to insure his investment. This misguided “genius” insinuates that the buyer who actually invests in something whose basic function can be had gratis is worse than a fool.

Some kind of DNS name-server set-up is necessary for any hosting solution. It started out three decades ago as, and is still largely offered as, a “free” component of one’s hosting infrastructure. So what?


One DNS Provider Goes Down

July 14, 2008

A low-cost, non-SLA DNS Provider went down last night…

This is the distinction between paying to be on as big a network as you can afford, with full redundancy distributed over many countries and continents, vs. a typical hosting provider or someone else who purports to manage DNS but can’t or won’t guarantee uptime (or, even if they were to do so, there would be little at stake as far as actual refunded fees go). Most likely, what you ultimately want is 100% DNS uptime. Period. If you can’t afford it, you can get some protection and even some “guarantees” out there. Practically speaking, the more skin a DNS provider has in the game, meaning the more invested in its infrastructure and the more actual nameservers physically located behind the firewalls of as many large ISPs as possible, the faster the average global response times, the greater the ability to dilute DDoS attacks, and the more you should expect to pay. Conversely, the more you pay, the more you should expect. Simple, no?



Latest BIND (Open-source Resolver Code) Security Flaw discovered…

July 9, 2008

Dan Kaminsky is a premier “white-hat hacker” and researcher at IOActive. Dan delved deep into the code and uncovered a security flaw with BIND software, which is common also to Microsoft’s DNS code, and Beta patches have been released for both codes.

This has caused some frenzied activity world-wide for IT professionals charged with locating and updating all their servers running either code. Although it is a recursive-level exploit, most will likely opt to update authoritative servers as well, and they will likely have to go through this all again in a couple of weeks when the final versions of the patches are released.

Some experts are calling this perhaps the most significant DNS exploit in the past 10 years, and it is most likely to capture the attention of hackers who wish to compromise or control computers. It may be glib to suggest this, yet it is true that avoiding the use of open-source resolver code for your mission-critical DNS applications, in general, is one way to side-step issues like these.

The Internet gets a patch, as DNS bug is fixed
NetworkWorld.com – Southborough, MA, USA
The Internet Software Consortium’s open-source BIND (Berkeley Internet Name Domain) software runs on about 80 percent of the Internet’s DNS servers.



Internet Security Threats – focus on Germany + the EMEA region

June 6, 2008

Many of my daily business contacts are in Europe, and a large percentage of those are in Germany.

During a conversation with the CTO of one of the largest German Venture Capital firms that invest in and consult with internet start-ups, he remarked that he was “not surprised” by the relatively high rate of DDoS and other attacks in Germany.

As someone who has suffered through the havoc caused by a DDoS attack or two, he also understood why newer IT managers might feel complacent if they haven’t experienced first-hand the frustration and downtime these attacks cause.

“Always-on” internet-connected (broadband) computers are of course also easier to use in DDoS attacks. It is not surprising that the concentration of attacks from German computers (and targeted at German companies), as well as the high number of German bot-infected computers, parallels the relatively high number of broadband users in Germany.

Symantec has been publishing reports on Global and Regional Internet Threats for nearly a decade.