DNS hijacking grabs headlines, but it’s just the tip of the iceberg
- 17 June, 2019 20:00
Internet pioneer Dr. Paul Vixie wishes people would stop ignoring his advice and start taking security seriously. “I am complaining about too many things,” he tells me. “It couldn't be as bad as I say it is. Except it is.”
The man who made extensive contributions to the Domain Name System (DNS) has just given the opening keynote at the CARO 2019 conference in Copenhagen, and once again has asked the security community to be more collaborative “for the good of all.” The growth of the internet of things (IoT) poses new challenges in the field of DNS security, and so do government-sponsored hackers who have started targeting the backbone of the internet.
I call Vixie right after the conference. He’s on a train going to the far west of Denmark to pick up his BMW R100 classic motorcycle for a few days of fun. The monotonous train ride takes him back to the beginnings of the internet. Vixie reflects on the mistakes of the past and the things that could be done to improve DNS security.
Half-baked and barely working
Vixie spent the first half of his career making the internet easier to use, authoring many standards documents concerning the Domain Name System, the internet phone book that allows us to use human-readable names for websites instead of IP addresses. Then, he changed tactics.
“I’ve spent roughly the second half [of my career]… trying to make communications harder... because of all the criminals and spammers that we brought with us,” the tech veteran said in his Internet Hall of Fame acceptance speech in 2014.
He tries to make communications safer with Farsight Security, a company he co-founded. Farsight passively collects internet data including domain names, IP addresses, and name servers, providing security teams both a real-time and a historical view of an organization’s online presence to help them detect cyberattacks more quickly. Paul Mockapetris, who pioneered the first DNS architecture in 1983, serves on Farsight's board.
Vixie is even better known for his contribution to the Domain Name System Security Extensions (DNSSEC), a set of extensions to DNS that adds cryptographic signatures to DNS data, so that a resolver can check that an answer was published by the zone’s owner and was not forged or altered on the way. Although the solution has been around since 1996, not everyone is deploying it. “A lot of people [in the industry] are resisting turning it on because it means more work for them,” Vixie tells me.
In fact, a fundamental theme of his career in security has been putting in effort and developing technologies that solve big problems but aren’t adopted by everyone. “Advice like mine is ignored by people who can't believe that things are as bad as I say,” he tells me. “The world does seem to keep turning and the lights do come on when you flip the switch on, and so it can’t possibly be as hokey as I’m describing.”
Yet, he says that the tools we’re building are neither well structured, nor well understood. “Everything about technology is so half-baked, and so barely working, that really the part that is working for you right now, at any given moment, is the exception rather than the rule. A lot of it is individual acts of heroism by people that may someday be replaced by those who don't care as much.”
Vixie himself performed many acts of heroism or “midnight engineering,” as he calls it. But he also had his share of blunders and opportunities not taken. “Probably my biggest mistake was to use IP fragmentation as a way to get larger messages,” he tells me. “That was clearly a bad idea.”
A missed opportunity for internet security
He could have made the internet more secure in the late 1990s, when BIND, the DNS server software he maintained, ran on almost every name server. Yet, he and his friends thought the internet was too big to be rebuilt from scratch. “We were wrong. At the time, there were 3 billion users. Compared to the future, that network would have been pretty easy to change… That would have been the time to make a fundamental redesign.”
Some of his mistakes were obvious even at that time, he says, but there was nobody to challenge him and refute his work, in particular after the internet grew bigger. He regrets not being nice and kind enough to build a collaborative community around him that would have benefited the whole world.
“I wish I had been a lot more polite,” he tells me. “Seriously.”
“The cultural norm within the DNS technical community right now is somewhat hostile and unforgiving. A lot of that comes from people following my earlier example. I should have been a better person.”
The high-speed train that’s taking Vixie to his classic motorcycle in West Denmark enters a long tunnel. Soon, I lose him.
Attackers becoming more capable, sophisticated
DNS security has been grabbing headlines in the past two years, as domain hijacking incidents increased. Both government-sponsored hackers and cybercriminals have targeted the backbone of the internet in a number of ways, in spite of the United Nations norms for state behaviour in cyberspace, which call on states not to attack critical infrastructure.
“If DNS is the phone book of the internet, then hijacking DNS is making prank calls with real-life consequences,” says Stefan Tanase, security researcher at Ixia.
I meet him in a cafe just outside his company’s office in Bucharest, Romania. He grabs a thick stack of papers from his backpack. All are on DNS security, one of the topics he has been following throughout his career. Tanase says that hackers targeting DNS are becoming more capable and more sophisticated.
“A few years ago, we mostly had opportunistic attacks, often performed by hacktivists like the Syrian Electronic Army, who claimed responsibility for taking over the New York Times’ website in 2013,” he says.
Today, the researcher sees more targeted actions. His team has recently discovered a campaign in which traffic meant for PayPal, Gmail, Netflix, Uber and some Brazilian banks and hosting services was redirected to malicious websites. Hackers targeted home routers, which are often left unpatched. They leveraged known firmware vulnerabilities to change DNS server settings.
“As routers get more RAM, more processing power and more storage space, they become more appealing to cybercriminals,” Tanase says. Victims often don’t know they are hit. “They have an antivirus installed on their computer and think they are safe. Truth is, their router could be hacked, or the router of the ISP, or the DNS of the TLD.”
Tanase says hackers use plenty of techniques, some of which take advantage of the growth of the internet of things. He mentions DNS rebinding attacks on IoT networks: a malicious web page makes the visitor’s browser run a script, and the attacker’s domain is then re-pointed from the attacker’s server to a private address, so the script can reach devices on the victim’s local network that the browser’s same-origin policy would otherwise keep it away from. There are also DNS amplification DDoS attacks, in which open resolvers are abused: the attacker sends small queries with the victim’s spoofed source address, and the much larger responses flood the victim’s servers.
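The rebinding attack described above and the resolver-side defence against it, as an added example (mine, not code from the article or from Ixia). It assumes a constructed timeline: an attacker domain iot-update.example, the attacker’s web server at 203.0.113.10, and a target router at 192.168.1.1. The check it implements is the same idea that real resolvers offer as dnsmasq’s --stop-dns-rebind and Unbound’s private-address option.

```python
"""Added example, not from the article or Ixia: a caching stub resolver with
DNS rebinding protection, and the attack timeline it breaks.

Everything here is constructed: the attacker domain iot-update.example,
the attacker's server 203.0.113.10 and a router at 192.168.1.1.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Address ranges a name from the public internet should never resolve to.
# Listed explicitly (rather than via ipaddress.is_private) so that the
# documentation range 203.0.113.0/24 used below counts as "public".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_local_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)   # mixed IP versions compare False


@dataclass
class CacheEntry:
    addr: str
    expires_at: float


@dataclass
class Resolver:
    """Caching stub resolver. With protect=True it refuses to hand back a
    local address for a name outside the zones in allow_private_for."""
    protect: bool = True
    allow_private_for: Tuple[str, ...] = ()   # internal zones that may use RFC 1918 space
    cache: Dict[str, CacheEntry] = field(default_factory=dict)
    blocked: List[Tuple[str, str]] = field(default_factory=list)

    def _internal(self, name: str) -> bool:
        return any(name == z or name.endswith("." + z) for z in self.allow_private_for)

    def resolve(self, name: str, now: float, upstream: Tuple[str, int]) -> Optional[str]:
        """Answer for `name` at time `now`. `upstream` is the (address, ttl) the
        authoritative server would return; it is consulted only on a cache miss."""
        name = name.lower().rstrip(".")
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.addr
        addr, ttl = upstream
        if self.protect and is_local_address(addr) and not self._internal(name):
            self.blocked.append((name, addr))
            return None
        self.cache[name] = CacheEntry(addr, now + ttl)
        return addr


def host_header_ok(host_header: str, own_names: set) -> bool:
    """Device-side defence: a LAN service should only serve requests whose Host
    header names it. A rebound request still says "iot-update.example"."""
    host = host_header.split(":")[0].lower().rstrip(".")   # strips an optional port
    return host in own_names


def simulate_rebinding(protect: bool) -> List[Optional[str]]:
    """The attacker's authoritative server answers with its own address and a
    1-second TTL, then with the router's address once the page's script runs.
    Returns what the victim's resolver handed to the browser at each step."""
    r = Resolver(protect=protect)
    timeline = [                            # (time, upstream answer), constructed
        (0.0, ("203.0.113.10", 1)),         # page load: attacker's web server
        (0.5, ("203.0.113.10", 1)),         # script starts; answer still cached
        (2.0, ("192.168.1.1", 1)),          # TTL expired: same origin, now the router
    ]
    return [r.resolve("iot-update.example", t, ans) for t, ans in timeline]


if __name__ == "__main__":
    print("unprotected:", simulate_rebinding(protect=False))
    print("protected:  ", simulate_rebinding(protect=True))
    print("Host check :", host_header_ok("iot-update.example", {"router.lan", "192.168.1.1"}))
```

Run as a script, the unprotected resolver hands 192.168.1.1 to the browser on the third lookup while the protected one returns nothing. The allow_private_for list exists because internal zones legitimately resolve to RFC 1918 space; the Host header check is the belt-and-braces defence on the device itself, since the rebound request still carries the attacker’s domain in Host.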
The researcher has also seen hackers who used DNS queries to communicate with command-and-control servers. “Why? Because sysadmins often fail to log DNS requests,” he says. “Cybercriminals buy a domain, and they set up a DNS server so that it accepts requests for any subdomain of that domain. Then, they use encrypted commands as subdomains to communicate with command and control servers.”
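To show what the tunnelling Tanase describes looks like in the query logs that sysadmins often do not keep, here is an added example (mine, not from the article or from Ixia) that profiles the subdomain labels sent to each registered domain. The log lines, the domains example.net and beacon.example.net, and the thresholds are all constructed assumptions; the detection idea, many distinct, long, high-entropy labels under one domain, is the general one.

```python
"""Added example, not from the article or Ixia: spotting DNS tunnelling in
query logs by profiling the subdomain labels sent to each registered domain.

The log lines, domains and thresholds below are constructed for this example;
they are not indicators from any real campaign.
"""
import math
from collections import defaultdict
from typing import Dict, List

# Constructed log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2019-06-17T10:00:01Z 10.0.0.15 www.example.com A
2019-06-17T10:00:02Z 10.0.0.15 mail.example.com MX
2019-06-17T10:00:03Z 10.0.0.22 7a6b3f9e1c0d4e2fa1b2c3d4e5f60718.beacon.example.net TXT
2019-06-17T10:00:04Z 10.0.0.22 09f1e2d3c4b5a6978899aabbccddeeff.beacon.example.net TXT
2019-06-17T10:00:05Z 10.0.0.22 ffeeddccbbaa99887766554433221100.beacon.example.net TXT
2019-06-17T10:00:06Z 10.0.0.22 0123456789abcdef0123456789abcdef.beacon.example.net TXT
2019-06-17T10:00:07Z 10.0.0.22 deadbeefcafef00d1122334455667788.beacon.example.net TXT
2019-06-17T10:00:08Z 10.0.0.15 cdn.example.com A
2019-06-17T10:00:09Z 10.0.0.31 static.example.org A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit near the 4 bits of hex or
    5 bits of base32, human-chosen labels far below."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: the last two labels. Production code should use the Public
    Suffix List so that e.g. "co.uk" is not treated as a registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def profile_queries(log_text: str) -> Dict[str, dict]:
    """Per registered domain: query count, distinct subdomain prefixes, and
    mean length/entropy of the leftmost label (where tunnels carry data)."""
    acc = defaultdict(lambda: {"queries": 0, "prefixes": set(), "lens": [], "ents": [], "txt_null": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                                # skip malformed lines
        _ts, _client, qname, qtype = parts
        name = qname.lower().rstrip(".")
        dom = registered_domain(name)
        st = acc[dom]
        st["queries"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):       # record types with room for downstream data
            st["txt_null"] += 1
        if name != dom:
            prefix = name[: -len(dom) - 1]          # everything left of the registered domain
            st["prefixes"].add(prefix)
            leftmost = prefix.split(".")[0]
            st["lens"].append(len(leftmost))
            st["ents"].append(shannon_entropy(leftmost))
    summary = {}
    for dom, st in acc.items():
        n = len(st["lens"])
        summary[dom] = {
            "queries": st["queries"],
            "unique_prefixes": len(st["prefixes"]),
            "mean_label_len": sum(st["lens"]) / n if n else 0.0,
            "mean_entropy": sum(st["ents"]) / n if n else 0.0,
            "txt_null_ratio": st["txt_null"] / st["queries"],
        }
    return summary


def detect_tunnels(log_text: str, min_unique: int = 4, min_len: int = 20,
                   min_entropy: float = 3.0) -> List[str]:
    """Domains whose traffic looks like data rather than hostnames: many
    distinct, long, high-entropy labels. The thresholds are tuning knobs."""
    return sorted(dom for dom, m in profile_queries(log_text).items()
                  if m["unique_prefixes"] >= min_unique
                  and m["mean_label_len"] >= min_len
                  and m["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for dom, m in profile_queries(SAMPLE_LOG).items():
        print(f"{dom:14} {m}")
    print("suspected tunnels:", detect_tunnels(SAMPLE_LOG))
```

On the sample, example.net stands out with five distinct 32-character hex labels at close to four bits of entropy each, all carried in TXT queries, while the ordinary hostnames under example.com and example.org fall well under every threshold. In production the thresholds need tuning against the environment’s baseline, and CDNs and anti-spam services that legitimately encode data in labels need an allow list.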
Tanase sips his coffee and tells me that some of the most prolific DNS cybercrime gangs he has followed are based in Latin America, probably because legislation against such crimes is falling behind in this region.
State-sponsored attackers targeting DNS servers
It’s not just cybercriminals who abuse DNS to carry out dubious work. Cisco Talos has recently analyzed at least two separate state-sponsored actors, Craig Williams, director of outreach, tells me in a video call. The first campaign his team monitored was DNSpionage, which stole login credentials from government organizations and companies in the United Arab Emirates and Lebanon. It hijacked the DNS records of the domains of the organizations it targeted and redirected their traffic to internet addresses it controlled. The campaign also used two malicious websites with job postings, from which victims downloaded Microsoft Office documents with embedded macros.
“That's actually incredibly common for state-sponsored actors,” Williams tells me. “A lot of people hear state-sponsored and they think they must have had a zero-day or some sort of undetectable attack. That's almost never the case. Generally, a state-sponsored attack is something very simple, something that's very reliable.”
Williams tells me that this campaign was fascinating to study. “DNSpionage would actually have a complete C2 system that would tunnel over DNS, which is relatively unusual... [But] they used self-signed certificates from Let's Encrypt, which is very common.”
Shortly after DNSpionage, Cisco Talos found a second state-sponsored campaign, Sea Turtle, which poses an even more severe threat. The actor behind these attacks hit 40 different organizations in 13 countries, mostly in the Middle East and North Africa. Among the victims were ministries of foreign affairs, military and energy organizations and intelligence agencies, but also DNS registrars, telecom companies and internet service providers. In fact, according to Cisco Talos, the campaign was probably the first known case of a domain name registry being compromised for cyber espionage operations.
“Sea Turtle was a very brazen actor,” Williams tells me. It didn’t stop operating after it was detected, which is unusual for government-sponsored attackers. “Even after our write-up was published, they still kept doing it, and they're probably still doing it right now,” Williams says.
He fears that the success of such operations might prompt government-sponsored actors to target DNS more broadly, which will have devastating effects for everyone. “If they ever decide to attack corporations or commercial [entities], it would undermine the fundamental trust that people have in DNS,” he says. “That trust keeps e-commerce going and keeps the internet working.”
Williams believes there should be a global agreement on what’s illegal and immoral when it comes to governments hacking each other. He fears that the lack of such a treaty will intensify attacks against the DNS.
“We’re living in a Wild West model of the internet, where everybody seems to attack anything with no regard to what happens,” he says. “We need to come together as users of the internet and agree that there should be some things that are off-limits. Without some sort of agreement, we're going to continue to have these types of attacks escalate, and I don't know at what point it stops.”
“If government A wants to attack government B, that's great. Let's hack each other, but don't break DNS while you're doing it!,” Williams says.
Giving the good guys an edge
Meanwhile in Denmark, Paul Vixie’s train exits the tunnel, and I’m able to talk to him a little bit longer. I remember one of the things he said at a conference, when he asked his peers in the security community to reflect more on the kind of world they help build. “A number of us have really been focused on 1s and 0s without understanding the social implications of what we create,” he told the audience at Hack.lu in Luxembourg last year.
Back then, he introduced SIE Europe, an initiative that allows organizations to share passive DNS data to help investigations, but also reduce risk from phishing, ransomware and other attacks. He built SIE together with Christoph Fischer, the CEO of BFK, and Peter Kruse, co-founder of CSIS Group.
Vixie believes that information sharing as well as regulations could address some of the security issues the world is facing right now. “I love GDPR [the European Union’s General Data Protection Regulation],” he tells me. “And some of my friends are petitioning Washington, DC right now to create an accountability framework.”
As for DNS hijacking, the tech veteran says he doesn’t worry too much about high-value domains such as Google.com or Amazon.com, because they are well protected against this type of attack, at least on the registrar side. Yet, smaller websites, which invest less in security, will continue to be hit, he says.
In his opinion, hijacking is just the tip of the iceberg. “As a technologist with some decades of experience with DNS, when I look at security problems, my biggest worry is not hijacking, but protocol misuse, when you are able to spoof someone else’s content,” Vixie says. The answer to that is the extension he helped create, DNSSEC, which lets a resolver reject answers that were not signed by the zone’s owner. It should be used by everyone, but isn’t.
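The spoofing Vixie worries about here, and the point made earlier about what DNSSEC adds, as an added example (mine, not the article’s and not Vixie’s code). It models the checks a resolver applies to an incoming answer, then a toy signed zone. All names, ports, transaction IDs and addresses are constructed, and the signature is textbook RSA with a tiny hard-coded key standing in for DNSSEC’s DNSKEY/RRSIG; it is not real DNSSEC and not secure.

```python
"""Added example, not from the article: how an off-path attacker forges a DNS
answer, which checks a plain resolver makes against it, and why only a
signature check (the property DNSSEC adds) rejects an in-bailiwick forgery.

Everything is constructed. The signing scheme is textbook RSA with a tiny
hard-coded key, a stand-in for DNSSEC's DNSKEY/RRSIG; real DNSSEC uses
proper algorithms, key sizes and wire formats (RFC 4034/4035).
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Query:
    txid: int          # 16-bit transaction ID
    src_port: int      # the resolver's (ideally random) source port
    qname: str
    qtype: str = "A"


@dataclass
class Response:
    txid: int
    dst_port: int      # where the packet was sent; must equal the query's src_port
    qname: str
    qtype: str
    answers: List[RR]
    additional: List[RR] = field(default_factory=list)
    sig: Optional[int] = None   # stand-in for an RRSIG over `answers`


# --- Toy zone signing: two Mersenne primes give a small but valid RSA key.
# NOT secure; it only shows that a forger cannot produce a verifying value.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))      # private exponent: zone owner only


def rrset_digest(answers: List[RR]) -> int:
    """Hash of the RRset in canonical (sorted, lower-cased) form, reduced mod N."""
    canonical = "\n".join(f"{r.name.lower()} {r.rtype} {r.rdata}"
                          for r in sorted(answers, key=lambda r: (r.name.lower(), r.rtype, r.rdata)))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big") % _N


def sign_rrset(answers: List[RR]) -> int:
    return pow(rrset_digest(answers), _D, _N)


def verify_rrset(answers: List[RR], sig: Optional[int]) -> bool:
    return sig is not None and pow(sig, _E, _N) == rrset_digest(answers)


# --- Resolver-side checks
def matches_query(q: Query, r: Response) -> bool:
    """What every resolver checks (RFC 5452): transaction ID, destination port
    and question must match the outstanding query. A blind attacker has to
    guess the 16-bit ID and, if source ports are randomised, the port too."""
    return (r.txid == q.txid and r.dst_port == q.src_port
            and r.qname.lower() == q.qname.lower() and r.qtype == q.qtype)


def in_bailiwick(zone: str, rr: RR) -> bool:
    """Cache only records the answering zone is authoritative for, so an answer
    about example.com cannot slip in an address for bank.example."""
    n = rr.name.lower().rstrip(".")
    return n == zone or n.endswith("." + zone)


def accept(q: Query, r: Response, zone: str, validate: bool) -> List[RR]:
    """Records a resolver would cache from `r`, or [] when it is rejected.
    Simplification: only the answer RRset is signed here."""
    if not matches_query(q, r):
        return []
    if validate and not verify_rrset(r.answers, r.sig):
        return []
    return [rr for rr in r.answers + r.additional if in_bailiwick(zone, rr)]


def demo() -> dict:
    zone = "example.com"
    q = Query(txid=0x1A2B, src_port=53211, qname="www.example.com")
    real = [RR("www.example.com", "A", "203.0.113.10")]
    genuine = Response(q.txid, q.src_port, q.qname, "A", real, sig=sign_rrset(real))
    forged = [RR("www.example.com", "A", "198.51.100.66")]
    # Attacker guessed the ID but not the port: dropped on arrival.
    wrong_port = Response(q.txid, 53212, q.qname, "A", forged)
    # Attacker guessed both and piggybacks a record for another zone in the
    # additional section. With no private key, the "signature" is a guess.
    lucky = Response(q.txid, q.src_port, q.qname, "A", forged,
                     additional=[RR("bank.example", "A", "198.51.100.66")], sig=12345)
    return {
        "genuine_plain": accept(q, genuine, zone, validate=False),
        "genuine_validated": accept(q, genuine, zone, validate=True),
        "wrong_port": accept(q, wrong_port, zone, validate=False),
        "lucky_plain": accept(q, lucky, zone, validate=False),      # poisoned
        "lucky_validated": accept(q, lucky, zone, validate=True),   # rejected
    }


if __name__ == "__main__":
    for case, cached in demo().items():
        print(f"{case:18} -> {cached}")
```

The lucky_plain case is the whole argument: once an off-path attacker has guessed the transaction ID and the source port, a resolver without DNSSEC has no way to tell the forged www.example.com record from the real one; bailiwick rules only drop the smuggled bank.example record. With validation turned on, the forged record fails the signature check and nothing from that response is cached.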
It’s our unwillingness to do complicated things and to see the big picture that keeps us at risk, he says. “Do you want to know why the world doesn't get better, why we continue to live with corruption in our governments or malfeasance in our financial institutions?” he asks. “It's because there are too many problems for people to be bothered by and [they] really just want to live their lives.”
Regardless of what comes next, Vixie plans to keep working to make the internet safer. “I've only got... some number of days of my life remaining to me, and I'm not gonna spend any of them in a way that does not also move the needle on human history,” he said during one of his talks.
The fight to protect the internet often seems futile and exhausting. That’s why it helps to take a break from work every now and then. The train rolling through West Denmark is slowing down. In a short while, Vixie will arrive at his destination to pick up his motorcycle.