Home / Industry

Preventing Your DNS Account from Being Hacked

Recent years have brought a plague of attacks targeting your ability to do business online. Whether in the form of distributed denial of service attack (DDoS), spam, phishing, or Facebook and Twitter scams. Likely the most disturbing issue for e-commerce organizations has been the growing prevalence of DDoS attacks waged to interrupt their business, or worse, to extort money. 2010 has inaugurated a new type of attack, wearing an old disguise — hijacking your managed DNS by compromising your e-mail account.

We have known that e-mail addresses have been vulnerable for years. Those of us in the technical industry especially cringe every time your company rolls out a new Web application using an "I forgot my password" feature. But you accept it anyway because you know your users won't remember their password.

It hurts when that exploit happens to you.

With cloud based e-mail services, access to your e-mail address can be more easily intercepted than behind a corporate firewall. The ability to then also send a "forgot password" request to that same compromised email address adds pain to misery when you have been attacked.

This is exactly what happened to Twitter and Baidu when their DNS was compromised and switched to point to a group claiming themselves as the "Iranian Cyber Army."

DNS services are frequently outsourced because most organizations don't have the expertise to manage their own DNS, nor the capital to invest in the infrastructure required to provide global resiliency and fast resolution at the same time as withstand 40 GB+ size DDoS attacks daily. The key is for you to know who you can trust to protect yourself from being hijacked and guarantee that your DNS stays up 100% of the time.

For our own customers' piece of mind, Afilias has built a number of protections into our managed DNS service. We think these are the minimum criteria that managed DNS organizations should follow when a Web portal is used to manage your DNS settings.

Restrict access

You should restrict access to your DNS Web portal by IP address. While this might limit usability if a staff member is traveling, it ensures that if your e-mail account is compromised that the attacker cannot log-in from an IP address that is not already specified on your account.

Vary user permissions

You should vary the types of permissions allowed to users in the system. That means that not every account should have read and write access. This lowers the probability that, if attackers are able to compromise your e-mail and get your password for your DNS account, that they will have the ability to actually change something.

Afilias allows you to set user groups, to easily set user restrictions to multiple users at a time.

Also ensuring you have more than one account with access to make changes ensures that someone can correct a problem or suspend a compromised account quickly.

Out of band security alerts

E-mail alerts are great, but not if the e-mail account they are sent to is compromised. We offer a unique feature where you can also require an SMS token for password resets. This sends a unique code to your mobile phone that must be used in conjunction with the password reset link you get in your e-mail.

In this case you have the convenience of resetting your password if you forget it, but a attacker would also have to compromise your mobile phone to be able to get into your managed DNS account.

Lock-outs to stop script attacks

Some attackers just want to brute force script an attack to guess your password. A best practice standard is to deploy lock-outs for failed login and password reset attempts. Afilias sets its threshold fairly low at just 6 attempts.

If you lock yourself out, you always have phone support to reset your password — better safe than sorry!

Written by John L. Kane, Vice President, Corporate Services at Afilias.

About Afilias

Afilias

Afilias is the world's second largest domain registry, with more than 20 million names under management. Afilias powers a greater variety of top-level domains than any other provider, and will soon support hundreds of new TLDs now preparing for launch. Afilias' specialized technology makes Internet addresses more accessible and useful through a wide range of applications, including Internet domain registry services, Managed DNS and mobile Web services like goMobi® and DeviceAtlas®. (Learn More)

Related topics: Cyberattack, Cybercrime, DDoS, DNS, Email, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

Non-English "IDN Email" Addresses Are Finally Working!

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Dyn Acquires Managed DNS Provider Nettica

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Sponsored Topics