A Survey of DNS Security: Most Vulnerable and Valuable Assets

The following provides and introduction to a study by Venugopalan Ramasubramanian and Emin Gun Sirer, called "Perils of Transitive Trust in the Domain Name System". The paper presents results from a large scale survey of DNS, illustrating how complex and subtle dependencies between names and nameservers lead to a highly insecure naming system... "It is well-known that nameservers in the Domain Name System are vulnerable to a wide range of attacks. We recently performed a large scale survey to answer some basic questions about the legacy DNS." more»

Worm Propagation Strategies in an Ipv6 Internet

A recent paper called "Worm Propagation Strategies in an IPv6 Internet", written by Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick, examines whether or not the deployment of IPv6 will in fact provide a substantial level of barrier against worms. Shared below are the introductory paragraphs from this paper. "In recent years, the internet has been plagued by a number of worms. One popular mechanism that worms use to detect vulnerable targets is random IP address-space probing..." more»

Phishing: Competing on Security

The UK today is one of the main attack targets by phishing organized crime groups, globally. Phishing damages will amount to about two billions USD in 2006 worldwide -- not counting risk management measures such as preventative measures, counter-measures, incident response and PR damages. In most cases, phishing is caused by the fault of the users, either by entering the wrong web page, not keeping their computers secure or falling for cheap scams. Often this is due to lack of awareness or ability in the realm of Internet use rather than incompetence by the users... more»

Behind the Smoke Screen of Internet and International Infrastructure

In my recent write-up I start by discussing some recent threats network operators should be aware of, such as recursive DNS attacks. Then, a bit on the state of the Internet, cooperation across different fields and how these latest threats with DDoS also relate to worms and bots, as well as spam, phishing and the immense ROI organized crime sees. I try and bring some suggestions on what can be done better, and where we as a community, as well as specifically where us, the "secret hand-shake clubs" of Internet security fail and succeed. Over-secrecy, lack of cooperation, lack of public information, and not being secret enough about what really matters. more»

Internet Attacks Against Georgian Websites

In the last days, news and government web sites in Georgia suffered DDoS attacks. While these attacks seem to affect the Georgian Internet, it is still there... Up to the Estonian war, such attacks would be called "hacker enthusiast attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a political nature seems to get the "information warfare" tag. When 300 Lithuanian web sites were defaced last month, "cyber war" was the buzzword. Running security for the Israeli government Internet operation and later the Israeli government CERT such attacks were routine... more»

Ready or Not… Here Come the IRC-Controlled SIP/VoIP Attack Bots and Botnets!

A story... ZZZ Telemarketing (not a real name) is locked in a heated fight with their bitter rival, YYY Telemarketing (also not a real name), to win a very large lead generation contract with Customer X. Customer X has decided to run a test pitting the two companies against each other for a week to see who can generate the most leads. The ZZZ CEO has said to his staff that it is "do or die" for the company. If they fail to win the contract, they will have to shut down -- they need to do "whatever it takes" to win over YYY. A ZZZ staffer discovers that part of why YYY has consistently underbid them is because they are using SIP trunks to reduce their PSTN connection costs. But the staffer also discovers that YYY is using very cheap voice service providers who run over the public Internet with no security... more»

Defending Networks Against DNS Rebinding Attacks

DNS rebinding attacks are real and can be carried out in the real world. They can penetrate through browsers, Java, Flash, Adobe and can have serious implications for Web 2.0-type applications that pack more code and action onto the client. Such an attack can convert browsers into open network proxies and get around firewalls to access internal documents and services. It requires less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers. Everyone is at risk and relying on network firewalls is simply not enough. In a paper released by Stanford Security Lab, "Protecting Browsers from DNS Rebinding Attacks," authors Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh provide ample detail about the nature of this attack as well as strong defenses that can be put in place in order to help protect modern browsers. more»

Turkish Hacker Group Strikes Again, This Time Victims are ICANN and IANA

The same Turkish Hacking Group, NetDevilz, responsible for the hacking and defacement of the popular photo sharing site, Photobucket, has been reported to have briefly succeeded in accessing ICANN and IANA domain names yesterday, June 26, 2008, and redirecting them to a page containing the message: "You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"... more»

Discussion at the Internet Governance Forum in Geneva

While travelling home from Geneva, I was thinking quite a lot on the relationship between a ccTLD (registry) and a Country. This is because many countries are starting to talk louder and louder about the responsibilities Countries have on critical infrastructure, or (possibly more important) the management of the critical infrastructure. Will for example any (none?) of ccTLD operators (servers) sustain a denial of service attack of a scale similar to the attack on the root servers? What can ccTLD operators do to resist the malicious attacks? Should this be discussed? more»

Hackers Spreading Malicious Code Using Typosquatted Domains

Finjan Inc., a web security company, has released reports today on hackers and cyber-criminals using typosquatted domain names to infect visitors to legitimate websites and increase the lifecycle of cyber-attacks. Leveraging the similarity to legitimate and frequently used domain names is successfully enabling these attackers to go unnoticed by webmasters and security solution providers. more»

New Report Warns Against "DNS Forgery Pharming" on BIND 9

In a recent report released by Trusteer, security researcher Amit Klein has cracked BIND's random number generator and demonstrated a new attack affecting most Internet users. In this "DNS Forgery Pharming" attack fraudsters can remotely force consumers to visit fraudulent websites without compromising any computer or network device. more»

DNS Attack Code Has Been Published

As warned by Dan Kaminsky, Paul Vixie, and numerous other experts experts, it was just a matter of time before an exploit code for the now public DNS flaw would surface. An exploit code for the flaw allowing insertion of malicious DNS records into the cache of target nameservers has been posted to Metasploit, a free provider of information and tools on exploit techniques. According to reports Metasploit creator, H D Moore in collaboration with a researcher named "|)ruid" from Computer Academic Underground, created the exploit, dubbed "DNS BaliWicked Attack", along with a DNS service created to assist with the exploit. more»

Mitigating Spoofed Attacks Using IPv6 Address Space

Timothy D. Morgan's recent paper titled, "IPv6 Address Cookies", seeks to apply the fundamental shift in resource availability brought about by the vastly increased Internet address space in IPv6 to develop a novel, lower cost solution to mitigating spoofed attacks. "Spoofed denial of service attacks have plagued the Internet for a number of years, and show no signs of abating. Research into mitigation techniques has apparently not led to a financially viable solution, and new attacks have been discovered in the wild without being widely anticipated". The following provides an introduction to this paper. more»

VoIP/IP Telephony in Estonia: Disrupted by Botnets?

With my post earlier this month about the possibility of SIP botnets [also featured here on CircleID], I've had a number of people asking about more information and wondering about the possible impacts. And while I will write more on botnets in general, as far as the potential impact of "botnets" in general, one need only look over at the current situation in Estonia... Now, perhaps Russia is behind the attack... perhaps not. There are obviously much larger political issues going on between the two states. more»

Anycast Technology Effectiveness in Recent DNS Attack

During the attack, which lasted almost eight hours, six of the 13 root servers that form the foundation of the Internet's DNS were targeted, ICANN said. However, only two were noticeably affected. These two did not have Anycast installed because the technology was still being tested, ICANN said.

"With the Anycast technology apparently proven, it is likely that the remaining roots--D, E, G, H and L--will move over soon," ICANN said. The letters refer to the five of the 13 official root DNS servers that do not yet have Anycast installed. more»