Security Review: Network Solutions’ Worldnic Domain Name Hosting Service

By Ryan McElroy at 6:29 pm on January 30, 2009

Network Solutions runs one of the largest domain registrars and DNS hosting providers in the world. It currently hosts more than 7.5 million domain names, including many of the most popular web sites on the Internet. The domain name servers hosted at Worldnic translate URLs into IP addresses, so if these servers are not operational, an otherwise functioning web site is effectively down.

With billions of dollars being shifted from retail to e-commerce every year, web site up-time has become mission-critical to many companies. Any sort of web site failure for even extremely small periods of time can directly affect a 21st century company’s bottom line. Network Solutions has the very important task of serving as the gateway between customers’ web browsers and companies’ web sites. As the man in the middle, they are a very clear target for attackers. A malicious user has a clear path to disrupt service without ever having to attack a customer or the company itself. This scenario makes top-level security imperative to Network Solutions and Worldnic. A single successful attack could disrupt millions of transactions across millions of web sites.

Assets/Security Goals

In the case of Worldnic, the security goals are more directly quantifiable than the assets. The company provides a service, and its assets are the ability to provide that service at all times and to provide that service accurately.

  • The primary security goal of Worldnic is to keep attackers from disrupting their service. As mentioned in the summary, companies depend on a level of ‘9’s of up-time (e.g., 99.999%) for their websites. Even if these companies’ websites are functional this percentage of the time, Worldnic is responsible for providing at least this level of name-resolution service. To the user, down time due to name-resolution failure is no different than down time due to bugs or other functionality errors.
  • A close second security goal is to maintain the integrity of the name resolution database. The pair-wise relationship of domain names and IP addresses is not secret and is not a direct asset to protect. The integrity of this mapping, however, is a serious asset, and protecting it is a huge security goal. If some of these mappings were changed, a legitimate domain name could be mapped to an evil website that attacked visitors.
  • A major asset that lies in the hands of Worldnic is their customers’ good names. Companies spend millions of dollars on marketing and branding. They also spend a large amount of time and energy protecting their names in the form of trademarks and copyrights. If Worldnic were compromised and a company’s URL were mapped to an evil website that attacked or slandered users, slandered other companies, or was otherwise offensive or objectionable, it is often impossible to dissociate the incident from the company in consumers’ minds, even after the problem has been resolved. Oftentimes no amount of explanation is good enough if a customer was thoroughly put off, and incidents to this extent could cost the victim company a customer for life.

Potential Adversaries/Threats

Most of the potential threats involve disabling Worldnic’s service or altering it somehow. Threats involving the theft of information are much less of a concern in this business model.

  • A potential adversary could be a rival company. In the cutthroat world of business it is not unthinkable for a rogue company to try to sabotage another. The threats these adversaries pose include disabling the DNS service for a particular company or group of companies, or changing their translations to route to websites that harm the victim company’s image or reputation.
  • Another potential adversary could be a computer hacker seeking fame or some other personal satisfaction. Because of the widespread impact a successful attack would have across the Internet, there is a lot of motivation to attack this service. The threats these adversaries pose are service disruption or changing translations to point to websites with malicious code.
  • A third potential adversary could be an attacker looking to steal money or personal information. This type of attacker would not pose the threat of disrupting service, but would be focusing on changing domain name resolutions to point to web sites under their control. From here they could use phishing techniques to steal unsuspecting users’ passwords or private information, or to lure them into paying for items sold off of the real websites.

Potential Weaknesses

There are already several known attacks against DNS servers.

  • The DNS cache poisoning attack proposed by security researcher Dan Kaminsky. Kaminsky’s attack involves sending specially crafted packets to DNS servers to trick them into improperly changing the name-to-IP binding discussed above, violating the fundamental trust and purpose of the domain name system. This attack can take place in as little as 10 seconds. Servers that have a patch applied to combat the problem fare better, but are still susceptible to a high-bandwidth attack, failing in as little as 10 hours.
  • A Distributed Denial-of-Service (DDoS) attack to prevent domain names from resolving for most legitimate users, as took place recently against Network Solutions. Modern widely-distributed malware (such as the Storm bot net) can easily mount crippling attacks against the DNS infrastructure of a particular company, effectively bringing down the web sites of their customers.
  • A combination of modern MD5 collisions and DNS cache poisoning exploits could even be used to transparently hijack an entire SSL-secured site, such as an online banking site or e-commerce site. By faking a certificate authority through an MD5 collision attack and changing the DNS entries, an attacker could lead users to believe everything is “on the level” when visiting their online bank, even if each user was careful to check certificates and other indications of security. Quite simply, a combined attack like this could be indistinguishable from the real site, except that passwords and account information would be stolen.

Potential Defenses

There are already several proposed defenses for protecting against DNS cache poisoning attacks. Protecting against denial-of-service attacks may be more difficult, however, because it is hard to tell legitimate queries from queries that are part of an attack, and denying legitimate queries is just as bad as failing due to being swamped by an attacker.

  • To protect against DNS poisoning, DNS servers can apply a patch that randomizes the ports they use, making attacking the server much more difficult. However, servers are still vulnerable to a motivated attacker in as little as a matter of hours, so attacks must be recognized early and shut down using other methods to prevent poisoning.
  • Clients and servers could switch to the DNSSEC protocol. However, DNSSEC has been around for a while and has not seen widespread adoption due to backwards-compatibility issues and issues of compatibility among a large and diverse set of distributed clients and servers (including many operating systems and DNS server implementations).
  • A new domain name resolution protocol could be developed from the ground up with a focus on security and usability. However, based on the lackluster adoption of IPv6 and DNSSEC, it may take a major security incident to sufficiently motivate enough parties on the Internet to achieve the critical mass necessary for the transition to another system.
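
One way to recognize an attack early, as the first defense above calls for, is to watch a resolver for bursts of responses that match no outstanding query. This is an added example, not code from the original review; the log format, the threshold and the window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed resolver log (hypothetical format, not from any real server):
# time  Q|R  remote_ip  local_port  txid  qname
SAMPLE_LOG = """\
0.000 Q 192.0.2.53 33001 0x1a2b www.example.com
0.004 R 192.0.2.53 33001 0x0001 www.example.com
0.005 R 192.0.2.53 33001 0x0002 www.example.com
0.006 R 192.0.2.53 40000 0x1a2b www.example.com
0.007 R 192.0.2.53 33001 0x0003 www.example.com
0.020 R 192.0.2.53 33001 0x1a2b www.example.com
5.000 Q 198.51.100.7 41877 0x77aa mail.example.org
5.030 R 198.51.100.7 41877 0x77aa mail.example.org
"""

def zone_of(qname):
    """Simplification (assumption): treat the last two labels as the zone."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def detect_poisoning(log_text, threshold=3, window=1.0):
    """Return [(time, zone, count)] alerts for bursts of unmatched responses."""
    outstanding = set()              # queries still awaiting an answer
    recent = defaultdict(deque)      # zone -> times of unmatched responses
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, port, txid, qname = line.split()
        ts, key = float(ts), (ip, int(port), int(txid, 16), qname.lower())
        if kind == "Q":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)  # address, port, TXID and name all match
        else:
            zone = zone_of(qname)
            times = recent[zone]
            times.append(ts)
            while times and ts - times[0] > window:
                times.popleft()       # slide the window forward
            if len(times) >= threshold and zone not in alerted:
                alerted.add(zone)
                alerts.append((ts, zone, len(times)))
    return alerts

if __name__ == "__main__":
    for ts, zone, n in detect_poisoning(SAMPLE_LOG):
        print(f"t={ts:.3f}s zone={zone}: {n} unmatched responses, possible poisoning attempt")
```

A response counts as legitimate only when the remote address, the local port, the transaction ID and the query name all match a pending query, so the check covers both the transaction ID and the randomized port that the patch adds.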

Risks

  • Brand name degradation via denial of service attacks
  • Uptime targets for mission-critical services missed by no fault of the service provider
  • Sophisticated phishing attacks using DNS cache poisoning and MD5 collisions
  • A fundamental building block of the Internet is fundamentally flawed and susceptible to a variety of attacks

Conclusion

DNS cache poisoning attacks and Distributed Denial-of-Service attacks against DNS servers such as Network Solutions’ Worldnic pose some fairly major security vulnerabilities, but so far little has been done to address these issues. Fortunately, there have not yet been widespread attacks against the Internet’s DNS infrastructure; nevertheless, the risk remains, and as time goes on and attacks become more sophisticated, the chances of an attack will only increase.

A collaboration with Vince Zanella
