Print
Discuss
Send to friend
RSS feedsServers that administer the internet could be easy pickings for hackers because some DNS (domain name system) server administrators are not updating the Bind (Berkeley Internet Name Domain) software that directs traffic around the web.
DNS servers locate internet domain names and translate them into IP addresses. The Internet Corporation for Assigned Names and Numbers (Icann) handles the top level A class root server that controls .com, .net and .org domain names. Servers that deal with lower-level domain names are administered locally and are usually located at ISPs' websites. The administrator for all .uk domains is Nominet.
DeMorgan Security, which conducted a study of DNS servers, believes the system is insecure because up to 75 per cent of DNS servers worldwide are not running software that complies with IETF (Internet Engineering Task Force) recommended security guidelines.
Only last November, the IETF released an advisory that identified six security holes in Bind. It recommended that all DNS administrators install a Bind upgrade to 8.2.2-P3 "to correct the known security problems". But according to Craig Wright, DeMorgan's chief information officer, as few as 25 per cent of DNS servers run recommended versions of software that include security fixes.
Security holes
Wright said that the security flaws constituted "a major issue. By doing something as simple as a DoS [denial of service] attack on the A root server and spoofing its address, one could modify any record on the internet".
He pointed out that the vulnerabilities had already been exposed in 1998 when Eugene Kashpureff, of Internic copycat vendor Alternic, hacked the A class Internic DNS server and redirected all .com, .net and .org pages to his own site. Internic is Icann's database containing domain names.
Neil Barrett, technical director of security analyst Information Risk Management (IRS), said the vulnerabilities could be used to exploit a "cache poisoning" technique that would enable "any traffic on the internet backbone to be re-routed". The technique could be used to "effectively switch off a country", he claimed.
DNS server administrators often neglect to update their Bind software or apply security patches because the servers are always running, Barrett added. "The top-level DNS servers have been running since universities governed the internet and are never taken offline, so applying patches is problematic," he explained.
However, Gartner analyst John Pescatore said that many newly patched versions of Bind introduce new problems, "so DNS administrators were often reluctant to upgrade quickly - and many never did".
He added that many DNS servers are running vulnerable versions of Bind and have other security vulnerabilities, both technical and procedural. This means that at least one third of DNS servers are vulnerable to a low-level attack.
Administrative negligence
The DeMorgan study indicated that the main problems stem from administrative negligence. "DNS servers are usually ignored," said Wright. "A lot of effort is placed on the security of one or two web servers, but not much goes to maintaining the DNS."
Lower-level DNS servers, which route traffic to local domains, are usually hosted by local ISPs, he explained, "but most of these ISPs do not offer a security clause in any SLAs [service-level agreements] that they offer".
IRS' Barrett said: "ISPs will take no responsibility for DNS servers. It's very common to leave security clauses out of SLAs." A spokesman for domain name registrar Network Solutions said he is aware that domain name servers are vulnerable to attacks through Bind.
Barrett added that Icann's top-level root server A is also not running the most current version of Bind, but that it does include all the latest security patches. However, he said his company would only upgrade to a more recent version of Bind when testing has been carried out which guarantees the software's stability.
"Network Solutions has too much riding on the operations of the registry unit. We only put in patches once extensive tests prove the software is stable," he said.
From bad to worse
But Wright said the results of the study presented administrators with a grave warning. "If people don't start taking security seriously, things are going to get one hell of a lot worse than they are at the moment. If you don't care about the security of your own site, don't bother even thinking about hosting anyone else's site," he said.
Gartner's Pescatore added: "The DNS infrastructure will continue to be vulnerable to DoS and other attacks until a more secure underpinning is in place. [Security guideline] Internet RFC 2535 lays out security extensions to DNS mechanisms that will provide the increased security needed to make the internet business-strength."
Icann was unavailable for comment, but has previously acknowledged that there are problems with DNS software, although it claims that DNS root servers are safe. "At the root level, security is very robust," said an Icann spokesman. But he added: "This is a hierarchical system and there are leaves on the tree that are running Bind version 4 in some out of the way places. A decentralised system is not always up to the highest standard across the board."
Geoff Sissons, head of technical services at Nominet, the company responsible for the root servers running all domains ending in .uk, reassured users that all of its DNS servers are running the latest version of the Bind software, however, and that all of the relevant security patches have already applied.
del.icio.us
Digg this
reddit!
