Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecHas your domain been hijacked lately?
It happens more than you hear about. Just lately, many companies have suffered
through the surprise, and frustration of having their web and e-mail servers sitting idly
by, while all of the internet traffic intended for their network, ends up elsewhere. This
s.
ht
is known as domain hijacking. And companies such as Microsoft, Adobe, Nike,
Yahoo, and RSA Security, to just name a few, have all suffered through the agony of
rig
having their domains hijacked.
ull
DNS Basics
f
ns
To understand domain hijacking, first we must understand the basics of DNS.1 DNS
Key fingerprint
(Domain Name =Service),
AF19 FA27 2F94 998Ddatabase
is a distributed FDB5 DE3D F8B5domain
that maps 06E4 A169 4E46
names, or host
tai
names to IP addresses. This is much better than the old way of entering all hosts and
re
IP addresses into a locally stored hosts table manually. Dennis Fisher points out in his
article in eWeek February 5th, 2001 titled, “DNS proves to be weak link in Internet
or
Chain,”2 “That more than 80% of the DNS servers on the internet use BIND (Berkley
th
Internet Name Domain) open source software, to handle the DNS databases, and
Au
queries.” Unfortunately, BIND was not real secure in its early releases, but with BIND
v9 most of the major vulnerabilities have been corrected.
2,
00
DNS uses a hierarchical inverted tree structure, with a root node and seven subdomain
nodes below. These subdomain nodes, which are domains themselves, are the top-
-2
level domains and are controlled by ICANN, the Internet Corporation for Assigned
Names and Numbers (ICANN) is a non-profit, international corporation that was
00
formed in September 1998 to take over global responsibility for Internet Protocol (IP)
20
address space allocation, protocol parameter assignment, Domain Name System (DNS)
management, and root server system management functions. These services were
te
previously performed under U.S. Government contract by the Internet Assigned
tu
Numbers Authority (IANA) and other entities. IANA is now a part of ICANN.
sti
Network Solutions Inc. (NSI), is one of the more popular accredited Internet Domain
Name registrar’s under ICANN.
In
NS
SA
©
The 7 top level domains are: .com (commercial), .edu (education), .gov (US
governmental), .int (international), .mil (military), .net (network providers e.g. ISP’s),
Key fingerprint
and .org = AF19 FA27
(organizations).3
Then2F94
there998D FDB5 DE3Dthat
are subdomains F8B5 06E4off
branch A169
from4E46
the parent
domain, e.g. sans.org, or hhs.gov.
Mich ael_P atri ck_ GSEC.doc 1
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.When a host tries to go to a site on the internet, it needs to resolve a URL (Universal
Resources Locator), e.g. http://www.sans.org, it first queries its local host file, and then
will ask the DNS server for help. If the local DNS server has this information, it will
return the IP address to the requesting host, e.g. 167.216.133.33. If the local DNS
server does not know, it will issue a recursive query, which will search the tree of DNS
s.
servers until it finds an authoritative DNS server that has this information.1 Once the
ht
host gets the IP address of the URL, it contacts that host directly by IP address.
rig
Domain Hijacking
ull
Domain hijacking is when incorrect IP addresses get entered into the DNS database,
f
thereby pointing traffic destined for one domain to any domain the hacker chooses.
ns
Therefingerprint
Key are several techniques
= AF19 FA27used
2F94to998D
hijackFDB5
domains.
DE3D F8B5 06E4 A169 4E46
tai
re
1. DNS Spoofing: There is the technique of fooling the DNS server by spoofing
the DNS responses, and making the DNS server “think” it is talking to a trusted
or
server. For example, the spoofing host will then send a command to change the
th
IP address of www.sans.org to www.hackers.net in the DNS server’s local
database. Because it has fooled the DNS server into believing it is a trusted
Au
host, the DNS server allows this update. Now, all traffic that queries this DNS
server destined for www.sans.org, will get redirected to www.hackers.net.
2,
00
2. Cache Poisoning: Is another technique used to hijack DNS information. DNS
-2
servers cache all local zone files, and information for all zones the DNS server
is authoritative for, and also the history of all recursive queries it’s done. The
00
time it holds this information in cache is called the Time To Live, or TTL. It
20
caches this data to help speed up the time it takes the DNS server to respond to
a query. The cache gets poisoned when the DNS server gets an incorrect
te
mapping with a high TTL, which allows it to first change the “real” IP address
tu
it holds in cache, with a false IP address, and then give out that incorrect
information.
sti
In
3. E-mail Spoofing: Is another very successful technique used to hijack DNS
information. DNS names are registered with ICANN, and these transactions
NS
are usually done via e-mail. The authentication of the request is usually
verified by the return mail address. If that return address is spoofed, and it is
SA
confirmed, then the update occurs, causing incorrect IP address information to
get stored into the root DNS servers. It is confirmed by sending a confirmation
©
e-mail out to the return address. This e-mail is hijacked by the intruder, who
then floods the correct e-mail address to hide this change.4,5,6
4. Hack the DNS server: Make sure your DNS server is well protected, because
another =
Key fingerprint way to hijack
AF19 FA27 a2F94
domain
998Dis to hackDE3D
FDB5 into the DNS06E4
F8B5 server itself
A169 and make
4E46
the changes directly. This can also be accomplished by getting direct physical
access to the DNS server.
Mich ael_P atri ck_ GSEC.doc 2
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.5. Human Error: There is always the honest mistake of an administrator entering
the information into the DNS servers incorrectly.
s.
Case-in-Point
ht
rig
• As mentioned earlier, there have recently been several high profile companies
that have had their domains hijacked. Most notably is the case of Microsoft.
ull
This after the embarrassment of the recent security breach of the Microsoft
network, causing the potential loss of some of their source code. And
f
ns
Microsoft has now suffered through more problems with users having a
difficult=time
Key fingerprint AF19trying
FA27to 2F94
access998D
theirFDB5
network.
DE3DAccording to anA169
F8B5 06E4 article by Charles
4E46
tai
Babcock, from Interactive Week, titled “Microsoft Repels More Attacks,”7
re
Charles says their problems started Wednesday January 24, 2001, “when a
technician erroneously updated Microsoft’s Domain Name Service servers in a
or
move that prevented users from accessing the www.microsoft.com, and
th
www.msn.com sites, for approximately 22.5 hours.” And again on January 29,
2001, Microsoft had web, and e-mail servers sitting idly by. According to
Au
Microsoft CIO Rick Devenuti, “Someone attempted to block legitimate access
to our Web properties by flooding our network routers with large volumes of
2,
bogus requests.” Charles Babcock then goes on to say, “This attack was the
00
first of its kind, however, to bring down Web sites by targeting, not the Web
-2
servers, but the routers sitting in front of them.” Michael Warfield, a senior
researcher for the X-Force anti-virus team at Internet Security Systems said,
00
“Microsoft was vulnerable to such an attack because it had positioned a set of
20
routers serving its entire site on one network segment. The technician’s
mistake illustrated to the world that Microsoft had inadvertently created “a
te
single point of failure”, and someone found “a big, juicy target” too tempting to
tu
resist.”
sti
• Another of the high profile cases involved Nike Corporation. In the article
In
“Nike Blames NSI for site hijacking,”8 Ann Harrison points out “that the
hijacking of Nike’s Web site sparked an international argument over whether
NS
the footwear company or Internet domain-name registrar NSI, should bear
SA
responsibility for the temporary theft of Nike.com. The Nike hijack occurred
June 21, 2000 when a group calling itself S-11 redirected traffic from Nike.com
to servers at a Scotland-based Web-hosting company in a slap at both Nike and
©
the World Economic Forum. Greg Lloyd Smith, director of FirstNET Online in
Edinburgh, Scotland, said, “The wayward Nike traffic swamped his company’s
Web servers and impaired service to its real customers.” After unsuccessfully
trying to bill Nike for use of his servers, Smith said he’s preparing to sue the
Key fingerprint
company, = AF19 FA27 2F94
for allegedly 998D FDB5
neglecting DE3D
to secure F8B5 06E4
its Internet A169Nike,
domain. 4E46in turn,
said the responsibility lies with NSI. “Changes to Nike’s domain status are
supposed to be made only via NSI’s encrypted and password-protected security
system,” said Nike spokeswoman Corby Casler. “But NSI used a spoofed piece
Mich ael_P atri ck_ GSEC.doc 3
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.of e-mail from the S-11 group as authorization to change Nike’s registry
information without requiring a password,” she says. The impact on Nike
product sales made through Nike.com was minimal during the hijacking, which
lasted from six to 24 hours.”
s.
• Adobe.com is another of the recent hijacking cases. In the article “Adobe.com
ht
Falls Prey to Domain Hijacker,”9 Brian McWilliams says: “An attacker
rig
hijacked Adobe.com from its owner, Adobe Systems Inc., disrupting the big
software firm’s Web servers and e-mail service. Adobe Systems Vice President
ull
of Information Systems Gerrard Rutter confirmed that an as-yet unidentified
attacker was able to perform an unauthorized modification of the domain record
f
ns
for adobe.com. The attacker apparently tricked Network Solutions Inc. into
transferring
Key fingerprint the domain
= AF19 record
FA27 2F94 for FDB5
998D adobe.com
DE3D toF8B5
Paycenter,
06E4 an ICANN-
A169 4E46
tai
accredited registrar in China. Besides altering the domain’s contact
re
information, the name servers for the address were also modified. The DNS
changes caused connections to www.adobe.comto bring up Paycenter’s
or
homepage. In addition, Rutter said “Adobe employees were unable to receive
th
e-mail from outside the corporate network for most of the day.””
•
Au
RSA Security was another victim of Domain hijacking. In the article
“Something Old, Something New: DNS Hijacking,”10 Mark Joseph Edwards
2,
says: “In the case of RSA Security’s Web site hijack, someone diverted traffic
00
to a fake Web page after gaining access to an upstream DNS server out of RSA
-2
Security’s direct control. The intruder accessed the DNS server and
temporarily modified its DNS records so those queries destined for RSA
00
Security’s Web site would divert to the fake RSA Security Web Site. It’s that
20
simple. People thought they had landed on the real RSA Security site when, in
fact, they simply landed on a spoofed sited at another IP address.”
te
tu
Summary
sti
These are but just a few of the higher profile documented cases of DNS hijacking. In
In
light of the seemingly simple techniques hackers have used to carry out their evil ways,
there are a few things out there that are going to make their lives a little tougher. In the
NS
article “Registrar Examines Domain Hijacking Defenses,”6 by Steven Bonisteel, he
SA
points out: “There are three ways to request a change through NSI. Simple e-mail,
where the only verification is the “mail-from” address, the second technique uses an
encrypted password, or the third way is to use PGP, with a public/private key
©
encryption.”
One more of the emerging technologies to help in this area is DNSSec. In the article
“DNS security upgrade promises a safer Net,”11 by Carolyn Duffy Marsan, she talks in
depth about: “The new security mechanism, dubbed DNSSec, plugs a hole in the
Key fingerprint
Internet’s Domain= AF19
NameFA27 2F94
System 998D
that FDB5
hackers DE3D
have F8B5 to
exploited 06E4 A169
spoof Web4E46
sites.
DNSSec prevents these attacks by allowing Web sites to verify their domain names and
corresponding IP addresses using digital signatures and public-key encryption.
DNSSec is included in BIND v9.”
Mich ael_P atri ck_ GSEC.doc 4
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.So, in short, there are promising new technologies that will ultimately tighten up the
entire DNS structure to make it much more secure and reliable.
References
s.
1
Mockapetris, P. “Domain Names – Implementation and Specification.” RFC 1035
ht
November, 1987 URL: http://www.ietf.org/rfc/rfc1035.txt?number=1035 (2/14/01)
rig
2
Fisher, Dennis “DNS proves to be weak link in Internet chain” Feb 5, 2001 URL:
ull
http://www.zdnet.com/eweek/stories/general/0,11011,2681845,00.html (2/14/01)
f
3
Postel J. “Domain Name System Structure and Delegation” RFC 1591 March, 1994
ns
URL: http://www.ietf.org/rfc/rfc1591.txt?number=1591
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 (2/14/01)
06E4 A169 4E46
tai
4
re
Seifried, Kurt “DNS spoofing/registering/etc” Dec 31 1999 URL:
http://archives.neohapsis.com/archives/bugtraq/1999-q4/0545.html (2/14/01)
or
5
th
Vision, Max “Internic Domain Hijacking - "It Happens"” February 10, 2000 URL:
http://www.whitehats.com/papers/internic/ (2/14/01)Au
6
Bonisteel, Steven “Registrar Examines Domain Hijacking Defenses” June 6, 2000
2,
URL: http://www.info-sec.com/internet/00/internet_060700a_j.shtml (2/14/01)
00
-2
7
Babcock, Charles “Microsoft Repels More Attacks” January 29, 2001 URL:
http://www.zdnet.com/filters/printerfriendly/0,6061,2679418-35.html (2/14/01)
00
8
20
Harrison, Ann “Nike blames NSI for site hijacking” July 4, 2000 URL:
http://www.cnn.com/2000/TECH/computing/07/04/nike.v.nsi.idg/index.html (2/14/01)
te
9
tu
McWilliams, Brian “Adobe.com Falls Prey to Domain Hijacker” October 19, 2000
URL: http://www.internetnews.com/wd-news/article/0,,10_489731,00.html (2/14/01)
sti
In
10
Edwards, Mark Joseph “Something Old, Something New: DNS Hijacking” Feb 16,
2000 URL: http://www.ntsecurity.net/Articles/Print.cfm?ArticleID=8170 (2/14/01)
NS
11
Marsan, Carolyn Duffy “DNS security upgrade promises a safer Net” Oct 17, 2000
SA
URL:
http://www.cnn.com/2000/T ECH/computing/10/17/dns.security.upgra de.idg/index.html
©
(2/14/01)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Mich ael_P atri ck_ GSEC.doc 5
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: April 4th, 2019
Upcoming Training
SANS London April 2019 London, United Apr 08, 2019 - Apr 13, 2019 Live Event
Kingdom
Blue Team Summit & Training 2019 Louisville, KY Apr 11, 2019 - Apr 18, 2019 Live Event
SANS Riyadh April 2019 Riyadh, Kingdom Of Apr 13, 2019 - Apr 18, 2019 Live Event
Saudi Arabia
SANS Seattle Spring 2019 Seattle, WA Apr 14, 2019 - Apr 19, 2019 Live Event
SANS Boston Spring 2019 Boston, MA Apr 14, 2019 - Apr 19, 2019 Live Event
SANS Northern Virginia- Alexandria 2019 Alexandria, VA Apr 23, 2019 - Apr 28, 2019 Live Event
Northern Virginia- Alexandria 2019 - SEC401: Security Alexandria, VA Apr 23, 2019 - Apr 28, 2019 vLive
Essentials Bootcamp Style
Community SANS Houston SEC401 Houston, TX Apr 29, 2019 - May 04, 2019 Community SANS
SANS Pen Test Austin 2019 Austin, TX Apr 29, 2019 - May 04, 2019 Live Event
Community SANS New York SEC401 New York, NY May 06, 2019 - May 11, 2019 Community SANS
SANS Security West 2019 San Diego, CA May 09, 2019 - May 16, 2019 Live Event
Community SANS Annapolis Junction SEC401 Annapolis Junction, MD May 13, 2019 - May 18, 2019 Community SANS
Community SANS Omaha SEC401 Omaha, NE May 13, 2019 - May 18, 2019 Community SANS
SANS Northern VA Spring- Reston 2019 Reston, VA May 19, 2019 - May 24, 2019 Live Event
SANS New Orleans 2019 New Orleans, LA May 19, 2019 - May 24, 2019 Live Event
Community SANS Cupertino SEC401 Cupertino, CA May 20, 2019 - May 25, 2019 Community SANS
SANS Autumn Sydney 2019 Sydney, Australia May 20, 2019 - May 25, 2019 Live Event
SANS San Antonio 2019 San Antonio, TX May 28, 2019 - Jun 02, 2019 Live Event
SANS Atlanta 2019 Atlanta, GA May 28, 2019 - Jun 02, 2019 Live Event
San Antonio 2019 - SEC401: Security Essentials Bootcamp Style San Antonio, TX May 28, 2019 - Jun 02, 2019 vLive
Mentor Session - SEC401 Austin, TX Jun 01, 2019 - Jun 29, 2019 Mentor
SANS London June 2019 London, United Jun 03, 2019 - Jun 08, 2019 Live Event
Kingdom
Mentor Session - SEC401 Tysons, VA Jun 08, 2019 - Jul 13, 2019 Mentor
SANS Kansas City 2019 Kansas City, MO Jun 10, 2019 - Jun 15, 2019 Live Event
Community SANS Tampa SEC401 Tampa, FL Jun 10, 2019 - Jun 15, 2019 Community SANS
SANSFIRE 2019 Washington, DC Jun 15, 2019 - Jun 22, 2019 Live Event
SANSFIRE 2019 - SEC401: Security Essentials Bootcamp Style Washington, DC Jun 17, 2019 - Jun 22, 2019 vLive
SANS Cyber Defence Canberra 2019 Canberra, Australia Jun 24, 2019 - Jul 13, 2019 Live Event
SANS Cyber Defence Japan 2019 Tokyo, Japan Jul 01, 2019 - Jul 13, 2019 Live Event
SANS Pittsburgh 2019 Pittsburgh, PA Jul 08, 2019 - Jul 13, 2019 Live Event
Community SANS Ottawa SEC401 Ottawa, ON Jul 08, 2019 - Jul 13, 2019 Community SANSYou can also read
