Security news that informs and inspires

ICANN Warns of ‘Ongoing and Significant’ Threat to DNS

By

An ongoing series of attacks on parts of the Internet’s core infrastructure have both government agencies and Internet governing bodies warning that the network is facing an imminent threat.

The Internet Corporation for Assigned Names and Numbers (ICANN), which coordinates the assignment and maintenance of namespace, has followed up a recent bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) with a warning of its own, saying that the campaign targeting DNS systems is a significant risk to the security and stability of the Internet. The ICANN warning cites a growing pattern of attacks using different techniques in order to hijack traffic through DNS modifications and compromises. The group advocates for the full deployment of DNSSEC as a mitigation against the attacks.

“Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use,” the ICANN advisory says.

“DNSSEC is a technology developed to protect against such changes by digitally 'signing' data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.”

The DNSSEC extensions are designed to implement a layer of security on top of the DNS system by providing authentication of responses from DNS servers. DNSSEC has been deployed in a variety of large networks and all of the major top-level domains (TLDs) have been signed and linked to the DNSSEC root. The system can help defend against some attacks on the DNS system, including those that involve DNS cache poisoning, but it’s not a panacea by any means.

The ICANN warning comes several weeks after CISA detailed a series of DNS-hijacking attacks that targeted federal government agencies in the United States during the government’s recent shutdown. Those attacks involved the use of stolen, legitimate credentials to access systems with access to an agency’s DNS records, which the attackers would then modify in order to shunt traffic to servers they control. That kind of attack can have long-lasting effects on the victim organization.

“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings,” the CISA warning said.

DNS hijacking is a constant on the Internet, and because of the way the attacks work, they often go unnoticed by victim organizations.

DNS hijacking is a constant on the Internet, and because of the way the attacks work, they often go unnoticed by victim organizations as well as individuals. They can be effective tactics for attackers to gain access to large volumes of traffic, and nation states have been known to employ DNS hijacking in the past. Governments often are the targets of DNS hijacking campaigns, too, and in November the Cisco Talos Group uncovered a campaign that targeted government agencies in both Lebanon and the United Arab Emirates. The campaign used a custom piece of malware called DNSpionage that allowed the attackers to communicate covertly with compromised machines.

“Our investigation discovered two events: the DNSpionage malware and a DNS redirection campaign. In the case of the malware campaign, we don't know the exact target, but we do know the attackers went after users in Lebanon and the UAE,” the Talos analysis says.

“It is clear that this threat actor was able to redirect DNS from government-owned domains in two different countries over the course of two months, as well as a national Lebanese airline.”

ICANN plans to hold an open session during its meeting next month in Japan to discuss the threats to the DNS system. The group said that while DNSSEC doesn’t address all of the threats, it can help protect against some of the more prevalent attacks on DNS.

“Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called ‘man in the middle’ attacks where a user is unknowingly re-directed to a potentially malicious site,” ICANN said in its statement.