This blog will outline the current mess the digital planet is in regarding botnets, spam, denial of service attacks, recursive DNS and DNSSEC. I will untangle some of the threads to show why, over the next two years or so, the threats to enterprises are growing and why there is no silver bullet in sight. To begin, I'll start with DNS (the Domain Name System).
When the internet was first built and rolled out, its designers added a naming service to translate a name like www.acme.com into the numeric address the network actually routes on, like 61.112.232.131. The Domain Name System (DNS) maps the name to the address. The system has been successful because it scales well: your computer hands the question to the nearest recursive resolver (a caching DNS server), which either answers from its cache or walks the hierarchy of authoritative name servers to find the answer. Since there are many name servers and many caches, there is always a way to resolve a name quickly.
What the designers didn't consider was that the DNS header is trivially forgeable: a reply is matched to its query by nothing more than a 16-bit transaction ID, and the source address on the packet is whatever the sender chooses to put there. For a while, this wasn't a problem. Then along came the 1990s and the first signs of trouble appeared with IP spoofing attacks, a technique quickly adopted by email spammers.
Then as the late 1990s turned into the new millennium, attackers hit on the idea of delivering malicious software (malware) by email to take control of people's computers. Thus began the age of botnets. Today it is estimated that up to 10% of all computers on the internet are infected. Some reports, from 2004, estimate that up to 90% of all computers have spyware running on them. For a more detailed discussion read this.
Fast forward to the last year, in which organized crime has taken hold of the internet as a way to make money. Organized crime gangs have millions of bots under their control. They have recently begun hiding control of the bots from easy detection: they use decentralized command and control, and they have also begun changing the code running on the bots as often as every 30 minutes.
The bots then provide organized crime with all sorts of attack vectors into enterprises, THAT CAN BE SPRUNG VERY QUICKLY. Let's look at how they're using the bots.
One growing trend is denial of service (DoS) attacks on enterprises, used for extortion. Either the enterprise is forewarned of an upcoming DoS attack by the criminals and asked to pay them off beforehand, or the criminals launch the attack first and then threaten to keep it up until the enterprise, brought to its electronic knees, pays.
Readers should note how these attacks are constructed. The criminals forge the source IP address on DNS queries so that the victim appears to be the requester. They then use their botnets to send these queries to DNS servers that are configured to do recursive lookups for anyone: servers that will answer queries for domains for which they are NOT authoritative. Each recursive server sends its reply to the victim, not to the bot. The reply is many times larger than the query (a query is a few dozen bytes; a reply to a query for a record type such as ANY, with the large UDP payload that EDNS0 allows, can run to several kilobytes), so every byte the botnet sends becomes many bytes arriving at the victim, and the traffic appears to come from legitimate DNS servers rather than from the bots. Because it is estimated that over 50% of all DNS servers are misconfigured as open recursive servers, the attack magnifies. Today, many attacks have been documented at several gigabits per second, an amount that the average enterprise's servers and links cannot cope with.
The US-CERT is so concerned by this amount of traffic that it worries that key portions of the internet could be brought down in expanded attacks. It has issued strong recommendations to the internet community about the configuration of DNS servers. Even with these strong recommendations, however, millions of DNS server owners blissfully ignore them, since no immediate catastrophe faces any of them individually. In summary then, this attack combines three things: the inability of DNS over UDP to verify the source address of a query, the poor configuration of DNS servers, and the criminals' botnets to generate the traffic.
Another attack is spam email. It has recently been documented that spam now accounts for 91% of all internet email traffic! Let's examine how spam works.
The criminals send email with the From address set to someone else's, as if it came from them; nothing in SMTP itself checks it. Their botnets then download address lists to construct the spam runs. The malware is very sophisticated in its ability to change rapidly. This is why, all of a sudden, you are experiencing all sorts of spam passing through your anti-virus filters: there is no way an anti-virus vendor can keep up with signatures for the attachments used in email attacks when they change so rapidly.
Spam works. Roughly 1 in 20 (5%) of recipients in the UK have clicked through on spam emails. Thus botnets continue to expand as malware gets downloaded when the user clicks on a link. Since there is no way to actually authenticate the sender of an email, the botnets continue to bombard enterprises with spam.
Another attack redirects a user to a fake site even though they typed the correct web address into their browser. Called "pharming", this attack uses DNS cache poisoning to make it happen.
The criminals forge the response to a query that a local DNS server (a recursive resolver) has sent to an upstream server, such as the authoritative server for the domain, racing the genuine answer; the resolver's only protection is that the forged packet has to match the transaction ID and port of the outstanding query. They inject their own false IP addresses into that response, which the local server then caches. The next time a user enters the web address for, say, acme.com, the false IP address is served from the cache and the user is directed to a false site (which most often exactly resembles the real site). Pharming attacks have been increasing over the past two years.
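As an added example (not the post's own code, and a simplified in-memory model rather than any real resolver's implementation), here are the checks a recursive resolver must apply to each arriving reply before caching anything from it: the reply must match the transaction ID, port, upstream address and question of the outstanding query, and every record in it must lie inside the zone the upstream was asked about (the "bailiwick" rule). The Question, RR and Reply types, the addresses 198.51.100.10 and 203.0.113.66 and the name login.evil.example are constructed for the scenario; the 61.112.232.131 address for www.acme.com is the post's own example.

```python
"""Resolver-side acceptance checks against forged DNS replies (added example; a
simplified in-memory model, not the original post's code or any real resolver).

The resolver has one outstanding query to an upstream server. An attacker races
the genuine answer with forged replies. Each reply is validated against the
pending query before any record from it may touch the cache.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Pending:
    """What the resolver remembers about the query it sent upstream."""
    txid: int
    src_port: int        # UDP port the query left from (should be random per query)
    upstream_ip: str     # server the query went to
    question: Question
    zone: str            # zone that upstream server is authoritative for


@dataclass
class Reply:
    txid: int
    dst_port: int        # port the reply was addressed to
    src_ip: str          # address the reply claims to come from (spoofable)
    question: Question
    answers: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies underneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate(pending: Pending, reply: Reply) -> Tuple[bool, str]:
    """Return (accept, reason). Only accepted replies may update the cache."""
    if reply.txid != pending.txid:
        return False, "transaction ID mismatch"
    if reply.dst_port != pending.src_port:
        return False, "port mismatch"
    if reply.src_ip != pending.upstream_ip:
        return False, "reply from unexpected server"
    if reply.question != pending.question:
        return False, "question mismatch"
    for rr in reply.answers + reply.additional:
        if not in_bailiwick(rr.name, pending.zone):
            return False, f"out-of-bailiwick record for {rr.name}"
    return True, "ok"


def race(pending: Pending, replies: List[Reply]) -> Optional[Reply]:
    """Model the race: the first reply that validates is the one that gets cached."""
    for reply in replies:
        if validate(pending, reply)[0]:
            return reply
    return None


# Constructed scenario: the resolver asked acme.com's name server for www.acme.com.
PENDING = Pending(txid=0x4A2F, src_port=51873, upstream_ip="198.51.100.10",
                  question=Question("www.acme.com", "A"), zone="acme.com")

GENUINE = Reply(txid=0x4A2F, dst_port=51873, src_ip="198.51.100.10",
                question=Question("www.acme.com", "A"),
                answers=[RR("www.acme.com", "A", "61.112.232.131")])

# Forged reply: the attacker spoofs the upstream's address but guesses the ID wrong.
FORGED_WRONG_ID = Reply(txid=0x0001, dst_port=51873, src_ip="198.51.100.10",
                        question=Question("www.acme.com", "A"),
                        answers=[RR("www.acme.com", "A", "203.0.113.66")])

# Forged reply that got ID and port right and tries to smuggle in an address for a
# name outside acme.com; the bailiwick rule is what stops it.
FORGED_GLUE = Reply(txid=0x4A2F, dst_port=51873, src_ip="198.51.100.10",
                    question=Question("www.acme.com", "A"),
                    answers=[RR("www.acme.com", "CNAME", "login.evil.example")],
                    additional=[RR("login.evil.example", "A", "203.0.113.66")])

if __name__ == "__main__":
    for label, reply in (("genuine", GENUINE), ("wrong id", FORGED_WRONG_ID), ("bad glue", FORGED_GLUE)):
        print(f"{label}: {validate(PENDING, reply)}")
    winner = race(PENDING, [FORGED_WRONG_ID, FORGED_GLUE, GENUINE])
    print("cached answer:", winner.answers[0].rdata if winner else None)
```

Two points follow from the code. A forged reply that guesses the transaction ID and port correctly and keeps every record inside acme.com passes every check here; randomizing the source port per query raises the guess from one in 2^16 to roughly one in 2^32, and only signed answers make the guess irrelevant, which is what DNSSEC (discussed below) is for. The bailiwick check is what stops the older trick of answering a question about one name with "helpful" additional records for another.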
As an aside, it has been speculated that DNS traffic this spring might slow down the internet. The reasoning is that when Microsoft introduces Vista, which can run IPv6 alongside the older version of IP, Vista will issue parallel DNS queries for both. Microsoft says no and has apparently made changes so that parallel inquiries will not be done. We will see come this spring.
Amongst all this mess, are there any solutions? The honest answer is NO, NOT IN THE IMMEDIATE FUTURE.
One way to shut down the cache poisoning behind pharming is to digitally authenticate DNS answers. About 10 years ago, it was proposed that DNS records be cryptographically signed, with the public keys published in DNS itself (DNS Security, or "DNSSEC"). Note what this does and does not buy: a resolver that validates signatures will reject a forged answer, but signatures do nothing against spam or against the DoS attack above; signed responses are in fact larger, which makes an open recursive server a better amplifier, not a worse one.
This attempt has bogged down since then for a number of reasons. These include:
* root key management
* root key rollovers
* no real economic reason for millions of DNS server owners to change their practice
* arguments that there are other methods higher up the stack which are better
* concerns over scalability
* concerns over memory and performance when verifying signatures on a high-volume DNS server
A recent survey found that only about 1 in 100,000 DNS servers is DNSSEC-capable. Bottom line: there is likely no good news on deploying DNSSEC in the next one to two years (unless a huge internet outage caused by a DoS attack prompts everyone into adopting DNSSEC despite all its shortcomings).
Most experts agree that for the next one to two years the problems are going to get worse before they get better. Botnets will continue to proliferate. Malware will continue to quickly evolve and outstrip existing defense tactics. DoS attacks will continue to grow. Pharming will continue to grow. Spam will continue to be a big problem.
What can you do about it?
1. Configure your DNS servers properly. Do not offer recursion to the whole internet: allow recursive lookups only from your own networks, and ideally run your public-facing authoritative servers and your internal recursive resolvers as separate services. Then verify from outside: a query to your public server for a name you are not authoritative for should come back REFUSED, not answered.
2. Put in place a layered defensive system. Assume that even with best efforts your anti-virus, firewall, IPS and IDS systems will be breached. Put in place increasingly strong internal authentication to contain the damage when a breach has occurred and someone is masquerading as one of your users with their user ID and password.
3. Use transaction (risk-based) authentication from vendors like Bharosa and RSA for your most sensitive enterprise networks, applications and information. Assume that over the next two years even strong authentication mechanisms can be breached. Use the computer hardware, IP address, geolocation, user profile, user history and time of day to validate a successful authentication request.
Start paying attention to the DNS layer of your enterprise. Deep down in the bowels of the internet there are some stomach aches happening that might come back to haunt you.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
Note: In the first published version of this blog I erroneously stated that 20% of people in the UK have bought from spam. The story I was referring to stated that the click through rate was 1 in 20 or 5%. I have updated the blog accordingly.