« Internet Security Isn't a Battle: It's a Health Crisis | Main | Is this a hack or an attack? »

Friday, 03 February 2017

Protect your organization from expired name server domain threats

Matthew Bryant's recent post, Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target, describes attacks against authoritative name servers. These are the name servers that host DNS records for your domain name (A, NS, MX, CNAME, TXT...) and thus the definitive or authoritative sources for resolution, i.e., they host the database that applications use to resolve host names such as your web site name to an Internet address. 

Name server hijack example

Bryant's post describes scenarios where domain name resolution for an organization's domain name can be hijacked by an attacker. In one scenario,

(a) an organization has assigned authoritative name server hostnames from several domain names. This is an accepted best practice for name service redundancy. For explanation purposes, let's assume that the organization's domain is example.COM and the organization has hosted authoritative name servers at ns1.example.NET and ns1.example.TOP.

(b) through an error or oversight, the example.TOP registration expires and the organization fails to renew.

(c) the attacker discovers that example.TOP is available, seizes the opportunity to exploit the organization's error, and registers the expired domain name, example.TOP.

The attacker completes the registration process and provides a public IP address for a name server for example.TOP. The TOP registry publishes this in the TOP TLD zone. The attacker also creates a zone file for example.TOP and in this zone file the attacker creates an address record for ns1.example.TOP, the authoritative name server that the targeted organization uses. The attacker can now arrange that ns1.example.TOP resolves to an IP address the attacker controls, or can mimic the address records from ns1.example.NET and wait for an appropriate time to begin its attack.

Next, the attacker publishes bogus  zone data of his own composition at ns1.example.TOP; for example,  attacker may publish a wild card record that says "send all connections to any host name in the victimized organization's domain to an IP address that I control", where he can now host opportunistic content (e.g., pay per click advertising) or malicious content (malware, phishing).

There are now two different authoritative zone data sets: one that the organization publishes and controls at ns1.example.NET and one that the attacker publishes and controls at ns1.example.TOP. When users query any name in this now vulnerable zone, the user's computer will randomly use ns1.example.NET or ns1.example.TOP for authoritative name resolution and thus some users will visit the host the organization intended and others will visit the attacker's host.

Renewal Considerations for Domain Names, Revisited 

ICANN's SSAC wrote an advisory in 2006 to describe "incidents where, by choice or oversight, registrants allowed a domain name registration to expire, anticipating that no harm would come from allowing the registration to lapse".  At that time, the committee considered the incidents that illustrated how commercial risk, reputational harm or potential asset loss might ensue following non-renewals of domain names.

Matthew Bryant's post reveals a more nefarious non-renewal threat landscape, a hijacking of name service that allows an attacker to impersonate, deface, spam, or perpetrate fraud using the victim organization's web or other Internet services.

Fortunately, domain name registration protection practices recommended by ICANN's SSAC can help you mitigate threats of this kind.

Protect your organization from threats of this kind!

Consider implementing these recommended practices to minimize name server hijacking threats of the kind Matthew Bryant has discovered:

  1. Create complete and accurate copies of the domain name registration data (Whois) for all of your domain names and for all of the domain names that you use to assign your authoritative name server names Make certain that you create copies of your intended bindings of authoritative name server names to IP addresses as well.

  2. Gather abuse point of contact information for the sponsoring registrars of all of these domains and for any DNS hosting provider you use. You'll need these contacts for immediate notification, investigation and correction should you see unexpected changes.

  3. Monitor Whois for all your domain names and and all the domain names that you use to assign your authoritative name server names. You can easily write  and routinely execute a script using command line Whois executables and commands such as cron. Compare your routinely obtained Whois responses against your copies of the Whois you intended to publish. If they do not match, investigate immediately.

  4. Monitor the DNS to verify that the names of all of your authoritative name servers resolve to the IP addresses you expect to host your DNS information. Again, you can easily write and routinely execute a script to query NS resource records using command line executables such as dig or nslookup and commands such as cron. Compare your routinely obtained DNS responses against your copies of the responses you expect to receive. If they do not match, investigate immediately.

While you're mitigating this particular threat, consider adding domain name portfolio management as part of your organization's overall risk management program. Delegate the responsibility to manage all aspects of domain name registration to an individual or team, or choose from several DNS hosting or monitoring service providers who can do this for your organization. Whether in house or outsourced, staff assigned to this activity should manage approval, registration, brand protection, DNS hosting, monitoring and renewal for all domains you register directly. They should also monitor all domains that you depend upon for correct DNS operation of your domains as well.

Treat your DNS operations as a critical element of your online presence and you are likely to reduce your organization's threat landscape.

Related articles
Monitor DNS Traffic & You Just Might Catch A RAT
How to Protect Your Privacy When You Register a GTLD Domain Name

Posted at 08:30 AM in Domain names and DNS |

Tags: authoritative name service, defacement, dns, domain registration, fraud, hijacking, hosting, impersonation, name resolution, name server hijacking, renewal, renewal lapse

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories