Domain Name System and Cyber Security Vulnerability
By Jon Stout
DNS- At the Heart of the Internet
It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.
In the early days of the Internet, users trying to reach another host on the network were required to input lengthy IP number strings (e.g., 74.125.45.105, a listed IP address for Google).
As the Internet grew, number strings became cumbersome and unworkable, as most users could not consistently remember the proper sequencing of random numbers.
To simplify this process, a solution was developed based on a flat file that paired each IP address with a comparatively easy-to-remember common language address (e.g., Amazon.com, YouTube.com, and Twitter.com).
By the late 1980s, the flat file had evolved to the Domain Name System (DNS) in use today—a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network.
Ease of use and expandability were the goals but, since cyber security attacks and malware were virtually unknown, DNS security was not a priority.
DNS is effective and works in the background of search activity. Internet users expect that when they type in a URL or e-mail address, they will be connected to the correct Web site or e-mail box.
Many commercial companies developed brand strategies based on this in order to use the Internet’s reach to develop more customers and increase sales/revenue. Most of these companies adopted a .com or .net extension. The Federal government adopted a .gov or .mil extension.
DNS Brand Implications
The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g., Google, Bing, Amazon, and eBay) and powerful strategies were developed to market brands on the Internet.
An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry.
Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.
Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful key word searches.
Web-based purchases supported by easy, convenient keyword searches now account for 20-30% of all retail business, and the web-based e-commerce market share continues to enjoy strong growth. DNS is an integral part of this success.
But as traffic on the Internet grew, the entire net became vulnerable to Cyber attacks. A good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.
DNS Is Inherently Insecure
The original design of the Domain Name System (DNS) did not include robust security features; instead, it was designed to be a scalable and open distributed system with backwards compatibility. Attempts to add security were rudimentary and did not keep pace with the skills of malicious hackers.
Security may top the list of enterprise and network administrators, but too often the link between security vulnerability and DNS is neither understood nor appreciated.
In order to enhance security and defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.
Consequently, any commercial company that uses the Internet for sales, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks, needs to be aware of DNS vulnerability.
As the Internet expands in terms of users, devices and traffic, so does the opportunity for sophisticated DNS mayhem—whether malicious (hacking), aggravating (spam) or illegal (accessing sites containing content that violates legal and regulatory mandates).
Enterprises and ISPs must protect their users and networks—sometimes from the amateur hacker but increasingly from organized crime and state sponsored cyber terrorism.
The internet is also growing by an order of magnitude and just about every user of the internet is directly affected by the Domain Name System (DNS). The Domain Name System (DNS) is an essential part of the Internet.
Many Internet security mechanisms, including host access control and defenses against spam and phishing, implicitly or explicitly depend on the integrity of the DNS infrastructure and DNS Servers.
DNS Servers
BIND (for Berkeley Internet Name Daemon, or sometimes Berkeley Internet Name Domain) is one of the most commonly used Domain Name System (DNS) servers on the Internet, and still proclaims itself to be so.
Presently, BIND is the standard DNS server. It is a free product and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with significantly different architectures: BIND4, BIND8, and BIND9.
BIND4 and BIND8 are now obsolete. BIND9 is a ground-up rewrite of BIND featuring complete Domain Name System Security Extensions (DNSSEC) support in addition to other features and enhancements. But even with the rewrite, many consider BIND vulnerable.
The Internet Systems Consortium has also started development of a new version, BIND 10. Its first release was in April 2010, and it is expected to be a five-year project to completion.
BIND 4 and BIND 8 have had a large number of serious security vulnerabilities over the years and as such their use is now strongly discouraged. While BIND 9 was a complete rewrite, it has still experienced several vulnerabilities.
Although BIND is still the de facto DNS software because it is included by most UNIX-based server manufacturers, a number of other developers have produced DNS server software that addresses the inherent weaknesses of BIND. Ratings of these packages can be found on http://www.kb.cert.org/vuls/
Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service
The DNS vulnerabilities open the affected networks to various types of cyber attacks but cache poisoning and DDoS attacks are usually the most common.
Cache poisoning is arguably the most prominent and dangerous attack on DNS. DNS cache poisoning results in a DNS resolver storing (i.e., caching) invalid or malicious mappings between symbolic names and IP addresses.
Because the process of resolving a name depends on authoritative servers located elsewhere on the Internet, the DNS protocol is intrinsically vulnerable to cache poisoning.
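Because a resolver caches whatever reply it accepts, the acceptance checks it applies are its defence against poisoned entries. The following is an added example, not code from the article or from BIND: it builds constructed DNS messages and caches an answer only when the source address, transaction ID and echoed question match the pending query. The function names, the sample addresses and the simplification to a single A record are assumptions of this example.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels (no compression)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(txid, flags, name, answer_ip=None):
    """Constructed sample: one A/IN question, optionally one A answer."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer

def question_of(msg):
    """Raw question section: name, type and class, starting at offset 12."""
    return msg[12:msg.index(b"\x00", 12) + 5]

def accept(pending, response, src):
    """Return the IP to cache if the response matches the pending query, else None."""
    if src != pending["server"] or len(response) < 12:
        return None  # reply did not come from the server that was asked
    query_id, = struct.unpack("!H", pending["query"][:2])
    resp_id, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    if resp_id != query_id or not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None  # wrong transaction ID, not a response, or no answer
    try:
        asked, echoed = question_of(pending["query"]), question_of(response)
    except ValueError:
        return None  # malformed question section
    if asked.lower() != echoed.lower():
        return None  # answers a different name or type than the one asked
    rr = response[12 + len(echoed):][:16]
    if len(rr) != 16:
        return None  # truncated answer record
    owner, rtype, rclass, _ttl, rdlen = struct.unpack("!HHHIH", rr[:12])
    if (owner, rtype, rclass, rdlen) != (0xC00C, 1, 1, 4):
        return None  # answer is not an A record for the question name
    return ".".join(str(octet) for octet in rr[12:])

# Constructed sample: a pending query and the (ip, port) it was sent to
PENDING = {"query": build_message(0x1A2B, 0x0100, "www.example.com"),
           "server": ("192.0.2.53", 53)}
```

These checks only raise the cost of forging a reply; a resolver that validates DNSSEC signatures rejects forged data even when these fields match.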
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is focused on making a computer resource unavailable to its intended users. A DDoS consists of the concerted efforts to prevent an Internet site or service from functioning efficiently or at all.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as government agencies, banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks.
Until effective solutions are developed that reduce DNS vulnerabilities, cyber attacks will increase, particularly as new protocols expand the reach of the Internet.