October 23, 2016

DNS Attack Targets Popular Websites: Daily Telegraph, The Register, UPS, Acer and Others

(LiveHacking.Com) – Several popular web sites including The Register, The Daily Telegraph, UPS.com and Acer.com suffered a DNS attack on Sunday evening that has resulted in visitors being redirected to third-party webpages.

Paul Mutton, a web security tester and tech author, got a screenshot of what visitors to The Register saw:

Other websites which have been affected by the DNS hack include National Geographic, BetFair and Vodafone. With a DNS attack, the websites themselves are not hacked, but rather the hacker attacks the DNS infrastructure and diverts web traffic to a different site.

The hacked sites share a common registrar, Ascio Technologies, and were registered through NetNames. Both NetNames and Ascio are brands of GroupNBT. Zone-h suggests: “It appears that the turkish attackers managed to hack into the DNS panel of NetNames using a SQL injection and modify the configuration of arbitrary sites, to use their own DNS.”

Tim Anderson reminds us that “this kind of attack is more serious than simply hacking into a web server and defacing the content” as with DNS attacks the hacker can intercept not only web requests for the affected names, but also email.

Now, on Monday morning, it looks as if most (if not all) of the targeted sites are using the correct DNS settings.


Internet Infrastructure Supports DNSSEC Now

DNSSEC is now up and running on all of the Internet root servers. Rod Beckstrom, president and CEO of ICANN, the governing body for Internet domains, made this announcement at the Black Hat 2010 conference. Nine top-level Internet domains have also now been signed with DNSSEC, including .uk, .org, and others.

“We expect another dozen or so to take this step over the coming weeks,” Beckstrom said. He says others should be DNSSEC-signed in the next 12 months.

What is DNSSEC?

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS. RFC 4398 describes how to distribute these certificates, including those for email, making it possible to use DNSSEC as a worldwide public key infrastructure for email.

DNSSEC records:

  • DS
  • NSEC

How does it work?

DNSSEC works by digitally signing these records for DNS lookup using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone which is the trusted third party.

Please visit http://en.wikipedia.org/wiki/DNSSec for more information. This page has been used as a reference for this article.
