Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

Comments: 120 +-   What Could You Do With a Bogus Root Name Server? on Sunday June 01 2008, @12:11PM

Posted by Soulskill on Sunday June 01 2008, @12:11PM
from the root-root-root-for-the-home-team dept.
security
networking
internet
it
Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple weeks ago about the 'identity theft' of a root name server. To emphasize the issue of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited. "It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."
story

Related Stories

Submission: What could you do if you pwn3d a root server? by Barlaam (699638)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

What Could You Do With a Bogus Root Name Server? 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Its simple... (Score:5, Funny)

    by Indes (323481) on Sunday June 01 2008, @12:14PM (#23618303) Homepage
    .. do what we do every night.. try to take over the world!!

    (Seriously, Imagine borrowing every bank's front page in North America .... You could be cashing in big time..... )

  • Hmmm... (Score:2, Informative)

    by cp.tar (871488)

    ... so, you answer nearly all of them correctly.
    Except for the precious few, which, say, redirect you to almost exact copies of pages which take your credit card data.

    Or did I get it wrong?

  • i would redirect http://slashdot.org/ [slashdot.org] to http:///..org [..org]

    yeah how funny is it now that the joke is on the other foot biatches!

  • I've heard of this new technology... (Score:3, Interesting)

    by ZeroPly (881915) on Sunday June 01 2008, @12:20PM (#23618361)
    ... whereby you can actually "sign" digital data so that it's clear where it came from. If somehow they could incorporate that into this whole "DNS" system, maybe it would fix the problem?

  • Simple recipe (Score:5, Insightful)

    by canuck57 (662392) on Sunday June 01 2008, @12:22PM (#23618381)

    If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

    • You open up email to read todays email. You PC looks up pop3.yourisp.com.
    • DNS returns the IP of evil PC to your PC which will connect to it.
    • Next, evil PC will emulate your login, IP address and record the password. Could even be a /. password.
    • Evil pc now has the info needed to read/retrieve your email.

    Better yet, people often use similar IDs and passwords into other systems. Evil hackers can often use the email to figure out which banks, credit, stock brokers and on line e-tailers you use. Maybe change the home address of your Amazon account and order stuff, if the e-tailor isn't right on top of it.

    Root servers need to be secure, end of story.

    I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.

    • Re:Simple recipe (Score:4, Insightful)

      by Joe The Dragon (967727) on Sunday June 01 2008, @12:31PM (#23618441)
      ISP can make so that pop3 only works from inside of there own network and force you to have a differnt web mail password not use the same login in system for web mail and pop3 mail.
      • ISP access restrictions on their servers won't do anything for a client unknowingly connecting to a 3rd party via DNS hijacking/poisoning.

    • Re:Simple recipe (Score:5, Insightful)

      by imipak (254310) on Sunday June 01 2008, @12:38PM (#23618469) Journal
      Oh good god, that's just the tip of the iceberg. More likely would be to MitM some large corps' Outlook Web Access or other places where domain credentials are exposed (VPNs and the like.) Wait until you've got a domain admin's password. You now own that entire corp. Now rinse and repeat for government bodies. How hard do you think it would be for the proverbial well-motivated and resourced attacker to trigger off a war in such circumstances?

      Think about it.

    • I always thought it would be a good security check for a computer and/or browser to notice if the IP or a DNS name chanted to an IP in a different netblock. You'd expect different IP's for the same website for large sites with distributed servers, but it would be very suspicious for the IP to jump to some entirely different block.
      • Ha, chanted -> changed. Funny typo!
        • For a second there, I thought you had just introduced me to a new technical term I had never heard before. :-) We now must find a networking meaning for "chanted" and start using it.

    • Re:Simple recipe (Score:5, Informative)

      by Vellmont (569020) on Sunday June 01 2008, @01:07PM (#23618723)

      If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

      Unless you happen to have SSL enabled pop or imap.

      A (revised) recipe for an SSL enabled mail host:
              * You open up email to read todays email. You PC looks up pop3.yourisp.com.
              * DNS returns the IP of evil PC to your PC which will connect to it.
              * Evil PC returns a forged SSL certfificate claiming to be pop3.yourisp.com
              * Your email client brings up an error message saying there's something wrong with this certificate (self signed, etc)
              * You hopefully get suspicious, (this never having happened before), and don't click through.
              * Attack fails.

      If you don't get suspicious, and just click OK, you're right. But the situation isn't quite as dire as you make it out to be. I'd never connect to a non-secure host for something like email.

        • Re: (Score:3, Informative)

          by grcumb (781340)

          Which email client brigns up an error message for a self-signed POP3 server certificate?

          Mail.app and Thunderbird, for two.

          Mail's error message actually characterises a self-signed cert with language to the effect of, "Couldn't connect to the server because of an untrustworthy certificate." When this was reported to me by a non-technical user, they repeated only the first two words: Couldn't connect.

          That's how things should be.

          I'm hoping that Firefox's improved handling of self-signed certificates ge

        • Re: (Score:3, Informative)

          by darthflo (1095225)
          I can confirm Outlook 2003, 2007 and any remotely recent version of The Bat!

    • Re:Simple recipe (Score:5, Informative)

      by MushMouth (5650) on Sunday June 01 2008, @01:28PM (#23618875) Homepage
      Amazon makes you re-enter the complete credit card number if you ship to a new address.

      • Amazon makes you re-enter the complete credit card number if you ship to a new address.
        What a horrible inconvenience! You should be able to buy it with one click!
    • All the more reason for protocols to start using real security. Imagine the attack with password authenticated key exchange [wikipedia.org]:
      • You open up to read email. Your PC looks up mail.yourhost.com
      • DNS returns the IP of the Evil Impersonator.
      • You connect to the Evil Impersonator and start the protocol.
      • Evil Impersonator runs PAKE protocol in question, impersonating mail.yourhost.com, based on a guess of your password.
      • Your client says "incorrect password". You try a few more times and get really suspicious.
      • Because

      • Re: (Score:2, Insightful)

        by jeiler (1106393)

        Instead of a MitM attack, would it be possible to do a "proxy-in-the-middle" attack?

        * User opens up to read email/connect to their bank account/something secure.
        * DNS returns IP of evil impersonator (EI) instead of Real Computer (RC).
        * User requests connection from EI. EI transparently proxies that connection to RC, while listening for the password that authenticates the key exchange.
        * Profit! Or would it be?

        I can't imagine this kind of hole not already being covered, but it seems like it would be fe

        • Re: (Score:3, Informative)

          by kvezach (1199717)
          No, because without a password, most password authenticated key exchange algorithm have the same security properties as Diffie-Hellman. In other words, even if you knew the password, you couldn't snoop the connection passively. The only way to thwart it is by an active attack, but for that you need the password, otherwise the two parties' keys won't match.

          See SPEKE [wikipedia.org], for instance, which is pretty much a Diffie-Hellman key exchange with the (fixed) generator constant replaced by a hash of the password. Snoo

  • break everything (Score:4, Insightful)

    by imipak (254310) on Sunday June 01 2008, @12:25PM (#23618405) Journal
    Then sit back cackling with glee whilst civilisation falls apart?

    Seriously, in the last decade the premise that the Net is always there has become a silent assumption underlying a lot of critical systems. No I'm not talking about nuclear power stations being online, I'm talking about basic logistics chain outages that mean there's no-one there to run the power station, because they've no fuel for their car, because the petrol tanker driver is off scavaging food for his kids. There are a number of scenarios that could knock out the net (or at least cause widespread depeering, so you'd be stuck on your provider's network and unable to get traffic to/from anywhere else); it would be... well, a bit too interesting for my liking to see how things would go with, say, a seven day outage. Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure, having a heterogenous mix of code for all critical functions, oh and and enforcing BGP security.

    • Maybe the geeks should go on strike.

      No patches; no tech support; no maintenance -- until things are organized properly.

      • How the hell is that supposed to happen without any geeks ?

      • Re: (Score:2, Funny)

        by Anonymous Coward
        Better, we can go on a strike and then shut down the Internet. Then, when governments of the world come to us asking for us to repair whatever happened, we say: "ok, we can do that, but before we do we need, 10 million dollars, 3 bikini supermodels and a fast sport car of our choice, for each one of us.
        That would be sweet...
        *GO BACK TO THE BASEMENT, JOHNNY*
        *OK MOM! - Oh God, can't even dream in peace anymore...*
      • of course we'd first have to agree on how to define "properly"...

    • Re:break everything (Score:5, Interesting)

      by milsoRgen (1016505) on Sunday June 01 2008, @12:53PM (#23618617) Homepage

      Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure
      That and I'm afraid it would awaken certain governments with the sudden realization now is the chance to install a large scale surveillance infrastructure (or something just as evil) all in the name of fighting the terrorists that caused the disturbance. Oh and I'm sure there would be provisions added to enforce copyright while they're at it.

      • Re:break everything (Score:5, Interesting)

        by ColdWetDog (752185) * on Sunday June 01 2008, @01:02PM (#23618693) Homepage

        That and I'm afraid it would awaken certain governments with the sudden realization now is the chance to install a large scale surveillance infrastructure (or something just as evil) all in the name of fighting the terrorists that caused the disturbance. Oh and I'm sure there would be provisions added to enforce copyright while they're at it.

        Exactly. If you think the problem is bad now, wait until we've fixed it. (Arthur Kasspe). This should be the motto engraved on every Government departmental seal.

  • The solution is to maintain a series of flat-file or relational DBs locally for every host on the Internet. Periodically, you should be able to do an FTP or similar of the latest master file, and place it on your local nameservers or hosts. Its the only way to be sure.

  • Wrote about this in Feb 2006 (Score:5, Informative)

    by karl.auerbach (157250) on Sunday June 01 2008, @12:38PM (#23618473) Homepage
    Back in Febrary 2006 I wrote a note "What Could You Do With Your Own Root Server" at
    http://www.cavebear.com/cbblog-archives/000232.html

    My conclusions were that one could make money and cause trouble.

    One of the more interesting aspects was (and still is) that one could operate root servers and, using the Google model, pay ISPs and users to send their queries to your roots so that you could generate data mining revenues.

    That quality of data that is minded form root traffic would not be as good as that as from a top level domain server - and who has some large top level domains and also has root servers? Verisign.

    And ICANN's contract with Verisign explicitly permits data mining of query traffic.
  • It's sad that DNSSEC hasn't gotten wider adoption given that the problem of spoofing is getting bigger.

  • The heck with DNS (Score:3, Funny)

    by iminplaya (723125) <iminplayaNO@SPAMgmail.com> on Sunday June 01 2008, @12:40PM (#23618491) Journal
    Time for you mental midgets to start remembering IP addresses. Do your own damn cacheing.

    It's a JOKE! Alright?

    • Re: (Score:2, Insightful)

      by eneville (745111)

      Time for you mental midgets to start remembering IP addresses. Do your own damn cacheing. It's a JOKE! Alright?
      Well, it's not such a silly idea. When I look at my firefox 3 smart book marks, there are maybe 5 pages that I go to regularly. Anything else I can see using google page cache. So what's the big deal, having those few sites in a local hosts file isn't so much of a task.

    • Time for you mental midgets to start remembering IP addresses.

      Only after we switch to IPv6.

  • Anything associated with the Bush Adminsitration and fundraising for Senator McCain would definitely be sent to some educational sites of my choosing. Government propaganda sites in China would also be re-directed to more educational sites. Sites for military contractors like Halliburton, Blackwater, Lockheed Martin, McDonland Douglass, and Northorp Gruman would be re-directed to sites that show war profiteering information and US General Sevices Administration no-bid or non-competitive contract abuses.

    • Look up an anarchist/comedy/anti-establishment group called "The Yes Men". They pulled a magnificent prank on the World Trade Organization by putting up a web site that people who didn't read carefully would assume was theirs.

      The slagging they gave the WTO was presented in such a fashion that those would would seek such a site out would be well into it before they realized they were being had.

      Being able to redirect by controlling DNS servers could raise the bar quite a bit, and you can bet that the o

  • hosts file (Score:3, Informative)

    by eneville (745111) on Sunday June 01 2008, @12:51PM (#23618589) Homepage
    216.34.181.48 www.slashdot.org
    208.65.153.253 www.youtube.com
    208.65.153.238 www.youtube.com
    208.65.153.251 www.youtube.com
    69.63.184.15 www.facebook.com
    81.110.242.129 www.s5h.net
    66.102.9.99 www.google.com
    66.102.9.104 www.google.com
    66.102.9.147 www.google.com
    Use google page cache for anything else
        • Sir, what are you doing?!? Perl is NOT meant to be readable. It the code MUST be all on one line!

          use strict; use warnings; use Net::DNS; my %hosts; sub lookup { my $res = Net::DNS::Resolver->new;my $query = $res->search( shift );if ($query) {foreach my $rr ($query->answer) {next unless( $rr->type eq "A" );return( $rr->address );}}else {warn "query failed: ", $res->errorstring, "\n";}}while( my $l = ) {if( $l =~ m!(http://.+?)\s! ) {print( "$1\n" );if( $1 =~ m!http://(.*?)/! ) {my $ip = loo

  • That's easy (Score:5, Informative)

    by bconway (63464) on Sunday June 01 2008, @12:52PM (#23618599) Homepage
    World-wide Rickroll?
  • ...and sell it to the Chinese government. The answer to all their desires... No, just kidding.

  • Obvious first move (Score:5, Funny)

    by PPH (736903) on Sunday June 01 2008, @12:55PM (#23618631)
    Goatse.cx lives!
  • Long gone are the days of digital 'graffiti', its all about hard cash now.

    i'm sure that would be worth something to someone.. Perhaps even enough to afford that shiny new powerbook pro :)
Search
New systems generate new problems.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.