DNS Proves to Be Weak Link in Internet Chain

A series of high-profile events over the last few weeks has highlighted the fact that the DNS that is so critical to the Internet's operation is also one of its weakest links.

A series of high-profile events over the last few weeks has highlighted the fact that the DNS that is so critical to the Internets operation is also one of its weakest links.

Though many of the specific problems have only recently come to light, security experts and CIOs said they have known for years that the Domain Name System is full of holes and have been holding their breaths, hoping to avoid a major incident.

Last week, the CERT Coordination Center revealed that there are four vulnerabilities in two versions of BIND (Berkeley Internet Name Domain), the open-source software that runs more than 80 percent of the Internets DNS machines. Some of the vulnerabilities could allow a remote user to take control of a name server running BIND and redirect Web traffic to any domain.

That possibility nearly became a reality late last week. Two days after Network Associates Inc. released an advisory about the BIND vulnerabilities, an anonymous hacker posted to the BugTraq mailing list sample code allegedly designed to exploit one of the buffer overflow holes.

The code contained a hidden Trojan that, when executed, launched an attack on Network Associates DNS server.

Network Associates officials confirmed that the companys site did undergo a brief DoS (denial-of-service) attack last Wednesday but said it was never down completely and was back to normal within 90 minutes.

"BIND has had problems forever because it has to be an open system in order to do name look-ups," said Sean Swift, leader of the security practice at CoreTech Consulting Group Inc., of King of Prussia, Pa. "And DNS, in general, is pretty weak. One problem with DNS can have a lot of unintended consequences."

Thats a fact that Kevin Dunn, CIO and chief technology officer of EdExpress Inc., in Dallas, discovered firsthand last month. On the eve of a major ad campaign, Dunn discovered that traffic to the companys site had suddenly dropped to zero. After investigating, he discovered that EdExpress domains had mistakenly been assigned to another company.

It took more than three days to reverse the mistake, by which time the ad campaign had expired, leaving the company with nothing to show for a big outlay of money and time, Dunn said.

Two weeks ago, most of Microsoft Corp.s sites disappeared from the Internet several times over a period of days. Microsoft first attributed the problem to an employees configuration error on one of the companys DNS boxes.

Later, Microsoft acknowledged that one of its routers had been the victim of a sophisticated DoS attack.

The attack took advantage of what many experts called Microsofts poor network architecture and had the effect of preventing traffic from reaching the companys DNS servers, which were on the same subnet at the time.

Microsoft has since hired Akamai Technologies Inc. to maintain a set of backup name servers in several locations.

The good news, security experts said, is that many hackers consider attacks on the DNS to be too easy—as well as too risky—to bother with. Because changes to an existing domain are typically done via e-mail, the perpetrators are often easily traced.

Just the same, officials from Arbor Networks Inc., a company being launched this week, said its managed availability service, which is deployed at the Internet service provider level instead of the network level, would have caught the flood on Microsofts router before it got out of hand.

"You have to be at the core of the network in order to catch those events," said Ted Julian, chief strategist of the Waltham, Mass., company. "If youre at the edge of the network, youll never see that attack coming."

However, dont expect to see such attacks go by the wayside. On the contrary, many people predict the newly publicized BIND vulnerabilities will spark renewed interest in the DNS as a potential target.

"BIND has consistently been a target over the years, and BIND will continue to be a target," said Dan Ingevaldson, a member of the X-Force research team at Internet Security Systems Inc., in Atlanta. "Its now sort of a race between us and the hackers as they try to develop tools to take advantage of these holes."