IT Support and Hardware for Clinics
32.7K views | +2 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

How DNS is Exploited

How DNS is Exploited | IT Support and Hardware for Clinics | Scoop.it

The Internet is a global engine of commerce today, but it was never designed with such grandiose applications in mind. In the underlying architecture of the Internet, hostility was never a design criterion, and this has been extensively exploited by criminals, who capitalize on the Domain Name System infrastructure - the map of the Internet - which is indispensable for the Internet as we know it to function.

"Right now the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole," says Internet pioneer and DNS thought leader Dr. Paul Vixie, CEO of Farsight Security, a provider of real-time passive DNS solutions that provide contextual intelligence to threat and reputation feeds.

The Internet was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal, he says. But the DNS is proving essential to both the good guys and the bad guys - almost a unifying field theory.

"Everything you need to do on the Internet requires DNS - regardless of intent," says Vixie, who is also the principal author of version 8 of BIND, the most widely used DNS software on the Internet. "I think this makes DNS an interesting place to look for criminals and signs that criminals must leave," he says.

In part one of an exclusive two-part interview with Information Security Media Group (transcript below), Vixie talks about DNS and the impact it has on the Internet's security landscape. He shares insights on:

Part two of this interview will feature Vixie's views on the evolution of the Internet as an ecosystem that has evolved to make crime easier.

Vixie, CEO of Farsight Security, previously served as president, chairman and founder of the Internet Systems Consortium. He has served on the ARIN board of trustees since 2005, where he served as chairman in 2008 and 2009, and is a founding member of the ICANN Root Server System Advisory Committee and the ICANN Security and Stability Advisory Committee. He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8. He has authored or co-authored about a dozen Request for Comments, a publication of the principal technical development and standards-setting body for the Internet, the Internet Engineering Task Force - mostly on DNS and related topics. He was named to the Internet Hall of Fame in 2014.

Varun Haran: How are criminals exploiting DNS infrastructure to perpetrate crime today?

Dr. Paul Vixie: One main area where DNS is facilitating crime is denial-of-service attacks, where the purpose may be economic or ideological to prevent the victim from being able to use the Internet. This is achieved by filling their Internet connection with unsolicited traffic so that they cannot use their connection for good traffic.

Now, unfortunately, the Internet was designed by scientists and engineers to work in a completely friendly environment. Hostility was never one of the design criteria for the Internet. What that means is it is trivial to send packets forging someone else's address as the source. Which means that if you direct the packets forged with a victim's address towards a powerful server, a lot of response traffic will go to your victim. And because the victim did not solicit it, they cannot turn it off. This is a very popular attack, and anytime that you hear that Google or Spamhaus has been hit with a 400 Gbit/s DDoS attack, it is the exact same method being employed - IP source forgery.

This is not only something the Internet was designed without, it is something that the current Internet economy is resisting fixing, because in order to fix this problem, an ISP has to turn on some new features in their Internet routing equipment. Those features need to be tested, there needs to be documentation, there has to be monitoring, so there is a small cost - there may even be a performance cost in the routing equipment if you turn on this feature.

The cost is trivial, but not zero. The benefit that the operator will see, in exchange for that investment will be measurably zero, because what they are doing is protecting the rest of the Internet against their customers. So if an ISP does this, it is only for the greater good and it is very difficult to get an ISP - who has investors, shareholders, board of directors, management chain etc. - to act for the greater good at their own expense. It simply does not make good business sense to fix this problem.
Internet Vulnerabilities

Haran: The Internet wasn't designed for all the purposes it's being put to today. What are some of the security issues that the current nature of the Internet, in terms of infrastructure and architecture, gives rise to?

Vixie: I gave you one example, which is the lack of source address validation. But there are other admission control problems also. For example, there are control packets that you can transmit that can potentially interrupt other people's conversations. Various TCP and ICMP packets can be transmitted toward parts of the network that will respond by denying other people the ability to communicate for a few seconds.

This comes from when the Internet was just a collection of universities and government contractors. Everybody on the Internet for the first 10 years had a contract with the U.S. government. None of them had any incentive to transmit damaging traffic. The nature of the Internet took that into account. It was a very fragile network, which was intended only for mature computer science professionals to interact.

So, if we turn our attention now to spam, the email system has no admission control. Anyone can send an email to anyone. That was, in fact, an important design criteria to avoid central clearinghouses and make email an end-to-end activity. But what that means is that spammers are also endpoints and have the same right to transmit email to anyone. There is no differentiation, there is no privilege required.

Add to that the fact that, just like IP packets can have their sources forged, even email sources can be forged. And unless you are a technology expert or have a high-end email firewall appliance, you won't be able to tell the difference. This works at scale. Right now, the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole. The Internet is the backbone of global commerce today, and yet it was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal.
The Internet's Map

Haran: You have said that DNS is like a unified field theory between the good guys and the bad guys. Can you elaborate? How indispensable is DNS to the structure of the Internet?

Vixie: If the Internet were a territory, the DNS would be its map. We who have grown up in a world that is completely mapped, completely discovered, find it impossible to conceptualize the idea of a territory without a map. Without DNS, the Internet would be a trackless wild, where things would exist but you wouldn't know how to get there or the cost of admission. So I mean it when I say that all Internet communication begins with a DNS transaction - at least in order for the initiator to discover the responder and to find out where to send the packets that will represent their conversation.

But there may be other things as well, such as looking up a key, so that they can build a secure conversation by sharing key-in information or for looking up directory servers for authentication and authorization. Pretty much everything you need to do on the Internet is going to be a TCP/IP session. And every TCP/IP session is going to begin with one or more DNS transactions. This is true regardless of your intent. You intent might be to create wealth, to innovate, to make the world a better place, or it could be that your intent is criminal and you want to lie, cheat, take, force, defraud and you have purposes which would be seen as evil in the eyes of your fellow man. Your intent does not matter - you are not going to be able to do anything on the Internet without DNS. And it is that that I think makes DNS such an interesting place to look for criminals and signs that criminals must leave.
DNS Response Rate Limiting

Haran: You are a strong advocate of DNS Response Rate Limiting, which is something that you have worked on yourself. What can you tell me about DNS RRL?

Vixie: In DNS, there are many different kinds of DNS agents. Some only ask questions and receive answers and some only provide answers. It is that second type that concerns rate limiting, because a server in the DNS - the so-called authority server, which is where DNS content comes from - must be very powerfully built, having a lot of capability. Otherwise, if someone sends you a DDoS, they will make your content unreachable because your network pipe would be full of attack traffic.

It is common to buy an extra-large connection to your authority servers and to buy not just one authority server, but maybe a dozen and put them behind load balancers, with redundant power and so forth, because you want to make sure that no matter what happens, you can address queries and your content is reachable.

The difficulty that this presents to the rest of us is that in DNS, a response is larger than a request and that means that you are a potential amplifier. And if you are hearing a question that was forged - the IP address used by the attacker is forged to become the IP address of their intended victim - then you as a very powerful content server would be willing to help that attacker DDoS that victim simply because you are a powerful content server, and you have to be powerful for reasons of your own.

So when we designed response rate limiting, it was to allow those servers to differentiate between attack flows and non-attack flows so that they would be not as usable as an amplifier of third-party attacks. The tricky part is that you have to be very careful not to drop legitimate queries. So there is a little bit of mathematical trickery involved in the DNS RRL system that helps to make sure that you can stop most DDoS attacks without causing collateral damage.

more...
No comment yet.
Scoop.it!

Sizing Up the Impact of Partial DHS Shutdown

Sizing Up the Impact of Partial DHS Shutdown | IT Support and Hardware for Clinics | Scoop.it

The expansion of some major federal government cybersecurity initiatives would be suspended if Congress does not fund the Department of Homeland Security by week's end, triggering a partial shutdown.

Initiatives to expand the Einstein 3 intrusion prevention and continuous diagnostic and mitigation programs to a number of federal civilian agencies would be placed on hold if Congress fails to come up with the money by Feb. 27, when a temporary DHS appropriation ends.

"A shutdown would prevent us from bringing aboard those [programs] and essentially stop those agencies from receiving the protection that they need from the cyberthreats out there," says Andy Ozment, DHS assistant secretary for cybersecurity and communications.

About 43 percent of the staff at the National Protection and Program Directorate - the DHS entity that oversees its cybersecurity programs - would be furloughed if Congress fails to enact funding legislation that President Obama would sign, according to an estimate by the Congressional Research Service. Ozment says that furlough figure includes 140 employees from the National Cybersecurity and Communications Integration Center, the DHS unit that coordinates cyberthreat information sharing with federal agencies; local, territorial, tribal and state governments; the private sector and international organizations.

Will Systems Be at Risk?

Although Ozment, in testimony earlier this month to a House panel, said the furloughs would have an adverse impact on the government's cybersecurity activities, he stopped short of saying federal IT systems would be placed at risk by a partial shutdown.

"Without these staff, the NCCIC's capacity to provide a timely response to agencies or critical infrastructure customers seeking assistance after a cybersecurity incidents would be decreased and we would be less able to conduct expedited technical analysis of cybersecurity threats," Ozment testified at a Feb. 12 hearing of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

Funding DHS's cybersecurity initiatives - which has widespread support from among Democrats and Republicans in Congress - is caught up in a highly partisan political battle over President Obama's executive order to shield millions of illegal immigrants in the United States from deportation. The House in January passed a DHS appropriations bill that would fund most department programs, including those for cybersecurity, but withholds money from initiatives that would support Obama's executive action on immigration. With a threat of a Senate filibuster by Democratic members, as well as a presidential veto, the House bill has stalled in the upper chamber.

Lamentable But Not Perilous

Jason Healey, a cybersecurity expert at the think tank The Atlantic Council, says he doubts the failure to fund DHS cybersecurity initiatives would create significant risk to either government or critical private networks. "That seems like it's a lamentable thing that they can't continue [funding], but it doesn't worry me too much," he says, adding that other federal agencies work to help safeguard government networks and critical IT systems in the private sector, including the FBI.

Besides the temporary suspensions of the Einstein 3 and continuous diagnostic and mitigation programs, also known as continuous monitoring, Ozment said a partial shutdown would halt development of new programs to secure IT. "We would be unable to continue planning our next generation of information sharing capabilities that are necessary to make our information sharing real-time and automated in order to enable us to combat highly sophisticated cyberthreats," he said.


more...
No comment yet.
Scoop.it!

OpenDNS trials system that quickly detects computer crime

OpenDNS trials system that quickly detects computer crime | IT Support and Hardware for Clinics | Scoop.it

A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that can be called into a browser

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank) looks at a range of metrics around a particular domain name or website to figure out if it’s suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domains names for their campaigns, a type of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like “Java update,” “billinginfo” or “security-info” to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks to see if a particular domain is running on the same network, known as its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain. If it differs from that of the real organization, it can be a sign of fraud.

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they’ll often visit it once to make sure it’s accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”



more...
No comment yet.