High-profile security hacks – such as the Melbourne IT-linked DNS redirection attack that took down websites of Twitter, the New York Times and others overnight – highlight the lingering inadequacies in open-source network infrastructure that will progressively push Internet service providers (ISPs) towards more-secure alternatives, a DNS security expert has warned.
Hackers targeted Melbourne IT domain-name systems, apparently stealing credentials from a reseller and using its account to make changes that caused numerous Web sites to be redirected to the Russia-based Web page of the Syrian Electronic Army (SEA).
The DNS records of the highest-profile sites to be affected were restored to correct settings within hours and locked by Melbourne IT, but the fact that the attacks happened at all reflects the lingering insecurities in existing DNS models, Nominum’s Asia-Pacific regional sales director Carl Braden told CSO Australia.
“We’ve seen this time and time again with open-source DNS,” he said. “The criminals are smart enough to use their tools to understand its limitations, and then do an exploit. There was a day in the early days of the Internet that you could buy an open-source router, but I think the DNS open-source days are limited.”
Earlier this year, for example, researchers identified a vulnerability in the popular BIND DNS server software that would allow hackers to crash DNS servers. Open DNS resolvers were fingered in a 2012 HostExploit report that found they were increasingly being used to amplify DDoS attacks.
In April, Russian Web search firm Yandex launched a public DNS service that blocks adult and malware-bearing Web sites. Google this year moved to boost the security of its public DNS service through the introduction of DNS Security Extensions (DNSSEC), which enable the digital signing of Web sites’ DNS records.
For its part, Nominum recently signed a deal with Sophos that will integrate Nominum’s DNS-security platform with Sophos’ URL-based content intelligence tools to improve filtering and avoidance of malicious Web addresses.
“It provides a broader and more comprehensive scope for leveraging the DNS platform,” Braden explained. “We’re able to provide a service that prevents customers going to sites known to be infected or hosting malware.”
Such functionality is going to become more and more common over time as security firms increasingly look outside of open-source structures, Braden said: “It’s a big step away from what we’ve seen in the past, but I think [such changes] are an acknowledgment that the open source model doesn’t allow the levels of investment that a commercial model allows to be invested in security and features.”
ISPs can also be expected to take a more proactive role in DNS security updates as they increasingly seek to lure and retain customers based on the idea of being a trusted service provider.
“ISPs are going to be competing with each other on the concept that is just emerging, which is trust,” Braden said. “If you don’t have trust in your network service provider, and feel like every time you’re online that you’re exposed, then your trust comes crumbling down and the good things built for the Internet become unusable.”