The blog of Xeno, a slightly mad scientist
… The attack that took down the New York Times’s site likely didn’t require compromising the site’s servers at all. Instead, the hackers gained control of the site by changing information in the DNS database. When someone tries to go to nytimes.com, the DNS should point them to 184.108.40.206. The attack changed that entry to point elsewhere on the Internet.
You can tell this was an attack against the DNS instead of the Times’s servers because throughout the attack it has been possible to reach the Times’s Web site if you know the IP address. Try it: just type 220.127.116.11 into your browser and you’ll reach the New York Times Web site.
How did they change the DNS information?
To register a domain name, Web site operators use a site called a registrar. The New York Times, Twitter and other major Web sites apparently used a registrar called Melbourne IT to register their domain names. David Ulevitch, the CEO of OpenDNS, says that the attackers appear to have compromised Melbourne IT’s Web site, allowing them to change DNS records for any Melbourne IT customer. (Melbourne IT did not immediately return our call and e-mail seeking comment.)
What kind of mischief can you cause by tampering with DNS entries?
Gaining control of a site’s domain is not as powerful as hacking into a site’s servers. If you gained control of Times servers, you could change the contents of articles, read Times employees’ old e-mails and even install malicious software on the servers. Domain hijacking doesn’t let you do any of that.
But Ulevitch says that compromising a domain name can still cause serious problems. “When you hijack peoples’ DNS, it’s a total transfer of much of the authority that’s been allocated in the identity of that organization,” he argues. For example, the New York Times is “no doubt emailing confidential sources all the time. Someone could intercept that email” by changing the DNS record telling where to deliver it.
Indeed the Internet may have been lucky. The attacks appear to be little more than a publicity stunt. The attackers don’t seem to have attempted more ambitious and potentially harmful attacks.
Has this happened before?
Yes, it’s a fairly common tactic. For example, yesterday hackers defaced the Web site of Google Palestine, replacing the search engine with an anti-Israel, pro-Palestinian message. Google says its own servers weren’t hacked. Rather, the DNS entry for google.pl was modified to point to a web server controlled by the hacker.
A couple of months ago LinkedIn suffered a similar fate.
Is there anything we can do to make the system more secure?
For years, DNS gurus have been pushing for broader adoption of DNSSEC, an encrypted version of DNS. But Ulevitch says DNSSEC wouldn’t have prevented today’s attacks. DNSSEC uses cryptographic signatures to prevent anyone from intercepting DNS requests and replying with forged information. But a registrar like Melbourne IT has the authority to issue new, cryptographically signed DNS records. “DNSSEC literally would do nothing for this” kind of attack, Ulevitch says.
On the other hand, Ulevitch argues that OpenDNS, which runs its own DNS servers, was able to offer automatic protection to his own customers. “We already knew the IP addresses the SEA was using,” he says. As a result, when the SEA changed the nytimes.com domain to point to an SEA-controlled address, OpenDNS’s servers automatically rejected the change, preventing the SEA from impersonating the New York Times to OpenDNS customers.
The Internet is a complex system, and keeping it secure will require both well-designed software and quick thinking by network administrators. When I reached Ulevitch, he said he was in a chatroom with other senior Internet figures who were helping coordinate a global response to the attacks….
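The resolver-side protection Ulevitch describes (rejecting answers that point into address space already known to be bad) and the record-change monitoring a site operator would want after a registrar compromise, as an added example that is not part of the quoted article and not OpenDNS code. All records, addresses and the denylist are constructed; nothing is queried on the network.

```python
import ipaddress

# Constructed baseline: the records the operator pinned while they were known correct.
BASELINE = {
    "nytimes.com.": {"A": {"192.0.2.10"}, "NS": {"ns1.example-dns.net."}},
}
# Constructed denylist standing in for the addresses a resolver operator already knew
# were used by the attackers (documentation range, not real infrastructure).
KNOWN_BAD = {ipaddress.ip_network("198.51.100.0/24")}


def is_known_bad(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD)


def filter_answer(name, rtype, rdata):
    """Resolver-side check: return (accepted, dropped) so an A answer that points
    into known-bad space is never handed to clients, even if the zone now says so."""
    if rtype != "A":
        return set(rdata), set()
    dropped = {ip for ip in rdata if is_known_bad(ip)}
    return set(rdata) - dropped, dropped


def detect_changes(name, observed):
    """Operator-side check: compare freshly observed records with the pinned baseline.
    Returns one (rtype, expected, seen) alert per record type that changed."""
    alerts = []
    base = BASELINE.get(name, {})
    for rtype, values in observed.items():
        expected = base.get(rtype)
        if expected is None:
            continue  # nothing pinned for this type, nothing to compare against
        if set(values) != expected:
            alerts.append((rtype, expected, set(values)))
    return alerts


# Constructed post-hijack answer: a registrar-level change rewrote both the
# delegation (NS) and the address (A) to attacker-chosen values.
HIJACKED = {"A": ["198.51.100.7"], "NS": ["ns.attacker-example.net."]}

if __name__ == "__main__":
    accepted, dropped = filter_answer("nytimes.com.", "A", HIJACKED["A"])
    print("accepted:", accepted, "dropped:", dropped)
    for rtype, expected, seen in detect_changes("nytimes.com.", HIJACKED):
        print(f"ALERT {rtype} changed: expected {expected}, saw {seen}")
```

The filter only protects clients of a resolver that already knows the bad addresses; the baseline comparison catches a hijack regardless of where the new records point, which is why both checks are shown.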