When I first heard that The Register, a popular United Kingdom, technology news site had been hacked, I was doubtful that the site itself had actually been cracked. The first headline I saw read, The Register Hacked. That isn't what I saw. To me, it looked like a typical Domain Name System (DNS) hijack attack. I was right. What I didn't know at the time, though, that more than a hundred Web sites, several of them major ones, were having their addresses redirected to the wrong location.
So, when you went to The Register, or sites such as Coke-Cola, UPS, or the Telegraph newspaper, you were dumped to a black page stating "TurkguvenLigi" and "4Sept. We TurkGuvenLigi declare this day as World Hackers Day- Have fun;) h4ck y0u". The message changed several times, but it usually just displayed a similar nuisance message, rather than any attempt to steal information from unwary site visitors.
It appears, according to Zone-H, a site that monitors Web site attacks, that at least 186 Websites were attacked. In addition to the ones I already mentioned, other companies that were affected included Adobe, Dell, Microsoft, Harvard University and, oh the irony, security companies BitDefender, F-Secure, and Secunia.
The fact that even security companies were hit by this attack underlines the point though that while you can secure your own site, you can't secure the Internet. You need to make sure your Internet partners--ISPs and DNS providers--also have their security act together before you can assume that your customers and clients will be able to safely reach your site.
Here's the broad outline of what happened. DNS is the master address list database system for the Web. With it, instead of writing out an Internet Protocol (IP) address like "http://188.8.131.52/," one of Google's many addresses, we type in "http://www.google.com" and we're on our way to the site. But, if someone cracks a DNS server, they can assign the human readable Uniform Resource Locator (URL) address to whatever IPv4 address they want.
The sites themselves were fine. Indeed, in attacks like this, they're usually not touched at all. All that's happened is when your Web browser looks up a site's IP address it's going to get the wrong information.
What all these Web sites had in common was that they were registered through NetNames. The domain registry claims to be a "leader in its field, providing strategic advice and a management service that is second to none. Whatever the size of your organization, wherever the location and regardless of industry sector, if you are serious about protecting your strategic and operational presence online, NetNames is here to help." Oh well, it sounded good.
In a statement sent to customers NetNames states:
At approximately 2100BST on Sunday 4 September 2011 a very small number of customer domains were redirected to an unauthorized domain name server (DNS server). This was done by placing unauthorized re-delegation orders through to the registries via our provisioning system. These orders updated the address of the master DNS servers responsible for serving data for these domains. The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded TurkGuvenLigi. The unauthorized orders were added by using a SQL injection attack to gain access to a number of our customer accounts.
The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks we will continue to review our systems to ensure that we provide our customers a solid, robust and above all secure service.
NetNames customers are not happy. Although the DNS records have been corrected and the attacks appear to have been more mischievous than malicious, the fact remains that for several hours numerous important Web sites were, for all practical purposes, off the air.
This is not the first such major DNS attack to happen recently. Only a few weeks ago, the South Korean domain registrar Gabia was attacked in a similar manner. In that episode more than 100,000 Web sites had their addresses mis-directed.
This is not acceptable. Check with your own DNS providers and make sure that they're adequately protecting their DNS services and associated Web-based applications. In addition, if your DNS provider and ISP haven't adopted Domain Name System Security Extensions (DNSSEC) yet, find one that does.