DNS hack attack mutilates multiple Web sites

Summary: Many popular Web sites, including those of Coca-Cola, UPS, and The Register, had their Web addresses hijacked over the weekend by a Turkish hacker.


When I first heard that The Register, a popular United Kingdom technology news site, had been hacked, I was doubtful that the site itself had actually been cracked. The first headline I saw read, "The Register Hacked." That isn't what I saw. To me, it looked like a typical Domain Name System (DNS) hijack attack. I was right. What I didn't know at the time, though, was that more than a hundred Web sites, several of them major ones, were having their addresses redirected to the wrong location.

So, when you went to The Register, or sites such as Coca-Cola, UPS, or the Telegraph newspaper, you were dumped to a black page stating "TurkguvenLigi" and "4Sept. We TurkGuvenLigi declare this day as World Hackers Day- Have fun;) h4ck y0u". The message changed several times, but it usually just displayed a similar nuisance message, rather than any attempt to steal information from unwary site visitors.

It appears, according to Zone-H, a site that monitors Web site attacks, that at least 186 Web sites were attacked. In addition to the ones I already mentioned, other companies that were affected included Adobe, Dell, Microsoft, Harvard University and, oh the irony, the security companies BitDefender, F-Secure, and Secunia.

The fact that even security companies were hit by this attack underlines the point that while you can secure your own site, you can't secure the Internet. You need to make sure your Internet partners--ISPs and DNS providers--also have their security act together before you can assume that your customers and clients will be able to safely reach your site.

Here's the broad outline of what happened. DNS is the master address database for the Web. With it, instead of typing out an Internet Protocol (IP) address like "http://209.85.135.99/," one of Google's many addresses, we type "http://www.google.com" and we're on our way to the site. But if someone cracks a DNS server, they can point the human-readable Uniform Resource Locator (URL) at whatever IPv4 address they want.

The sites themselves were fine. Indeed, in attacks like this, they're usually not touched at all. All that has happened is that when your Web browser looks up a site's IP address, it gets the wrong answer.

What all these Web sites had in common was that they were registered through NetNames. The domain registry claims to be a "leader in its field, providing strategic advice and a management service that is second to none. Whatever the size of your organization, wherever the location and regardless of industry sector, if you are serious about protecting your strategic and operational presence online, NetNames is here to help." Oh well, it sounded good.

In a statement sent to customers NetNames states:

At approximately 2100BST on Sunday 4 September 2011 a very small number of customer domains were redirected to an unauthorized domain name server (DNS server). This was done by placing unauthorized re-delegation orders through to the registries via our provisioning system. These orders updated the address of the master DNS servers responsible for serving data for these domains. The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded TurkGuvenLigi. The unauthorized orders were added by using a SQL injection attack to gain access to a number of our customer accounts.

The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems. NetNames considers the security of its systems and the data within to be of paramount importance. While no-one can completely defend against such sustained and concentrated malicious attacks we will continue to review our systems to ensure that we provide our customers a solid, robust and above all secure service.
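NetNames attributes the rogue orders to "a SQL injection attack to gain access to a number of our customer accounts." The following is an added Python example, not NetNames' code: an account lookup built by string concatenation beside its parameterized form, run against an in-memory SQLite table whose accounts and credentials are constructed for illustration.

```python
import sqlite3

def build_db():
    """In-memory stand-in for a registrar's customer-account table (constructed data).
    Real systems must store password hashes, not plaintext; kept simple here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, domain TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "s3cret", "example-alice.test"),
        ("bob", "hunter2", "example-bob.test"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation: user input is interpreted as SQL."""
    sql = ("SELECT domain FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    """Parameterized query: the driver binds input as data, never as SQL syntax."""
    sql = "SELECT domain FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def demo():
    """Run both lookups with a tautology in the password field and return
    (vulnerable result, parameterized result, legitimate login result)."""
    conn = build_db()
    tautology = "' OR '1'='1"
    # Vulnerable WHERE clause becomes: username='alice' AND password='' OR '1'='1'
    # which is true for every row, so every customer's domain comes back.
    leaked = login_vulnerable(conn, "alice", tautology)
    # The same string bound as a parameter is just a password that matches nothing.
    blocked = login_safe(conn, "alice", tautology)
    legit = login_safe(conn, "alice", "s3cret")
    return leaked, blocked, legit

if __name__ == "__main__":
    print(demo())
```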

NetNames customers are not happy. Although the DNS records have been corrected and the attacks appear to have been more mischievous than malicious, the fact remains that for several hours numerous important Web sites were, for all practical purposes, off the air.

This is not the first such major DNS attack to happen recently. Only a few weeks ago, the South Korean domain registrar Gabia was attacked in a similar manner. In that episode more than 100,000 Web sites had their addresses misdirected.

This is not acceptable. Check with your own DNS providers and make sure that they're adequately protecting their DNS services and associated Web-based applications. In addition, if your DNS provider and ISP haven't adopted Domain Name System Security Extensions (DNSSEC) yet, find one that does.
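One concrete way to act on that advice is to watch your own delegation, since the NetNames incident changed the name servers responsible for customer domains rather than the sites themselves. The following is an added Python example, not from the article or from NetNames: it parses answer lines in the `dig +noall +answer` format and flags a domain whose NS delegation or web address no longer matches what the owner expects. Every domain name and address in it is constructed.

```python
# What the domain owner expects (constructed values); compare against a fresh lookup.
EXPECTED = {
    ("example-customer.test.", "NS"): {"ns1.registrar-example.test.",
                                       "ns2.registrar-example.test."},
    ("www.example-customer.test.", "A"): {"198.51.100.10"},
}

def parse_answer(text):
    """dig-style lines 'owner TTL IN TYPE rdata' -> {(owner, TYPE): {rdata, ...}}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, ';' comment lines and anything that is not a class-IN record.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        rdata = " ".join(fields[4:]).lower()
        records.setdefault((owner, rtype), set()).add(rdata)
    return records

def check_delegation(text, expected=EXPECTED):
    """Return [(owner, type, expected_set, observed_set)] for every mismatch.
    An empty list means the lookup matches; an NS mismatch is the signature of
    a re-delegation of the kind NetNames describes."""
    observed = parse_answer(text)
    findings = []
    for key, want in expected.items():
        got = observed.get(key, set())
        if got != want:
            findings.append((key[0], key[1], want, got))
    return findings

# Constructed sample lookups: one clean, one where the delegation was re-pointed.
CLEAN = """\
example-customer.test.     172800 IN NS ns1.registrar-example.test.
example-customer.test.     172800 IN NS ns2.registrar-example.test.
www.example-customer.test.    300 IN A  198.51.100.10
"""
HIJACKED = """\
; constructed sample, not real dig output
example-customer.test.     172800 IN NS ns1.rogue-example.test.
example-customer.test.     172800 IN NS ns2.rogue-example.test.
www.example-customer.test.    300 IN A  203.0.113.77
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, check_delegation(sample))
```

Run on a schedule against a resolver other than your own provider's, a non-empty result is the early warning that several hours of silence cost the sites in this story.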

Related Stories:

DNS hack hits 200 major websites: Vodafone, UPS, Acer, Microsoft sites affected

Epson, HSBC Korea, domain registrar hacked: 100,000 domains affected

Anonymous claims DNS attacks against Symantec, Apple, Microsoft

Practice Safe DNS

Topics: Networking, Browser, Security


Talkback

20 comments
  • Interesting what was left out of your article

    We constantly hear that Unix / Linux runs the Internet.

    Except when it gets hacked. Then that fact is conspicuously left unmentioned.
    toddybottom
    • RE: DNS hack attack mutilates multiple Web sites

      @toddybottom Maybe Linux wasn't hacked. It may have been Bind or another app.
      ulyssesr@...
      • RE: DNS hack attack mutilates multiple Web sites

        @ulyssesr@... It was a SQL injection, just like the last time. Just like most of these hacks. It's not due to the OS or the DNS server. It's due to sloppy programming.

        http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
        Scott Raymond
      • SQL Injection

        @Scott Raymond
        You are probably correct.

        But this article is by the same blogger (I refuse to call him a journalist) who thinks a network connectivity issue in a hardware device (London Stock Exchange) is of course and without doubt the fault of Windows.

        SJVN's hypocritical double standard needs to be called out. I believe that was what toddybottom did.
        honeymonster
      • RE: DNS hack attack mutilates multiple Web sites

        [i]But this article is by the same blogger (I refuse to call him a journalist) who thinks a network connectivity issue in a hardware device (London Stock Exchange) is of course and without doubt the fault of Windows.[/i]

        Wouldn't surprise me.

        [i]I believe that was what toddybottom did.[/i]

        Is he one of your sockpuppets? ;)
        ScorpioBlue
  • Criminals plain and simple.

    Round 'em up and string 'em up with piano wire.
    Dietrich T. Schmitz *Your
  • DNSSEC?

    How would DNSSEC have helped NetNames thwart this attack?
    BerganL
    • RE: DNS hack attack mutilates multiple Web sites

      @BerganL It wouldn't. If you can fake being the owner you can do whatever you wish.
      Natanael_L
  • RE: DNS hack attack mutilates multiple Web sites

    Nothing is impossible, especially if sloppy programming caused the vulnerability which enabled an SQL injection attack. If we look at the bigger picture, this type of hacking tool is just another form of malware. We offer that Ether2 will enable a path to ensemble computing, where according to Intel research, we will have a higher sensitivity to malware, stronger neighborhood trust models leading to self configuration, and the ability for servers to collaborate in order to defend the network. Secondarily, if it was a DoS attack designed to take the server down by overflowing the buffer, then the fact that nodes can share compute power (basically giving any LAN supercomputing cluster capabilities) would allow load balancing between servers at the edge of the network so the attack couldn't take hold, and the offending IP addresses could be red flagged, ports blocked, etc. The question about how they got in must be answered. If they sneaked by the session border controller in an encrypted media packet for say a VoIP of video flow, we'll be running a proprietary watermarking technique to render the executable code inoperable. Then there is the issue of deep packet inspection getting overloaded at the gateway, and Ether2 is 100% distributed so the DPI load would also be running in distributed network chips, as opposed to gateway flooding. In short, we take a more global view on the security issues in networks, and when the network architecture resembles cable TV, it will be a paradigm shift for security.
    JonathanGael
    • RE: DNS hack attack mutilates multiple Web sites

      @JonathanGael "If they sneaked by the session border controller in an encrypted media packet for say a VoIP of video flow, we'll be running a proprietary watermarking technique to render the executable code inoperable."

      Well, I call BS. Who's gonna watermark it? The legit client that's connecting? If the client is hacked they'll be getting in anyway.
      And DPI can only find attacks using known exploits, you have to know what to look for. That's of course unless you know *exactly* what your network connections should look like, but hardly anybody does (it's predictable for a network connected CCTV, not for a computer - and absolutely not predictable enough for an entire corporate network!).

      Edit: I'm not saying your product won't work, maybe it does. I'm just saying it's hardly going to make anything 100% secure.
      Natanael_L
  • RE: DNS hack attack mutilates multiple Web sites

    I don't think this is as much a DNS issue as it is a SQL issue. Haven't most SQL injection attacks been mitigated? Is the reason for this hack just a lazy administrator who doesn't keep his server up to date?
    swmace
  • DNS is irreparably broken, the free internet is dead

    Thank the big corporations (just another name for mafia btw) and their stooges in government and security and military. You say you are a hacker - I say you are a stooge for the big boys, willing to bend over for a job somewhere down the track. Follow the money boys and girls - why doesn't Ballmer/Jobs/etc ever get hacked, ever!
    They can obviously have secure internet, secure computers, secure comms - why can't we? Don't tell me to secure my computer BECAUSE NO-ONE WILL TELL ME HOW! How do the moguls stay secure when we, who ostensibly use the same infrastructure, don't? The answer is obvious - the moguls are the ones ultimately responsible for the hacking, they make all the money from it! All the others - the script kiddies, the white/black/grey/blue(hah!) hats, the 'intellos' (hah!!), the RBN's are just TOOLS, - STOOGES for the moguls.
    walkerjian@...
    • RE: DNS hack attack mutilates multiple Web sites

      @walkerjian@...

      Nobody can help you, if you are not willing to learn.

      The Internet, including DNS, can be as secure as you yourself make it. If you depend on someone else for 100% of your computing experience, this is what you get -- 100% dependence on someone else's wish for your Internet experience.
      danbi
  • RE: DNS hack attack mutilates multiple Web sites

    This is all the result of the "me too" attitude and business model for running DNS registries/registrars.

    Of course, it is sloppy programming, no security auditing of the registration software and procedures and primitive/inadequate credentials checks. But the primary problem is the business model.

    This was not a DNS attack and DNSSEC would have made no difference.
    danbi