Anycast: The Best DNS Tool Nobody Knows About
Anycast. It may be one of the best tools available to significantly improve the availability, resiliency and performance of your DNS.
It's also one of the best kept secrets. Outside of the root and top level domain operators, some specialty DNS service providers, and a handful of very large telcos, few organizations have deployed it. Why is that?
Well, we think one of the reasons is that there is not a lot of good educational material about anycast readily available. So we will do our part to add to the public knowledge through this article. We will explain what it is and how it can improve the level of service your DNS provides. And if you would like to find out more, download our white paper: Anycast DNS: The Secret to High Availability and Performance. And just for fun, take part in our online survey question about anycast. Final results will be provided in our next newsletter.
What is anycast?
Anycast is a network and routing technique that allows multiple hosts to share a common IP address. Each host announces that address (normally as a host route) into the routing system, and when a packet is sent to the anycasted IP address the routing infrastructure delivers it to the topologically nearest host announcing it, nearest in routing-metric terms rather than geographic ones.
Historically, anycast has been considered best suited to connectionless protocols based on UDP, rather than connection oriented protocols built on TCP, because there is no guarantee that successive packets addressed to the same anycast IP address will be routed to the same physical host. In practice routes change rarely enough that the short TCP exchanges DNS uses almost always complete; the concern is long-lived sessions, not a query and its answer.
Anycast has been used in conjunction with DNS for many years, and is widely deployed at the root DNS servers. The C, I, J, K, L and M root servers utilize anycast to route requests to one of many different physical servers deployed in different countries on different continents. Anycast is not limited to use with authoritative servers, however. Anycasting caching DNS servers is not only possible, but advantageous, for many of the same reasons.
What are the benefits of anycast?
When used with DNS, anycast provides five benefits compared to conventional DNS unicast architecture:
- Decreased Latency. In an anycast architecture, queries are directed to the topologically nearest DNS server, which usually provides better response times than other DNS servers located farther away.
- Improved Failover. If an anycasted DNS server becomes unavailable for any reason (hardware failure, network failure, data center failure, power failure, etc.), the routing infrastructure detects that its route has been withdrawn and automatically removes it from the routing table, so subsequent queries flow to the next nearest instance until the failed one re-establishes its routing session. One caveat: routers only see routing state, not DNS state. If the name server process dies while the host and its BGP or IGP session stay up, the host keeps attracting queries and silently black-holes them for its whole catchment area, so the route announcement should be tied to a health check of the DNS service itself, not just to host or link liveness.
- Increased Resiliency. Anycast architectures tend to localize the impact of DoS and DDoS attacks rather than allowing them to take down the entire DNS service. In fact, root operators credit anycast as a big contributor to their successful defense against the attack on the root servers in February of 2007.
- Improved Load Distribution. Because queries are routed to the nearest anycast DNS server, load migrates to the server nearest the clients. In addition to the performance advantages mentioned above, this also isolates DNS traffic from network anomalies further upstream.
- Scalability. A conventional unicast architecture is practically limited to about 13 name servers per zone, the number whose names and addresses fit in a 512-byte UDP response, which may be insufficient for some very large deployments. Anycast allows a virtually unlimited number of DNS servers to share the same anycast address, with no change to the zone's NS set.
Who can benefit from anycasted DNS?
In order to reap the benefits described above, you should consider deploying anycast when you have two or more physical locations for your DNS servers. The more locations, and the more geographically diverse they are, the greater the benefits.
What is involved in deploying anycast?
The good news is that anycast can be deployed without any incremental investment in software or hardware. Most commercial-grade routers already have built-in support for BGP and for an interior gateway protocol (IGP) such as OSPF, either of which can be used to carry the anycast route. To fully participate in anycast, however, the DNS server itself will also need to speak BGP or the IGP, or at least be able to inject and withdraw its own host route, and there are several open source routing packages (Quagga and BIRD, for example) that provide this capability.
Routing expertise is the more important requirement. The initial setup and ongoing maintenance of a correctly configured anycast-enabled DNS infrastructure will need support from your networking group, unless you run anycast DNS on a commercial product that automates much of the ongoing management for you.
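Whichever routing daemon carries the anycast route, the one piece the DNS host must supply itself is the link between the route and the service: the host should advertise its anycast address only while its name server actually answers, and withdraw it when the server stops answering, otherwise it black-holes queries for its whole region. The following is an added example, not code from this article or from Secure64, of such a watchdog. It probes the local name server over UDP and emits announce/withdraw commands with hysteresis so that a flapping server does not flap the route. The anycast prefix 192.0.2.53/32, the thresholds and the hand-encoded `. NS` probe are assumptions, and the command strings follow the text form that ExaBGP reads from a helper process's standard output, which is also an assumption to adapt to whatever daemon you run.

```python
"""Anycast route health injection for a DNS host.  Added example, not from the
article: the host advertises its anycast address only while its name server
answers, and withdraws it when the server stops answering.  Prefix, thresholds
and probe are assumptions; the command strings are the text form ExaBGP reads
from a helper process's stdout (adapt them for other routing daemons)."""
import socket
import sys
import time
from typing import Callable, Optional

ANYCAST_PREFIX = "192.0.2.53/32"   # assumed anycast service address (documentation range)
UP_THRESHOLD = 2                   # consecutive good probes before announcing
DOWN_THRESHOLD = 3                 # consecutive bad probes before withdrawing

# Hand-encoded probe (constructed): ID 0x5353, RD=1, one question ". NS IN".
# Any working caching resolver answers this; for an authoritative-only server
# substitute a question for a name in a zone it serves.
PROBE_QUERY = (b"\x53\x53"                   # ID
               b"\x01\x00"                   # flags: RD set
               b"\x00\x01"                   # QDCOUNT 1
               b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT/NSCOUNT/ARCOUNT 0
               b"\x00"                       # QNAME "." (root)
               b"\x00\x02"                   # QTYPE NS
               b"\x00\x01")                  # QCLASS IN

def response_is_healthy(resp: bytes) -> bool:
    """Accept only a reply with our ID, QR set, RCODE NOERROR and >= 1 answer RR."""
    if len(resp) < 12 or resp[:2] != PROBE_QUERY[:2]:
        return False
    qr = resp[2] & 0x80
    rcode = resp[3] & 0x0F
    ancount = int.from_bytes(resp[6:8], "big")
    return bool(qr) and rcode == 0 and ancount > 0

def dns_probe(host: str = "127.0.0.1", port: int = 53, timeout: float = 1.0) -> bool:
    """Send PROBE_QUERY to the local name server; False on timeout, error or bad reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(PROBE_QUERY, (host, port))
            resp, _ = s.recvfrom(512)
        except OSError:            # timeout, ICMP unreachable, daemon not listening
            return False
    return response_is_healthy(resp)

class RouteHealthInjector:
    """Hysteresis state machine: step() takes one probe result and returns the
    routing command to emit, or None when nothing changes."""

    def __init__(self, prefix: str = ANYCAST_PREFIX,
                 up: int = UP_THRESHOLD, down: int = DOWN_THRESHOLD) -> None:
        self.prefix, self.up, self.down = prefix, up, down
        self.announced = False
        self.good = self.bad = 0

    def step(self, healthy: bool) -> Optional[str]:
        if healthy:
            self.good, self.bad = self.good + 1, 0
            if not self.announced and self.good >= self.up:
                self.announced = True
                return f"announce route {self.prefix} next-hop self"
        else:
            self.bad, self.good = self.bad + 1, 0
            if self.announced and self.bad >= self.down:
                self.announced = False
                return f"withdraw route {self.prefix} next-hop self"
        return None

def run(probe: Callable[[], bool] = dns_probe, interval: float = 2.0) -> None:
    """Loop forever as a routing-daemon helper, writing commands to stdout."""
    injector = RouteHealthInjector()
    while True:
        cmd = injector.step(probe())
        if cmd:
            sys.stdout.write(cmd + "\n")
            sys.stdout.flush()
        time.sleep(interval)

if __name__ == "__main__":
    run()
```

The probe deliberately checks more than "a packet came back": a reply with REFUSED or SERVFAIL, or with our ID missing, counts as down, because a resolver in that state is exactly the one you do not want attracting a region's queries. The asymmetric thresholds mean a server must prove itself healthy before it is announced and is withdrawn quickly once it fails.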
For more information on how anycast can benefit your business, please download our white paper: Anycast DNS: The Secret to High Availability and Performance.

Rogue DNS Servers: Malicious or Misconfigured?
An interesting study was just published by a number of researchers at Georgia Tech and Google. The researchers studied the prevalence of DNS resolution path corruption, that is, computers that have been compromised to utilize "rogue" open resolving DNS servers that return incorrect results for valid domain lookups.
So what did they find? First, the study identified many sources of DNS-changing malware that alters the DNS settings on PCs to point to attacker-controlled open resolvers. Studying the problem from the other direction, the study also found over 17 million open resolving DNS servers on the Internet, of which an estimated 291,500 responded with incorrect answers to common queries.
So are these lying DNS open resolvers truly malicious or just misconfigured?
Well, both. Many of the rogue open resolvers return incorrect answers for domains that do not exist, but this is not an uncommon practice among service providers, who redirect users looking up non-existent web sites to search pages in order to generate advertising revenue and, they would argue, improve the user experience. Is this malicious? It is undesirable from a purist's point of view (it breaks any client that depends on receiving a correct negative answer), but it is not malicious. Other resolvers returned answers just slightly off from the correct one, probably an indication of a misconfigured server.
That’s the good news.
The bad news is that the authors found 68,000 servers, or 0.4% of the total population of open resolving servers, that returned incorrect answers for common “phishable” domains like banks, anti-virus, e-commerce or search engines. And the motivation behind these redirections appears to be financial.
The surprising news is that they found over 17 million open resolving DNS servers on the Internet, and that the authors theorize that there has been a dramatic rise of several million open resolving DNS servers in the past year, a rise for which they could not find plausible, harmless explanations. That’s a little bit scary. What are all these servers doing?
For the interested reader, the complete report can be found here: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority
For those of you that would like a little more detail without reading all twenty pages, here is a summary of the study.
Finding evidence of DNS-changing malware
The study consists of three parts. In the first part, the authors looked for evidence of corruption of resolution paths on hosts connected to the Georgia Tech network. To do this, they identified 8 samples of DNS-changing malware and 2107 web pages on 605 domains that perform "drive-by" alteration of the host's name server registry key. By analyzing the behavior of this malware and these URLs, they were able to identify the IP addresses of known rogue DNS servers.
They then monitored all of the inbound and outbound traffic to the university over a period of two months, looking for evidence of communication to these known, rogue DNS servers.
They found what they were looking for: evidence that numerous hosts on the network were communicating with these rogue DNS servers. This part of the study concluded that, despite the small number of DNS-changing malware samples identified, there were numerous infected hosts on campus, suggesting that the problem may be more widespread.
Identifying open-resolving DNS servers
The second part of the study focused on identifying all of the open-resolving DNS servers on the Internet. The authors sent recursive DNS queries to the entire IPv4 address space, for a record in a domain under the authors’ control, recording which IP address provided a response. The authors found over 17 million unique IP addresses acting as open resolvers.
Why so many open resolvers? The authors asked this same question, and looked for harmless reasons why they might see so many open resolvers (for example, some might be home hobbyist machines or open source DNS servers used by small businesses, home networking equipment running a DNS server, or misconfigured authoritative servers). They tested each of these theories, but none of them could explain the large number of open resolving servers. Apparently, answering this question will have to be the focus of another study.
Servers that lie
Do these open resolvers lie? This is the final part of the study, which involved sending queries for records from a variety of well known banks, social networking sites, anti-virus sites and other domains likely to be the subject of a phishing attack to a sample of the open resolvers. Of all of the resolvers queried, 2.4% returned one or more incorrect answers. Based on this rate and the sample size, the authors extrapolated an estimate of 291,528 hosts on the Internet providing malicious DNS service.
However, this does not mean that all of the 2.4% are malicious servers set up by attackers. The vast majority are counted as rogue because they answer with an address for non-existent domains, a practice that is not uncommon among certain commercial DNS service providers that derive advertising revenue from the redirection. Some of the responding servers were probably just misconfigured to permit recursive queries from the Internet, and some were simply buggy, returning answers off by one octet from the correct address.
An estimated 68,000 of these rogue DNS servers, however, actually redirect users from legitimate web sites such as eBay, Amazon and Google to other web sites. These fraudulent sites included parked domains, proxied Google pages, Chinese splash pages and Comcast pages. Any of these pages could act as a man in the middle for all of the user's transactions. The estimate of 68,000 malicious DNS servers is not found in the original study, but in the presentation the authors gave at the NDSS conference: Presentation
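The scan-and-classify procedure the study followed (a recursive query to each candidate address, then comparison of the answers for phishable names against known-good addresses) can be reproduced with little code. The example below is added here and is not code from the paper or from Secure64: it implements enough of the DNS wire format (RFC 1035, including name compression) to send a recursive query and read the A records back, then labels each answer with the categories the article describes. The category strings, the resolver nicknames, every address and name, and the sample responses built in `demo()` are constructed for illustration; only `probe()` talks to a real resolver, and nothing below does unless you call it.

```python
"""Open-resolver scan and lie detection.  Added example, not from the study or
Secure64.  All names, addresses and sample responses are constructed."""
import random
import socket
import struct
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qid: Optional[int] = None, qtype: int = 1) -> bytes:
    """RD=1: only a resolver willing to recurse for strangers will answer usefully."""
    qid = random.randrange(65536) if qid is None else qid
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return it and the offset after it."""
    labels, end, jumped = [], off, False
    for _ in range(128):                        # bound compression-pointer loops
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    raise ValueError("malformed name")

def parse_response(msg: bytes) -> Dict:
    """Return id, rcode, RA flag and the A records in the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ip_address(msg[off:off + 4])))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "ra": bool(flags & 0x80), "addrs": addrs}

def octets_differing(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a.split("."), b.split(".")))

def classify(expected: Optional[List[str]], rep: Dict) -> str:
    """expected=None means the probed name should not exist (NXDOMAIN check).
    Categories follow the article; the label strings are ours."""
    if rep["rcode"] == RCODE_REFUSED or not rep["ra"]:
        return "not-open"                       # will not recurse for us
    if expected is None:
        return ("correct" if rep["rcode"] == RCODE_NXDOMAIN and not rep["addrs"]
                else "nxdomain-rewrite")        # ad redirection of non-existent names
    if rep["rcode"] != RCODE_NOERROR or not rep["addrs"]:
        return "no-answer"
    if set(rep["addrs"]) & set(expected):       # any known-good address counts (CDNs rotate)
        return "correct"
    if all(min(octets_differing(a, e) for e in expected) == 1 for a in rep["addrs"]):
        return "off-by-one-octet"               # looks like a typo or bug, not an attack
    return "redirect"                           # a phishable name sent somewhere else

def probe(resolver: str, name: str, expected: Optional[List[str]], timeout: float = 2.0) -> str:
    """Live check of one resolver (needs network; the sample below does not use it)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (resolver, 53))
            rep = parse_response(s.recvfrom(4096)[0])
        except (OSError, ValueError, struct.error):
            return "no-answer"
    if rep["id"] != struct.unpack("!H", q[:2])[0]:
        return "no-answer"                      # not a reply to our query; ignore it
    return classify(expected, rep)

def make_response(name: str, rcode: int, addrs: List[str], qid: int = 0x1234, ra: bool = True) -> bytes:
    """Constructed reply to build_query(name, qid); answer names point at the question."""
    flags = 0x8100 | (0x80 if ra else 0) | rcode
    hdr = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ip_address(a).packed
                   for a in addrs)
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1) + rrs

def demo() -> Dict[str, str]:
    """Constructed sample: five hypothetical resolvers answering two names."""
    bank_ok = ["198.51.100.10"]                 # assumed known-good address for bank.example
    cases = {
        "honest":      (bank_ok, make_response("bank.example", RCODE_NOERROR, ["198.51.100.10"])),
        "ad-rewriter": (None, make_response("nosuch.example", RCODE_NOERROR, ["203.0.113.7"])),
        "buggy":       (bank_ok, make_response("bank.example", RCODE_NOERROR, ["198.51.100.11"])),
        "phisher":     (bank_ok, make_response("bank.example", RCODE_NOERROR, ["203.0.113.99"])),
        "closed":      (bank_ok, make_response("bank.example", RCODE_REFUSED, [], ra=False)),
    }
    return {k: classify(exp, parse_response(msg)) for k, (exp, msg) in cases.items()}
```

Two checks matter when this is run for real: the reply's ID must match the query's, or spoofed replies aimed at your scanner will be counted as lying resolvers, and the known-good set for CDN-hosted names must contain every address the zone legitimately hands out, or honest resolvers will be counted as redirecters. Scanning address space you do not own also has the same legal and abuse-desk consequences as any other unsolicited probing, so coordinate before doing it at scale.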
A case for DNSSEC
The authors concluded that DNSSEC provides a solution to this problem, provided that validation happens end to end: the signatures must be checked by the stub resolver or the application on the client that initiated the query, not by the intermediate resolving DNS server, which is precisely the component that cannot be trusted here. Note that this only protects names in signed zones; a validating client gains nothing for a domain that is not signed. With 68,000 malicious DNS servers out there, we may truly be just one large robbery away from a real push to adopt DNSSEC.
Commercial IPAM Solutions: Time to Take Another Look?
Perhaps you need to meet new regulatory requirements. Maybe your network has just grown up. Or possibly, you just don't have the time or inclination to manage your name and address space by hand any more. No matter what the reason, now may be a good time to take another look at commercial IP Address Management systems.
When commercial IP address management (IPAM) solutions were first introduced in the late 90s, licensing was typically based on the number of IP addresses in the customer’s address space. For enterprises and service providers with large address spaces at their disposal, this translated to license fees that were easily in the six figures. Given the associated costs, a large proportion of organizations found it more cost-efficient to develop IPAM solutions in-house.
Over the last 10 years, the usage of organizations’ address space has been undergoing a gradual yet fundamental change. While static IP addresses used to be the norm, organizations now have an increasing number of dynamic, mission-critical resources in their networks such as VoIP and WLAN clients. IT departments that utilize scripts or Excel spreadsheets are having a hard time keeping an accurate account of the address space with these homegrown solutions initially designed for static rather than dynamic network environments. This makes network planning a somewhat complicated process due to lack of transparency and limited visibility on the actual usage of subnets, address blocks and individual IP addresses.
At the same time, emerging networking standards such as IPv6 and DNSSEC set another challenge for homegrown IPAM solutions. Although these solutions have typically required relatively little development since their inception, new networking standards coupled with IP everywhere, increasing number of dynamic clients, and always-on requirements are gradually making the existing solutions outdated. If IT departments do not have a clear view of the existing network resources and their real usage, network planning and development becomes a time-consuming and an error-prone exercise.
Today, commercial IPAM solutions are offered either as software or as an appliance and the pricing model has evolved to offer more affordable solutions. Some of these solutions simply manage the name and address space, while others also offer DNS and DHCP server configuration management.
To meet the evolving IPAM requirements, organizations can either develop their existing IPAM solutions further or switch to commercial solutions designed to handle the complexity of today’s growing networks. Considering how much the IPAM market space has matured since the late 90s – both in terms of licensing models and functionality – IT departments would be well-advised to investigate commercial IPAM solutions before making the investment decision to modify existing solutions. In addition to saving time and money, a commercial IPAM solution can create new efficiencies in network planning processes.

Did you know?
There's a new website with free DNS testing tools online.
Howismydns.com
Have comments or questions about the content you've read? Please feel free to contact me.
Jeff Ryan
jeff.ryan@secure64.com
303-242-5897