spf-discuss

Re: *****SPAM***** Re: SPF is not usable as legal measure against spammers.

2004-07-16 12:35:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 15 July 2004 02:23 pm, Nico Kadel-Garcia wrote:
> Modifying ones that aren't yours is a separate story. That's partially
> done by breaking into DNS servers (which is often feasible at poorly
> secured, small sites), or even by playing routing games: publishing mutilated
> BGP routing tables to route requests for certain DNS servers' IP addresses
> to your fake server, allowing you to create a fake DNS site unbeknownst
> to the clients who've never bothered to examine the results of
> traceroute. It's even more fun, and tougher to trace, if you can
> blackhole the master server of a set of NS servers and get the other NS
> servers to pull their slave zones from your fake master for a zone.


I won't comment on the BGP exploitation, I don't know enough about it.

However, I do know that securing your servers is your responsibility and 
that's that. If your DNS servers are vulnerable, and you get H4X0R3D, then 
it's your fault for leaving it open. Sure, the H4X0R gets a visit from the 
police, he'll serve time when he gets caught, but you still have to protect 
yourself and be vigilant, just like you have to do in the real world. I.e., 
you don't leave your car unlocked, you don't leave the keys in the 
ignition, and you use measures appropriate to the neighborhood to protect 
yourself - from karate to mace or pepper spray, even to a sidearm or an 
escort of highly-paid ex-US Marines.

> It is inherent to modern implementations of BGP that the tables can be
> hand-manipulated, allowing the big ISPs to hand-route things over
> preferred connections for security or switchover planning reasons. This
> capability carries with it the risk of falsely published routing
> information: such routing is sometimes done, even by large ISPs, for
> political reasons such as blackholing the www.samspade.org website
> because its well-organized tools for tracking spammers' host and upstream
> connectivity information lead to too many complaints against those ISPs
> for them to tolerate, so they blackhole it.


I see. So the hacker has to gain control of a core internet router, and then 
publish his own BGP records. If the hacker can get a hold of one of those 
routers, we have bigger problems than spam.

> DNS itself can be implemented in relatively secure ways to prevent this
> kind of attack, but few sites actually go to the extra work.


It is my understanding that there have been no large-scale and successful 
DNS attacks in recent history.

If it is still vulnerable, then we have bigger problems than spam.

- -- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard(_at_)amazon(_dot_)com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFA+C4aBFeYcclU5Q0RAhXWAJ9deqQTbupPZnj78zxFI1/X1XIHugCgxdP3
sjdTpbtLCjLIqRC+fx2oPec=
=Kkv1
-----END PGP SIGNATURE-----
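The following is an added example and is not part of this thread or either poster's words. It shows, in code, the point the two of them are circling: an SPF check is only as trustworthy as the DNS answers it reads. The script is a minimal SPF evaluator (ip4, ip6, include and all mechanisms only; no a, mx, exists or macros) run against two constructed, in-memory stand-ins for DNS. Both zones, the domain names and the addresses (RFC 5737 / RFC 3849 documentation ranges) are made up for the illustration; the "hijacked" view is what a resolver would see after any of the attacks described above (compromised authoritative server, route hijack to a fake server, or a slave that pulled its zone from a fake master), with the spammer's netblock added to the record.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed, offline stand-in for DNS TXT lookups (domain -> SPF record).
# Zones and addresses are made up (documentation ranges), not real records.
LEGIT_DNS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# The same zone as a resolver sees it once an attacker controls its view of
# DNS (compromised server, hijacked route to a fake server, or a slave that
# pulled its zone from a fake master): the spammer's netblock is added.
SPOOFED_DNS: Dict[str, str] = dict(LEGIT_DNS)
SPOOFED_DNS["example.com"] = (
    "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def check_host(dns: Dict[str, str], domain: str, ip: str,
               _lookups: Optional[List[int]] = None) -> str:
    """Evaluate the ip4/ip6/include/all subset of SPF for `ip` claiming to
    send as `domain`, reading records only from `dns`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _lookups is None:
        _lookups = [0]
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:  # also stops include loops
                return "permerror"
            sub = check_host(dns, arg, ip, _lookups)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include: try the next term
        else:
            return "permerror"  # mechanisms not modelled here (a, mx, exists, ...)
    return "neutral"  # nothing matched and no explicit "all"


def verdicts(domain: str, ip: str) -> Dict[str, str]:
    """Same sender, two views of DNS: the verdict follows the DNS, not the truth."""
    return {
        "legitimate_dns": check_host(LEGIT_DNS, domain, ip),
        "hijacked_dns": check_host(SPOOFED_DNS, domain, ip),
    }


if __name__ == "__main__":
    for sender in ("192.0.2.25", "198.51.100.10", "203.0.113.7"):
        print(sender, verdicts("example.com", sender))
```

Run stand-alone it prints the three verdicts; the spammer's host 203.0.113.7 fails against the genuine zone and passes against the hijacked one, with no change to the sending host or the message. That is the whole of the "legal measure" objection: the evidence SPF produces is a property of whichever DNS the receiver happened to query, which is why the "relatively secure" DNS deployment mentioned above (source-authenticated zone transfers, signed zones) matters more than the SPF syntax itself.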

