spf-discuss

How to hijack a DNS entry?

2005-04-13 11:01:57
I think the more likely theft will be of domain names.  The biggest
so far was described in Panix recovers from domain hijack, John
Leyden,  The Register, 17th January 2005,
http://www.theregister.co.uk/2005/01/17/panix_domain_hijack/

This was done by a con artist convincing a .com registrar that panix
was moving to Australia.  This is ordinary fraud, nothing special to
the Internet.  It is the same as convincing the phone company that
they should move phone service for a large corporation to some office
down the street.

As for "hacker" attacks on DNS, the best documentation I have found
is "A Threat Analysis of the Domain Name System" - RFC 3833

Of course, we will always have "man-in-the-middle" vulnerabilities
from anyone who has physical access to the equipment or wires.  A
grad student at the University might get root access to the DNS
server for the entire campus, and do what he wants with all their
subdomains.  This would not allow him to fake amazon.com, however.

Before getting involved in these email authentication efforts, I
spent some time studying claims that authentication was useless
because of these vulnerabilities.  I concluded that the risks of
wiretapping, etc. were not something that ordinary spammers and
phishers would accept, and we should proceed full ahead with our
authentication efforts.

I would like to make this a separate thread, if I may, because it's just as important.

The question is how easy it is to hijack a DNS record? In the case of SPF, if one could replace an SPF record with -all with one that ends with +all, this would allow a spammer to forge the domain in question and use its SPF-based reputation to send spam.

I think something like this has the potential of going unnoticed until the domain's mail starts bouncing due to a falling reputation.

A few years ago I recall there were some websites that were hijacked by poisoning some DNS caches. I don't recall the exact technical details, but some very popular websites were diverted this way. I believe what made this possible is a bug in BIND.

The incentive to hijack an obscure little website is not very high, however the incentive to hijack an obscure domain's TXT record is much higher, especially if they have a good reputation.

That version of BIND is likely still around and being widely used, and I would hazard to guess that a lot of small domains use it, without much caring.

Is this bug still something to consider, and is other DNS software immune to attacks like this? How big of a potential problem is this?

Radu.
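
One way a domain owner could watch for the tampering Radu describes (an SPF record ending in -all quietly replaced by one ending in +all), written as an added example and not code from this list: it parses constructed TXT record strings, compares them with a known-good baseline, and flags a weakened `all` qualifier or newly permitted sender mechanisms. It assumes the baseline record is known and performs no DNS lookups.

```python
"""Detect a tampered SPF policy, e.g. the 'all' qualifier flipping from -all to +all.

Added example for the spf-discuss thread; sample records below are constructed
and nothing here queries DNS.
"""

# Qualifier prefixes defined by SPF: '+' pass (the default), '-' fail,
# '~' softfail, '?' neutral.
QUALIFIERS = "+-~?"


def join_txt_strings(strings):
    """A TXT RR may be split into several <character-string>s; SPF joins them."""
    return "".join(strings)


def parse_spf(record):
    """Return a list of (qualifier, term) pairs, or None if this is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if term[0] in QUALIFIERS:
            parsed.append((term[0], term[1:].lower()))
        else:
            parsed.append(("+", term.lower()))  # no prefix means an implicit '+'
    return parsed


def all_qualifier(record):
    """Qualifier on the 'all' mechanism, or None if the record has no 'all' term."""
    for qual, mech in parse_spf(record) or []:
        if mech == "all":
            return qual
    return None


def spf_tamper_alerts(baseline, observed):
    """Compare a known-good SPF record with the one currently served; list concerns."""
    alerts = []
    base_q, obs_q = all_qualifier(baseline), all_qualifier(observed)
    # A '-all' or '~all' policy that now ends in '+all' (or lost its 'all' term)
    # lets anyone pass SPF for the domain.
    if base_q in ("-", "~") and obs_q in ("+", None):
        weakened_to = obs_q + "all" if obs_q else "no 'all' term"
        alerts.append(f"'all' qualifier weakened from {base_q}all to {weakened_to}")
    # Any newly added permitted mechanism widens who may send as the domain.
    new_terms = set(parse_spf(observed) or []) - set(parse_spf(baseline) or [])
    for qual, mech in sorted(new_terms):
        if qual == "+" and mech != "all":
            alerts.append(f"new permitted sender mechanism: +{mech}")
    return alerts
```

Run against the record fetched on a schedule, an empty list means the served policy still matches the baseline.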

