The Worst DNS Attacks

The Domain Name System (DNS) vies with the Border Gateway Protocol (BGP) for the title of “Achilles heel of the internet.” If you want to take down large swathes of the internet in a single event, DNS and/or BGP are how you’d go about it. Over the past few decades, there have been innumerable security incidents involving both technologies. In this blog, I’m going to focus on a few standout DNS-related events.

The internet isn’t a safe place, largely due to the fundamental technologies allowing it to function. The internet was never designed to be secure; it was designed to allow a carefully vetted group of academics and military institutions to exchange data. It was a simpler time, but we’re all paying for those design choices today.

DNS is a classic example of a technology evolving a great deal to remain relevant. Indeed, after more than a decade of concerted effort to secure the DNS, there are still more categories of attacks working in the real world than can be reasonably discussed in a single blog.

A fully modern, fully up-to-date DNS server with all of the security features developed so far can withstand many of the known attack types, but not all. Simply keeping DNS servers online and functional against the torrent of abuse the internet throws at them requires the deployment of numerous technologies not directly related to DNS to mitigate the flood of attacks. DNS servers not implementing all of the latest technologies are simply catastrophes waiting to happen.

Consider the recent “2019 Global DNS Threat Report” conducted by IDC. In it, IDC states that 82% of companies have faced a DNS attack over the past year. Despite how common they are, DNS attacks cannot be dismissed as simply “a cost of doing business.” For some companies, a DNS attack can cost them the entire business.

The canonical example of this is Blue Security. Blue Security was a controversial anti-spam provider hit by a Distributed Denial of Service (DDoS) attack in May 2006. Spammers were upset by the company’s approach to preventing spam and launched a DDoS against Blue Security’s DNS servers. Blue Security couldn’t cope with the resulting attack, and less than two weeks later it was out of business.

Securing any infrastructure is inherently an iterative process. Hackers examine the infrastructure looking for weak points, attack them, and are eventually repelled. Technologists then design defenses against similar attacks, and the process repeats anew.

DNS, being a technology designed without security in mind in the first place, has had a bit of evolving to do. If the Blue Security incident was a wake-up call, the Kaminsky Bug of 2008 was a nuclear warning siren.

Fortunately for all of us, the Kaminsky bug was more akin to the Y2K bug than anything else. It was potentially catastrophic in scope, but the nerderati of the day caught it in time to mitigate it before everything went pear-shaped. We haven’t always been so lucky.