Last October's denial-of-service attacks against the Domain Name System (DNS) were only the opening salvo in what will inevitably be far more sophisticated attacks against the Internet's core addressing system, according to Paul Mockapetris, one of the designers of DNS. With the 20th anniversary of DNS coming in April, Mockapetris this week talked about some of the new dangers facing the DNS infrastructure and measures that are being taken to better protect against them.
Was (cybersecurity czar) Richard Clarke right when he identified the DNS and Border Gate Protocols (BGP) as the two major vulnerabilities in the Internet infrastructure? Yeah. I refer to them as the traffic signals and the street signs of the Internet. If you are able to subvert (them), you can bring the Internet to its knees.
Is the DNS infrastructure secure enough today for commercial-grade applications? The initial system was good enough for host addressing and maybe for mail routing. But in the future, if you want to be able to handle transactions for everybody and you want to be able to put things that involve real money over the Internet, you'd like to be able to have something that is a little bit more secure.
How will future attacks be different from those we have seen directed at DNS? Attacks in the future will be directed at things that are not as easily defended as the root servers (attacked in October). I think attacks of the future are going to come against things like dot-com (name servers), which have 30 million entries, so you are not going to be able to replicate it easily. I think the next level of hacker attacks is forgery or identity theft. If you take a look at the way people dealt with the (October) attacks, they just filtered out ICMP (Internet Control Message Protocol) packets.
What if somebody did a DNS attack with just DNS queries? You can't filter that out. We recently found out that just like e-mail can carry (lethal) attachments, there is DNS data that can actually cause applications to crash if they reference it. There is a bunch of these things coming along.
So what's being done about it? The DNS stack is an add-on to the original DNS that the IETF (Internet Engineering Task Force) is working on. Basically what it does is put a digital signature on the information out of the DNS and verify if that information is (legitimate).
Why is this important? Because right now there are a lot of opportunities for people to basically put forged data into the DNS, and (digital signatures) will eliminate that possibility.
What can companies do? You probably want to make sure that you have hardened the way that you get access to that DNS information, typically within your intranet and maybe with your external partners. (Also) what you can actually do is get a copy of the root server data and sort of remove your reliance on root server operators. There are probably 200 million names in the DNS right now, and there are probably only a few thousand of them that you really desperately need. So you can take steps to make sure that data is available (by copying it).
Is the whole cyberterrorism thing overblown? I think most corporations wonder if there is anything they can really do about it or what the real day-to-day problems are going to be out of the hacker community. People are either attacking them for financial, political or just for random vandalisation. That is the thing that is really visible to them. A lot of people leave the cyberwarfare to the government.