Just weeks after The Washington Post had our own run-in with the Syrian Electronic Army (SEA), the New York Times is down, and the SEA is claiming responsibility. Other sites, including Twitter, have also been attacked.
The attack worked by making changes to the Domain Name System. But how does DNS work? And why does compromising it let the SEA take over whole Web sites? Read on for details.
What is DNS?
Every computer on the Internet (more or less) is identified by a numeric address. For example, the New York Times's Web server is located at the address 22.214.171.124.
But remembering addresses like 126.96.36.199 is inconvenient. So in the 1980s, people developed the Domain Name System (DNS). It acts as a directory system, automatically translating domain names into IP addresses. DNS is why you can type www.washingtonpost.com into your browser to reach the Washington Post's Web site instead of having to use our IP address, 188.8.131.52.
So someone hacked into the New York Times's servers, right?
The attack that took down the New York Times's site likely didn't require compromising the site's servers at all. Instead, the hackers gained control of the site by changing information in the DNS database. When someone tries to go to nytimes.com, the DNS should point them to 184.108.40.206. The attack changed that entry to point elsewhere on the Internet.
You can tell this was an attack against the DNS instead of the Times's servers because through the attack it has been possible to reach the Times's Web site if you know the IP address. Try it: just type 220.127.116.11 into your browser and you'll reach the New York Times Web site.
How did they change the DNS information?
To register a domain name, Web site operators use a site called a registrar. The New York Times, Twitter and other major Web sites apparently used a registrar called Melbourne IT to register their domain names. David Ulevitch, the CEO of OpenDNS, says that the attackers appear to have compromised Melbourne IT's Web site, allowing them to change DNS records for any Melbourne IT customer.
What kind of mischief can you cause by tampering with DNS entries?
Gaining control of a site's domain is not as powerful as hacking into a site's servers. If you gained control of Times servers, you could change the contents of articles, read Times employees' old e-mails and even install malicious software on the servers. Domain hijacking doesn't let you do any of that.
But Ulevitch says that compromising a domain name can still cause serious problems. "When you hijack peoples' DNS, it's a total transfer of much of the authority that's been allocated in the identity of that organization," he argues. For example, the New York Times is "no doubt emailing confidential sources all the time. Someone could intercept that email" by changing the DNS record telling where to deliver it.
Indeed the Internet may have been lucky. The attacks appear to be little more than a publicity stunt. The attackers don't seem to have attempted more ambitious and potentially harmful attacks.
Has this happened before?
Yes, it's a fairly common tactic. For example, yesterday hackers defaced the Web site of Google Palestine, replacing the search engine with an anti-Israel, pro-Palestinian message. Google says its own servers weren't hacked. Rather, the DNS entry for google.ps was modified to point to a web server controlled by the hacker.
A couple of months ago LinkedIn suffered a similar fate.
Is there anything we can do to make the system more secure?
For years, DNS gurus have been pushing for broader adoption of DNSSEC, an encrypted version of DNS. But Ulevitch says DNSSEC wouldn't have prevented today's attacks. DNSSEC uses cryptographic signatures to prevent anyone from intercepting DNS requests and replying with forged information. But a registrar like Melbourne IT has the authority to issue new, cryptographically signed DNS records. "DNSSEC literally would do nothing for this" kind of attack, Ulevitch says.
On the other hand, Ulevitch argues that OpenDNS, which runs its own DNS servers, was able to offer automatic protection to his own customers. "We already knew the IP addresses the SEA was using," he says. As a result, when the SEA changed the nytimes.com domain to point to an SEA-controlled address, OpenDNS's servers automatically rejected the change, preventing the SEA from impersonating the New York Times to OpenDNS customers.
The Internet is a complex system, and keeping it secure will require both well-designed software and quick thinking by network administrators. When I reached Ulevitch, he said he was in a chatroom with other senior Internet figures who were helping coordinate a global response to the attacks.
Update: Melbourne IT confirms that one of its resellers was responsible for the attack. Here is the company's full comment:
The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT's systems.
The DNS records of several domain names on that reseller account were changed - including nytimes.com.
Once Melbourne IT was notified, we:
- changed the affected DNS records back to their previous values
- locked the affected records from any further changes at the .com domain name registry
- changed the reseller credentials so no further changes can be made
We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies.
We will also review additional layers of security that we can add to our reseller accounts.
For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com - some of the domain names targeted on the reseller account had these lock features active and were thus not affected.