DNSSEC: Security for Essential Network Services
DNS has been a major security hole since it was first deployed, but until recently, not much had been done to patch the network service's security vulnerabilities. Beth Cohen reveals the largest DNS security holes, explores how you can protect your network from them, and introduces the IETF's new DNSSEC standard, designed to prevent potential future catastrophic attacks.
In July 1997, Eugene Kashpureff, founder of AlterNIC, took advantage of an inherent security vulnerability in DNS (Domain Name Service) and carried out the first DNS spoofing attack. "It's all done with standard MIME code, right out of the box. The only thing the bot does is make a couple of interesting small queries on a public name server," Kashpureff quipped.
Five years later, the security issues have become much more visible -- and problematic. On October 21, 2002, in an attempt to bring down the Internet, a group of hackers from South Korea and the U.S. flooded the thirteen domain name root servers using a common DDoS (Distributed Denial of Service) attack. Seven of the thirteen servers completely failed to respond to legitimate DNS requests, and two failed intermittently. And just last month, another DNS spoofing attack rerouted traffic intended for the Al Jazeera website to an American pro-Iraqi war site instead.
Fortunately, in all cases, the top-level server administrators were able to successfully counter the attacks, but all agree that they might not be so lucky next time. Clearly the DNS infrastructure has major unaddressed vulnerabilities. What is the Internet community doing to improve DNS security? It is not sitting around idly: the IETF (Internet Engineering Task Force) is drafting a new standard, DNSSEC (DNS Security Extensions), to combat the threats by providing end-to-end authenticity and integrity.
How can DNSSEC be implemented to prevent potential future catastrophic attacks, and why has it not been widely deployed by the Internet community to date? What are the largest DNS security holes, and how can you protect your network? Let's take a look at the answers to these and other burning DNSSEC questions.