DNS Flaw has Users Seeing Ghosts

Tuesday, February 21, 2012 @ 03:02 PM gHale

By manipulating the web’s Domain Name System (DNS), malicious domains may be able to stay up and running for a longer period of time, even after they end up revoked.

A weakness in the cache update logic of widely used DNS servers creates the potential to establish ghost domains, according to a recent study by a team of researchers from universities in China and the U.S.


These DNS servers are critical to the running of the Internet. They convert human-readable domain names into the numeric addresses that networking equipment understands, so that page requests are routed to the right websites.

In their paper “Ghost Domain Names: Revoked Yet Still Resolvable,” researchers – Kang Li of the University of Georgia, Jun Li of the University of Oregon Carlos III University of Madrid, and Jian Jiang, Jinjin Liang, Haixin Duan and Jianping Wu, all of Tsinghua University – explain:

“Attackers often use domain names for various malicious purposes such as phishing, botnet command and control, and malware propagation. An obvious strategy for preventing these activities is deleting the malicious domain from the upper level DNS servers.

“In this paper, we show that this is insufficient. We demonstrate a vulnerability affecting the large majority of popular DNS implementations which allows a malicious domain name to stay resolvable long after it has been removed from the upper level servers.

“Our experiments with 19,045 open DNS servers show that even one week after a domain name has been revoked and its TTL expired, more than 70 percent of the servers will still resolve it.”

The researchers found DNS server implementations by BIND, Microsoft, Google and OpenDNS are all potentially vulnerable. There is evidence the vulnerability has already been exploited, and the prevalence of the flaw makes the possibility of attack far from theoretical.

“This vulnerability can potentially allow a botnet to continuously use malicious domains which have been identified and removed from the domain registry,” the team said.

The team offered different approaches to mitigate the problem. Independent experts in the field agree that ghost domains pose a risk but disagree about how much danger it poses or how difficult it might be to fix.

Jack Koziol, a director at the InfoSec Institute, a Chicago-based security company, said cyber criminals may use ghost domain DNSes to keep malicious domains alive and resolvable for much longer, perhaps even indefinitely. On top of that Koziol thinks the flaw might be difficult to fix.

“Now, with this ghost domain exploit, malware authors can keep their domains alive indefinitely, because of the vulnerability described, deleting domains at the TLD level isn’t going to work any longer. It vastly complicates the effort behind getting bad domains off the Internet.”

Cricket Liu, a DNS book author, and vice-president of architecture at DNS appliance firm Infoblox, agreed that ghost domains posed a potential threat, but said this issue was neither particularly severe nor hard to prevent.

“It is a threat, but I think it’s worth pointing out that it’s relatively simple to prevent,” Liu explained. “By only restricting recursive queries to authorized clients with an ACL (Access Control List), you’d prevent malicious folks on the Internet from refreshing their delegation.”
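To make the two points above concrete, here is an added toy model of a recursive resolver's delegation cache (example code written for this page, not code from the researchers, the article, or any DNS implementation). It shows how a delegation refreshed from the child zone can keep a revoked domain resolvable, and two mitigations: a cache update rule that never lets a refreshed delegation outlive the TTL the parent originally gave, and the ACL restriction Liu describes. The domain `bad.example`, the client labels, and the timings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Delegation:
    nameserver: str
    expires_at: int     # when the cached NS set expires (absolute seconds)
    parent_expiry: int  # expiry implied by the TTL the TLD server originally gave

class Resolver:
    def __init__(self, cap_refresh_ttl, allowed_clients=None):
        self.cap_refresh_ttl = cap_refresh_ttl  # hardened cache update logic
        self.allowed_clients = allowed_clients  # None models an open resolver
        self.cache = {}

    def learn_from_parent(self, domain, ns, ttl, now):
        # Delegation fetched from the TLD server; the parent's TTL is recorded.
        self.cache[domain] = Delegation(ns, now + ttl, now + ttl)

    def refresh_from_child(self, domain, ns, ttl, now, client):
        # A query for a name under `domain` reaches the child's own servers,
        # whose answer carries an NS set with a fresh TTL. Vulnerable servers
        # overwrite the cached delegation and restart its timer.
        if self.allowed_clients is not None and client not in self.allowed_clients:
            return False  # recursion refused (ACL): this client refreshes nothing
        d = self.cache.get(domain)
        if d is None or now >= d.expires_at:
            return False  # not cached or expired: the parent must be asked again
        new_expiry = now + ttl
        if self.cap_refresh_ttl:
            new_expiry = min(new_expiry, d.parent_expiry)  # never outlive the parent's TTL
        self.cache[domain] = Delegation(ns, new_expiry, d.parent_expiry)
        return True

    def resolvable(self, domain, now):
        d = self.cache.get(domain)
        return d is not None and now < d.expires_at

def simulate(cap_refresh_ttl, allowed_clients=None, client="internet-host"):
    """Constructed scenario: the TLD delegates bad.example with a one-day TTL,
    then the registry revokes it. The child keeps re-advertising itself every
    12 hours with a one-day TTL. Returns whether the resolver still answers
    for bad.example one week (604800 s) later."""
    r = Resolver(cap_refresh_ttl, allowed_clients)
    r.learn_from_parent("bad.example", "ns.bad.example", 86400, now=0)
    for t in range(43200, 604800, 43200):
        r.refresh_from_child("bad.example", "ns.bad.example", 86400, t, client)
    return r.resolvable("bad.example", 604800)
```

With the vulnerable update rule and an open resolver the domain still resolves a week later; capping the refreshed TTL at the parent's expiry, or refusing recursion to clients outside the ACL, makes it drop out of the cache when the parent's original TTL runs out.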
