ICANN Situation Awareness 2009-07-13 Potential attack against ccTLD Registration Systems
Towards the end of April, ICANN security staff were made aware that DNS configuration information for certain Pacific and African domains had been subjected to hijacking attacks, and attackers have since targeted ccTLD operators directly. In the reported incidents, the attackers obtained the account credentials (logins and passwords) for a number of high profile domain names by using data insertion exploits (primarily SQL injection) to gain privileged access to the registrars' web applications or to the underlying server operating systems. Reports further indicate that the attackers then used those credentials to modify the DNS configuration of the domains and re-delegate the names to web sites hosting unauthorized content (political agendas or personal messages).
This trend is worrisome. We encourage the DNS community to monitor registration account login attempts for suspicious activity, stay informed, share information with other TLD operators, and consider whether it is appropriate to adopt additional measures to protect against unauthorized access to registration accounts.
What's at stake?
Attackers appear focused on high profile domains. Beyond the costs of response that registration service providers or TLD operators will have to bear, the organizations whose domains are hijacked will incur monetary losses, lost business opportunities, embarrassment and harm to their brands. The DNS community at large will also suffer second order effects, including loss of user confidence in the DNS infrastructure and registration services, and reputational harm to TLD operators. Moreover, even where an attack is discovered and resolved quickly, the incorrect DNS information can persist for a considerable time: resolvers keep cached answers until their TTLs expire, and secondary name servers keep serving the altered zone until the next zone transfer.
Why am I reading this?
Registration services have become attractive targets for hacker groups, who share exploit information quickly. Unauthorized access to a registration account has numerous benefits to an attacker beyond web defacement: once the attacker controls a domain's DNS configuration, they can use seemingly legitimate name resolution service to support fast flux networks and botnets, or redirect any critical business application of the targeted organization (mail, voice, intranet) to malicious or impersonation sites.
What can you do?
The security staff at ICANN will continue to share information on breaches or compromises brought to our attention. Open collaboration and incident information sharing among registry and registrar operators may help prevent similar incidents from occurring in ccTLDs that have not yet been targeted.
We ask you to consider the following practices to reduce or mitigate the current hijacking threat.
- Consider whether making an Incident Response point of contact available 24x7 to your customers, to receive incident reports, could provide opportunities for early detection and remediation.
- If you have not already made Incident Response point of contact details available to your customers, consider doing so now.
- Consider how registries might identify and share best practices, e.g., by forming or engaging in some form of social network where registries can exchange ideas and build trust relationships among peers.
- Treat the frequency and diversity of attacks against other ccTLDs as an early warning and an opportunity to review your current methods of protecting registration account logins.
- Educate your customers. Make them aware of the threat and suggest that they include some periodic form of domain name and DNS monitoring (for example, checking that the delegation and name server records published for their domains still match what they registered) in their network administration, risk assessment and disaster recovery planning. (Consider whether this might be an enhanced service opportunity for your operation.)
- If you do not already include web applications in your security auditing, consider doing so now. Many best practices and analysis tools for securing web applications are available, and several focus specifically on methods to assess and mitigate data insertion exploits such as SQL injection. ICANN security staff are available to share information about these with any TLD operator or registrar who is interested.
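The following Python example is added to this advisory for illustration and is not ICANN's code nor that of any registrar. It shows the kind of data insertion weakness described at the top of this advisory (a login check that splices user input into SQL text), the parameterized form that closes it, and a crude heuristic for the login-attempt monitoring recommended above. The account table, domain names and log format are constructed for the example only; the log format assumed is "<ip> login user=<username> result=<ok|fail>".

```python
"""Illustrative example, not code from ICANN or from any registrar.

Shows (1) a registrar-style login check built by string concatenation,
which lets an attacker retrieve the domains behind an account without the
password, (2) the same check with bound parameters, and (3) a heuristic
for flagging injection probes in a login log. All data is constructed.
"""
import re
import sqlite3


def make_db():
    """In-memory stand-in for a registrar account table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, domain TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "example.tld"),
            ("bob", "hunter2", "registry.example.tld"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Login check the way the attacked applications did it: user input is
    spliced into the SQL text, so quotes and comment markers rewrite the
    query. Returns the domains the caller is 'authorized' to manage."""
    query = (
        "SELECT domain FROM accounts WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input is always data, never SQL,
    so a quote or '--' in the input only fails to match any row."""
    query = "SELECT domain FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Heuristic for monitoring login attempts. It flags only obvious probes
# (quotes, comment markers, OR/UNION clauses) and is not a substitute for
# fixing the query itself.
_INJECTION_HINTS = re.compile(
    r"('|--|;|/\*|\bor\b\s+['\"]?\w+['\"]?\s*=|\bunion\b\s+\bselect\b)",
    re.IGNORECASE,
)

# Assumed (constructed) log format: '<ip> login user=<username> result=<ok|fail>'
_LOG_LINE = re.compile(r"(\S+) login user=(.*) result=(ok|fail)$")

SAMPLE_LOG = [  # constructed sample lines, not real registrar logs
    "203.0.113.5 login user=alice result=ok",
    "198.51.100.7 login user=alice' -- result=ok",
    "203.0.113.5 login user=bob result=fail",
    "198.51.100.7 login user=' OR '1'='1 result=ok",
]


def suspicious_logins(log_lines):
    """Return (source_ip, username) for each line whose username field
    looks like an injection probe."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if m and _INJECTION_HINTS.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    db = make_db()
    # Comment injection: the password clause is never evaluated.
    print(login_vulnerable(db, "alice' --", "wrong"))
    # Tautology in the password field: every account's domain comes back.
    print(login_vulnerable(db, "bob", "' OR '1'='1"))
    # The parameterized check rejects both.
    print(login_parameterized(db, "alice' --", "wrong"))
    print(login_parameterized(db, "bob", "' OR '1'='1"))
    print(suspicious_logins(SAMPLE_LOG))
```

In the vulnerable form, the input "alice' --" turns the WHERE clause into username = 'alice' followed by a comment, so the password check disappears; a tautology such as ' OR '1'='1 in the password field makes the predicate true for every row. The parameterized query returns nothing for both inputs. The log heuristic will also flag legitimate usernames containing an apostrophe, which is why it belongs in monitoring rather than in the access decision.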
For more information
ICANN's Security and Stability Advisory Committee (SSAC) is planning to release SAC040, "Measures to Protect Domain Registration Services from Exploitation and Misuse", on or about 21 July 2009.
We encourage you to share information (in confidence) regarding suspicious activities with ICANN security staff, and we ask you to alert your colleagues (again, in confidence) if you suspect or are aware of an ongoing attack.