
ICANN Situation Awareness 2009-07-13 Potential attack against ccTLD Registration Systems

Towards the end of April, security staff were made aware that DNS configuration information for certain Pacific and African domains had been subjected to hijacking attacks. Attackers have recently targeted ccTLD operators. In the reported incidents, the attackers obtained the user account credentials (logins and passwords) for a number of high profile domain names by using data insertion exploits (primarily SQL injection) that gave them privileged access to the registrars' applications or server operating systems. Reports further indicate the attackers then used those credentials to modify the DNS configuration of the domains and re-delegate the names to web sites hosting unauthorized content (political agendas or personal messages).

This trend is worrisome, and we encourage the DNS community to monitor registration account login attempts for suspicious activity, stay informed, share information with other TLD operators, and consider whether it is appropriate to adopt additional measures to protect registration accounts against unauthorized access.
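The monitoring this note asks for can be expressed as a small detection rule set. The following is an added example written for this page, not ICANN's or any registrar's own code: it runs over a constructed audit log for a hypothetical registrar account system (the account names, IP addresses, event names and the per-account baseline of known source IPs are all assumptions) and raises alerts for a burst of failed logins from one source, a successful login from a source that just produced such a burst, and a name server change made by a session that is either suspect or from an address the account has never used.

```python
"""Detection rules over constructed registrar account audit-log lines.

Added example for this advisory; the log format, event names, accounts,
addresses and the known-IP baseline are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp, event, account, source IP, detail.
SAMPLE_LOG = """\
2009-07-10T01:00:02Z LOGIN_FAIL example-corp 203.0.113.7 bad_password
2009-07-10T01:00:05Z LOGIN_FAIL example-corp 203.0.113.7 bad_password
2009-07-10T01:00:09Z LOGIN_FAIL example-corp 203.0.113.7 bad_password
2009-07-10T01:00:12Z LOGIN_FAIL example-corp 203.0.113.7 bad_password
2009-07-10T01:00:15Z LOGIN_FAIL example-corp 203.0.113.7 bad_password
2009-07-10T01:00:20Z LOGIN_OK example-corp 203.0.113.7 -
2009-07-10T01:03:41Z NS_CHANGE example-corp 203.0.113.7 example.tld:ns1.example.tld->ns1.unknown-host.example
2009-07-10T09:15:00Z LOGIN_OK bank-example 198.51.100.20 -
2009-07-10T09:16:10Z NS_CHANGE bank-example 198.51.100.20 bank.tld:ns1.bank.tld->ns2.bank.tld
2009-07-10T11:00:00Z LOGIN_FAIL other-corp 192.0.2.9 bad_password
2009-07-10T11:30:00Z LOGIN_OK other-corp 192.0.2.9 -
"""

# Constructed baseline: source addresses each account has used before.
KNOWN_IPS = {"bank-example": {"198.51.100.20"}, "other-corp": {"192.0.2.9"}}

FAIL_THRESHOLD = 5            # failures from one IP inside WINDOW trip a burst alert
WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one log line into (timestamp, event, account, ip, detail)."""
    ts, event, account, ip, detail = line.split(" ", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, ip, detail


def analyse(log_text, known_ips, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert tuples in the order the triggering events occur."""
    alerts = []
    fails = defaultdict(list)   # ip -> timestamps of failures inside the window
    suspect_ips = set()         # ips that crossed the failure threshold
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, account, ip, detail = parse(raw)
        trusted = ip in known_ips.get(account, set())
        if event == "LOGIN_FAIL":
            recent = [t for t in fails[ip] if ts - t <= window]
            recent.append(ts)
            fails[ip] = recent
            if len(recent) >= fail_threshold and ip not in suspect_ips:
                suspect_ips.add(ip)
                alerts.append(("FAIL_BURST", ip, account))
        elif event == "LOGIN_OK":
            if ip in suspect_ips:
                # A success right after a burst suggests a guessed or stolen password.
                alerts.append(("LOGIN_AFTER_BURST", ip, account))
            elif not trusted:
                alerts.append(("LOGIN_NEW_IP", ip, account))
        elif event == "NS_CHANGE":
            # Re-delegation is the attacker's goal; flag it unless the session
            # comes from an address the account is known to use and is clean.
            if ip in suspect_ips or not trusted:
                alerts.append(("NS_CHANGE_UNTRUSTED", ip, account, detail))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, KNOWN_IPS):
        print(*alert)
```

On the constructed log this produces three alerts for the `example-corp` account (the failure burst, the login that follows it, and the name server change made by that session) and none for the two accounts whose activity comes from their known addresses. In a real deployment the baseline would be built from the account's own history and the alerts fed to the incident response contact the list below asks for.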

What's at stake?

Attackers appear focused on high profile domains. Beyond the response costs that registration service providers or TLD operators will have to bear, the organizations affected by the attacks will also incur monetary losses, loss of business opportunities, embarrassment and harm to brands. The DNS community at large will also suffer several second order effects, including the loss of user confidence in the DNS infrastructure and registration services, and reputational harm to TLD operators. Moreover, even where the attack is discovered and resolved quickly, the incorrect DNS information can continue to propagate for a considerable time because of replication and TTL lifetimes.

Why am I reading this?

Registration services have become attractive targets for hacker groups, who share exploit information quickly. Unauthorized access to registration accounts offers attackers numerous benefits beyond web defacements: once an attacker controls a domain's DNS configuration, he can use seemingly legitimate name resolution service to support fast flux networks and botnets, or he can redirect any critical business application of the targeted organization (mail, voice, intranet) to malicious or impersonation sites.

What can you do?

The security staff at ICANN will continue to share information on breaches or compromises brought to our attention. Open collaboration and incident information sharing among registry and registrar operators may help prevent similar incidents from occurring in ccTLDs that have not yet been targeted.

We'd like to ask you to consider the following practices to reduce or mitigate the current hijacking threat.

  • Consider whether making an Incident Response point of contact available 24x7 to your customers to receive incident reports could provide opportunities for early detection and remediation.
  • If you have not already made Incident Response point of contact details available to your customers, consider doing so now.
  • Consider how registries might identify and share best practices, e.g., forming or engaging in some form of social networking where registries can exchange ideas and build trust relationships among peers.
  • Treat the frequency and diversity of attacks against other ccTLDs as an early warning and an opportunity to review your current methods of protecting registration account logins.
  • Educate your customers. Make them aware of the threat and suggest that they include some periodic form of domain name and DNS monitoring in their network administration, as well as risk assessment and disaster recovery planning. (Consider whether this might be an enhanced service opportunity for your operation.)
  • If you do not already include web applications in your security auditing, consider doing so now. Many best practices and analysis tools for securing web applications are available, and several focus specifically on methods to assess and mitigate data insertion exploits. ICANN security staff are available to share information about these with any TLD operator or registrar who is interested.
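The data insertion exploits the last item refers to come down to user input being spliced into the text of a query. The following is an added example, not code from ICANN or from any registrar: a toy account table in an in-memory SQLite database (the account name and password are constructed), a login routine written the vulnerable way, and the same routine with the account name bound as a query parameter. Feeding the vulnerable routine an account name containing a quote and an SQL comment marker shows the password check being cut out of the query; the parameterized routine treats the same string as nothing more than a non-existent account name.

```python
"""Vulnerable and hardened login lookups side by side (added example).

Schema, account name and password are constructed for the demonstration.
Passwords are stored as an unsalted SHA-256 digest to keep the query
comparison short; a production system would use a per-account salted,
slow hash, but that is independent of the query-construction defect shown.
"""
import hashlib
import hmac
import sqlite3


def build_db():
    """Create an in-memory accounts table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute(
        "INSERT INTO accounts VALUES (?, ?)",
        ("example-corp", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, account, password):
    """Defective: the account name is pasted into the SQL text.

    A quote character in the input ends the string literal early, and
    whatever follows becomes part of the query's structure.
    """
    digest = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT account FROM accounts WHERE account = '%s' "
           "AND password_hash = '%s'" % (account, digest))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, account, password):
    """Corrected: the account name travels as a bound parameter.

    The database only ever compares it as data, so no input can change
    the query's shape; the hash comparison is then done in constant time.
    """
    row = conn.execute(
        "SELECT password_hash FROM accounts WHERE account = ?", (account,)
    ).fetchone()
    if row is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    return account if hmac.compare_digest(row[0], digest) else None


if __name__ == "__main__":
    db = build_db()
    probe = "example-corp' --"   # quote closes the literal, -- comments out the rest
    print("vulnerable:", login_vulnerable(db, probe, "not the password"))
    print("hardened:  ", login_hardened(db, probe, "not the password"))
```

Run stand-alone, the vulnerable routine returns `example-corp` for the probe string without the password ever being checked, while the hardened one returns `None`. Auditing a web application for this class of defect means finding every place a query is assembled by string formatting and replacing it with bound parameters, which is what the analysis tools mentioned above look for.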

For more information

ICANN's Security and Stability Advisory Committee (SSAC) is planning to release SAC040, "Measures to Protect Domain Registration Services from Exploitation and Misuse", approximately 21 July 2009.

We encourage you to share information (in confidence) regarding suspicious activities with ICANN security staff, and we ask you to alert your colleagues (again, in confidence) if you suspect or are aware of an ongoing attack.
