The Syrian Electronic Army (SEA) has claimed recent attacks on the New York Times, Washington Post, Twitter and other sites. The attack worked by making changes to the Domain Name System. But how does DNS work? And why does compromising it let the SEA take over whole websites?
Q: What is DNS?
A: Every computer on the Internet (more or less) is identified by a numeric address. For example, the New York Times’ Web server is located at 188.8.131.52. But remembering addresses like 184.108.40.206 is inconvenient. So in the 1980s, people developed the Domain Name System (DNS). It acts as a directory system, automatically translating domain names into IP addresses. DNS is why you can type www.washingtonpost.com into your browser to reach the website instead of having to use 220.127.116.11.
Q: So someone hacked into the New York Times’s servers, right?
A: The attack that took down the New York Times’ site likely didn’t require compromising the site’s servers at all. Instead, the hackers gained control of the site by changing information in the DNS database. When someone tries to go to nytimes.com, the DNS should point them to 18.104.22.168. The attack changed that entry to point elsewhere on the Internet. You can tell this was an attack against the DNS rather than the Times’ servers because, throughout the attack, it was still possible to reach the Times’ website if you knew the IP address.
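To make the two answers above concrete, here is an added example (not from the article, and not code from any of the organizations it names) showing the name-to-address lookup in its actual wire format and what a DNS hijack looks like to a monitor: a minimal DNS query/response encoder and decoder for A records, followed by a comparison of the answered address against a pinned baseline. The domain www.example.com, the addresses 192.0.2.10 and 198.51.100.7 (RFC 5737 documentation ranges) and the TTL are all constructed values, so the script runs offline.

```python
import struct

# Added example (not from the article): a minimal DNS wire-format encoder/decoder
# for A records, plus a baseline comparison that flags a changed answer.
# Names and addresses below are constructed (RFC 5737 documentation ranges).

TYPE_A, CLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard recursive A query: 12-byte header (RD=1, one question) + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def build_response(query: bytes, ips, ttl: int = 300) -> bytes:
    """Constructed reply: echoes the question and adds one A record per IP, using a
    compression pointer (0xC00C) back to the question name, as real servers do."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = query[12:]
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answers

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_a_records(msg: bytes):
    """Return [(name, ttl, ip)] for every IN A record in the answer section."""
    _, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records

def hijack_indicators(records, expected_ips):
    """Compare the answered A records with a pinned baseline. An address that is
    missing or unexpected is exactly what a hijacked DNS entry looks like to a
    monitor, even though the real server stays reachable by IP the whole time."""
    seen = {ip for _, _, ip in records}
    expected = set(expected_ips)
    return {"missing": sorted(expected - seen), "unexpected": sorted(seen - expected)}

if __name__ == "__main__":
    baseline = ["192.0.2.10"]                     # constructed: the site's real address
    q = build_query("www.example.com")
    normal = parse_a_records(build_response(q, ["192.0.2.10"]))
    hijacked = parse_a_records(build_response(q, ["198.51.100.7"]))
    print(hijack_indicators(normal, baseline))    # {'missing': [], 'unexpected': []}
    print(hijack_indicators(hijacked, baseline))  # {'missing': ['192.0.2.10'], 'unexpected': ['198.51.100.7']}
```

In practice the baseline would be the addresses the site operator publishes, the query would be sent to several public resolvers over UDP port 53, and the same comparison would be run for the MX records that decide where the site's e-mail is delivered.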
Q: How did they change the DNS information?
A: To register a domain name, website operators use a site called a registrar. The Times, Twitter and other major websites use a registrar called Melbourne IT to register their domain names. David Ulevitch, the CEO of OpenDNS, says that the attackers appear to have compromised Melbourne IT’s website, allowing them to change DNS records for any Melbourne IT customer. Melbourne IT confirmed that one of its resellers was responsible for the attack.
Q: What kind of mischief can you cause by tampering with DNS entries?
A: Gaining control of a site’s domain is not as powerful as hacking into a site’s servers. If you gained control of Times servers, you could change the contents of articles, read Times employees’ old e-mails and even install malicious software on the servers. Domain hijacking doesn’t let you do any of that.
But Ulevitch says that compromising a domain name can still cause serious problems. “When you hijack peoples’ DNS, it’s a total transfer of much of the authority that’s been allocated in the identity of that organization,” he said. For example, the New York Times is “no doubt e-mailing confidential sources all the time. Someone could intercept that e-mail” by changing the DNS record that says where to deliver it.
Q: Is there anything we can do to make the system more secure?
A: For years, DNS gurus have been pushing for broader adoption of DNSSEC, an encrypted version of DNS. But Ulevitch says DNSSEC wouldn’t have prevented today’s attacks. DNSSEC uses cryptographic signatures to prevent anyone from intercepting DNS requests and replying with forged information. But a registrar like Melbourne IT has the authority to issue new, cryptographically signed DNS records. “DNSSEC literally would do nothing for this” kind of attack, Ulevitch said. On the other hand, Ulevitch argues that OpenDNS, which runs its own DNS servers, was able to protect its own customers automatically.
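The following is an added toy model (not from the article, and not OpenDNS or Melbourne IT code) of why Ulevitch's point holds. It simulates the DNSSEC chain of trust with textbook RSA in place of a real DNSKEY algorithm: the parent zone holds a DS record (a hash of the child zone's public key), the child signs its record set, and a validating resolver checks both. A forged answer injected on the wire fails, because the forger cannot produce a valid signature; a change made at registrar level, where a new DS and a new key can be published together, validates cleanly. All primes, names and addresses are constructed, and the key sizes are deliberately tiny and insecure.

```python
import hashlib

# Added example (not from the article): a toy DNSSEC chain of trust.
# Textbook RSA with small hard-coded primes stands in for real DNSKEY algorithms;
# every key, name and address below is constructed for illustration only.

def make_key(p: int, q: int, e: int = 65537):
    """Textbook RSA key: public (n, e), private d. Toy sizes, not for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def rrset_bytes(name: str, rtype: str, values) -> bytes:
    """Canonical form of a record set: this is what an RRSIG actually covers."""
    return f"{name.lower()} {rtype} {' '.join(sorted(values))}".encode()

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data: bytes) -> int:
    """RRSIG stand-in: signature over the canonical RRset with the zone's private key."""
    return pow(digest(data, key["n"]), key["d"], key["n"])

def ds_record(key) -> str:
    """DS stand-in: the parent zone publishes a hash of the child's public key.
    Who gets to put this record in the parent? The registrar, on the domain owner's behalf."""
    return hashlib.sha256(f"{key['n']}:{key['e']}".encode()).hexdigest()

def validate(parent_ds: str, zone_key, name: str, rtype: str, values, sig: int) -> bool:
    """What a validating resolver checks: (1) the parent's DS vouches for this key,
    (2) the key's signature over the RRset verifies. It checks nothing else."""
    if ds_record(zone_key) != parent_ds:
        return False
    expected = digest(rrset_bytes(name, rtype, values), zone_key["n"])
    return pow(sig, zone_key["e"], zone_key["n"]) == expected

# The site's genuine zone key and the DS the registrar published at the parent.
SITE_KEY = make_key(104729, 1299709)
PARENT_DS = ds_record(SITE_KEY)
REAL_A = ["192.0.2.10"]                      # constructed: the site's real address
REAL_SIG = sign(SITE_KEY, rrset_bytes("www.example.com", "A", REAL_A))

def genuine_answer() -> bool:
    return validate(PARENT_DS, SITE_KEY, "www.example.com", "A", REAL_A, REAL_SIG)

def on_path_forgery() -> bool:
    """Rewriting the answer in transit changes the address but cannot produce a
    matching signature, so the resolver rejects it. This is what DNSSEC is for."""
    return validate(PARENT_DS, SITE_KEY, "www.example.com", "A", ["198.51.100.7"], REAL_SIG)

def registrar_level_change() -> bool:
    """Whoever controls the registrar account can publish a DS for a new key at the
    parent and sign a new record set with that key. The chain of trust is intact,
    so the resolver accepts it. This is the gap Ulevitch describes."""
    new_key = make_key(15485863, 65537)
    new_ds = ds_record(new_key)              # replaces PARENT_DS at the parent zone
    new_a = ["198.51.100.7"]
    new_sig = sign(new_key, rrset_bytes("www.example.com", "A", new_a))
    return validate(new_ds, new_key, "www.example.com", "A", new_a, new_sig)

if __name__ == "__main__":
    print(genuine_answer(), on_path_forgery(), registrar_level_change())  # True False True
```

The model leaves out real DNSSEC details (key tags, RRSIG validity windows, the root trust anchor and the separate KSK/ZSK roles) because none of them change the outcome: validation answers "was this signed by the key the parent points to?", and the registrar is the party that decides what the parent points to.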