The Syrian Electronic Army (SEA) has claimed recent attacks on the New York Times, Washington Post, Twitter and other sites. The attack worked by making changes to the Domain Name System. But how does DNS work? And why does compromising it let the SEA take over whole websites?
Q: What is DNS?
A: Every computer on the Internet (more or less) is identified by a numeric address. For example, the New York Times' Web server is located at 170.149.168.130. But remembering addresses like 170.149.168.130 is inconvenient. So in the 1980s, people developed the Domain Name System (DNS). It acts as a directory system, automatically translating domain names into IP addresses. DNS is why you can type www.washingtonpost.com into your browser to reach the website instead of having to use 208.185.109.100.
Q: So someone hacked into the New York Times's servers, right?
A: The attack that took down the New York Times' site likely didn't require compromising the site's servers at all. Instead, the hackers gained control of the site by changing information in the DNS database. When someone tries to go to nytimes.com, the DNS should point them to 170.149.168.130. The attack changed that entry to point elsewhere on the Internet. You can tell this was an attack against the DNS rather than the Times' servers because, throughout the attack, the Times' website was still reachable if you typed its IP address directly.
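The mechanism described in the two answers above (a resolver returns an IP address for a name, and a hijack simply swaps that address) can be seen in the wire format itself. The following is an added example, not code from the original article: a minimal parser for a DNS response message, plus the check a site operator would run during an incident like this one, comparing the A records a resolver hands back against the addresses the operator actually published. The response bytes are constructed in the code rather than captured from the network, and the hijacked address 192.0.2.10 (a documentation-range address) is an assumption; the article does not say where the altered record pointed.

```python
"""Minimal DNS response parser and a 'did our A records change?' check.

Added example. The messages are constructed inline with build_a_response()
so the script runs offline; a real check would send the same query over UDP
port 53 with the socket module and feed the reply to parse_response().
"""
import struct

A_TYPE = 1     # RR type A (IPv4 address)
IN_CLASS = 1   # class IN


def encode_name(name: str) -> bytes:
    """Encode 'nytimes.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, qname: str, addresses, ttl: int = 300) -> bytes:
    """Construct a DNS response carrying one A record per address (test data only)."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the name at offset 12 (the question)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, ttl, 4) + rdata
    return header + question + answers


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name in the stream ends after the pointer
            offset = pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and A records from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response message")
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A_TYPE and rclass == IN_CLASS and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def check_for_hijack(msg: bytes, expected: dict) -> list:
    """Return (name, address) pairs in the response that we never published."""
    unexpected = []
    for name, _ttl, addr in parse_response(msg)["answers"]:
        if addr not in expected.get(name, set()):
            unexpected.append((name, addr))
    return unexpected


# The address the article gives for the Times' web server.
EXPECTED = {"nytimes.com": {"170.149.168.130"}}
# Constructed responses: one normal, one pointing "elsewhere on the Internet".
NORMAL = build_a_response(0x1234, "nytimes.com", ["170.149.168.130"])
HIJACKED = build_a_response(0x1235, "nytimes.com", ["192.0.2.10"])  # assumed address

if __name__ == "__main__":
    print("normal:  ", check_for_hijack(NORMAL, EXPECTED))
    print("hijacked:", check_for_hijack(HIJACKED, EXPECTED))
```

An empty list means the resolver is still handing out an address you control; any entry means the change happened in DNS, not on your servers, which is exactly the distinction the answer above draws. In an incident the same comparison is worth running against several public resolvers, since a changed record propagates only as the old one's TTL expires.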
Q: How did they change the DNS information?
A: To register a domain name, website operators go through a company called a registrar. The Times, Twitter and other major websites use a registrar called Melbourne IT to register their domain names. David Ulevitch, the CEO of OpenDNS, says that the attackers appear to have compromised Melbourne IT's website, allowing them to change DNS records for any Melbourne IT customer. Melbourne IT confirmed that the changes were made through one of its resellers.
Q: What kind of mischief can you cause by tampering with DNS entries?