Given all the hoopla surrounding yesterday’s Twitter outage, and the apparent source of the outage being the result of nothing more than some maliciously modified DNS resource records enabled by a simple password compromise of Twitter’s DNS administrator account with their DNS services provider, Dyn Inc., I’d like to again take this opportunity to share this public service announcement:
Your DNS is an asset folks, you best treat it like one!
I find it perplexing that such a huge amount of attention is garnered by things like DNS cache poisoning, DNS SEC deployment, and related operational DNS infrastructure insecurities (recursive servers, authoritative servers, etc..), while the simple stuff, the low hanging fruit, like administrative access account authentication mechanisms with registrant<>registrar or registrant<>DNS provider/internal systems remain insipid and neglected. Given, the sex appeal isn’t as apparent when considering these sorts of mundane things proactively, but contrast that with an embarrassing public dissection ofrincident postmortem that results from the exploitation of one of these trivial attack paths, and your perspective may sway a bit.
Millions (billions…) are invested in content serving infrastructure, network infrastructure, interconnections and bandwidth, DDoS attack detection and mitigation systems, intrusion detection and prevention systems and firewall abound, even DNS network infrastructure itself, yet the benefits of dropping anything more than $4.99/year on a domain name – an asset for which your entire Internet presence is wholly reliant, are oft overlooked. Furthermore, evaluating the associated policies and processes employed by registrars from which you obtain high-value domains, or ensuring some multi-factor authentication mechanism for registrar administrative account access, or DNS hosting providers administrative access (if employed as with Twitter), or internal authoritative DNS elements associated with critical properties or systems, these things are apparently rarely considered when developing risk profiles or performing attack surface analysis. Given that meat computers (registrants) are most always the weakest link, and static passwords for DNS provisioning elements are ripe for compromise, or if your registrar is hacked you’re fully exposed, you’d think this would be one of the initial components folks consider when evaluating operational security posture.
I suspect most organizations spend far more in a single day (at a single location) on coffee filters or toilet paper than they do annually on DNS provisioning function security, yet they throw millions at tape backups, site security, and all those sexier components, when what most matters [first] to keep their Internet presence functioning – the availability and integrity of that DNS provisioning data, is sorely neglected.
In August the Security and Stability Advisory Council published a report titled Measures to Protect Domain Registration Services Against Exploitation or Misuse, SAC040, available at the SSAC Reports and Advisories repository — I’ve been intending to plug this report here for a while. In preparing the report we studied several high profile incidents, as well as techniques that some registrars employ to help deal with these sorts of threats. In the report we provide several recommendations organizations should evaluate for applicability in their operating environment, mostly pertaining to registrant-registrar interactions, possible market opportunities for registrars to offer these sorts of services, and although not alluded to in the “Executive Summary”, some discussion exists regarding safeguarding administrative account access with DNS hosting providers, or internal authoritative DNS elements, as opposed to just on the registrar side.
If you’ve got a domain name or Internet presence you consider even remotely valuable, and you’re in some way responsible for your organizations availability and information security posture, you might well consider putting this report in your holiday bedside reading queue; Your DNS is an asset….