Big holes in net's heart revealed

[mulligan]

Quote:

Simple attacks could let malicious hackers take over more than one-third of the net's sites, reveals research. The finding was uncovered by researchers who analysed how the net's addressing system works.
They also found that if the simple attacks were combined with so-called denial-of-service attacks, 85% of the net becomes vulnerable to take-over.
The researchers recommended big changes to the net's addressing system to tackle the vulnerability at its heart.
Site seizing
When you visit a website, such as news.bbc.co.uk, your computer often asks one of the net's address books, or domain name servers, for information about where that site resides.
But the number of computers that have to be consulted to find the computers where that site is located often makes sites vulnerable to attack by vandals and criminals, found Assistant Professor Emin Gun Sirer and Venugopalan Ramasubramanian from the Department of Computer Science at Cornell University.
Professor Sirer told the BBC News website that, on average, 46 computers holding different information about the components of net addresses are consulted to find out where each dotcom site is actually hosted.
But, he said, this chain of dependencies between the computers that look after the different parts of net addresses creates all kinds of vulnerabilities that clever hackers could easily exploit.
"The growth of the internet has caused these dependencies to emerge," said Professor Sirer. "Instead of having to compromise one you can compromise any one of the three dozen."
All the information gathered and analysed by the researchers has to be publicly available to keep the net's addressing system working. The research analysed information about almost 600,000 computers.
The research also revealed that 17% of the servers that host the net's address books are vulnerable to attack via widely known exploits.



"Because of these dependencies about one-third of the net's names are trivially compromisable by script kiddies," he said.
One site vulnerable in this way was run by the FBI, said Professor. Sirer. Although the five computers that act as the first reference point for the fbi.gov domain were secure, one of the five that connect to these has yet to install a patch for a well-known bug.
That computer was fixed after the Cornell team reported its findings to the FBI, but hundreds of thousands of sites suffer from similar problems.
The most vulnerable net domain found by the survey was that of the Roman Catholic Church in the Ukraine.
Criminals such as phishing gangs would be interested in re-directing traffic from well-known sites so they can grab key login and personal details that would help them de-fraud web users.
If attacks via known exploits were combined with other attacks, said Professor Sirer, malicious hackers could open up enormous amounts of the net to attack.
For instance, he said, hackers could use denial-of-service attacks to overwhelm the net address books that are secure. This could leave users' computers with no choice but to look up website names via compromised servers.
By combining well-known attacks and denial-of-service attacks, 85% of the net's domains become vulnerable to take over, revealed the analysis.
He said: "They could already be doing it and we would hardly ever know."
The research had exposed a big problem that net administrators need to tackle, said Professor Sirer. Thought should be given to using a secure version of the system used to pass around information about net addresses.
"The domain name system has been incredibly successful so far but it is showing its age," he said. "We need to re-think the entire naming infrastructure of the internet."
The hierarchical structure of the net's address books could be replaced with a more resilient system, he said, that uses a peer-to-peer type structure that would be harder to compromise.

http://news.bbc.co.uk/2/hi/technology/4954208.stm

[yanni]

"The domain name system has been incredibly successful so far but it is showing its age," he said. "We need to re-think the entire naming infrastructure of the internet."


Uh-oh!

[Giant]

Quote:

Originally Posted by yanni

"The domain name system has been incredibly successful so far but it is showing its age," he said. "We need to re-think the entire naming infrastructure of the internet."

Uh-oh!

"naming infrastructure" can be changed, and it won't change the nature of names. Humans still need names, and names are still representing IPs. Even Puny Code is changed to Horse Code, the names we hold are still valid.

[Rubber Duck]

Quote:

Originally Posted by Giant

"naming infrastructure" can be changed, and it won't change the nature of names. Humans still need names, and names are still representing IPs. Even Puny Code is changed to Horse Code, the names we hold are still valid.

Got it in one. Sites need to be identified by computers using IPs. Domain Names are simply Aliases, but they are essential. If you change the IP address for techinical reasons you simply cannot update millions of users each time, so even if human could remember the IP address due to some chip implanted in their skull they would still need domain names. The only way to rationalise the domain name system would be to kick the extensions into touch as has been suggest by many of the intellectually challenged at DNFs. The fact is that would remove much of the scope for expanding an already tight domain structure, unless the names actually became the extensions and the domain owners became registries renting sub-domains. Sound like a recipe for disaster from where I am standing. No, the truth is the current naming system is about at good as it gets and legal ramnifications for changing it are unthinkable. The only alteration I can see of any note is the introduction of extensionless universal keywords that might be rented out in a similar way to Premium.tv.

The problem with this industry is that everyone follows the frothy news stories that come out every week, but most can see the very real changes that are going on almost unnoticed. They are much more interested in pixel marketing!

[jose]

This is hype. The unsecure dns servers must already be patched by now and you can't DOS ALL the other dns servers at the same time. Zombie networks are decresing in size due to the increase of computers with firewalls and winupdated.

And... in case of a sucessfull attack it would not last for long and they wouldn't be "taking over" anything, lol. Hype and more hype.