DNS Attacks Take Out Google, PayPal In Romania

Romanian versions of Google, PayPal, Yahoo and a host of other sites were defaced today thanks to some DNS attacks.

An Algerian hacker took credit for the hits, leaving a portentous message: “To be continued…”. Kaspersky and Microsoft sites were also affected, but it appears the DNS servers have been cleaned of malicious activity.

It now seems likely domain servers at the Romanian Top Level Domain Registry (RoTLD) have been compromised, Kaspersky said. Yet the security company was thankful the hacker did not redirect people to malware downloads or phishing pages.

“All this could have been much worse if the attacker had other goals in his mind than just becoming famous by defacing famous websites. Imagine how many accounts could have been compromised this morning if these websites were redirected to a phishing page, instead of a defacement page,” said Kaspersky Lab expert Stefan Tanase, in a blog post.

Rise in DNS attacks

These DNS attacks in Romania came in a month where hits at that level have been abnormally prominent. Another spate of defacements took place in Pakistan earlier this week when PKNIC, which manages part of the DNS for a variety of the country’s top level domains, was hit.

Furthermore, a host of Go Daddy customers were compromised earlier this week and had their DNS settings tampered with. This led to visitors to specially-crafted subdomains on Go Daddy-hosted sites being redirected to pages serving up ransomware. The malware locked users out of their machines and demanded payment to unlock their systems.

One major issue is DNS cache poisoning, which had initially been suspected as the cause of today's Romanian incident. DNS cache servers store domain name resolutions, initially obtained from an authoritative DNS server, which translate domain names (e.g. TechWeekEurope.co.uk) into IP addresses (e.g. 1.2.3.4).

In an attack scenario, a hacker determines when a DNS cache server is about to discard its stored resolution for a domain name. They then “poison” the cache by feeding it a forged answer that points that domain name at their own website. This works only if, firstly, the forged answer reaches the cache server before the genuine one from the authoritative DNS server, and, secondly, they guess the query parameters the cache server expects to see in the reply.
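To make the two conditions above concrete, here is an added toy model (not code from the article or from any real resolver) of the checks a caching resolver applies before it accepts an answer, and of the guessing odds those checks impose on a blind forger. The class and function names are hypothetical, and the query values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int      # 16-bit transaction ID the resolver chose for its query
    src_port: int  # UDP source port the query was sent from
    qname: str     # question name, e.g. "example.ro"


@dataclass(frozen=True)
class Answer:
    txid: int
    dst_port: int  # port the answer arrived on
    qname: str
    rdata: str     # IP address the answer asserts


def accept_answer(pending: PendingQuery, answer: Answer) -> bool:
    """A resolver caches an answer only if it matches the outstanding query on
    transaction ID, destination port and question name; anything else is
    dropped. An off-path forger therefore has to guess these values."""
    return (
        answer.txid == pending.txid
        and answer.dst_port == pending.src_port
        and answer.qname.lower() == pending.qname.lower()
    )


def blind_guess_probability(txid_bits: int = 16, port_choices: int = 1) -> float:
    """Chance that a single blindly forged answer passes accept_answer().
    port_choices=1 models a resolver that always queries from one fixed port;
    randomising the source port multiplies the forger's work by port_choices."""
    return 1.0 / (2 ** txid_bits * port_choices)


def cache_entry_expired(cached_at: int, ttl: int, now: int) -> bool:
    """The resolver only re-queries (and so only opens a window in which a
    forged answer could race the genuine one) once the record's TTL runs out."""
    return now >= cached_at + ttl


if __name__ == "__main__":
    q = PendingQuery(txid=0x1A2B, src_port=40213, qname="example.ro")  # constructed
    genuine = Answer(0x1A2B, 40213, "example.ro", "198.51.100.10")
    wrong_port = Answer(0x1A2B, 53, "example.ro", "203.0.113.5")
    print(accept_answer(q, genuine), accept_answer(q, wrong_port))  # True False
    print(blind_guess_probability(), blind_guess_probability(port_choices=65536))
```

The second printed pair shows why source-port randomisation mattered so much: it moves the per-packet odds from one in 65,536 to roughly one in four billion.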

Such problems could be fixed by implementing DNSSEC, which comprises various components whose aim is to cryptographically sign the different stages of the DNS lookup process. This would mean that DNS servers would only act on DNS data that comes from trusted sources.

But, to date, DNSSEC has seen minimal uptake across the world.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
