Homeless in Vancouver: Google’s public DNS server pwned by hackers


      Last Saturday (March 15), Google’s publicly available domain name system (DNS) server was commandeered for 22 minutes. Hackers apparently harmlessly redirected traffic from networks in Brazil and Venezuela to BT Latin America’s networks. Harmless, maybe—but they made a point.

      DNS servers perform the vital behind-the-scenes task of directing Internet traffic to its proper destination. Taking control of a DNS server means, among other things, you can direct traffic to an improper destination, such as a fake bank website instead of the real one, without the computer user knowing. The practice is called DNS poisoning.

      Do we put our trust in security or insecurity?

      There are encryption systems built into the web designed specifically to ensure the security of credit card transactions and the authenticity of websites. These systems are ultimately, like the entire Internet, built on trust—trust in the SSL certificates that assure your browser it’s dealing with a legitimate ecommerce site and trust in the browsers themselves.

      The question is, what can we trust? There are known cases where the authorities that issue SSL certificates have themselves been subverted.

      And experts have warned for some time that mobile phone apps in general have not been subjected to the years of rigorous security debugging that desktop web browsers have, and that holes will inevitably be found. It's a prediction borne out by the recently revealed goto fail security flaw—since fixed—in Apple’s latest iOS, which apparently allowed SSL/TLS encrypted connections to be spied upon.

      Even if the secure encryption system works, DNS poisoning can still allow criminals to acquire passwords and other sensitive data.

      Public DNS servers—unsafe at any speed?

      Google’s 8.8.8.8/32 DNS server is used by millions of computer users every day. It’s considered faster and, up until now, possibly more secure than the anonymous DNS servers that networks automatically provide to Internet users.

      Google introduced its Public DNS at the end of 2009 in an effort to make surfing the Internet faster and more secure. In March 2013, Google added more security in the form of Domain Name System Security Extensions (DNSSEC) validation.

      The security feature is designed largely to address the growing use of DNS servers in distributed denial of service (DDoS) attacks.

      DDoS attacks attempt to shut down a website by overwhelming it with incoming data traffic—so much and so quickly, that it crashes or at the very least can no longer accept legitimate incoming traffic. Either way the website is closed for business, hitting targets right in the pocketbook.

      DDoS attacks are now a 24/7 feature of the Internet. Increasingly, attackers are exploiting weaknesses in the older built-in Internet systems, like DNS servers, to craft ever-larger DDoS attacks.

      Taking advantage of the Internet’s trusting nature

      DNS servers, as it turns out, were never designed for security; they were designed to answer any computer’s request for information.

      Not only that—and what really makes DNS servers useful for DDoS attacks—but their answer can be longer than the question and the answer can be redirected to another computer that didn’t ask the question.

      The effect of asking a question of thousands of DNS servers and redirecting the resulting stream of answers at one unsuspecting computer system is known as DNS reflection. The largest such attack was last year’s 300Gbps tsunami against the website of the anti-spam company Spamhaus.
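      Seen from the receiving end, reflected traffic is a stream of DNS answers to questions that computer never asked. The sketch below is an added example, not part of the original article: it matches each incoming answer against the queries a host actually sent and reports the leftovers. The packet records, the documentation-range IP addresses and the names `dns_header`, `make_msg` and `unsolicited_responses` are all constructed for illustration.

```python
import struct
from collections import Counter

def dns_header(payload: bytes):
    """Return (transaction id, is_response) from the fixed 12-byte DNS header."""
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # top flag bit (QR): 1 = answer, 0 = question

def unsolicited_responses(packets, local_ip):
    """packets: (src, sport, dst, dport, udp_payload) records in time order.
    Returns (server, size) for every DNS answer sent to local_ip that does
    not match a question local_ip sent to that server from that port."""
    pending = Counter()   # (server, client port, txid) -> questions still unanswered
    unmatched = []
    for src, sport, dst, dport, payload in packets:
        if len(payload) < 12:
            continue      # too short to be a DNS message
        txid, is_response = dns_header(payload)
        if not is_response and src == local_ip and dport == 53:
            pending[(dst, sport, txid)] += 1
        elif is_response and dst == local_ip and sport == 53:
            key = (src, dport, txid)
            if pending[key] > 0:
                pending[key] -= 1          # a legitimate answer to our own question
            else:
                unmatched.append((src, len(payload)))
    return unmatched

def make_msg(txid, response, size):
    """Constructed test message: a valid DNS header padded out to `size` bytes."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0).ljust(size, b"\0")

# Constructed sample: one normal lookup, then two large answers nobody asked for.
HOST = "192.0.2.10"
SAMPLE = [
    (HOST, 40000, "198.51.100.53", 53, make_msg(0x1A2B, False, 40)),
    ("198.51.100.53", 53, HOST, 40000, make_msg(0x1A2B, True, 120)),
    ("203.0.113.7", 53, HOST, 31337, make_msg(0x0001, True, 3000)),
    ("203.0.113.8", 53, HOST, 31337, make_msg(0x0002, True, 3000)),
]

if __name__ == "__main__":
    for server, size in unsolicited_responses(SAMPLE, HOST):
        print(f"unsolicited DNS answer from {server}: {size} bytes")
```

      The normal lookup also shows the size gap the article mentions: a 40-byte question drew a 120-byte answer.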

      The Spamhaus DDoS was followed earlier this year by an even larger 400Gbps reflection attack using another old Internet system, the network time protocol. Over 4,500 of the trusting and chatty NTP servers were used to carpet bomb the servers of a content delivery provider named CloudFlare. I wrote about it but there is more current information available.

      The need for speed

      By default, computers are configured to use the DNS server chosen by whatever system is providing your access to the Internet. I use a mixture of both free Wi-Fi and a cellular Internet stick—each will be using a different DNS server.

      Wouldn’t you know it, last week, in a bid to speed up my Internet experience, I went into my network settings and specified which Internet DNS server my computer should use. It’s easy to do (and undo) for any platform. Here are instructions for Windows 8.

      I chose the fastest and closest public DNS server I could find using NameBench, an open source DNS benchmarking utility available for Mac OS X, Windows, and Linux.

      The result was a noticeable improvement in webpage loading and no more buffering of YouTube videos.

      In DNS we trust?

      The domain name system defines, controls, and keeps track of how the “things” people access on the Internet, such as websites, are named.

      Every uniquely addressable thing on the Internet automatically gets a numeric IP address—when you use a Wi-Fi hotspot even your computer is assigned a temporary IP address for the duration of your connection to the Wi-Fi network. IP addresses are what computers use to go places on the Internet.

      However, it’s easier for people to remember names than numbers so the domain name system was created to give the humanly accessible parts of the Net—like websites—easy-to-remember nicknames.

      But everything, including websites, still has an IP address. That’s what your computer wants to know and that’s where DNS servers come in; they are all over the Internet and hold a record of domain nicknames and their corresponding IP addresses.

      For example, the Guardian newspaper’s main website has a domain name we remember (theguardian.com/uk) and a corresponding IP address a computer uses to get us there: 77.91.251.10 (paste it into the address bar of your browser and hit enter!).

      So where, as an Internet user, does all this leave me? Confused and concerned, with almost no expectation of privacy and feeling less secure than ever.

      Gosh, even on the Internet, I feel homeless.

      Stanley Q. Woodvine is a homeless resident of Vancouver who has worked in the past as an illustrator, graphic designer, and writer.
