Skip the navigation

DNS expert: More sophisticated Internet attacks coming

March 21, 2003 12:00 PM ET

Computerworld - Last October's denial-of-service attacks against the Domain Name System (DNS) were only the opening salvo in what will inevitably be far more sophisticated attacks against the Internet's core addressing system, according to Paul Mockapetris, one of the designers of DNS. With the 20th anniversary of DNS coming in April, Mockapetris this week talked about some of the new dangers facing the DNS infrastructure and measures that are being taken to better protect against them.

Was [cybersecurity czar] Richard Clarke right when he identified the DNS and Border Gate Protocols (BGP) as the two major vulnerabilities in the Internet infrastructure? Yeah. I refer to them as the traffic signals and the street signs of the Internet. If you are able to subvert [them], you can bring the Internet to its knees.
Is the DNS infrastructure secure enough today for commercial-grade applications? The initial system was good enough for host addressing and maybe for mail routing. But in the future, if you want to be able to handle transactions for everybody and you want to be able to put things that involve real money over the Internet, you'd like to be able to have something that is a little bit more secure.
How will future attacks be different from those we have seen directed at DNS? Attacks in the future will be directed at things that are not as easily defended as the root servers [attacked in October] (see story). I think attacks of the future are going to come against things like dot-com [name servers], which have 30 million entries, so you are not going to be able to replicate it easily. I think the next level of hacker attacks is forgery or identity theft. If you take a look at the way people dealt with the [October] attacks, they just filtered out ICMP [Internet Control Message Protocol] packets. What if somebody did a DNS attack with just DNS queries? You can't filter that out. We recently found out that just like e-mail can carry [lethal] attachments, there is DNS data that can actually cause applications to crash if they reference it. There is a bunch of these things coming along.
So what's being done about it? The DNS Sec is an add-on to the original DNS that the IETF [Internet Engineering Task Force] is working on. Basically what it does is put a digital signature on the information out of the DNS and verify if that information is [legitimate].
Why is this important? Because right now there are a lot of opportunities for people to



Our Commenting Policies