DNS expert: More sophisticated Internet attacks coming
Computerworld - Last October's denial-of-service attacks against the Domain Name System (DNS) were only the opening salvo in what will inevitably be far more sophisticated attacks against the Internet's core addressing system, according to Paul Mockapetris, one of the designers of DNS. With the 20th anniversary of DNS coming in April, Mockapetris this week talked about some of the new dangers facing the DNS infrastructure and measures that are being taken to better protect against them.
Was [cybersecurity czar] Richard Clarke right when he identified the DNS and Border Gate Protocols (BGP) as the two major vulnerabilities in the Internet infrastructure? Yeah. I refer to them as the traffic signals and the street signs of the Internet. If you are able to subvert [them], you can bring the Internet to its knees.
Is the DNS infrastructure secure enough today for commercial-grade applications? The initial system was good enough for host addressing and maybe for mail routing. But in the future, if you want to be able to handle transactions for everybody and you want to be able to put things that involve real money over the Internet, you'd like to be able to have something that is a little bit more secure.
How will future attacks be different from those we have seen directed at DNS? Attacks in the future will be directed at things that are not as easily defended as the root servers [attacked in October] (see story). I think attacks of the future are going to come against things like dot-com [name servers], which have 30 million entries, so you are not going to be able to replicate it easily. I think the next level of hacker attacks is forgery or identity theft. If you take a look at the way people dealt with the [October] attacks, they just filtered out ICMP [Internet Control Message Protocol] packets. What if somebody did a DNS attack with just DNS queries? You can't filter that out. We recently found out that just like e-mail can carry [lethal] attachments, there is DNS data that can actually cause applications to crash if they reference it. There is a bunch of these things coming along.
So what's being done about it? The DNS Sec is an add-on to the original DNS that the IETF [Internet Engineering Task Force] is working on. Basically what it does is put a digital signature on the information out of the DNS and verify if that information is [legitimate].
Why is this important? Because right now there are a lot of opportunities for people to
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!