DNS Fails the NYTimes

For some time today, the NYTimes web site was being directed to malicious servers that were serving malware.

At the moment, nytimes.com does not resolve at all for me. The NYT is off the web.

This is a colossal screwup.

This email sent to the dns-ops mailing list provides some insight into what may have gone wrong and illustrates some of the many things wrong with our current name resolution infrastructure.

from: david@from525.com

to: dns-operations@mail.dns-oarc.net

date: Tue, Aug 27, 2013 at 5:55 PM

subject: [dns-operations] Request To Clear Cache: NYTimes.com

All,

I am a DNS Administrator at NYTimes.com. Earlier today we had issues with our registrar updating our NS records on the root servers to a malicious site. The registrar has since locked our domain with the registry on our proper Name Servers. We have had reports that the malicious site that our domain was redirected to was infecting users with malware. It would be a great service to the internet if everyone could please clear their cache for NYTimes.com. I understand that several other large websites/domains are experiencing the same thing. I would not be surprised if several requests like this come in over the list today.

Thanks,

David Porsche
Systems Administrator
The New York Times

Some immediate observations and questions, taking the claims in the email at face value:

  • Why is the legitimate owner of a domain name unable to exert control over name resolution? Why is any registrar in a position to wreak this kind of damage in the first place?
  • How or why did the registrar decide to redirect the NYTimes nameservers to a malicious host? Was it the victim of social engineering, the result of a compromise, or an insider attack? If it was a compromise, did it take place on the registrar side or the client side?
  • Would DNSSEC have helped?
  • What operational procedures, if any, would allow a registrar to avoid this kind of an error? If the answer is "nothing at all," is it possible to devise alternative name resolution protocols that can limit the damage registrars can do?
  • Why is a desperate plea from the domain owner necessary to fix the problem? Why should a one-time, short-duration attack get amplified into a long-standing vulnerability, and require human intervention around the globe to fix?

Most of these questions are rhetorical, and everyone knows the rather depressing answers.
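The last question in the list, why a short-lived change at the registry turns into a long-lived problem that needs operators everywhere to flush caches, comes down to TTLs on delegation records. The model below is an added illustration, not code from the original post or from the NYTimes: it simulates a registry whose NS delegation is swapped for about twenty minutes and a recursive resolver that happened to look the name up in that window. The two-day delegation TTL and all nameserver names are constructed assumptions for the model; check your own TLD's actual values.

```python
"""Model of how a short registry change outlives its fix in resolver caches.

Added illustration, not part of the original post. All nameserver names and
the delegation TTL are constructed values, not observed data.
"""
from dataclasses import dataclass

DAY = 86400
# Assumed TTL on the NS records handed out by the TLD servers for a
# delegation. Two days is a common figure, but it is an assumption here.
DELEGATION_TTL = 2 * DAY

# Constructed names: the domain's real nameservers and the rogue delegation.
GOOD_NS = ("ns1.example-good.net.", "ns2.example-good.net.")
ROGUE_NS = ("ns1.example-rogue.invalid.",)


@dataclass(frozen=True)
class NsRecord:
    nameservers: tuple
    ttl: int


class Registry:
    """Authoritative delegation data, i.e. what the TLD servers answer."""

    def __init__(self, delegation):
        self.delegation = dict(delegation)

    def set_ns(self, name, nameservers):
        # What a registrar change (legitimate or not) does at the registry.
        self.delegation[name] = tuple(nameservers)

    def query_ns(self, name):
        return NsRecord(self.delegation[name], DELEGATION_TTL)


class CachingResolver:
    """Minimal recursive resolver: caches each NS answer until its TTL expires."""

    def __init__(self, registry):
        self.registry = registry
        self.cache = {}  # name -> (NsRecord, absolute expiry time)

    def resolve_ns(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0].nameservers, "cache"
        rec = self.registry.query_ns(name)
        self.cache[name] = (rec, now + rec.ttl)
        return rec.nameservers, "authoritative"

    def flush(self, name):
        # The manual step the email on the list is asking every operator to take.
        self.cache.pop(name, None)


def simulate(attack_duration=20 * 60, flush=False):
    """Return [(time, nameservers, source)] as seen by one resolver.

    The registry is altered at t=0 and restored after attack_duration seconds.
    The resolver's first lookup lands inside the attack window, so it caches
    the rogue delegation. With flush=False it keeps serving that cached answer
    until DELEGATION_TTL expires, long after the registry was fixed.
    """
    name = "nytimes.com."
    registry = Registry({name: GOOD_NS})
    resolver = CachingResolver(registry)
    timeline = []

    registry.set_ns(name, ROGUE_NS)                      # t = 0: delegation hijacked
    timeline.append((0,) + resolver.resolve_ns(name, 0))  # resolver caches rogue NS

    registry.set_ns(name, GOOD_NS)                       # registry corrected
    if flush:
        resolver.flush(name)

    # Sample the resolver shortly after the fix, a day later, and past the TTL.
    for t in (attack_duration + 60, DAY, DELEGATION_TTL + 1):
        timeline.append((t,) + resolver.resolve_ns(name, t))
    return timeline


def amplification_factor(attack_duration=20 * 60):
    """How many times longer the cached rogue answer lives than the attack itself."""
    return DELEGATION_TTL / attack_duration


if __name__ == "__main__":
    for flushed in (False, True):
        print(f"flush={flushed}")
        for t, ns, source in simulate(flush=flushed):
            print(f"  t={t:>7}s  {source:<13} {ns}")
    print(f"amplification: {amplification_factor():.0f}x")
```

Without a flush, the resolver answers with the rogue delegation at every sample until the two-day TTL runs out, even though the registry was correct from minute twenty onward; with a flush, the very next lookup goes back to the registry and picks up the restored delegation. The same caching applies to any other record a registrar can change at the registry, which is why the fix needs either the TTL to expire or operators to intervene. Against live DNS, the equivalent check of what the parent zone currently delegates is a non-recursive NS query sent directly to one of the TLD's servers, for example `dig nytimes.com NS @a.gtld-servers.net +norecurse`, compared with what your own resolver returns for the same name.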

Edit

False flag.

The flag, it is false.

There are claims now that the problem stemmed from a malicious external attack by hackers working for the Syrian Electronic Army. They supposedly took advantage of vulnerabilities at MelbourneIT. It's funny how we have so few details on what precisely happened, yet we already know whom to blame. And it's a politically convenient group.
