The Romanian domain names of Google, Yahoo, Microsoft, Kaspersky Lab, and other companies were hijacked on Nov 27, 2013, and were redirected to a hacked server in the Netherlands. The hijacking occurred at the DNS level, with attackers modifying the DNS records of the targets’ sites. The sites were fully restored shortly afterward, and it was confirmed that no customer information was compromised.
The following Romanian domains of international companies were hijacked:
The hacker redirected the domains to a server in the Netherlands. The server’s information is:
- IP Address: 184.108.40.206
- Reverse Domain Name: server1.joomlapartner.nl
However, the server responsible for serving the hijacked site also appears to have been hijacked. Attackers normally do this to avoid being traced.
It is believed that the hijacking of the DNS record was done using a cache poisoning attack on the Romanian top-level domain registry servers (TLD servers). This service is also known as the RoTLD domain registry, which manages the authoritative DNS servers for the entire .ro domain space.
After scanning the .ro domains, it appears that the only sources of poisoned entries were Google’s public DNS servers, 220.127.116.11 and 18.104.22.168. This suggests that the attackers performed a cache poisoning when those servers attempted to look up the victim domains and inserted the malicious entries in the cache of those servers. Consequently, other caching servers that were using the affected servers got the malicious domains, and so on.
Note that due to the wide usage of the Google’s public DNS servers, the malicious entries managed to propagate to a significant number of clients.
The attack in Romania follows a similar one that occurred a week prior to this attack in Pakistan and affected the .pk domains of Google, Microsoft, Yahoo, PayPal, and other companies. The security breach was traced back to PKNIC, the .pk domain registry.
How existing security defenses are circumvented
Cache poisoning is a war of numbers. The key to preventing it is to keep the number of brute force attempts needed so high that a successful attack is not feasible. Most vulnerabilities that allow cache poisoning do so by reducing the brute force search space and therefore making an attack easier to carry out. Over time, several new methods have been discovered to allow for a successful cache poisoning attempt. Devices and/or services that do not keep up with these new methods can become target of attackers.
How Infoblox can help protect against this attack
Many cache poisoning attacks can be prevented on DNS servers by being less trusting of the information passed to them by other DNS servers and ignoring any DNS records passed back that are not directly relevant to the query.
In addition, the following best practices in DNS service implementation can help prevent these attacks:
- Use source port randomization.
- Use cryptographically secure random numbers, which will keep attackers from guessing the next random value in a sequence.
- Ensure that routers and gateway devices such as firewalls do not do an insecure Port Address Translation, or PAT, which could eliminate the security gained by source port randomization.
- Use Secure DNS (DNSSEC) extensions to sign domain data.
- Use the latest version of Infoblox DNS software/devices and ensure they are patched with latest updates. For example, Infoblox provides certain defenses against cache poisoning in releases 6.10 and above.
- Use end-to-end validation, such as using SSL certificates.
Infoblox Advanced DNS Protection provides robust defense against cache poisoning by adding a security processing layer in addition to the above described base defenses. All DNS responses are processed and dropped to minimize attackers ability to try random attempts to cache poisoning.
Infoblox DNS Firewall is an application run on an Infoblox DNS server. It will disrupt malware communication by not resolving DNS queries for botnets and CnC servers. All resolved DNS queries are compared to a continually updated table of ‘bad’ domains and IP addresses with which communication should not be allowed. Resolved DNS queries to malicious domains and IP addresses are either blocked or redirected.
DNS Firewall Subscription Service updates DNS Firewall servers every 2 hours with updated information on domains and IP addresses (networks) that make up the server1.joomlapartner.nl infrastructure.
If the Infoblox DHCP and Reporting server is installed, network administrators can pinpoint the infected devices by IP and MAC address, device type (DHCP fingerprinting), Host name (if configured) and DCHP lease history (on/off network).
- Google.ro and other RO domains, victims of a possible DNS hijacking attack, by Secure List
- Attackers hijack the .ro domains of Google, Microsoft, Yahoo, others, by PC World
- Attackers Compromise Romanian Domains For Google, Yahoo in DNS Attack, by Security Week