Cyber-Attacks Exploiting Weakness
of the Domain Name System (DNS)
According to 2013 Cost of Cyber Crime Global Survey Report, 122 successful attacks occur per week. On average, 2 successful attacks are found in a company per week, taking 32 days to resolve an incident. Many attacks happened to Internet’s Domain Name System (DNS) which is one of the basic building blocks of the Internet to translate Web addresses into numerical IP addresses and serve as a phone book for the Internet.
DNS hacking has been increasing and is a popular way for hackers to obtain access to targeted websites. More critical infrastructure networks, financial institutions and private companies’ websites like Google , Baidu and Microsoft have been hit by cyber-attacks over the past years.
Threats to the DNS protocol can affect the security of Internet as a whole. It is a security loophole that companies should be aware of and get prepared for if they do not want to be the next targets of such attacks.
An extension to DNS has been developed to enhance its security. It stands for Domain Name System Security Extensions (DNSSEC) which helps prevent malicious activities like cache poisoning, pharming, and man-in-the-middle attacks. It uses digital signatures to allow websites to verify their domain names and corresponding IP addresses. By creating a chain of digital signatures, the data sources at all levels of the domain name are validated, safeguarding the Internet against the attacks. For details of DNSSEC, please view its introduction at Wiki .
The insecure DNS servers are a pressing problem for the unhindered flow of information and commerce on the Web. Cyber-attacks can get costly for website owners. After falling victim to hacking attack, the company website may be inaccessible and user data may be lost or compromised. Consequently, the attack can cause brand damage, revenue loss, business disruptions and huge cost of recovery for infrastructure and equipment. Moreover, customers may churn faster as they are facing potential loss of the website access.
This, however, can be mitigated, because DNSSEC can improve reliability, trustworthy and quality of the DNS. It provides both end users and the service providers of domain name related services with the assurance that a domain name address is indeed correct and can be trusted.
Organisations implementing DNSSEC can greatly benefit from better protection on the DNS services. Instead of reluctantly implementing DNSSEC, companies should become pioneers and early adopters of DNSSEC, achieving higher customer satisfaction to win over others. The following points highlight potential business benefits and motivations for ISPs, registrars, service partners, hosting companies and participating organisations to adopt DNSSEC:
- Provide assurance to end users that domain name services are reliable and trustworthy
- Use DNSSEC service offering as a differentiator to gain competitive advantage
- Explore ways of increasing adoption rate as deploying DNSSEC might generate additional revenue
- Earn reputation in the DNS community by collaborating with others
As the custodian of a critical internet infrastructure in Hong Kong, HKIRC has to be forward-looking and be a first-mover in adopting technologies that enhance the usability and security of the internet, but may be new and relatively less known by the local community. DNSSEC is new in Hong Kong but has already been adopted by the ccTLD operators in many other countries such as the UK, the US, Canada, Netherlands, Sweden, Denmark, Thailand, and Taiwan.
HKIRC also understands that, for DNSSEC to be adopted by the local user community, support by local ISPs and web hosting companies is critical, especially if the full benefits of DNSSEC is to be fully realized. Nothing will happen if HKIRC is the only advocate for DNSSEC. Knowing that some local ISPs and web hosting companies are not familiar with DNSSEC and may be skeptical about its benefits, HKIRC has set up a DNSSEC Test Bed for other parties to trial out DNSSEC and become familiar with the technologies behind DNSSEC.
Use of the HKIRC DNSSEC Test Bed is free of charge. HKIRC is eager to assist registrars, ISPs and interested parties to establish their own DNSSEC capability and provide free testing, guidance and advice to them. Use of the DNSSEC Test Bed does not affect the existing DNS services and websites of the testing party.
The HKIRC DNSSEC Test Bed also provides an internet forum for testers to ask questions and share testing and implementation experience with other testers. Over time the forum will help build up a knowledge-base of hands-on implementation and operating experience of DNSSEC to be shared by the local technical community.
Community-wide technical coordination is needed for DNSSEC to be successfully deployed. By putting efforts together, we can benefit from a more secure Internet infrastructure while users can enjoy a safer and more reliable internet.