The looming threat of pharming

The vulnerable spot is DNS software -- typically the widely used BIND (Berkeley Internet Name Domain) -- and the hack is called pharming. Pharming is more insidious than the better-known phishing scam because a pharm redirects a user's request for a legitimate URL to a phony Web site. Whereas phishing requires the user's complicity in responding to a bogus e-mail, a user can be pharmed without doing anything out of the ordinary.

Pharming is possible because all URLs have to be translated into IP addresses, which is the job of the DNS. A hacker who poisons a DNS server will cause that server to answer a correct URL request with a phony IP address and hijack a user's Web interaction, usually for nefarious purposes.

It doesn't take long. A typical pharm would redirect your request for your bank's Web site and send it to a phony site. These sites tend to look quite legitimate, as anyone who has clicked on a phish link knows -- after all, it's simple enough for hackers to suck down all the graphics from a popular Web site where money changes hands and build a home page that looks almost exactly like the real thing.

When the victim arrives at the sham site, he or she enters an ID, password, and PIN in the usual manner. A pop up then explains that the password is invalid. Victims think they have miskeyed and start over. By that time the hapless user has been shunted back to the real Web site, but the hackers have what they want: access to your account.

Ploughing vulnerabilities

A series of high-profile pharms in March and April raised alarms across the Internet. Johannes Ullrich, an analyst at the SANS Institute, says the first of these involved a firewall/DNS server from Symantec, which attached extra IP addresses, sometimes called "glue records", to legitimate requests.

"It is typical for a DNS server to send back additional information," Ullrich explains, "especially if the request is for a very popular site like Google. There may be as many as a dozen legitimate Google servers with different IP addresses, and so the server may return some of the alternate addresses. In this case the server returned bogus addresses for [Symantec's] entire dotcom domain."

Bad glue records generally reside in a DNS server's cache memory; hacking into the cache and adding those records is called DNS "cache poisoning". According to both Ullrich and a Symantec representative, Symantec fixed the problem promptly. "We released a patch in March to stop the addition of glue records to DNS requests," says Oliver Friedrichs, senior manager of security response at Symantec.

Microsoft was hit by a similar attack in April. An in-house Microsoft DNS server forwarded requests that it could not resolve to a hacked DNS server outside the firewall at an ISP. This forwarding arrangement is typical, SANS Institute's Ullrich says. "If the ISP is running an older version of BIND [pre-Version 9], it can also return malicious IP addresses," he explains. Older BIND software can't filter for glue records, such as bogus .com IP addresses -- and Windows DNS can't do it either. "Microsoft still says the external DNS servers should do the filtering," Ullrich says.

Gerhard Eschelbeck, CTO of Qualys, a vulnerability management company, says Microsoft DNS servers can be a liability. Paul Mockapetris, the man who invented DNS, agrees. "Several of the Microsoft DNS default configurations leave you wide open to DNS poisoning," he says. Microsoft refused to comment on vulnerabilities in their DNS servers.

Perhaps the most notorious pharming attack of all occurred in January, when the domain name for a New York ISP, Panix, sent users to a Web site in Australia. But such high-profile pharms may be misleading because simpler desktop pharming scams are very likely behind the bulk of these malicious redirects.

Building a defence

So what can you do? To prevent DNS poisoning, analysts and security experts are unanimous in saying the first, best defence is to make sure you have all the latest DNS software and all security patch updates in place. The best, most succinct advice: if you're running BIND, upgrade to Version 9 because it's pretty much impossible to poison compared with earlier versions.

Unfortunately, many DNS soft spots are maintained by ISPs, outside the domain of enterprise administrators. "There is a lot of old BIND software out there," Symantec's Friedrichs says. "Your ISP may still use Version 4 or 8."

You could eliminate this vulnerability by pulling all your DNS in-house, but opinion is divided on the wisdom of doing this. Sam Curry, vice president of eTrust security management at Computer Associates, recommends it. "Typically your ISP gets DNS information from higher up in the hierarchy, where it is much more difficult to poison the cache." Curry argues that talking directly to the DNS top layer reduces your exposure. Jim Stickley, CTO and co-founder of TraceSecurity, a company that helps clients comply with strict security requirements, agrees. "If you lock down all your servers and make sure they are only pulling off root cache servers, it is going to be very difficult for a hacker to pharm you," he says.

These root servers live at the top of the DNS hierarchy. "You can trust the root servers," says Dan Golding, an analyst at Burton Group. "There are 13, and they are all run by various governmental, educational, and commercial entities around the world." Moreover, VeriSign handles security for all the dotcom and dotnet root servers. Ken Silva, CSO of VeriSign, says these have never been compromised.

The trouble with the do-it-yourself approach is that locking down DNS communications all the way to the root-level servers means taking on a lot of responsibility. "You are stuck with all the maintenance and DNS can be very complex," SANS Institute's Ullrich says.

According to Michael Hyatt, CEO and president of BlueCat Networks, DNS is a black box that many prefer not to open. "[DNS] is arcane. Configuring BIND is not something you do with a nice GUI. You have to use an ugly, old, and unforgiving language," he says.

BlueCat makes the Adonis 1000, a network appliance that eases the pain of DNS configuration and management and makes it more secure, while doing double duty as a DHCP server. "IT people should not have to mess with manual updates to BIND and kernel configurations," Hyatt says. "You need a simple way to propagate DNS changes throughout your network. That is one of the things we do."

Unbreakable DNS?

There's an ultimate solution to DNS pharming attacks -- one that has been around for a long time. Most experts agree that DNSSEC (DNS Security), the DNS security protocol hammered out by the IETF 10 years ago, would make DNS close to bulletproof. "DNSSEC encrypts and signs DNS data," Burton's Golding says. "It turns a DNS server into a trusted entity."

That's the theory. Unfortunately, the practice has less appeal. "DNSSEC is horrendously complex," Golding explains. "To make it work, you would need to set up a trust relationship between all DNS servers from the root to the enterprise."

This would mean implementing a PKI on a massive scale, something not likely to happen. "DNSSEC is a great concept," SANS Institute's Ullrich says. "But this is not a practical solution. I tried a small-scale implementation and gave up. It is very complex."

That leaves IT with work to do, not the least of which is getting to know DNS, which many prefer to avoid. Everyone running a DNS server should upgrade to BIND Version 9 and check the configuration of Microsoft DNS servers to ensure that some default mode has not opened up vulnerabilities. Those brave enough might want to bring DNS in-house, but, at the very least, enterprise IT needs to know what sort of DNS infrastructure their ISP is running and how to hold the ISP accountable if pharming occurs. These steps will go a long way in protecting against DNS poisoning.

The distributed structure of the Internet and the current state of DNS make it virtually impossible to stop all pharming. But Burton's Golding says there is no need to panic. For one thing, pharming is a difficult and expensive hack. "I think the pharming attacks are being somewhat overhyped by the security vendors who want to sell products."

On the other hand, complacency would be a mistake. "Pharming has not really taken off yet," TraceSecurity's Stickley says. "But I think it will for a simple reason: If you look hard enough, you can almost always find a vulnerable DNS server."

Join the newsletter!

Error: Please check your email address.

More about Black Box Network ServicesBurton GroupCA TechnologiesGoogleIETFIT PeopleMicrosoftNetAppQualysSANS InstituteSymantecThe SANS InstituteVeriSign Australia

Show Comments