[DNSOP] DNS privacy and Team Cymru's report on 300,000 SOHO routers with compromised DNS settings

Dan York <york@isoc.org> Thu, 06 March 2014 23:09 UTC

From: Dan York <york@isoc.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 6 Mar 2014 23:09:33 +0000
Message-ID: <CF3EB0AB.69171%york@isoc.org>
Subject: [DNSOP] DNS privacy and Team Cymru's report on 300,000 SOHO routers with compromised DNS settings
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/5lkxHboRMiI-i-qV5kXft_VDGGg
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>

DNSOP members,

Given our session today talking about protecting DNS privacy, I found an interesting bit of synchronicity upon going back to my room and seeing this article in my feeds about a compromise of at least 300,000 small office / home office (SOHO) home routers by a variety of attacks in which their DNS server values were changed and consumers were redirected to other pages as a result:

http://www.circleid.com/posts/widespread_compromised_routers_discovered_with_altered_dns_configurations/
(and http://www.circleid.com/posts/20140305_dynamic_dns_customers_check_your_router_settings/ )

The actual report from Team Cymru was announced just this past Monday - https://twitter.com/teamcymru/status/440488571666198528  and is available at:

https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf

Now, in this case the attackers compromised the local network devices and took over control of the local recursive resolvers.  In this case of the attacker controlling the recursive resolver, I don't know that any of the various solutions thrown around today would do anything to help with this.  I don't even see DNSSEC helping much here, either, given that the attacker could just strip out the DNSSEC info (unless, perhaps, the home computers were running full (vs stub) recursive resolvers that also did DNSSEC-validation).

I just thought it was an interesting example of a type of attack against DNS that is out there now.

Dan

--
Dan York
Senior Content Strategist, Internet Society
york@isoc.org <mailto:york@isoc.org>   +1-802-735-1624
Jabber: york@jabber.isoc.org <mailto:york@jabber.isoc.org>
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/deploy360/
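The message above makes two points that are easy to see in a concrete check: a stub resolver that simply trusts its recursive resolver cannot tell that DNSSEC material was stripped from an answer, and the AD ("authenticated data") bit in the response header is only a claim by whichever resolver answered, so a resolver controlled by an attacker can set or clear it at will. The script below is an added example, not part of Dan York's message or of the Team Cymru report. It parses a DNS response in wire format (header, question section, answer section with compression pointers) and classifies it for a zone the operator already knows to be signed: if the query was sent with the EDNS0 DO bit (an assumption stated in the code) and the answer for a signed name carries no RRSIG, the path to the resolver is not delivering DNSSEC, which is the situation a hijacked SOHO router produces. The zone name `example.`, the record contents and the RRSIG bytes are constructed for the example; the RRSIG rdata is a placeholder, since only its presence or absence is inspected here, and the labels returned by `assess()` are the example's own. The point the classification makes explicit is that even "resolver-claims-validated" is not proof: only a resolver that validates signatures locally, as the message notes, can turn that claim into a fact.

```python
import struct

TYPE_A = 1
TYPE_RRSIG = 46
AD_FLAG = 0x0020          # AD bit in the DNS header flags word (RFC 4035)

# Zones the operator knows to be DNSSEC-signed (constructed for this example).
SIGNED_ZONES = {"example."}


def _encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # caller resumes after the pointer
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and answer sections of a DNS response."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": ident, "ad": bool(flags & AD_FLAG), "questions": questions, "answers": answers}


def assess(msg, signed_zones):
    """Classify a response for a name under a zone the operator knows is signed.

    Assumes the query carried EDNS0 with DO=1, so an honest validating resolver
    would have returned RRSIG records alongside the answer.
    """
    r = parse_response(msg)
    qname, _qtype = r["questions"][0]
    types = {t for _, t, _ in r["answers"]}
    a_records = [".".join(str(b) for b in rd) for _, t, rd in r["answers"] if t == TYPE_A]
    if not any(qname == z or qname.endswith("." + z) for z in signed_zones):
        return "unsigned-zone", a_records
    if TYPE_RRSIG in types and r["ad"]:
        # AD is set by the resolver that answered; a hijacked resolver can set it too,
        # so this is a claim, not proof, until the signatures are verified locally.
        return "resolver-claims-validated", a_records
    if TYPE_RRSIG in types:
        return "signed-not-validated", a_records
    # Signed zone, DO bit sent, yet no RRSIG: the resolver in the path stripped DNSSEC.
    return "dnssec-stripped", a_records


def build_response(qname, rrs, ad):
    """Build a constructed response: one A question, answers via a pointer to the qname."""
    flags = 0x8180 | (AD_FLAG if ad else 0)             # QR=1, RD=1, RA=1 (+AD)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + body


# Constructed samples: an answer as a validating resolver would return it, and the same
# name answered by a resolver that replaced the address and dropped the RRSIG.
HONEST_RESPONSE = build_response("www.example.", [
    (TYPE_A, bytes([192, 0, 2, 10])),
    (TYPE_RRSIG, b"placeholder-rrsig-rdata"),           # presence is all that is checked
], ad=True)
STRIPPED_RESPONSE = build_response("www.example.", [
    (TYPE_A, bytes([203, 0, 113, 7])),
], ad=False)

if __name__ == "__main__":
    for label, msg in (("honest", HONEST_RESPONSE), ("hijacked", STRIPPED_RESPONSE)):
        print(label, assess(msg, SIGNED_ZONES))
```

Run against a live resolver, the same `assess()` call would sit behind a UDP query with an OPT record carrying DO=1; the labels are heuristics for a monitoring host, and a "dnssec-stripped" verdict for a known-signed zone is the signal to compare the router's configured DNS servers against the ones the ISP or operator actually assigned.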