Re: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO routers with compromised DNS settings

"Hosnieh Rafiee" <ietf@rozanak.com> Thu, 06 March 2014 23:35 UTC

Return-Path: <ietf@rozanak.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 713CC1A01A0 for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 15:35:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Level:
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.547, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9hz896A94tvM for <dnsop@ietfa.amsl.com>; Thu, 6 Mar 2014 15:35:06 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) by ietfa.amsl.com (Postfix) with ESMTP id A02751A00F5 for <DNSOP@ietf.org>; Thu, 6 Mar 2014 15:35:05 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id 1658223E2D59; Thu, 6 Mar 2014 23:35:01 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ap_6ZMDZaCkO; Fri, 7 Mar 2014 00:34:56 +0100 (CET)
Received: from kopoli (f052010124.adsl.alicedsl.de [78.52.10.124]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 2CB6123E2D58; Fri, 7 Mar 2014 00:34:56 +0100 (CET)
From: "Hosnieh Rafiee" <ietf@rozanak.com>
To: "'Dan York'" <york@isoc.org>
References: <CF3EB0AB.69171%york@isoc.org>
In-Reply-To: <CF3EB0AB.69171%york@isoc.org>
Date: Fri, 7 Mar 2014 00:34:52 +0100
Message-ID: <011901cf3994$ace6bea0$06b43be0$@rozanak.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_011A_01CF399D.0EB056C0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGmIDcJBlNTlQv+pIA9FXZXOcLWo5sm5yGw
Content-Language: en-us
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/pSHt_3Lb92f26g8B2XEXnY-LrrY
Cc: DNSOP@ietf.org
Subject: Re: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO routers with compromised DNS settings
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 23:35:09 -0000

Dan,

I guess you have to separate the problem of compromising device with the
case where we are looking for only confidentiality or privacy. IMHO, this is
somewhat out of scope. 

However, we cannot ignore it. In this special case, just the admin of that
recursive resolver needs to react to that attack and without that nobody can
understand what's going on there but the important thing is how to
re-establish the trust with all the other recursive resolvers that already
used that node.  I think this is important because it might not be clear how
many nodes already used this resolver but for the first case you can do
nothing except waiting for immediate action of rescue team.

 

Hosnieh

 

 

 

 

From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Dan York
Sent: Friday, March 07, 2014 12:10 AM
To: dnsop@ietf.org
Subject: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO
routers with compromised DNS settings

 

DNSOP members,

 

Given our session today talking about protecting DNS privacy, I found an
interesting bit of synchronicity upon going back to my room and seeing this
article in my feeds about a compromise of at least 300,000 small office /
home office (SOHO) home routers  by a variety of attacks in which their DNS
server values were changed and consumers were redirected to other pages as a
result:

 

http://www.circleid.com/posts/widespread_compromised_routers_discovered_with
_altered_dns_configurations/

(and
http://www.circleid.com/posts/20140305_dynamic_dns_customers_check_your_rout
er_settings/ )

 

The actual report from Team Cymru was announced just this past Monday -
https://twitter.com/teamcymru/status/440488571666198528  and is available
at:

 

https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharmin
g.pdf 

 

Now, in this case the attackers compromised the local network devices and
took over control of the local recursive resolvers.  In this case of the
attacker controlling the recursive resolver, I don't know that any of the
various solutions thrown around today would do anything to help with this.
I don't even see DNSSEC helping much here, either, given that the attacker
could just strip out the DNSSEC info (unless, perhaps, the home computers
were running full (vs stub) recursive resolvers that also did
DNSSEC-validation).

 

I just thought it was an interesting example of a type of attack against DNS
that is out there now.

 

Dan

 

--

Dan York

Senior Content Strategist, Internet Society

york@isoc.org <mailto:york@isoc.org>   +1-802-735-1624

Jabber: york@jabber.isoc.org <mailto:york@jabber.isoc.org>

Skype: danyork   http://twitter.com/danyork

 

http://www.internetsociety.org/deploy360/