Back to the campaign of attacks on domain names

Late February, a number of media mentioned a campaign of attacks against domain names. While the security problem behind these attacks is real, understanding the issues by the general public was sometimes challenging. This article by Afnic puts the chronology, impact and means of prevention back into perspective. The first publication on the campaign of attacks seems to have been that of Talos on November 27, 2018.

On January 9, 2019, FireEye Corporation released a report which triggered a certain amount of interest among industry professionals. Finally, on February 19, 2019, Brian Krebs published a long and detailed article, backed up by a number of specific facts.

So what is it all about? The attack campaign (which seems to attributed to a single group) targets domain names. The attacker (hijacker) connects to the Web interface of a targeted registrar or DNS hosting provider and modifies technical information on all or part of the registrar’s domain name portfolio^[1] .

By specifying nameservers other than the legitimate ones, or by putting rogue IP addresses, the hijacker can divert the traffic to compromised domain names, towards servers under their control.

How was the attacker able to connect to the Web interfaces, which are usually protected by a password? We do not know, but there are many possible techniques: using passwords that are too weak and thus easy to guess, being victim of phishing for lack of awareness for example, social engineering methods, etc. In some organizations, the domain name is “the weakest link” in security, often overlooked, compared with other assets.

This type of attack targeting, not an Internet server, but the domain names that lead to it, is nothing new: the New York Times in 2013, Météo France and Canal+ in 2016, Wikileaks in 2017 … were all victims. One of the novelties of the more recent campaign is that at least two major players on the Internet had some of their services successfully hijacked.

The two firms manage some of the .fr name servers. Thanks to the specific way in which the latter are named and used for .fr, the .fr was not affected. In addition, using the published compromise indicators (the IP addresses of the hijackers’ servers), Afnic has checked that, to the best of our knowledge and at this stage of our investigations, no .fr domain name has been affected.

Note that another precaution was taken by .fr: the use of DNSSEC technology means that, even in case of the total compromise of one or more authoritative servers for .fr, the insertion of false information is not possible. It is then an opportunity to recall the extreme importance of deploying DNSSEC, both at the level of the resolvers and the authoritative servers. However, it should be noted that DNSSEC would not have prevented all of the name hijacking attacks.

Security is based on the combination of a number of good practices. We might remind readers of the importance of the FR Lock system which locks a domain name against quick changes that may be suspicious or fraudulent. But, above all, quite apart from a specific technique, it is important to emphasize the value of good practices in terms of digital hygiene, such as the rigorous management of passwords, or ensuring the vigilance of employees who manage domain names. And promote the use of 2-factor authentication on access accounts when it is available – which has become quite common – whether for professional or private use.

More detailed information on the security of domain names

• Issue paper “Securing the management of domain names”
• Guide “Best current practices for acquiring and using domain names” 
• Issue Paper ‘DNS: Types of attacks and security techniques