
Watch out for DNS sub-domain hijacking

Patrick Lambert cautions that DNS sub-domain hijacking is on the rise, especially for organizations that don't have DNS-handling in-house. Here's how to guard against the damage that could result.

Security has become ever-present on any IT worker's mind. With the amount of hacking going on out there, we've all become accustomed to securing our systems, servers and networks. We spend a lot of time and money on security solutions, and then monitoring is a key part of making sure no one gains unauthorized access. But there are still some areas that can fall through the cracks. One such area is DNS, which is often something that isn't handled in-house, especially for small and medium organizations. Lately, a new kind of hack has been spreading with alarming frequency, called DNS sub-domain hijacking, and according to a recent report from the Internet Storm Center, an initiative of SANS Institute, this affects many legitimate corporations, organizations, and government sites.

The motivation is simple. Bad guys out there want to sell cheap drugs, run Facebook scams, or otherwise trick users into clicking links to malicious web sites. But people are becoming slightly more aware of these scams, and they keep an eye on what URLs they connect to. So instead, hackers have started getting into the DNS control systems of legitimate sites and creating sub-domains for their own sites. For example, while you may have the legitimate www.example.com, if they can get access to that site's DNS, they can create cheap-drugs.example.com and payday-loans.example.com, point them to their own IPs, and trick users. They even benefit from SEO advantages because of the trusted domain name. So instead of causing damage right away to the organization they hacked, the hackers simply sit on these domain names, sometimes for years, and rake in profits.

According to the report, this happened to many, many sites. Some of the domains affected include apptech.com, cfi.gov.ar, eap.edu, fabius-ny.gov, haskell.edu, and many more. Typically, they are sites small enough not to host their own domain systems internally. They rely on external services, either their Internet providers, their hosting providers, or even some third-party web design company. The result is that access can be gained through the web, via cPanel or another type of interface. That way, the attackers don't even have to breach an internal network to gain access, and once they are in, chances are they can remain undetected unless the organization makes a habit of checking its own entries regularly. Worse, if the newly created sites are discovered, the hacked organization is the one that will be blamed initially, and it has to deal with the effects of whatever the bad sites were doing.

It's hard to know how hackers gained access to the 50+ sites that ISC uncovered, and the likely hundreds more that are hacked and haven't been found yet. It's almost certainly a combination of factors. Some panels allow users an unlimited number of login attempts, so brute force is fairly easy to do. Others may use an older DNS installation and be vulnerable to DNS poisoning attacks. There are even reports that some hosting companies allow anyone to add sub-domains for any domain the host is serving, regardless of who actually owns it, as long as the sub-domain doesn't already exist. Obviously, that would be a big vulnerability and something you can easily test against. Either way, it's important to remember that your domain name is your company's identity online, and any time your organization outsources its DNS to someone else, it is trusting its identity to that provider.

Protecting yourself from sub-domain hijacks

The easiest way to secure yourself from these types of attacks, assuming bringing your DNS servers in-house isn't an option, is to monitor against a known list of sub-domains. You can usually log into your provider's panel and check the listing to make sure it's up to date. A more automated way is to run dig from any terminal and request a zone transfer, which gives you a listing of everything under your domain name:

dig @a.iana-servers.net example.com axfr

Replace the name server and the domain name with your own, and make sure zone transfers are authorized for your machine. Look especially for any entry that leads to IP addresses outside your normal range. Then of course the basic security measures still apply, like using strong passwords and making sure you use a hosting service that's trustworthy. Unfortunately there's no sure-fire way to be completely safe from this type of hack, and it's likely to become more prevalent in the future. Since many of these infrastructures are handled remotely by hosting companies, it's something that can easily be forgotten, and you then end up with a bunch of unauthorized sub-domains lying dormant for a long time.
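As an added example (not part of the original article), the check described above automated in Python: it parses the text that dig prints for a zone transfer, compares every host against a baseline list of sub-domains the organization created itself, and flags any A/AAAA record that points outside the organization's own address ranges. The zone, host names, and IP ranges below are constructed sample values; in practice you would feed in the output of the dig command shown above.

```python
import ipaddress

# Constructed sample of what `dig @ns example.com axfr` prints; not real records.
SAMPLE_AXFR = """\
example.com. 3600 IN SOA ns1.example.invalid. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.invalid.
www.example.com. 3600 IN A 203.0.113.10
mail.example.com. 3600 IN A 203.0.113.20
cheap-drugs.example.com. 300 IN A 198.51.100.77
payday-loans.example.com. 300 IN CNAME landing.attacker.invalid.
;; Query time: 3 msec
"""

# Baseline the organization keeps: the sub-domains it created itself and the
# address ranges its own hosts live in (constructed values).
KNOWN_HOSTS = {"www.example.com", "mail.example.com"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_axfr(text):
    """Return (owner, rrtype, rdata) for each A/AAAA/CNAME record in dig AXFR output."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, dig's ';' status lines and anything that is not an IN record.
        if not fields or fields[0].startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rrtype, rdata = fields[0].rstrip("."), fields[3], fields[4].rstrip(".")
        if rrtype in ("A", "AAAA", "CNAME"):
            records.append((owner, rrtype, rdata))
    return records


def find_suspicious(records, known_hosts, allowed_nets):
    """Flag hosts missing from the baseline and hosts resolving outside the allowed ranges."""
    findings = []
    for owner, rrtype, rdata in records:
        reasons = []
        if owner not in known_hosts:
            reasons.append("not in known sub-domain list")
        if rrtype in ("A", "AAAA") and not any(
            ipaddress.ip_address(rdata) in net for net in allowed_nets
        ):
            reasons.append("points outside allowed IP range")
        if reasons:
            findings.append((owner, rrtype, rdata, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for owner, rrtype, rdata, why in find_suspicious(parse_axfr(SAMPLE_AXFR), KNOWN_HOSTS, ALLOWED_NETS):
        print(f"{owner} {rrtype} {rdata}: {why}")
```

Run it on a schedule and alert on any non-empty result; an entry that is both unknown and pointing at a foreign address is exactly the pattern the article describes.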

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

7 comments
jjustice

If 20 years ago a billing system administrator can track down a $0.10 billing error and find a spy ring ("The Cuckoo's Nest" I believe is the name of the book) then why can't we find the bad guys today? It seems to me that we have logs that record a phenomenal amount of data and we don't use it to catch these guys. Even the protocols are designed to be able to locate the paths of messages (packets). Perhaps companies can offer bounties for finding, stopping, apprehending and successfully prosecuting hackers. And then we have to figure out who can look at what data without giving away the farm. Maybe we just need to pay better attention to the alerts that are issued by the equipment and software we run.

DrJimW

Would the author recommend a method using a Windows 7 equivalent to dig? I appreciate the suggestion about something from nicholas fong, but I don't like to download programs from unknown sources. Thanks, Jim

Clay_Glenn

I just tried this, but Windows 7 doesn't seem to know what "dig" is.

Jeff Adams

Jim, You can obtain a version of dig that runs under Windows by downloading the Windows version of BIND at http://www.isc.org/sw/bind/. Put dig.exe and host.exe with the required DLLs somewhere in your path. -Jeff

HAL 9000

I'm currently trying to work out which Banned Word I'm trying to use as I haven't been able to post to TR since last night. Col