As our faithful readers know, Renesys monitors routing on the global Internet in real time and uses that information in a variety of ways. For example, we can instantly let you know which networks a hurricane has disabled or even tell you when a war has left things pretty much as they were. In short, we keep an eye on the Internet, the entire Internet, but this is all done at the level of IP addresses and the paths they follow.
The recent attack on Twitter got us thinking. Maybe we should be keeping an eye on a few more things? While your IP addresses and routes to them might be completely stable, the average user doesn’t know about those. In other words, when was the last time you typed … instead of … into your browser?
What if someone manages to point your domain name to some other IP addresses? You would still be operational as far as the Internet routers were concerned, but no humans would probably be reaching you. And that’s the problem we’ll briefly consider in this blog.
Of course, none of this is new. DNS cache poisoning has been with us a long time, but security researchers are devising increasingly clever ideas to defend DNS from these sorts of attacks. Unfortunately, securing one part of the Internet simply sends the miscreants to less well defended avenues. With respect to state-of-the-art DNS servers (admittedly probably a small set), the weakest link may now be via some of the many domain name registrars. These are the folks who are ultimately responsible for how your domains get associated with IP addresses, and you generally keep this information current yourself via an online account at the registrar. But what if hackers compromised your login credentials, say by guessing your password, by using a poorly designed password reset function, or maybe by a little social engineering? They could then point your domain anywhere they wanted. No need for a sophisticated attack against a hardened DNS server when a simple username and password will do.
So do we really need to worry about this or was the Twitter attack a one-time event? We didn’t have to wait long for the answer. According to Alexa, baidu.com, the “Google” of China, is the 8th most popular site in the world and, not surprisingly, the top site within China. And it too seems to have had its registration compromised. From our queries around this time, www.baidu.com most commonly resolved to 188.8.131.52 and a few other IPs in the 184.108.40.206/24 prefix. These IPs are actually routed via the larger 220.127.116.11/19 prefix, originated by AS 23724, a China Telecom “Internet Data Center”. From there, these IPs reach the rest of the Internet via any one of five global providers, as depicted below.
But then something funny happened: on January 11th at 23:09 UTC, we received our first answer with a very different IP address, namely 18.104.22.168, which resolves to pink2.warez-host.com. This IP is routed via the prefix 22.214.171.124/24, originating from the hosting provider Interactive3D (AS 49544) in the Netherlands. Interactive3D, which we first observed in the routing tables on 24 October 2009, owes its connectivity to the providers shown below. And this new IP did not host the Baidu web site, but rather a page for a group claiming to be the Iranian Cyber Army. (Interestingly, there are several other domains with “warez” in the title hosted at Interactive3D.)
To reduce the load on DNS servers, every DNS response comes with a TTL or “Time to live”. This value tells the receiver how long to cache the response before troubling the server again with the same request. Small TTLs allow the site administrator to change servers quickly at the expense of more frequent queries. The operators of baidu.com seem to have typically used a TTL of 14400 seconds, or 4 hours, a perfectly reasonable value. Whoever took over their domain left that value unchanged when they misdirected the site. If they had increased it, servers around the world could have retained the bogus baidu.com IP address for a very long time.
Within about 2 hours, we started seeing the return of the 126.96.36.199 address. As of this writing, all of the DNS servers for the baidu.com domain are reporting a TTL of 1200, or 20 minutes. Better safe than sorry, I guess. But before everything had settled down, at 02:35:59 UTC on January 12th, about two and a half hours after we saw the first misdirected response, we started seeing responses of 127.0.0.1 with a TTL of 300, which went on for about 20 minutes. This is the loopback IP address, the address every computer on the Internet uses for local communications. Clearly this was an error, or perhaps a misguided attempt to clear out caches.
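As an added example, not Renesys code or anything from the post itself, here is the kind of check a monitor of your own domain could run over the answers it collects: it flags an answer outside the expected prefixes, a loopback or otherwise non-routable answer, and a TTL raised above the baseline, and it computes how long a cached bogus answer could linger in resolvers. The addresses are constructed RFC 5737 documentation values rather than the post's; only the TTLs follow the post's timeline.

```python
import ipaddress
from datetime import datetime, timedelta

# Baseline for the monitored name. Constructed values (RFC 5737 documentation
# range), not the post's addresses; the 14400-second TTL is the one the post reports.
EXPECTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
BASELINE_TTL = 14400

# Constructed sample observations (UTC timestamp, answer, TTL) modelled on the
# post's timeline; not real monitoring output.
OBSERVATIONS = [
    ("2010-01-11 22:00:00", "198.51.100.10", 14400),  # normal answer
    ("2010-01-11 23:09:00", "203.0.113.7", 14400),    # answer moved to a foreign host
    ("2010-01-12 01:10:00", "198.51.100.10", 14400),  # original address returns
    ("2010-01-12 02:35:59", "127.0.0.1", 300),        # loopback answer
    ("2010-01-12 03:00:00", "198.51.100.10", 1200),   # TTL lowered after recovery
]


def classify(answer, ttl):
    """Return alert strings for one DNS response; an empty list means it looks normal."""
    alerts = []
    ip = ipaddress.ip_address(answer)
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        alerts.append("non-routable answer %s" % ip)
    elif not any(ip in net for net in EXPECTED_PREFIXES):
        alerts.append("answer %s outside expected prefixes" % ip)
    if ttl > BASELINE_TTL:
        # A raised TTL keeps a bogus answer in resolver caches for longer.
        alerts.append("TTL raised to %d (baseline %d)" % (ttl, BASELINE_TTL))
    return alerts


def scan(observations):
    """Apply classify() to each observation; return (timestamp, alerts) for the hits."""
    hits = []
    for ts, answer, ttl in observations:
        alerts = classify(answer, ttl)
        if alerts:
            hits.append((ts, alerts))
    return hits


def worst_case_cache_expiry(observed_at, ttl):
    """Latest time a resolver that cached the answer at observed_at may still serve it."""
    seen = datetime.strptime(observed_at, "%Y-%m-%d %H:%M:%S")
    return (seen + timedelta(seconds=ttl)).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for ts, alerts in scan(OBSERVATIONS):
        print(ts, "; ".join(alerts))
    print("bogus answer cached until", worst_case_cache_expiry("2010-01-11 23:09:00", 14400))
```

Run against live data, the observations would come from periodic queries to several recursive resolvers rather than the constructed list.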
The moral of the story here seems to be that regardless of how well run and secure your network may be, you depend on the goodwill of others to be reachable on the Internet. If someone hijacks your IP space altogether, as happened to YouTube in 2008, or your registrar is compromised and your domain is pointed elsewhere, as with Twitter and now Baidu, the best you can sometimes do is watch and wait. And then react to the attacks when they occur, as quickly as your monitoring system allows.