While much attention is given to website attacks, domain name hijacking and attacks on the Domain Name System (DNS) are often overlooked. The Canadian Internet Registration Authority (CIRA) tracks and monitors trends on the Canadian and global Internets and provides technology for organizations to help protect their online presence.
This talk will provide an overview of domain name and DNS security risks before delving into how domain names are hijacked and the DNS exploited. Presenters will help administrators understand the technology that can be used to help combat hackers, including:
- Best practices for securing a domain name portfolio and preventing domain name hijacking
- Analysis of typical DNS configurations seen across Canadian municipalities and their associated risks
- Methods for strengthening the DNS using Anycast technology
- Case studies from recent attacks, describing how they were mitigated and how they could have been avoided altogether.
7. 94% of higher education websites are exposed to DNS outages
100% are candidates for DNS hijacking
8. WHO IS CIRA?
• The Canadian Internet Registration Authority (CIRA) manages a 100% uptime service - the .CA domain name registry for over 2.4 million domains
• Provides DNS for .CA, answering 3 billion DNS queries per month
• CIRA is a non-profit member-driven organization of 75 employees and an elected 12-person board
• CIRA supports the growth of a strong and reliable Internet for all Canadians by investing in Internet projects, and helping to represent Canadian Internet interests around the world
The organization responsible for a critical part of the Internet infrastructure is expanding its services to help organizations secure their DNS systems in Canada
9. In short
Manage the .CA domain
Provide infrastructure and services
Do good things for the Internet
10. Agenda
• Best practices for protecting your domain name
• Best practices for protecting your domain’s DNS
• What is happening with new gTLDs (and why it matters to your domain)
12. Domain Hijacking
• Domain hijacking could be the act of a hacker using social engineering to trick the technical support workers at a registrar (like GoDaddy, Webnames, Domains at Cost, etc.) into making critical changes to the DNS.
• OR… It can be done by the malicious act of someone within your organization
15. Recent Domain Name Hijackings
• The dancing banana appeared on the City of Ottawa website (apparently) in response to the arrest of a person for SWATting and other nuisance cyber crimes
• The smoking lizard appeared on Air Malaysia’s website just as it was trying to recover from two high profile crashes.
What is common with these? They are not traditional targets. They aren’t Microsoft, they aren’t e-commerce sites and they aren’t banks.
16. The responsibility for locking the domain rests with the IT Administrator
• Domain locking is a manual process in a cloud world because it provides the highest level of protection
– Not an application
– Not a vendor
• Highest security Lock Flag placed on your domain that prevents any changes. Turned on and off by CIRA (or other Registries).
17. Registry Lock
• When Registry Lock is applied to a domain name, no attributes of the domain are changeable and no transfer or deletion transactions can be processed against the domain name, with the exception of renewals. .CA, .com, and others all offer this service.
• If the Registrant wishes to make any changes to their domain, the Registrant must first work with their Registrar, who will in turn work with the .CA Registry.
• The .CA Registry will respond to any lock and unlock requests in under one hour (typically under 5 mins), on a 24x7 basis, so accessing your .CA domain name is not an administrative burden.
Unlock workflow:
1. Registrant requests unlocking
2. Registrar: key contacts use admin protocols to authenticate with CIRA
3. CIRA unlocks the domain for the prescribed period of time
18. Four top tips for managing your domain
1. Conduct a good domain name audit
2. Know your Registrar(s)
3. Keep your .CA contact information current
4. Don't lose control: Renew your domain name
We learn a lot by managing a technical support desk. These tips are based on the hundreds of calls we field every day.
20. Other Tips and Tricks
1. Don’t let a supplier register your domains
2. Select the right Registrant and Administrative Contacts
3. Avoid free email services
4. Password selection and storage
5. Use security tools provided by your Registrar
6. Whitelist the domain names for your service providers (e.g. GoDaddy)
These sound simple, they are important, and they cause problems to somebody every single day
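A portfolio audit that applies the Registry Lock check from slide 17 and the tips from slides 18 and 20 (lock status, known Registrar, expiry, contact email) to a registrar export. This is an added example, not CIRA's or any Registrar's tooling; the record layout and the three domains are constructed, and the status codes are the standard EPP domain status codes from RFC 5731, of which the registry-side server* codes are the ones a Registry Lock sets.

```python
from datetime import date

# EPP domain status codes from RFC 5731. The server* codes can only be set or
# cleared by the registry, which is what a Registry Lock does; the client*
# codes are set by the registrar and are the weaker, registrar-side lock.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverDeleteProhibited",
                 "serverTransferProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientDeleteProhibited",
                  "clientTransferProhibited"}
FREE_MAIL = {"hotmail.com", "yahoo.com"}   # the free services the tips name

# Constructed portfolio export (not real registrations), one dict per domain.
PORTFOLIO = [
    {"domain": "example.ca", "registrar": "Registrar A", "expiry": "2026-03-01",
     "status": REGISTRY_LOCK | {"clientTransferProhibited"},
     "admin_email": "hostmaster@example.ca"},
    {"domain": "campus-events.ca", "registrar": "Registrar B",
     "expiry": "2015-07-10", "status": {"clientTransferProhibited"},
     "admin_email": "events@hotmail.com"},
    {"domain": "old-project.ca", "registrar": "Web Design Shop",
     "expiry": "2015-06-01", "status": set(),
     "admin_email": "webmaster@webdesignshop.example"},
]

def audit_domain(rec, today, approved_registrars, renew_within_days=60):
    """Return the findings for one domain record (empty list = no issues)."""
    findings = []
    status = set(rec["status"])
    if not REGISTRY_LOCK <= status:             # all three server* codes needed
        if status & REGISTRAR_LOCK:
            findings.append("registrar lock only, no Registry Lock")
        else:
            findings.append("no lock at all: updates, transfers and deletes possible")
    if rec["registrar"] not in approved_registrars:
        findings.append("unknown registrar %r (registered by a supplier?)" % rec["registrar"])
    days_left = (date.fromisoformat(rec["expiry"]) - today).days
    if days_left < 0:
        findings.append("EXPIRED %d days ago" % -days_left)
    elif days_left <= renew_within_days:
        findings.append("expires in %d days, renew now" % days_left)
    if rec["admin_email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
        findings.append("admin contact uses a free email service")
    return findings

def audit_portfolio(portfolio, today_iso, approved_registrars):
    """Audit every domain as of today_iso (YYYY-MM-DD); returns {domain: findings}."""
    today = date.fromisoformat(today_iso)
    return {rec["domain"]: audit_domain(rec, today, approved_registrars)
            for rec in portfolio}
```

Run it against a real export by filling PORTFOLIO from your Registrar's export and passing the Registrars you actually use as approved_registrars.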
22. What does the DNS mean to an Education IT Administrator?
DNS: website, email, courses, schedules, accounting, maintenance, e-learning, assignment submissions, conferences, researcher profiles, co-op programs, faculty microsites, satellite campuses
23. EXTERNAL DNS IS VULNERABLE
• Failures – equipment, network, power etc.
• DDoS attacks – 10% of all attacks are directed at the DNS
– DNS resources can be flooded in any type of attack
• High latency – global lookups, local DNS servers
Authoritative external DNS infrastructure is vulnerable to failures, attack and performance issues
24. DNS IS MISSION CRITICAL
• During a DNS outage websites, web applications, and email are down
• DNS outages result in brand damage and/or lost revenue
– Losses range from hundreds to millions of dollars per hour
– Damage to reputation is another cost
• DNS lookups contribute to website performance
– 40% of people abandon a website after only 3 seconds
– Amazon calculated that a 1 second increase in page load time would result in $1.6 billion in lost revenue per year
– Google calculated that a 400ms delay in returning search results would result in 8 million fewer searches per day
DNS is a mission critical service that requires 100% uptime and low latency
25. STRENGTHEN DNS WITH ANYCAST
Unicast – Traditional DNS deployments
• Nameservers are implemented on single nodes, each with a unique IP address
Anycast – Adding resiliency to your DNS
• Nameservers are implemented on multiple geographically distributed nodes that share a single IP address
• Layer 3 routing sends packets to the geographically nearest nameserver
• Built-in redundancy, failover and load distribution
[Diagram: UNICAST vs ANYCAST topology]
26. CHALLENGES WITH ANYCAST
Anycast is expensive to set up and operate
• High capital expense, high operating expense, complex to manage
• Commercial offerings are available as a service
• CIRA saw that no commercial organizations were providing a solution for Canada’s Internet
27. A GLOBAL ANYCAST DNS SERVICE THAT PUTS CANADA AND CANADIAN TRAFFIC FIRST
Location         Cloud
Miami, FL        1
Los Angeles, CA  1
London, UK       1
Hong Kong, CN    1
Calgary, AB      1
Montreal, QC     1
Toronto, ON      1
Winnipeg, MB     1
Vancouver, BC    2
Montreal, QC     2
Toronto, ON      2
Halifax          2
29. Summary on Anycast DNS
• If you aren’t currently using anycast, then it is worth an investigation
• CIRA delivers an anycast solution called D-Zone that several Canadian universities have added to their infrastructure
• We are on the show floor and interested in getting every institution in this room on board – it takes less than ten minutes to set up and if it saves one outage, “the service pays for itself many times over”
30. In summary
• Follow the tips and tricks to avoid administrative headaches and mitigate the risk of bad actors bringing down your applications or embarrassing your institution
• Unicast is old. Get an anycast DNS solution to improve the performance, resilience, and DDoS protection for your site
Protecting your domains and websites requires the consistent application of best practices – like parenting
32. D-ZONE Anycast DNS
• Contact Mark Gaudet or Shawn Beaton for more information on participating in an enterprise trial of D-Zone Anycast DNS.
Mark Gaudet
Manager, Business Development
Canadian Internet Registration Authority (CIRA)
Tel: (613) 237-5335 x 223
Cell: (613) 799-5789
www.cira.ca
CIRA is inviting CANHEIT participants to evaluate D-Zone
Sign up today and receive wireless Bluetooth headphones. (no commitment)
Editor's Notes
Many of you are familiar with CIRA, the Canadian Internet Registration Authority. We are the registry for Canada’s top level country domain .CA. There are approximately 2.4 million domain names.
As part of running the registry we provide 100% uptime DNS for .CA and answer approximately 3 billion queries per month.
1) Conduct a good domain audit
Many organizations hold a lot more domains than they know. They can be ordered by the marketing department, individual professors, departments, etc. Each one needs to be managed and each one is a potentially embarrassing situation for the organization if they are hacked.
2) Know your Registrar – all modifications to your .CA domain name happen through your Registrar
The domain registry is maintained by .CA, but all .CA websites are managed through commercial providers called Registrars. Registrars are your main point of contact for the registration and management of your .CA domain. It is a good idea to consolidate your domains with one or two registrars to make management easier.
Not sure who your Registrar is? You can check at http://whois.cira.ca/.
3) Keep your .CA contact information current
Keeping your .CA registration information current is extremely important so you can continue to receive notices about your .CA domain name. Up-to-date contact information identifies the holder of a .CA domain name. Ensuring your contact information is complete helps safeguard your .CA registration, guaranteeing that changes to your .CA can only be initiated by you. Learn more about how to manage the contact information for your .CA.
4) Don't lose control: Renew your domain name
Your .CA domain can be renewed any time prior to its expiry date. Alternatively, many Registrars offer an auto-renewal service to automatically renew your .CA domain name on its expiry date. Ask your Registrar if it offers this service.
In 2010 the Dallas Cowboys forgot to renew their domain name – the same day they were announcing the firing of head coach Wade Phillips.
There are other examples including India’s largest travel site that lost tens of millions in business and lost a partnership with the State Bank of India for a custom credit card deal.
A US bank with over 1700 branches and 2400 ATMs lost their domain and so no customers could do online banking.
Waaay back, Microsoft forgot to renew passport.com – critical to all their online applications. The buyer was very nice and gave it back to Microsoft, who rewarded him with a $500 cheque - which he then auctioned on eBay with the proceeds going to charity.
1. Always register your domain name yourself
Registrants should always complete their own domain name registration. Do not allow third parties such as web design firms to complete the registration on your behalf. This ensures the domain name is registered in the right name and that you have access to your account to manage the domain.
Why is this so important?
Some companies will register domain names for clients and do so in their own names. This becomes a problem when the clients and companies part ways and clients discover they no longer have access to the account managing their domain name. This leaves the company who registered the domain in control of the domain name, with the ability to deactivate the website.
2. Select the right Registrant and Administrative Contacts
When you register your domain name, you will be asked to provide contact information for that registration. The most important of these are the administrative and Registrant contact.
CIRA and your Registrar only communicate with the Registrant and the administrative contact. Correspondence is sent to the email addresses you provide for those contacts. If the person listed is not the individual responsible for administering the domain name registration, or if the email address is incorrect, expiry and renewal notifications from CIRA or the Registrar will not be received. These notices are critical to ensure continued access to your .CA domain name.
3. Avoid free email services
When providing an email address to list on your domain name and Registrar account, avoid using free email services such as Hotmail or Yahoo. Typically the level of security you receive when using an email address provided by your ISP or hosting company will exceed that of a free email service.
4. Password selection and storage
Select a password for your Registrar account that you haven’t used for any other system or service. It is also recommended you use a strong password (minimum six characters, containing at least one upper case character, one lower case character, a number and a special character). Never provide this information to third parties, including your hosting company. The password should be changed on a regular basis. If you receive an email from your Registrar that contains your password do not store this email in your email client. Passwords should be stored in password keeper software.
5. Use security tools provided by your Registrar
Many Registrars have tools to help you manage your domain name securely, such as setting security questions for your account. These tools are often optional but can help keep your account more secure. Auto-renewal is another tool offered by many Registrars which will help ensure your domain name remains registered and active. Auto-renewal provides your Registrar with the authorization to automatically renew your domain name when it is due for renewal, helping to avoid issues where a domain name is accidentally allowed to expire.
6. Whitelist the domain name for your service providers
Add your Registrars and other service providers, such as your hosting company’s domain name, to your email whitelist or friends list. This will prevent anti-spam software from filtering important messages regarding your domain name.
DNS based DDoS
Taking down a DNS server removes a business from the Internet
DDoS attacks can be aimed at a DNS server and/or use DNS as the attack vector
DDoS attack stats on the rise
Random subdomain attacks – a new type of attack where a random list of subdomains is requested from a name server
Solution – capacity, bandwidth, monitoring
Adding high query capacity makes a DDoS attack harder
Monitoring what is going on with the DNS is required to know when an attack is happening to allow for
Prolexic Quarterly Global DDoS Attack Report
Shift from application-based attacks to attacks using network infrastructure protocols such as DNS, NTP
Easy to do and lots of tools, misconfigured
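The monitoring the notes call for, applied to the random subdomain attack described above: the detector below flags a zone when a query log shows many distinct, high-entropy subdomain labels against it, which is what a random-subdomain flood looks like and what ordinary names like www or mail do not. This is an added example, not CIRA's monitoring; the log format, the two-label zone assumption and the sample lines are constructed.

```python
import math
import re
from collections import defaultdict
# Constructed query log lines (not real traffic). Assumed format:
#   "<time> client <ip>#<port>: query: <qname> IN <qtype>"
SAMPLE_LOG = """\
10:00:01 client 203.0.113.5#5353: query: www.example.ca IN A
10:00:02 client 198.51.100.7#4001: query: x7q2kd9p.example.ca IN A
10:00:02 client 198.51.100.8#4002: query: m3zv81tq.example.ca IN A
10:00:02 client 198.51.100.9#4003: query: kq9w2r5h.example.ca IN A
10:00:03 client 198.51.100.7#4004: query: b8t4n6yz.example.ca IN A
10:00:03 client 198.51.100.8#4005: query: v2p7c0xe.example.ca IN A
10:00:03 client 198.51.100.9#4006: query: r5j1l8da.example.ca IN A
10:00:04 client 203.0.113.9#6000: query: www.campus.ca IN A
10:00:04 client 203.0.113.9#6000: query: portal.campus.ca IN AAAA
"""
LINE_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; 0.0 for ''."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_random_subdomain_attack(log_text, min_unique=5, min_entropy=2.5):
    """Map zone -> (distinct_labels, mean_entropy, distinct_clients) when flagged."""
    per_zone = defaultdict(lambda: {"labels": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        parts = qname.rstrip(".").lower().split(".")
        if len(parts) < 3:
            continue                        # apex query, no subdomain label
        zone = ".".join(parts[-2:])         # assumption: zones are two labels
        per_zone[zone]["labels"].add(parts[0])
        per_zone[zone]["clients"].add(client)
    flagged = {}
    for zone, info in per_zone.items():
        labels = info["labels"]
        if len(labels) < min_unique:
            continue
        mean_ent = sum(label_entropy(l) for l in labels) / len(labels)
        if mean_ent >= min_entropy:   # legitimate names like www/mail score low
            flagged[zone] = (len(labels), round(mean_ent, 2), len(info["clients"]))
    return flagged
```

Tune min_unique and min_entropy against a day of normal traffic for each zone before alerting on the result, since zones with many legitimate hashed hostnames will score higher than the sample.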
External DNS refers to the authoritative name servers that answer queries for public facing websites.
During an external DNS outage you basically disappear from the Internet.
A DNS outage results in brand damage and lost revenue. Here are some examples of big losses.
DNS lookups contribute to website performance.
Some interesting facts about website performance.
The bottom line is that External DNS is a mission critical network service.
Anycast is a great technology for strengthening DNS. Why isn’t it used more?
Implementing an anycast DNS infrastructure is not practical in terms of cost or complexity of management for most organizations.
Fortunately there are commercial offerings that are increasing in adoption.
CIRA has recently launched a commercial anycast DNS service.
We upgraded our DNS infrastructure for .CA and decided to make the service commercially available. At the time there weren’t any Canadian Anycast services and this fits within our CIRA mandate of making the Canadian Internet safe and secure.
I’ll use D-Zone as an example