
Not resolving DNS securely? UPS.com Hijacking Highlights What Could Go Wrong

Part of IID's DNS Dojo series

We already know that the Domain Name System (DNS) is crucial to the structure of the Internet. It’s the DNS that tells our browser where to find a particular website online, by pairing the domain name we type into the address bar with the IP address that serves as the actual Internet location of the website. There is inherent risk involved in the DNS, as criminals seek to undermine and exploit the system that keeps the Internet online. Criminals continually seek out ever more effective attack methods, and the DNS doesn’t get a free pass. Cyber criminals understand the vital function of DNS resolution and the potentially enormous value it can have to them if they can redirect that resolution to Internet locations of their own choosing.

What can DNS hijacking do to you?

In a recent example, the DNS resolution of the domain of shipping company UPS (along with others in a related attack) was hijacked and redirected away from UPS’s own servers. Instead of visiting the actual UPS.com site, unsuspecting visitors were redirected to a defacement page put in place by a politically motivated group of hackers. The redirection didn’t try to imitate the real UPS.com page, so visitors weren’t fooled into entering personal information thinking they were on UPS.com, but that doesn’t mean no damage was done to the owner of the website, UPS. While the rerouting was in place, no traffic could reach UPS.com, UPS.com email addresses were non-functional, package tracking and every other domain-based customer tool was unavailable, and the UPS API was unavailable to e-commerce sites. Although the attack itself lasted less than three hours, UPS was affected for 24 hours, because caching name servers across the Internet held on to the wrong information for the duration of the long Time To Live (TTL) imposed by the hackers.
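The TTL effect described above is easy to see with a small simulation. The following is an added example written for this post, not IID's or UPS's code: a toy authoritative zone, a caching resolver that honours TTLs, and an audit check of the kind a domain owner can run against its own records. The domain name, IP addresses, TTLs and timings are constructed values chosen to mirror the incident (a hijack of about three hours with a one-day TTL), not data from the incident itself.

```python
"""Why a hijacked DNS record with a long TTL outlives the hijack.

Added example (not IID's or UPS's code). The zone name, addresses, TTLs
and timings below are constructed assumptions, not incident data.
"""
from dataclasses import dataclass

HOUR = 3600


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int  # seconds a resolver may keep this answer in cache


class AuthoritativeZone:
    """Authoritative data for a zone; both the hijacker and the restore edit this."""

    def __init__(self, records):
        self.records = {(r.name, r.rtype): r for r in records}

    def publish(self, record):
        self.records[(record.name, record.rtype)] = record

    def lookup(self, name, rtype):
        return self.records[(name, rtype)]


class CachingResolver:
    """Recursive resolver: it re-asks the authority only once the cached copy expires."""

    def __init__(self, authority):
        self.authority = authority
        self.cache = {}  # (name, rtype) -> (Record, expiry time in seconds)

    def resolve(self, name, rtype, now):
        key = (name, rtype)
        hit = self.cache.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]  # still fresh, authority is not consulted
        rec = self.authority.lookup(name, rtype)
        self.cache[key] = (rec, now + rec.ttl)
        return rec


def simulate_hijack(hijack_start, hijack_end, hijack_ttl, legit_ttl=300, step=60):
    """Return (seconds the authority was hijacked, seconds the resolver served the bad answer).

    Times are in seconds from the start of the simulation; the clock advances by `step`.
    """
    legit = Record("www.example.test", "A", "192.0.2.10", legit_ttl)   # constructed
    bad = Record("www.example.test", "A", "198.51.100.66", hijack_ttl)  # constructed
    zone = AuthoritativeZone([legit])
    resolver = CachingResolver(zone)
    hijacked = False
    wrong_seconds = 0
    horizon = hijack_end + hijack_ttl + step  # long enough for the bad cache entry to expire
    for now in range(0, horizon, step):
        want_bad = hijack_start <= now < hijack_end
        if want_bad and not hijacked:
            zone.publish(bad)      # hijacker rewrites the authoritative record
            hijacked = True
        elif not want_bad and hijacked:
            zone.publish(legit)    # owner restores the authoritative record
            hijacked = False
        if resolver.resolve(legit.name, "A", now).value != legit.value:
            wrong_seconds += step  # a client asking this resolver now is misdirected
    return hijack_end - hijack_start, wrong_seconds


def audit(observed, expected_value, max_ttl):
    """Flag the two signals a domain owner can monitor for: an answer that is not
    the expected one, and a TTL longer than the owner's own policy allows."""
    alerts = []
    if observed.value != expected_value:
        alerts.append(f"unexpected {observed.rtype} for {observed.name}: {observed.value}")
    if observed.ttl > max_ttl:
        alerts.append(f"TTL {observed.ttl}s exceeds policy maximum {max_ttl}s")
    return alerts


if __name__ == "__main__":
    # Hijack begins 10 minutes in, lasts three hours, and plants a 24-hour TTL.
    attack, outage = simulate_hijack(600, 600 + 3 * HOUR, 24 * HOUR)
    print(f"authority hijacked for {attack / HOUR:.1f} h, resolver misdirected for {outage / HOUR:.1f} h")
    print(audit(Record("www.example.test", "A", "198.51.100.66", 24 * HOUR), "192.0.2.10", HOUR))
```

With a 24-hour TTL the resolver keeps handing out the defacement address for a full day even though the authoritative record was repaired after three hours; run the same hijack with a five-minute TTL and the resolver recovers as soon as the authority does. The audit function shows why owners should watch both the record value and the TTL: the long TTL was the part of the UPS incident that turned a short hijack into a day-long outage.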

More than just a website redirect

In effect, the result of this DNS hijacking was that UPS.com didn’t exist for UPS customers or employees for a full day - no communications, no transactions, no customer service. Similar attacks in the past few years have victimized high-profile companies like CheckFree, Comcast, Baidu, Twitter and even the international oversight body for domain names itself, ICANN. The CheckFree hijacking is a great example of what can happen when cyber criminals have malicious intentions. The hackers in that case redirected CheckFree customers to a website that automatically attempted to install malware. The hackers could have used the malware not just to access CheckFree’s 24 million customers’ vital data, but also to swindle information from the financial industry’s hundreds of transaction partners - better known as its extended enterprise.

A DNS hijacking event puts an entire extended enterprise in jeopardy; by exploiting connections through all levels of an extended enterprise, cyber criminals continually gain access to the core transactions that facilitate business. We’ll delve deeper into the idea of the extended enterprise in the next installment of our DNS Dojo series.

You can read more about the UPS.com hijacking event and its effects in the IID white paper Summary of DNS Hijack Event, September 4, 2011.
