March 30, 2007

Putting Some Circuit Breakers Into DNS To Protect The Net

There are a lot of bad, but smart, people out there on the net.

They are quick to find and capitalize on vulnerabilities, particularly those vulnerabilities in mass market software.

These bad folks are quite creative when it comes to making it hard to locate and shutdown the computers involved.

For example, a virus that takes over a victim's computer might communicate with its control point, or send its captured/stolen information, by looking up a domain name.  Normally domain names are somewhat static - the addresses they map to don't change very frequently - typically changes occur over periods measured in months or longer.

What the bad folks are doing is to change the meaning of those domain names very rapidly, from minute to minute, thus shifting the control point.  They rapidly change the contents of DNS records in the authoritative servers for that domain.  They couple this with low TTL (time-to-live) values on DNS information, thus preventing cached information from surviving very long and thus erasing one source of audit trails and covering their tracks.

To restate this perhaps more clearly - the bad people are not changing the domain name itself but rather they are rapidly changing the address information that the domain name represents.

The bad folks go even further by using the same technique to jump the name servers used for the domain.  This makes it even harder to get a handle on the attack and suppress it.

So what we may hear being proposed soon is the need for a domain name based circuit breaker for the internet.  This is not my idea; it comes from others who are on the front lines fighting against the increasing number of distributed network viruses and botnets.

This circuit breaker would be an emergency removal of a domain name, such as example.com, from the top level zone file.  In the case of example.com this would mean that "example" would be removed from the .com zone.

This would prevent this rapid shifting of A and NS records.  In fact it would make the domain not resolvable at all (except via cached information, which would rapidly fade out of view because of the short TTL values.

The circuit breaker would be triggered when a second level domain name, e.g. example.com, is found that is being manipulated in this pathological way in support of a net attack and when no responsible party can be found who would take control of that domain and make the appropriate repairs.

The mechanism of the circuit breaker would be for the registry for the top level domain involved to pull the name from its zone file, essentially putting that domain offline.

Because the delegation records from a TLD to a second level domain typically have relatively long TTLs, it might take a while, several days, for the delegation to entirely fade out of view.  However, because typical TLD contents are rather large, it is unlikely that more than a small percentage of resolver caches will continue to believe that the revoked domain name is still there until their cached records time out.  So, even though the circuit breaker would be imperfect, it would still act as a very strong supressant.

Revoking a name, even if only on a temporary basis, is a significant act that is not only capable of causing a lot of harm to innocent internet bystanders, but it is also a mechanism, like the stop cord on a train, that could be used as a denial-of-service mechanism.  Consequently the handle on this circuit breaker would, much like the button that launches nuclear missiles, need to be extremely well protected against accidental, mistaken, or unilateral use.

It seems to me that it would be useful for our internet DNS infrastructure to have such a mechanism.  This is the kind of thing that squarely falls into ICANN's job of protecting internet stability.  And it is the kind of thing that ICANN could deploy via its contractual relationships with the top level domain registries.

Posted by karl at March 30, 2007 11:29 PM