The time has arrived! Malware Monday, as some have labeled it. The FBI has shut off the substitute DNS servers it maintained so that systems infected with the malware could keep working while their owners were given additional time for cleanup. The malware redirected web requests to sites where its authors could make money from advertising, so called "click hijacking." And make money they did: supposedly about $14 million USD.
Supposedly this malware infected not just personal systems, but also many operated by corporations and government agencies. That corporate and government network operators still get caught by such things is astounding. This kind of DNS misdirection should be easy to thwart at network boundaries. The design is simple: every host sends its DNS requests only to internal DNS servers; those internal servers forward only to DNS servers in a DMZ network; and only the DMZ servers are allowed to talk to DNS servers on the Internet. Put as egress rules, the only DNS requests allowed to leave the internal network should originate from the authorized internal DNS servers, not from resolvers on individual workstations or servers, and they should only be allowed to reach the authorized DNS servers in the DMZ. The only DNS requests allowed to leave the organization's network should come from the authorized DNS servers in the DMZ, not from the internal DNS servers, and certainly not from resolvers on individual workstations or servers. If an internal PC is infected with something that re-points its DNS queries at an outside server, name resolution on that PC should break immediately, rather than continuing to work for months until someone figures out there is a problem. DNS architecture, just like any other, has to be designed from both use cases and abuse cases. It is not just a matter of making something "work" but also a matter of protecting it from being misused or completely bypassed.
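To make the three-tier rule concrete, here is an added example (not part of the original post) that applies it to firewall log lines. The network plan, the addresses of the internal resolvers and the DMZ forwarder, and the key=value log format are all assumptions constructed for the example; real deployments would substitute their own. Every DNS flow is judged against the tiers described above, so a workstation whose DNS queries have been re-pointed at an outside server shows up as a violation instead of quietly working for months:

```python
"""Audit DNS flows against a three-tier egress policy.

Tier 1: hosts on internal networks may query only the authorized internal resolvers.
Tier 2: internal resolvers may query only the authorized DMZ forwarders.
Tier 3: only the DMZ forwarders may query DNS servers on the Internet.
All addresses below are constructed for this example (RFC 1918 / RFC 5737 space).
"""
import ipaddress
import re

# Assumed network plan (example values, not from the post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("192.168.100.0/24")]
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
DMZ_FORWARDERS = {ipaddress.ip_address("192.168.100.53")}

# Constructed firewall log excerpt in a netfilter-style key=value format.
SAMPLE_LOG = """\
SRC=10.0.5.21 DST=10.0.0.53 PROTO=UDP DPT=53
SRC=10.0.5.21 DST=203.0.113.10 PROTO=UDP DPT=53
SRC=10.0.0.53 DST=192.168.100.53 PROTO=UDP DPT=53
SRC=10.0.0.53 DST=198.51.100.7 PROTO=UDP DPT=53
SRC=192.168.100.53 DST=198.51.100.7 PROTO=UDP DPT=53
SRC=10.0.7.9 DST=10.0.9.9 PROTO=TCP DPT=53
SRC=10.0.7.9 DST=203.0.113.10 PROTO=TCP DPT=443
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")


def zone(addr):
    """Classify an address as internal, dmz or external using the assumed plan."""
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in DMZ_NETS):
        return "dmz"
    return "external"


def check_dns_flow(src, dst):
    """Return 'allow' or the reason one DNS flow src -> dst violates the policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in DMZ_FORWARDERS:
        return "allow"  # tier 3: the only systems permitted to reach Internet DNS
    if src in INTERNAL_RESOLVERS:
        if dst in DMZ_FORWARDERS:
            return "allow"  # tier 2
        return "internal resolver querying outside the DMZ forwarders"
    if zone(src) == "internal":
        if dst in INTERNAL_RESOLVERS:
            return "allow"  # tier 1
        if zone(dst) == "external":
            # The pattern a host with hijacked DNS settings produces.
            return "internal host querying an external DNS server"
        return "internal host bypassing the authorized internal resolvers"
    if zone(src) == "dmz":
        if dst in DMZ_FORWARDERS:
            return "allow"
        return "DMZ host not using the DMZ forwarders"
    return "allow"  # inbound traffic from outside is a separate policy, not egress


def audit(log_text):
    """Parse log lines, keep only DNS flows (port 53) and judge each one."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dpt") != "53":
            continue  # malformed line or not DNS
        results.append((m.group("src"), m.group("dst"), check_dns_flow(m.group("src"), m.group("dst"))))
    return results


def violations(log_text):
    """Only the flows that the boundary should have blocked."""
    return [r for r in audit(log_text) if r[2] != "allow"]


if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

Run on the sample log, this flags the workstation talking to an outside resolver, the internal resolver that went around the DMZ, and the server running its own resolver, while the legitimate hops and the non-DNS flow pass. The same three tiers map directly onto the firewall rule set; the audit is a check that the rules actually say what the design says.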
These types of problems emphasize the importance of DNSSEC, of course, but adoption has been slow. One caveat worth keeping in mind: DNSSEC protects a host only if its answers are actually validated, either on the host itself or on a resolver the host is forced to use. A host whose DNS queries have been pointed at a server of the attacker's choosing simply accepts whatever that server hands back, which is exactly why the boundary controls described above matter regardless of how far DNSSEC deployment gets. Perhaps this type of incident will push things further in the right direction. Let's hope so, or we'll be relearning this lesson again.