Akamai Diversity

The Akamai Blog

Fresh Wave of DNS Record Hijacking Attacks Reported

Akamai has observed a fresh wave of DNS poisoning attacks, where web sites are hijacked and placed under the control of malicious actors.

It's a tactic Akamai has seen before, and there are ways for companies to defend themselves.

Anatomy of attacks
The Domain Name System (DNS) converts the text of a domain name (ie. akamai.com) to the server's IP address. Using DNS hijacking, a malicious user is able to update DNS records to resolve the domain to an IP that they own.

In most organizations, a limited number of people can make updates to their site's information with their DNS registrar. With most registries, updating records is as simple as logging in to a site with a username and password and changing the values of the DNS servers.

If an attacker is able to use social engineering or phishing to extract those account details, the attacker can then have the ability to redirect a domain to a different server. In some of the recent cases, this is exactly what happened.

Defensive measures
Companies should make employees aware of the threat and tactics used. Many times in these attacks, the username and password were successfully phished away from someone with the right credentials.

Companies can also lock their domains.

Domains can have locks at both the registry and registrar levels. The site owner can set and control registrar locks. These will prevent any other registrar from being able to successfully request a change to DNS for a domain. The locks that can be set at the registrar level by the site owner are:

  • clientDeleteProhibited
  • clientUpdateProhibited
  • clientTransferProhibited

The clientDeleteProhibited will prevent a registrar from deleting the domain records without the owner first unlocking the site. With the clientUpdateProhibited lock set, the registrar may not make updates to the domain and with the clientTransferProhibited set, the registrar may not allow the domain to be transferred to another registrar. The only exception to these is when the domain registration period has expired. These locks can be set and unset by the site owner and many registrars will allow these locks at no cost.

A second level of locks can also be put in place and these are set at the registry level. These are controlled by the registry and setting these can incur a cost to the domain owner. These locks are:

  • serverDeleteProhibited
  • serverUpdateProhibited
  • serverTransferProhibited

These locks operate similarly to the registrar locks in what they prevent, however they offer increased security in that they will require a phone call from the registry to the person who issued the request from the domain's registry.

The requester will need to give a predetermined pass phrase to the registrar to get the change made. These will lessen the chance of the registrar being able to make accidental or unwanted changes to the DNS records for the domain. Registry level locks offer a higher degree of security for the domain and may also incur a charge to implement.