Have you ever heard anything about domain "hijacking"? This means that attackers manipulate name server entries in order to redirect users to unwanted pages - either for political reasons, for the purpose of distributing malware or for "phishing" data.

Registries and registrars in the firing line

Registries and registrars are at the heart of the internet’s adressing system and as such they are increasingly attracting the attention of would-be attackers. Similarly to a fortress, the assailant only needs to find a small weak spot – such as a window left unattended – to breach the defences and start doing some serious damage. So, the defences have to be tightened: from the moat to the gates – from the registry to the registrar and their resellers. In recent years, various cases have been documented in which attacks have succeeded through targeting the weakest link in the chain – whether it’s via stolen credentials, infected networks or web applications or social engineering cons. The vast majority of these attacks are financially motivated: there is a considerable black market where botnets designed to distribute malware can be hired by the hour, or redirected traffic can be bought. Essentially, any information related to a company can be monetised – another way of harvesting them is by changing domains’ MX Resource Record and reading incoming and outgoing e-mail correspondence.

Registries are responding to these kinds of scenarios with a full range of security measures:

These include creating services that are designed to provide an additional layer of security for domains and the domain name service such as Anycast Nameserver networks, DNSSEC and the Registry Lock. But the registries themselves have to be on top of their game too, from a security point of view, and adopt effective information security management systems (ISMS). The nic.at ISMS successfully acquired ISO 27001 certification this year, putting us in the vanguard of European domain registries. It’s important to remember that registrars and their resellers are involved in the process when it comes to domain security – a priority for the nic.at ISM team, and a focus of its support activities. Measures include keynote talks as well as national security drills in which various IT-related emergency scenarios are simulated and made available to registrars. 

Sharing information and a willingness to talk openly about security incidents in a confidential setting is paramount. This makes it possible for people to learn from each other, avoid repeating each others’ mistakes and improve the overall level of security, as Bert ten Brinke, Chairman of the Security Working Group of the European National Registries explained.

Cyber criminals are aware of the registries’ value

Michael Hausding, a Security Engineer at SWITCH, specialises in security breaches in the registry environment.

What makes registrars and registries such an attractive target?

Access to the name server records for domains. Once manipulated, you can reroute domains and all the visitors to that particular domain. For example, taking them to pages that are infected with malware. Or to phishing sites that trick people into revealing user credentials. From an attacker’s point of view it is less effort to steal a password and change a name server than it is to try and hack a well-protected web server. If they can manipulate a name
server belonging to one of the major ISPs, then they are in a position to hijack hundreds of thousands of domains in the DNS in one fell swoop. Cyber criminals are all too aware of the potential rewards.

How can hackers manipulate name server data?

Via registrars, who are in a position to make updates for the domains entrusted to them. Hackers use established patterns such as exploiting security loop holes in content management systems or target phishing attacks aimed at registrar staff to get their hands on access data. Once in their possession, this data can be used to log in to the registry’s admin interfaces and change the data associated with domains.

What can registries do if a registrar has been hacked?

To start with, throw their weight behind the initial investigation: was any domain data changed during the period? Has any violation occurred? If yes, help repair the damage. And of course issue new access data, such as passwords etc. It’s essential that the registry is notified immediately.

And how can people guard against this kind of attack?

Registrars can protect themselves by patching their systems regularly and using ultra-secure, user-specific passwords for sensitive transactions – safe storage and changing them regularly also bolsters security. Suitable staff training is also important. Domains can guard against unwanted changes by using DNSSEC and additional security features such as Registry Lock.