30 Aug 2013

The Syrian Electronic Army takes down the New York Times and Twitter – should we be worried?

This Tuesday, the Syrian Electronic Army (SEA) used a type of attack known as Domain Name System (DNS) hijacking against sites such as the New York Times and Twitter. This type of attack abuses the DNS, which is a kind of internet address book, to reroute traffic from its intended destination to sites controlled by the SEA. The process to get this done was as follows:
  1. The SEA orchestrated a phishing attack on Melbourne IT, a DNS registrar reseller.
  2. With the reseller's credentials, the group logged in and changed the DNS entries for the NYT and Twitter domain names.
  3. The SEA then changed the domain names of their own sites to those previously held by NYT and Twitter.

All fairly simple stuff. The false IP addresses then spread from one DNS server to another and eventually all around the world. Before long the SEA's servers couldn't handle the traffic, which left people trying to reach the websites locked out completely.

So should people be worried? The truth is these attacks are fairly simple to run and difficult to protect against, because there is no real security on DNS addresses. One measure of protection is to put a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically; however, there is some difficulty putting this in place for .au and .co.nz addresses at the moment.
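An added example, not from the original post, of how a domain owner could audit the two things this post points at: whether a registry-level lock is actually set (visible in whois as the server*Prohibited EPP status codes, which only the registry can clear), and whether the domain's delegated name servers still match the owner's own baseline. The whois text, domain and name servers below are constructed, not a real lookup.

```python
import re

# EPP status codes a registry-level lock sets. Unlike the client* codes (a
# registrar lock), only the registry can clear these, which is the property
# the post describes: the registrar cannot change the record automatically.
REGISTRY_LOCK_STATUSES = {"serverDeleteProhibited", "serverTransferProhibited",
                          "serverUpdateProhibited"}

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.MULTILINE)

def parse_whois(text):
    """Return (set of EPP status codes, set of lower-cased name servers)."""
    statuses = set(STATUS_RE.findall(text))
    nameservers = {ns.lower().rstrip(".") for ns in NS_RE.findall(text)}
    return statuses, nameservers

def registry_lock_missing(statuses):
    """Registry-lock status codes absent from whois; empty set means locked."""
    return REGISTRY_LOCK_STATUSES - statuses

def nameserver_drift(nameservers, expected):
    """Name servers in whois that are not in the owner's baseline. Any entry
    means the delegation changed, which is what the NYT/Twitter hijack did."""
    return nameservers - {e.lower().rstrip(".") for e in expected}

def audit(text, expected_ns):
    """Summarise both checks for a monitoring job or a pre-incident review."""
    statuses, nameservers = parse_whois(text)
    return {"registry_lock": not registry_lock_missing(statuses),
            "unexpected_ns": sorted(nameserver_drift(nameservers, expected_ns))}

# Constructed whois output (not a real lookup): registrar lock only, and one
# delegated name server that the owner never configured.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS1.UNEXPECTED.INVALID
"""

if __name__ == "__main__":
    print(audit(SAMPLE_WHOIS, ["ns1.example.net", "ns2.example.net"]))
```

Run periodically against fresh whois output for your own domains; a `registry_lock` of `False` or a non-empty `unexpected_ns` is the signal to act.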