Incident Response, Malware, Phishing, TDR

Study: Corrupted DNS resolution attacks grow with use of open servers

Malicious DNS redirection at the server level is growing with the proliferation of open-recursive DNS servers, according to a new joint research paper.

The study, written by researchers at Georgia Tech and Google and planned to be released in February at the Network and Distributed System Security Symposium Conference in San Diego, reports that approximately 68,000 of the millions of open-recursive DNS servers in use are now behaving maliciously.

This finding was inferred from a sampling that queried 600,000 open DNS resolvers, 2.4 percent of which returned incorrect results. Of that percentage, 0.4 percent were deemed by the research team to be maliciously generated, deliberately sending users to false addresses or pages infected with malware.

Unlike private DNS servers, units configured to be open recursive will answer all DNS lookup requests from any computer on the internet.

Georgia Tech researcher David Dagon told that a particularly troubling discovery during the test sampling deployed in the study were "proxy pages" that were served up as answer to the queries – pages that looked exactly like legitimate websites hosted by major players such as Google.

Dagon and his co-authors, including Chris Lee and Wenke Lee of Georgia Tech and Niels Provos of Google, focused their test queries on "phishable domains," such as banks and anti-virus companies, Dagon said.

Security experts cautioned that the findings in the Georgia Tech study should not be interpreted as revelation of a secret network of corrupted servers that will spawn a new, more insidious wave of phishing attacks on unsuspecting web surfers.

"Just because a server has been configured to be open doesn't mean that it is compromised, and if an open server has been compromised that doesn't ensure that anyone is talking to it," OpenDNS founder and CEO David Ulevitch told "I can dig a bunch of holes in my back yard, but that doesn't mean anyone walking down the street is going to fall into them."

Ulevitch, whose company provides DNS services to schools and businesses, added that servers do not have the final word on DNS settings, and that web browsers can offer protection from unwanted changes in these settings. Browsers also can be set to enforce a longer period for caching of answers to queries.

Ulevitch, who also operates nonprofit phishing clearinghouse PhishTank, scoffed at a recent characterization of the results of the Georgia Tech study as the advent of "Phishing 2.0."

"It's another example of ‘F.U.D.', " he said – a finding that can generate widespread fear, uncertainty and doubt about the security of basic web tools or programs.

Dagon and his research team estimate that there are at least 17 million DNS servers currently operating in an open-recursive mode. However, Ulevitch said he believes the number is much lower, possibly no more than 5 million. Ulevitch noted that some DNS servers may be deployed as open-recursive simply because they have been set up incorrectly.

Dagon and Wenke Lee are co-founders of a start-up, Damballa, which is developing protections against malicious malware attacks. According to Dagon, a current focus of Damballa is protection against botnets. He said he could not confirm a recent media report that another focus of the start-up is protection against the malicious DNS resolution authority threat identified in the paper that he and his partner co-authored.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.