nanog mailing list archives

RE: A Deep Dive on the Recent Widespread DNS Hijacking


From: "Montgomery, Douglas (Fed) via NANOG" <nanog () nanog org>
Date: Sun, 24 Feb 2019 22:38:07 +0000

You might have missed reading the very article you cite.

"Woodcock said PCH's reliance on DNSSEC almost completely blocked that attack, but that it managed to snare email credentials for two employees who were traveling at the time.
....
Aside from that, DNSSEC saved us from being really, thoroughly owned."



Or maybe ACME .. https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-11.2

"It is therefore RECOMMENDED that ACME-based CAs make all DNS queries via DNSSEC-validating stub or recursive resolvers.  This provides additional protection to domains which choose to make use of DNSSEC."

I am not sure how many of the domains listed as being hijacked are DNSSEC signed, but it seems if they were, and had a reasonably long TTL on a DS record at their parent, many if not most of these could have been prevented/detected.

ICANN seems to think that is the case: ICANN Calls for Full DNSSEC Deployment
https://www.icann.org/news/announcement-2019-02-22-en

Of course, DNSSEC is often blamed for not protecting those who did not deploy/use it.  Not sure what can be said about 
that line of reasoning.

Dougm
--
Doug Montgomery, Manager Internet  & Scalable Systems Research @ NIST
 


============
    Date: Sat, 23 Feb 2019 12:13:41 -0700
    From: "Keith Medcalf" <kmedcalf () dessus com>
    To: "nanog () nanog org" <nanog () nanog org>
    Subject: RE: A Deep Dive on the Recent Widespread DNS Hijacking
        Attacks
    Message-ID: <6e31d305aee69c4d85116e6a81d0c91d () mail dessus com>
    Content-Type: text/plain; charset="us-ascii"
    
    On Saturday, 23 February, 2019 10:03, Stephane Bortzmeyer wrote:
    
    >Very good article, very detailed, with a lot of technical precisions,
    >about the recent domain name hijackings (not using the DNS, just good
    >old hijackings at registrar or hoster).
    
    >https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
    
    So in other words this was just an old school script kiddie taking advantage of DNS registrars, the only difference
    being this was a whole whack of script kiddies acting in concert directed by a not-quite-so-stupid script kiddie, with
    some "modernz" thrown in for good measure.  (Sounds like an NSA operation to me -- and the targets perfectly match
    those that the NSA would choose -- plus some good old misdirection just for the jollies of it)
    
    The second takeaway being that DNSSEC is useless in preventing such an occurrence because the script kiddies can
    merely turn it off at the same time as they redirect DNS.  However, having DNSSEC can protect you from incompetent
    script-kiddies.  It can also give you a false sense of security.
    
    Did I miss anything?
    
    ---
    The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
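The two positions above (a long-TTL DS at the parent pins the zone's key in validating resolvers, versus the hijacker simply removing the DS at the registrar) can be shown side by side with a small model of the DS-to-DNSKEY step of DNSSEC validation. This is an added example, not code from the thread or from any of the parties it discusses. It implements the real DS digest (SHA-256 over canonical owner name plus DNSKEY RDATA, RFC 4034 s5.1.4 / RFC 4509) and the RFC 4034 Appendix B key tag; the zone name, key bytes, TTLs and timeline are constructed sample data, the "key" bytes are placeholders rather than real ECDSA keys, and RRSIG verification is deliberately omitted.

```python
"""Model of how a cached DS at the parent interacts with a registrar-level hijack.

Added example, not from the NANOG thread. The DS digest and key tag are the
real RFC 4034/4509 computations; everything else (zone, keys, timeline) is
constructed sample data.
"""
import hashlib
import struct
from dataclasses import dataclass

SHA256_DIGEST_TYPE = 2          # DS digest type 2 = SHA-256 (RFC 4509)
ZONE = "example.com."           # constructed sample zone
LEGIT_KEY = bytes(range(32))    # placeholder key material, not a real public key
ATTACKER_KEY = bytes(range(32, 64))


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes) -> DS:
    """DS record for a DNSKEY: SHA-256(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    digest = hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, SHA256_DIGEST_TYPE, digest)


def dnskey_matches_ds(owner: str, flags: int, algorithm: int, pubkey: bytes, ds: DS) -> bool:
    """The validator's check: does the DNSKEY the zone serves hash to the DS we hold?"""
    return make_ds(owner, flags, algorithm, pubkey) == ds


@dataclass
class CachedDS:
    records: frozenset   # DS set learned from the parent (empty = unsigned delegation)
    expires_at: int      # absolute time in seconds


class Validator:
    """Minimal validating resolver: caches the parent's DS set for its TTL and
    classifies the child's DNSKEY set as secure, insecure or bogus."""

    def __init__(self):
        self.cache = None

    def fetch_ds(self, parent_ds: frozenset, ttl: int, now: int) -> frozenset:
        if self.cache is None or now >= self.cache.expires_at:
            self.cache = CachedDS(parent_ds, now + ttl)   # (re)fetch from the parent
        return self.cache.records

    def validate(self, owner, served_dnskeys, parent_ds, ttl, now) -> str:
        ds_set = self.fetch_ds(parent_ds, ttl, now)
        if not ds_set:
            return "insecure"   # no DS at the parent: unsigned delegation, answers accepted unvalidated
        if any(dnskey_matches_ds(owner, f, a, k, ds) for (f, a, k) in served_dnskeys for ds in ds_set):
            return "secure"
        return "bogus"          # cached DS pins a key the hijacked zone cannot present: SERVFAIL


def hijack_timeline(ds_ttl: int) -> list:
    """Constructed scenario: at t=3600 the attacker repoints NS at the registrar,
    serves their own DNSKEY, and deletes the DS at the parent. Returns what a
    resolver that cached the DS at t=0 with the given TTL sees at each step."""
    v = Validator()
    legit_ds = frozenset({make_ds(ZONE, 257, 13, LEGIT_KEY)})   # 257 = ZONE|SEP, 13 = ECDSAP256SHA256
    legit_keys = [(257, 13, LEGIT_KEY)]
    attacker_keys = [(257, 13, ATTACKER_KEY)]
    return [
        ("t=0 legitimate zone", v.validate(ZONE, legit_keys, legit_ds, ds_ttl, 0)),
        ("t=3600 hijacked, DS removed at parent", v.validate(ZONE, attacker_keys, frozenset(), ds_ttl, 3600)),
        ("t=90000 hijacked, DS removed at parent", v.validate(ZONE, attacker_keys, frozenset(), ds_ttl, 90000)),
    ]


if __name__ == "__main__":
    for ttl in (86400, 300):
        print(f"DS TTL {ttl}s:", hijack_timeline(ttl))
```

With a one-day DS TTL the resolver returns bogus (SERVFAIL) for the hijacked zone until the cached DS expires, which is the detection window Doug describes; with a five-minute TTL the same hijack goes insecure almost immediately, which is Keith's point that the attacker can turn DNSSEC off at the registrar. Either way a hijacker who also re-signs with a DS they control at the parent validates once the old DS ages out, so monitoring the DS set at the parent is the check that remains.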
    
 

