Register.com’s 9/11
My blog has been down three times this week (so far) – as Register.com has been under a denial of service attack that has knocked out their DNS name servers.
As with anything computer-related, we only pay attention when disaster strikes.
I got this email from them (finally):
For the past three days Register.com has been experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack – an intentionally malicious flooding of our systems from various points across the internet. We know the disruption of business this has caused our customers is unacceptable, and we are working round the clock to combat it. (For more information about DDoS attacks, please see http://en.wikipedia.org/wiki/Denial-of-service_attack.)
While we are still under attack, our counter-measures are currently minimizing the disruption to your services. We are using all available means to halt this criminal attack on our business and our customers’ business.
We are committed to updating you in as timely a manner as possible; please continue to check back here for additional updates or go to www.twitter.com/Register_com.
Thank you for your patience.
Now I think I’ll take steps to make sure it doesn’t happen again… if you have a blog or website, you may want to do the same.
There’s not a lot of information on this attack, but Gizmodo may be onto something:
Here’s why that is deeply, deeply scary. As we explained, Conficker has built a zombie botnet infrastructure by registering hundreds of spam DNS names (askcw.com.ru, and the like), which it then links up and uses as nodes for infected machines to contact for instructions. In its earlier forms, Conficker attempted to register 250 such DNS names per day. But with the third version of the software, the Conficker.c variant which has been floating around for the last month or so, the number of spam DNS takeovers was boosted to 50,000 per day—a number security pros can no longer keep up with.
What the April 1 update did was simple: It provided instructions for linking up with the thousands, perhaps tens of thousands of new nodes registered by Conficker.c over the last few weeks, effectively growing the size of the p2p botnet to a point where it cannot be stopped.
“It’s not about ownage, it’s about continued ownage,” says Kaminsky, citing a favourite quotation of one of his hacker buddies. “It’s not about how you get into the network, it’s about, ‘How do you be [there] a year from now?’” And the answer is: “You do a lot of the things the Conficker developers are doing.”
“This is not something where the guys wrote it, it’s out, then they’re going to go out and play Nintendo. They’re frankly trying to build something that is a sustainable network for months or years to come,” Kaminsky says.
The interesting thing about this attack is that while the DNS servers are knocked out, it is possible to insert a new registration and route the DNS through another point. What this means is that the hackers can monitor traffic from a site (even a secure one) and possibly grab important information from it.
New Tool To Be Released Can Steal Authentication Credentials Through Encrypted Secure Channels
A new tool that can steal users’ authentication credentials makes websites used for email, banking, e-commerce and other sensitive applications less secure, even when the credentials are sent through supposedly secure channels.
The toolkit, named CookieMonster, is used in a variety of man-in-the-middle scenarios to trick a victim’s browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user’s browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.
The vulnerability stems from website developers’ failure to designate authentication cookies as secure. On such websites, web browsers are free to send data over an insecure http channel, and that’s what CookieMonster causes the browsers to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure non-https portions of the protected website, which makes the browser send the authentication cookie.
CookieMonster is currently in the hands of only about 225 security professionals. In the next couple of weeks, the tool will become generally available. According to Mike Perry, the creator of CookieMonster, websites that appear to be vulnerable to the attack include united.com, bankofamerica.com, register.com, netflix.com, and a host of other big-name online destinations. Errata Security’s Rob Graham, who introduced Sidejacking tools a little more than a year ago, says Gmail is not vulnerable as long as a recently implemented https-only option is turned on. But Google Docs, Google’s Blogger.com and Google Finance remain wide open.
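The root cause the article describes is a missing Secure attribute on the session cookie: a browser attaches any cookie without that flag to plain http requests for the same host, so an http image reference is enough to make the cookie cross the wire in cleartext. The script below is an added example written for this post; it is not part of the article and has nothing to do with Mike Perry's tool. It parses Set-Cookie headers, models the browser's decision of which cookies go out with an http versus https request, and reports the cookies a site would leak. The host names and header values are constructed for the demonstration, not captured from any of the sites named above.

```python
"""Audit Set-Cookie headers for a missing Secure attribute and simulate the
browser behaviour behind the cookie-leak problem: a cookie without Secure is
attached to plain-http requests for its host, so any http:// reference to
that host (an image, for instance) carries the session cookie in cleartext."""
from urllib.parse import urlsplit

# Constructed sample responses for two hypothetical hosts; these are not real
# headers from any site mentioned in the post.
SAMPLE_HEADERS = {
    "vulnerable.example": [
        "SESSIONID=abc123; Path=/; HttpOnly",          # no Secure flag
        "prefs=dark; Path=/",
    ],
    "hardened.example": [
        "SESSIONID=def456; Path=/; Secure; HttpOnly",  # Secure: https only
        "prefs=light; Path=/; Secure",
    ],
}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and the attributes
    that matter here (Secure, HttpOnly, Path)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "path" and val:
            cookie["path"] = val.strip()
    return cookie


def cookies_sent_to(cookies: list, url: str) -> list:
    """Names of the cookies a browser would attach to a request for `url`.
    Secure cookies travel only over https; every other cookie is sent on
    both schemes, which is exactly the leak the Secure flag prevents."""
    parsed = urlsplit(url)
    scheme = parsed.scheme.lower()
    path = parsed.path or "/"
    sent = []
    for c in cookies:
        if c["secure"] and scheme != "https":
            continue
        if path.startswith(c["path"]):
            sent.append(c["name"])
    return sent


def audit(headers: dict) -> dict:
    """For each host, list the cookies that would ride along with a plain
    http request for an image on that host, i.e. the ones lacking Secure."""
    findings = {}
    for host, raw in headers.items():
        cookies = [parse_set_cookie(h) for h in raw]
        findings[host] = cookies_sent_to(cookies, f"http://{host}/images/pixel.gif")
    return findings


if __name__ == "__main__":
    for host, leaked in audit(SAMPLE_HEADERS).items():
        if leaked:
            print(f"{host}: LEAKS over http: {', '.join(leaked)}")
        else:
            print(f"{host}: ok (all cookies carry Secure)")
```

Running it against real responses is a matter of feeding the Set-Cookie headers of your own site into `audit`; any session cookie that shows up in the result should be set with the Secure attribute (and, independently, HttpOnly, which does not stop this leak but limits script access).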
I think the situation is probably a bit more sinister than they are letting on…
