China domain name report: more than half of our domain name servers are unsafe

Source: Internet
Author: User
Keywords Domain name security server attack


August 26 news: North Dragon in the network, together with the domain name registration management agency CNNIC, issued the first "China Domain Name Service and Security Status Report". The report shows that China currently has nearly a million domain name servers in total, of which more than 50% are relatively insecure, and that 57% of China's important information systems exist the risk of

The following is the "China Domain Name Service and security status report" Full text:

Summary of reports:

-As of August 10, 2010, the total number of domain name servers monitored worldwide was 16,306,432, including 2,903,550 authoritative domain name servers and 13,402,882 recursive domain name servers. The number of active domain name servers was 1,375,219, of which 619,797 were authoritative and 755,422 were recursive.

-As of August 10, 2010, the total number of domestic domain name servers monitored was 978,713, of which 107,540 were authoritative and 871,173 were recursive. The number of active domestic domain name servers was 67,235, of which 19,281 were authoritative and 47,954 were recursive.

-Most domestic domain name servers are distributed in Guangdong, Beijing, China, Taiwan, Shanghai and other areas where the Internet is well developed. The top 10 regions together account for more than 90% of the total number of domain name servers.

-A scan of all authoritative servers in the country found that more than 62% use a Unix system and more than 95% use ISC BIND software. 53% of domestic authoritative domain name servers have the recursive query function enabled, far more than the 31% ratio worldwide, which poses certain security risks.

-A comprehensive scan of all domestic recursive domain name service systems found that more than 55% use a Unix system and more than 94% use ISC BIND software.

-More than 4% of domestic recursive domain name servers use ports with poor randomness and are vulnerable to DNS hijacking attacks, much higher than the global average of 0.98%.

-Sampling of the domain names involved in China's important information systems found that 57% of the domain name resolution services are in a risky state, of which 11.8% of the domain names are in a higher-risk state because of improper configuration management.

Chapter I. Description of the domain name service system

A domain name is a name made up of dot-delimited character strings. It is a hierarchical character identifier used to identify and locate computers on the Internet, similar to a number on the Internet.

The Domain Name System (DNS) is a distributed data query system whose main function is to translate domain names into IP addresses. Most Internet applications are built on the Domain Name System, and the vast majority of Internet communications must first go through it to complete the conversion to an IP address.

  

Figure 1 Location role of the domain Name System

The domain name service system comprises every system that provides domain name service. It consists of two major parts and four links: the recursive domain name service system, and the authoritative domain name resolution service system, which is made up of the root domain name service system, the top-level domain name service system and the domain name service systems at other levels.

  

Fig. 2 The structure of the Domain Name service system

Within the domain name service system, the root domain name service system is run by 13 professional domain name management agencies around the world under ICANN authorization, and the top-level domain name service system is operated and maintained by commercial organizations contracted by ICANN or by research and management organizations authorized by national governments, so the stability of these two links is assured.

By contrast, the large number of second-level and lower-level authoritative domain name servers are scattered among domain name holders: government bodies, enterprises and institutions, commercial websites and end users either run them themselves or host them with a third party. Recursive domain name servers are generally provided by each network access provider. These two links have the most servers and the weakest security. According to monitoring statistics, the two links have 619,797 and 755,422 active servers respectively, and fewer than half of the servers are relatively safe. The main reasons are that the servers in these two links are numerous, managed in a decentralized way and limited in scale, and that the technical level of maintenance staff is uneven, so comprehensive professional security service capability is lacking.

Chapter II Monitoring results of the domain name service system

I. Root domain name service system

The distribution of root servers has a significant impact on the access performance of the Internet. To date, the 13 root servers of the global Domain Name System have a total of 206 mirror servers worldwide. Of the root servers and their mirrors, 72 are in Europe, 51 in the United States and 45 in Asia, and mainland China hosts mirror servers for F root, I root and J root.

Table 1 Basic status of root domain server and its mirroring

  

* Indicates that there is mirror service in the country

II. Top-level domain name service system

(i) Overall situation

According to the composition of the Internet Domain Name System, top-level domains are divided into three categories: generic top-level domains (gTLD, generic top-level domain), country and region top-level domains (ccTLD, country code top-level domain) and infrastructure top-level domains (currently only .arpa). There are 20 generic top-level domains, which can be subdivided into 13 sponsored, 4 generic and 3 generic-restricted domains. National and regional top-level domains total 260 (including ". China" and other new top-level domains), and there are also 11 experimental top-level domains, for a total of 292 top-level domains.

(ii) Software version type

Top-level domain operators generally pay more attention to system security. Statistics show that more than 69% of their operating systems are open source Linux, which is relatively stable, while Windows accounts for about 20%.

  

Figure 3 Top-level Domain Service system OS type distribution

A detection scan of the domain name servers used by the top-level domain service systems found that more than 95% use the open source software ISC BIND.

Table 2 Classification of domain name resolution software used by top-level domain service systems

  

III. Second-level and lower-level authoritative domain name service systems

(i) Geographical distribution

Statistics show that the regions with the most authoritative servers are China, Taiwan, Hong Kong, Beijing and other provinces and cities where the Internet is well developed. The authoritative servers in the 10 regions in the following figure account for more than 91% of the total authoritative servers in the country.

  

Fig. 4 Geographical distribution of authoritative domain Name service system

(ii) Operators

In monitoring the domestic domain name service systems at other levels, the distribution of authoritative servers among the major operators was also counted. Authoritative servers hosted by China's mainstream operators account for more than 50% of the authoritative servers in China's domain name service systems at all levels.

  

Fig. 5 Distribution of authoritative domain Name service system operators

(iii) Software version type

A scan of all authoritative servers in the domestic domain name service system found that more than 62% of the domain name servers use an open source Linux system, while the Microsoft Windows operating system accounts for about 36%.

  

Figure 6 authoritative Domain Name Service system OS type distribution

All authoritative domain name servers in the domestic domain name service system were probed. More than 95% of them use the open source ISC BIND software, while the ISC BIND usage rate among foreign authoritative domain name service systems is about 93%.

Table 3 domestic authoritative domain Name service system domain name analysis software classification

  


(iv) Degree of protocol support

Comparing protocol support in China's domain name service systems at all levels with the rest of the world, the proportion supporting TCP queries is slightly lower than the world level, while the proportion supporting EDNS0 is slightly higher than the world average.

Among the authoritative domain name servers in China's domain name service system, 53% have the recursive query function enabled, far more than the 31% of domain name servers worldwide that have it enabled. This is a security risk and indicates a problem in the way China's domain name service systems are configured.

  

Figure 7 The authoritative Domain Name Service System protocol support degree

IV. Recursive domain name service system

(i) Geographical distribution

Most recursive domain name servers in China are located in areas where the Internet is well developed, such as Guangdong, Beijing, China, Taiwan and Shanghai. The recursive servers in the 10 regions in the following figure account for more than 88% of the total number of recursive servers in the country.

  

Fig. 8 Geographical distribution of the recursive Domain Name service system

(ii) Operators

Breaking down China's recursive domain name servers by operator, more than 62% of them are distributed among China's mainstream operators. China Telecom has the largest number of recursive servers, accounting for more than 21% of the national total of recursive domain name servers.

  

Fig. 9 operator distribution of recursive domain Name service system

(iii) Software version type

A comprehensive scan of China's recursive domain name service system found that over 55% of recursive domain name servers run on open source systems such as Linux, and about 28% run on the Microsoft Windows operating system.

  

Fig. 10 The distribution of operating system type of recursive domain Name service system

Statistical analysis of China's recursive domain name service system found that more than 94% use the open source software ISC BIND, while the ISC BIND usage rate among foreign recursive domain name service systems is about 86%.

Table 4 Domestic recursive domain Name service system domain name analysis software classification

  

(iv) Degree of protocol support

Protocol support in China's recursive domain name service system is consistent with the world average for recursive domain name service systems.

  

Figure 11 Recursive Domain Name Service System protocol support degree

(v) Recursive domain name server port randomness

The randomness of the client port that a recursive domain name server uses for its outbound queries has a great impact on the security of domain name resolution. If the port randomization algorithm is not secure, the domain name server becomes vulnerable to cache poisoning attacks; the famous Kaminsky vulnerability attack exploits weak randomness of the recursive server's client port. Statistics show that more than 4% of China's recursive domain name servers use ports with poor randomness and are vulnerable to DNS hijacking attacks, much higher than the world's 0.98%.

  

Fig. 12 Recursive Domain Name Service System port random degree distribution
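To make the port randomness measurement concrete, the following added example (not code from the report or from CNNIC) rates the source ports a resolver used in consecutive outbound queries, as an operator might record them at an authoritative server they control. The rating thresholds, resolver labels and port lists are assumptions constructed for illustration.

```python
import statistics

# Rating thresholds on the standard deviation of observed source ports.
# Assumed values for this example; the report does not state its criteria.
POOR_BELOW = 296.0
GREAT_ABOVE = 3980.0


def port_randomness(ports):
    """Rate the source ports seen in consecutive outbound queries of one resolver."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    for p in ports:
        if not 0 <= p <= 65535:
            raise ValueError(f"not a UDP port: {p}")
    stdev = statistics.pstdev(ports)
    # Step between consecutive queries, modulo the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if len(set(ports)) == 1:
        pattern = "fixed"        # every query leaves from the same port
    elif len(set(deltas)) == 1:
        pattern = "sequential"   # constant stride, predictable whatever the spread
    else:
        pattern = "varied"
    if pattern != "varied" or stdev < POOR_BELOW:
        rating = "POOR"
    elif stdev <= GREAT_ABOVE:
        rating = "GOOD"
    else:
        rating = "GREAT"
    return {
        "rating": rating,
        "pattern": pattern,
        "stdev": round(stdev, 1),
        "distinct": len(set(ports)),
    }


# Constructed observations: source ports of successive queries from three
# hypothetical resolvers.
OBSERVED = {
    "resolver-a": [32768] * 8,
    "resolver-b": list(range(1025, 1045)),
    "resolver-c": [50312, 1893, 33467, 61220, 12754, 45011,
                   27688, 8942, 58103, 19376, 40655, 3321],
}


def audit(observations):
    """Apply port_randomness() to every resolver in the observation set."""
    return {name: port_randomness(ports) for name, ports in observations.items()}


if __name__ == "__main__":
    for name, result in audit(OBSERVED).items():
        print(name, result)
```

A fixed or constant-stride pattern is rated POOR regardless of spread, because the next port can be predicted from the previous ones.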

Chapter III Security sampling of authoritative domain names in China

Important information systems involve a large number of domain names. Based on the traffic and service scope of key domain names, domain names from various industries were sampled, mainly from government agencies, financial institutions, educational institutions, network operators and industries that affect people's livelihood. Statistics show that 57% of the key domain name resolution services are in a risky state, and only 11% of the domain name resolution services have a good security level.

  

Figure 13 Key domain name security status distribution

An analysis of domain name security by industry shows that the domain name service systems of educational institutions are the least secure, with more than 80% of their domain name resolution services in a risky state.

  

Fig. 14 Security rank distribution of key domain names in various industries

Scanning and monitoring of the key domain name list found that 74% of the domain names are configured with more than two domain name servers, but among the domain names configured this way, more than 23% of the domain name servers are located in the same network segment.

A domain name server acting as an authoritative server should have its recursive function turned off, otherwise there is a security risk. Statistical analysis found that 40% of the domain name servers on the key domain name list have the recursive function enabled, which increases the risk of attack.

  

Figure 15 Key Domain Name server recursive function open statistics
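The two configuration checks described above (name servers sharing a network segment, and authoritative servers that offer recursion) can be automated. The following is an added example, not code from the report: it inspects the RA (recursion available) flag in replies to a query sent with RD set for a name outside the server's own zones, and groups server addresses by network segment. The /24 segment size, server names, addresses and reply headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# DNS header flag masks (RFC 1035, section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(name, qtype=1, txid=0x1234):
    """Build the probe: one question, RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_flags(message):
    """Decode the 12-byte DNS header of a query or response."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "txid": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def offers_recursion(response):
    """True when a reply advertises recursion to the client that asked."""
    flags = parse_flags(response)
    return flags["qr"] and flags["ra"]


def audit_delegation(servers, prefix=24):
    """Return findings for one domain's set of authoritative servers."""
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two name servers")
    segments = {}
    for s in servers:
        net = ipaddress.ip_network(f"{s['ip']}/{prefix}", strict=False)
        segments.setdefault(net, []).append(s["name"])
    for net, names in segments.items():
        if len(names) > 1:
            findings.append(f"{', '.join(names)} share network segment {net}")
    for s in servers:
        if offers_recursion(s["response"]):
            findings.append(f"{s['name']} offers recursion (RA bit set)")
    return findings


# Constructed reply headers to the probe built by build_query().
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR+RD+RA, NOERROR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR+RD, REFUSED

# Constructed server set using documentation address ranges.
SAMPLE_SERVERS = [
    {"name": "ns1.example.test", "ip": "192.0.2.10", "response": OPEN_REPLY},
    {"name": "ns2.example.test", "ip": "192.0.2.53", "response": REFUSED_REPLY},
]

if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_SERVERS):
        print(finding)
```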

The type and version of authoritative server software greatly affect the security of a domain name server. Monitoring and statistics on the software versions used by China's key domain names found that 75% of the domain name servers use the open source software ISC BIND, and that among the domain name servers using ISC BIND, more than 14.93% run a BIND version that is too old, which is a serious security risk.

Table 5 software categories for key domain names in China

  

Chapter IV DNSSEC and global implementation status

As an important piece of Internet service infrastructure, the DNS domain name service system had serious security weaknesses in its early design, which have caused great losses to DNS and the Internet in recent years. In response, the IETF set up a working group dedicated to the DNS Security Extensions (DNSSEC) and has published a series of RFC standards that address the deficiencies of the existing DNS system in terms of concepts, protocol design, message formats, encryption algorithms and key management, forming a complete DNSSEC solution.

An analysis of the technical principles of DNSSEC shows that the solution follows these objectives and design principles:

-Provide data source authentication and data integrity verification for the DNS resolution service;

-Because DNS is public network service infrastructure, access control and data encryption are not enforced;

-The DNSSEC protocol needs to be compatible with the original DNS protocol;

-Support incremental deployment;

When an authoritative domain name server with DNSSEC deployed answers a query, it first uses a hash algorithm to compute a digest of the answer, then encrypts the digest with its own private key (that is, signs it) and stores the result in the message. On receiving the reply, the querying party decrypts the signature with the authoritative server's public key and compares the recovered digest with the digest it computes from the packet data, which completes the data integrity verification. If the integrity verification succeeds, the identity of the data source (the authoritative domain name server) is authenticated as well; otherwise authentication fails. To distribute public keys securely, a chain of trust is used, and the trust anchor for the whole DNS validation process is the root domain name servers.

  

Figure DNSSEC Signature Verification process

Since DNSSEC service was officially provided on July 15, 2010, the number of top-level domains implementing DNSSEC has increased. As of August 13, 2010, 37 top-level domains had deployed DNSSEC, accounting for about 13% of all top-level domains. The top-level domains that have implemented DNSSEC comprise 7 generic top-level domains, 19 national and regional top-level domains and 11 experimental top-level domains.

Table 6 TLD Implementation DNSSEC statistics

  

The distributed monitoring also examined the key algorithms used in DNSSEC deployments. Statistics show that 95.43% of keys use the RSA/SHA-1 algorithm and 3.95% use the RSA-NSEC3-SHA1 algorithm.

Table 7 key algorithm statistics for DNSSEC

  

At present, the root domain name service system has implemented DNSSEC, and the top-level domain and other levels of domain name service systems have put DNSSEC deployment on their agenda. To ensure the security of China's Internet, domestic domain name service providers should pay attention to the deployment and implementation of DNSSEC, follow closely the difficulties and problems that foreign domain name service operators encounter in implementing it, and explore a safe path for the healthy development of China's Internet in light of Chinese conditions.

An analysis of the principles of DNSSEC technology and of foreign DNSSEC implementations shows that domestic deployment of DNSSEC will face the following difficulties and problems:

First, best-practice guidance is lacking, and domain name service providers have not yet reached a common understanding of how to implement DNSSEC. Because DNSSEC has not yet been widely deployed, the best solutions to the problems that will be encountered are not yet available.

Second, deploying DNSSEC requires specialized equipment with high technical requirements, such as key management equipment and signing equipment, and the market lacks mature products.

Third, implementing DNSSEC places higher demands on the domain name resolution system, whose computing resources and storage capacity need to be expanded to maintain resolution efficiency.

Fourth, deploying DNSSEC and implementing EDNS0 make DNS packets larger than the traditional 512 bytes, which increases network traffic. The extended DNS packets may exceed the path maximum transmission unit (PMTU), causing packet loss.

Finally, deploying DNSSEC requires technical staff who are highly proficient in the DNS system, encryption algorithms and related areas. Abroad, configuration errors in DNSSEC deployments have repeatedly caused domain name resolution failures. There is a serious shortage of professional and technical personnel with these capabilities in China.

Implementing DNSSEC may also increase the success rate of DDoS attacks: as DNS response packets grow, it becomes easier for hackers to use DNS systems for amplification or reflection attacks.

Chapter V Domain name service risk analysis and security recommendations

Domain name service includes authoritative domain name service and recursive domain name service, and its correct, safe and reliable operation is very important to the development and construction of the Internet. The analysis found that domestic domain name services have security risks of varying degrees in configuration management and in operation and maintenance. The risks to the domain name service system and the corresponding precautions are as follows:

Risk One: Information changed or expired: The domain name resolution systems at all levels work in coordination with domain name registration, WHOIS and other systems, and a loophole in any one of them may be exploited by hackers to tamper with domain name resolution data. The primary or secondary servers of an authoritative resolution service are also vulnerable to attack if improperly configured, resulting in failure of the authoritative resolution service.

Precautions: To ensure the independence of the domain name resolution service, a server running the domain name resolution service must not open other ports at the same time. Authoritative resolution services and recursive resolution services need to be provided independently on different servers.

Risk Two: DNS system application crashes: The software of the domain name resolution service system is extremely important. If it is improperly configured or upgrades are delayed, software vulnerabilities are easily exploited by hackers. In recent years the open source software BIND has come into wide use; once that software has a serious security vulnerability, the Internet service system faces a catastrophic collapse.

Precautions: Adopt a secure operating system platform and domain name resolution software, follow the latest security vulnerabilities announced by software vendors, and upgrade software systems regularly.

Risk Three: Domain name hijacking: The attacker uses various attacks to take control of the domain name management password and the domain name management mailbox, then points the NS records of the domain name to a DNS server the hacker controls and adds the corresponding domain name records on that DNS server, so that users who access the domain name are directed to content the hacker points to. It is worth noting that after a domain name is hijacked, not only is the content of the website changed, but ownership of the domain name may even pass to others. If a domestic CN domain name is hijacked, control can be taken back relatively quickly by contacting the management agencies through the registrar or registry. If an international domain name is hijacked and it was registered through an international registrar, the complex resolution process, together with the problems of service localization, makes retaking the domain name extremely complicated.

Prevention recommendation 1: Select a domain name registrar and domain name registry that offer high security, good service and convenience;

Prevention recommendation 2: Hide the version information of the domain name resolution software and the operating system;

Prevention recommendation 3: Restrict transfers of domain name zone files;

Risk Four: Man-in-the-middle attack: In a man-in-the-middle attack, an attacker impersonates a domain name server, mainly to provide false DNS information to hosts. Man-in-the-middle attacks are mostly passive, and detecting and defending against them is very difficult.

Prevention recommendation 1: Use an intrusion detection system to detect man-in-the-middle attacks as far as possible;

Prevention recommendation 2: Monitor traffic and data packets on the network equipment at the boundary of the domain name servers. Monitoring can be based on monitoring, SNMP, NetFlow and other network management technologies and protocols;

Prevention recommendation 3: Monitor whether the domain name service protocol is behaving normally, that is, use the corresponding service protocol or suitable testing tools to send simulated requests to the service port and analyze the results the server returns to determine whether the service is currently normal and whether in-memory data has changed. When conditions permit, deploy multiple detection points in different networks for distributed monitoring;

Prevention recommendation 4: Deploy and implement DNSSEC;

Risk Five: NSEC walk: Early DNSSEC used the NSEC scheme, which allows the zone file to be traversed and enumerated, leaking the domain name resolution data under management. This both leaks business data and makes the zone an easy target for hacker attacks.

Prevention recommendation 1: Use the NSEC3 scheme to solve the problem;

Risk Six: Distributed denial of service attack (DDoS attack): A DDoS attack is a more efficient form of attack built on the traditional DoS attack. Attackers typically organize a large number of puppet machines to send a large number of query packets to the domain name server at the same time. These messages appear to comply fully with the rules, but often require the DNS server to spend a lot of time on lookups, which paralyzes the DNS. The main cause of the nationwide network interruption on May 19, 2009 was a DDoS attack.

Prevention recommendation 1: The number of servers providing domain name service should be no fewer than 2, and 5 independent name servers are recommended. It is recommended that the servers be deployed in different physical network environments;

Prevention recommendation 2: Limit the service scope of recursive services;

Prevention recommendation 3: Use traffic analysis tools to detect DDoS attacks so that emergency measures can be taken in time;

Prevention recommendation 4: Deploy anti-attack devices around the domain name service system to respond to this type of attack;

Risk Seven: Cache snooping: DNS cache snooping is the process of determining whether a resource record exists in a particular DNS cache. It lets attackers obtain information such as which domain queries the resolver has handled. Attackers often use cache snooping to look for objects that can be attacked.

Precautions: Limit the service scope of recursive services, allowing only users on specific network segments to use them.

Risk Eight: Cache poisoning (or DNS spoofing): A cache poisoning attack injects illegitimate domain name address records into a DNS server and is difficult to detect. At the least it prevents users from opening web pages; at worst it enables phishing and financial fraud, causing huge losses to the victims. Because the level of software implementation is uneven, domain name servers whose port and packet ID randomization algorithms lag behind are vulnerable to cache poisoning attacks.

Prevention recommendation 1: Focus monitoring on the resolution results of key domain names, so that a warning can be raised promptly once the resolved data is found to have changed;

Prevention recommendation 2: Deploy and implement DNSSEC;

Risk Nine: DNS amplification and reflection attacks: Current DDoS attacks are usually carried out in conjunction with "DNS amplification attacks" and "DNS reflection attacks". In both types of attack, the DNS server is often not the target but an innocent party being exploited. The attack sends small, deceptive queries to a series of innocent third-party DNS servers on the Internet. These DNS servers then send a large volume of responses to the server that appears to have asked, amplifying the traffic and eventually paralyzing the target. Operators of recursive domain name resolution services need to control their service scope, avoid providing open recursive service as far as possible, and discover potential DDoS attacks through traffic analysis and monitoring.

Prevention recommendation 1: Use traffic analysis tools to detect the attack behavior;

Prevention recommendation 2: Deploy anti-attack devices around the domain name service system to respond to this type of attack;

In addition, to enhance the security and reliability of domain name service, single points of failure should be considered when the service is deployed. The routers and switches involved need redundant backup capability, and a sound data backup mechanism and log management system should be established. Full resolution logs for the most recent 3 months should be kept. It is suggested that important domain name information systems be covered by a 7x24 maintenance mechanism. The emergency response time must not exceed 30 minutes.

Appendix 1 Definition of terms

-DNS: The Domain Name System, an important piece of Internet infrastructure that performs the mapping from domain names to IP addresses.

-IP: Network address that identifies each host on the Internet.

-TCP: Transmission Control Protocol, a connection-oriented, reliable transport-layer communication protocol based on byte streams.

-UDP: User Datagram Protocol, a connectionless transport-layer communication protocol.

-DNSSEC: DNS security extension protocol that provides data source authentication and integrity checking on top of traditional DNS.

-EDNS0: The first version of the DNS extension protocol, an important protocol necessary for implementing DNSSEC.

-ccTLD: Country code top-level domain, national and regional top-level domains.

-gTLD: Generic top-level domain, universal top-level domain.

-Root domain server: The highest-level domain name server in the Internet domain name resolution system.

-Authoritative name server: A domain name server that provides authoritative name resolution services.

-Recursive domain name server: A domain name server with recursive query function.

-ISP: Internet Service Provider.

Appendix 2 Global Technology Developments and security incidents

Technical trends

-June 2, 2009, PIR (public Internet Registry) signed the. org area file, declaring that org officially supports DNSSEC functionality.

-June 10, 2009, Matthew Dempsky (from. ORG registry) publishes a DNS trust dependency graph (between a zone and a name server) for each TLD to help study the security status of the DNS system.

-June 12, 2009, CNNIC and ISC signed the Strategic Cooperation Agreement, the two sides will jointly carry out DNS basic services software and related technology research and development work.

-July 2, 2009, the ENUM NL attempted to use DNSSEC to sign the 1.3.e164.arpa area and test it before submitting the trust Anchor Point formally.

-On July 7, 2009, Dns-oarc wrote that the recent increase in DNSSEC deployments has revealed that some DNS parsers cannot receive large answer messages.

-In August 2009, CNNIC technicians formally joined the core development team of BIND 10 software, which lays a solid foundation for the research and development of Chinese proprietary domain name resolution software.

-August 10, 2009, ISC announced that Afilias and Neustar would provide a level two DNS service for the DLV area to support DLV registration.

-September 4, 2009, to advance the process of root signing, VeriSign published experimental results on the size of root dnskey response.

-September 17, 2009, ICANN released an analysis of the impact of L-root data inflation-"root Zone augmentation and Impact Analytics."

-September 30, 2009, ICANN proposed that the IDN project be launched on November 16, 2009. The proposal was submitted to the Board of Trustees at the ICANN meeting in Seoul in late October 2009.

-October 1, 2009, ICANN publishes a research report on the root zone expansion model-"root scaling study:description of the DNS root scaling Model" (completed by the TNO Research Organization for Applied Sciences).

-On October 8, 2009, at the ripe 59 meeting in Lisbon, Portugal, the chairman of the DNS team from ICANN, Joe Abley, and the vice president of VeriSign, Matt Larson, announced a timeline for root signing.

-On October 30, 2009, at the Seoul ICANN meeting, the ICANN Board agreed to introduce the IDN CcTLD, which means that a non-Latin-alphabet Internet address will soon be available on the network.

-November 5, 2009-6th, China Internet Network Information Center (CNNIC) undertook the autumn working meeting of "Domain Name System Operation Analysis Research Center" (DNS-OARC) in Beijing. The meeting discussed issues such as DNS security, IPv4 transition to IPV6, internationalization domain name (IDN) propulsion, and so on.

-In December 2009, Google began providing a public DNS resolution service.

-February 8, 2010, CNNIC and ISC set up the Internet Technology Joint Laboratory (Cilab). The two sides rely on the joint laboratory to cooperate on product development, service platform operation, technical research, and domestic business development.

-April 30, 2010, Xinhua reported global access information for the World Expo website expo2010.cn. As a prominent "China" mark on the Internet, a series of .cn domain names such as expo2010.cn and expo.cn were widely used, making the national domain name a "new landmark" of the Shanghai World Expo on the network.

-July 10, 2010, the Internet Corporation for Assigned Names and Numbers (ICANN) authorized the Internet Assigned Numbers Authority (IANA) to formally write the ".China" domain name into the global Internet root Domain Name System (DNS). With this, global resolution of the ".China" domain name has been deployed. Internet users can enter a registered ".China" domain name directly in the browser address bar to access the corresponding website.

-July 15, 2010, the signed root officially entered service, marking the completion of DNSSEC deployment on the root servers.

Domain Name Security Events

-May 19, 2009, the free DNS hosting provider DNSPod came under DDoS attack; combined with problems in the Storm audio and video software, this led to a prolonged network outage across six Chinese provinces.

-July 29, 2009, a flaw was found in all versions of BIND 9. An attacker need only send a specially crafted dynamic update message to a BIND 9 server to cause the server to stop working. Experts said the flaw was worse than the cache poisoning vulnerability disclosed by Kaminsky.

-September 8, 2009, because of an expired, incorrect DLV key, .pr encountered SERVFAIL responses.

-October 12, 2009, at 21:45 local time in Sweden, the .se top-level domain failed because of an incorrect software upgrade during routine maintenance, leaving the entire Swedish Internet almost completely paralyzed and all .se sites inaccessible.

-August 26, 2009, Puerto Rico's major domain name registrars were attacked for hours, causing the websites of several large companies, such as Google, Microsoft, Yahoo, and Coca-Cola, to be redirected to a malicious website.

-September 24, 2009, EditDNS, a popular hosted DNS provider, suffered a DDoS attack.

-October 21, 2009, Yammer (a Twitter-like short messaging service for business users) was down for a long time because of DNS configuration errors.

-October 22, 2009, the DNS system of the Internet infrastructure services provider New Network suffered a continuous attack lasting more than 10 minutes.

-January 12, 2010, the DNS of the well-known search engine company Baidu was hijacked, leaving its website inaccessible for hours.

-January 20, 2010, the domain name resolution service of Era Interconnected was attacked.

-February 8, 2010, the website of Tata Consultancy Services, India's largest software developer, was attacked by hackers; the attack was confirmed to be a DNS hijacking.

-February 22, 2010, the domain name servers of the well-known website DSLReports failed.

-March 9, 2010, the Australian gaming website Ubisoft suffered DDoS attacks.

-March 24, 2010, Wikimedia's DNS was misconfigured during a service switchover, leaving European users unable to visit the Wikipedia site for hours.

-March 26, 2010, the domain name system of Line2, a well-known foreign VoIP provider, came under DDoS attack.

-On May 15, 2010, configuration errors at DENIC, which operates the German national top-level domain .de, left thousands of .de domain names inaccessible.

-June 2, 2010, Netscape's DNS service was compromised and paralyzed.

-June 3, 2010, the foreign website Quake Live was inaccessible for a long time because of a domain name configuration error.

-August 3, 2010, VeryCD was inaccessible in parts of the country; its official microblog confirmed that this was the result of an attack on its DNS servers.

-August 7, 2010, the internationally renowned DNS service provider DNS Made Easy suffered a DDoS attack, resulting in 1.5 hours of service downtime. Analysis found that the DDoS attack traffic reached 50 Gbps, while the highest attack traffic against DNS on record had been 49 Gbps.
