DNS, DoS, and recent cyber attacks

How concerned should I be in light of the recent cyber attacks? Is my cable modem an “open resolver”? Can it be hijacked?

The short answer: I have configured most of my clients’ routers to distribute addresses for DNS servers provided by the OpenDNS project. Read on to learn how that protects you.

I had never considered the possibility of a hacked cable box, I suppose mostly because I’ve never heard a geek mention it. I just did a googling of “hack cable modem,” resulting only in discussions of how one might rejigger one’s own modem to elevate the connection speed or get free Internet, both of which appear to be quite prosecutable offenses.

I’m no hacker, but I have a decent handle on small-network security, and I have difficulty imagining the purposes to which a miscreant might put a cable modem. It can’t send data by itself, and your own local network is protected by the router that sits behind the modem.

So, onto discussion of the recent cyber attacks against Spamhaus.

As this article explains, the attack is actually performed on vulnerable DNS servers, such as those run by less vigilant Internet service providers around the world.

What’s a DNS server?

DNS is not hard to understand — it can be thought of as the phonebook of the Internet. When you ask your web browser to go to http://www.i-wish-elliot-spitzer-hadnt-been-such-a-schmuck.com…well, let’s use http://www.google.com as a shorter example…your browser first asks your computer what DNS servers it should use to look up the address.

In my house, my computer sends my browser to the OpenDNS Project’s servers or (We always have a second server as a backup in case the first one isn’t available.)

Then my browser asks the OpenDNS server where to find http://www.google.com. It receives a numerical reply, the IP address of Google’s Web server. Then the browser goes to that IP address and asks for whatever web-page information the server cares to give it.
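Here is what the browser's question and the numerical reply described above look like on the wire, as an added example that is not part of the original post. The function names are illustrative, the sample reply is constructed and uses the documentation address 192.0.2.10, and the resolver address passed to lookup() is whichever DNS server your router hands out.

```python
import secrets
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record question for `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:    # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:                # root label ends the name
            return pos + 1
        pos += 1 + length

def parse_response(msg, qid=0x1234):
    """Return (recursion_available, rcode, [IPv4 strings]) from a DNS reply."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid or not (flags & 0x8000):   # wrong ID or not a response: discard
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4        # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return bool(flags & 0x0080), flags & 0x000F, addrs  # RA bit: server recurses for us

def lookup(name, server, timeout=3.0):
    """Ask `server` (a resolver IP supplied by the caller) over UDP port 53."""
    qid = secrets.randbelow(1 << 16)         # unpredictable ID makes spoofed replies harder
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        return parse_response(s.recvfrom(512)[0], qid)

def constructed_reply(name, ip="192.0.2.10"):
    """Constructed sample reply (documentation address), so the parser runs offline."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + build_query(name)[12:] + answer
```

The first value returned is the reply's "recursion available" flag; a device that sets it for queries arriving from the Internet side is what the term “open resolver” refers to.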

How does this help hackers?

The recent malfeasance is what’s called a Denial of Service (DoS) attack. This is one example:

Imagine someone hijacks one of these vulnerable DNS servers, so that when you ask for Google.com, you actually get directed to some other Web server. Now imagine everyone using that ISP’s servers having every single one of their browser requests directed to the same Web server. The unsuspecting server would get barraged by requests, and would have to start turning some of them away — denial of service.

Service breaks down, customers get angry, service loses money, attack successful.

The big ISPs in America protected themselves against these attacks a few years back. But even before that, when the attacks first reared their heads, I looked into the prescribed ways to protect oneself, and immediately started plugging the OpenDNS servers into all my clients’ routers. Crisis averted, at least for us.

Hackers employ several methods to effect a DoS. As I understand it, the goal is not direct monetary gain, but perhaps a hobbling of an adversary, or even an expression of protest. DoS is a typical weapon of the hacker collective Anonymous.

As you can see on the OpenDNS page, using their servers offers other benefits and features, including faster replies to queries and configurable web-content filtering for those with tender sensibilities.

Bonus nerdy information

Google actually started its own public DNS service a little while ago. You can use the servers and in place of the OpenDNS servers.

They have put up a page explaining DNS security in more depth.

I hope you find this information in any way helpful or reassuring.