DNSChanger and PROTECT IP: FBI hit and legislative miss

Today the world woke up to DNS changing and something called DNSChanger. First we had the excellent news of a major FBI bust, taking down a cyber-ring that had infected about four million computers in 100 countries. The operators of this fraud had used malware called DNSChanger to redirect infected computers to rogue websites. For example, Mr. Consumer would type itunes.com into his web browser but end up somewhere other than itunes.com, namely a website chosen by the crooks who had altered the way Mr. Consumer's computer found its way from site to site. (There are plenty of details in the FBI announcement.)
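DNSChanger worked by altering the resolver settings on the victim's computer, so the simplest endpoint check is to compare the resolvers a host actually reports against the ones the organisation operates. The following script is an added example, not code from the article or from ESET; the resolv.conf and ipconfig excerpts and the 10.0.0.0/24 allow-list are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample input: what an endpoint reports on Linux (resolv.conf
# style) and on Windows ("ipconfig /all" style). Both are made up here.
RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7
"""

IPCONFIG_ALL = """\
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Networks the organisation's own resolvers live in (assumed value).
EXPECTED = {ipaddress.ip_network("10.0.0.0/24")}

def nameservers_from_resolv_conf(text):
    """Collect every 'nameserver <addr>' line from resolv.conf-style text."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]

def nameservers_from_ipconfig(text):
    """Collect the 'DNS Servers' field from ipconfig-style text, including
    continuation lines, which ipconfig prints without a field separator."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            line = line.split(":", 1)[1]
        elif re.search(r"\s:\s", line):   # next field starts: stop collecting
            in_dns = False
        if in_dns and line.strip():
            servers.append(line.strip())
    return servers

def rogue_resolvers(servers, expected=EXPECTED):
    """Return configured resolvers that are outside the expected networks.
    Entries that do not parse as addresses are reported too."""
    rogue = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)
            continue
        if not any(addr in net for net in expected):
            rogue.append(s)
    return rogue
```

A non-empty result from rogue_resolvers is the signal DNSChanger-style tampering leaves behind; on a fleet, run the same comparison against the data the endpoint agent already collects.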

The crooks generated at least $14 million in ill-gotten gains by redirecting traffic to manipulate online advertising schemes. And Mr. Consumer was not the only person affected. Systems within some large enterprises were affected as well as some government agencies, including NASA. Busting this operation was a big win for the feds: 6 arrests made, a huge botnet taken over by the good guys, numerous bank accounts frozen, and hard drives from more than 100 rogue servers seized. If this action can be followed by a successful prosecution and stiff penalties for those convicted then the risk/reward ratio for cybercrime will be nudged a little closer to "not worth it."

The sheer scale of this DNSChanger scam is likely to increase the momentum for technology that makes it harder to subvert DNS for illegal purposes, namely DNSSEC, short for DNS Security Extensions. The goal of DNSSEC is to protect the Internet from certain attacks, such as DNS cache poisoning, man-in-the-middle attacks, and the kind of DNS changing the FBI has so dramatically brought to light.

How disappointing then, to get an email later the same day, also about DNS changing, but this time the DNS changer is the U.S. government itself, acting at the behest of a coalition of interests looking for ways to defeat online piracy of music, movies, and other intellectual property. This state-sponsored DNSChanger is part of the PROTECT IP bill in the Senate, and its House counterpart, the "Stop Online Piracy Act (SOPA)." These bills would require DNS server operators in the US to replace the correct IP address for a website with an alternate address provided by the Attorney General's office, if the website was "infringing". The definition of infringing is distributing illegal copies, counterfeit goods or anti-DRM technology.

While we are all in favor of stopping piracy, messing about with DNS and legalizing state-controlled DNS changing seems like overkill. Furthermore, it is fundamentally incompatible with DNSSEC, a technology that will, if it is allowed to proceed, make many parts of the Internet more resistant to abuse, and expand the possibilities for lawful and profitable business in cyberspace. While the FBI and other law enforcement are working hard to stop the bad guys making millions by infecting our computers and subverting DNS, it seems unwise to give private companies the ability to go ahead and change DNS armed only with court orders.
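The incompatibility is concrete: a DNSSEC signature covers the records the zone owner published, so an answer in which a resolver has swapped in a different address cannot carry a matching signature. The model below is an added example, not from the article or ESET, and uses textbook RSA over small constructed primes in place of the real DNSKEY/RRSIG wire format; example.com, 192.0.2.1 and 198.51.100.99 are constructed values.

```python
import hashlib

# Toy RSA key pair for the zone signer. The primes are constructed for this
# demonstration only; real DNSSEC keys are far larger and use a standardised
# encoding, which this model does not reproduce.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def rrset_digest(name, rtype, rdata):
    """Hash of the canonical record set; this is what the signature covers."""
    canon = f"{name.lower()} {rtype} {' '.join(sorted(rdata))}".encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % N

def sign_rrset(name, rtype, rdata, private_exp=D):
    """Zone owner side: produce an RRSIG-like value with the private key."""
    return pow(rrset_digest(name, rtype, rdata), private_exp, N)

def validate(answer, public_key=(N, E)):
    """Validating stub side: accept an answer only if the signature matches
    the records actually returned. Anything else is treated as bogus."""
    n, e = public_key
    if answer.get("rrsig") is None:
        return False  # the zone is signed, so an unsigned answer is bogus
    expected = rrset_digest(answer["name"], answer["type"], answer["rdata"])
    return pow(answer["rrsig"], e, n) == expected

def scenarios():
    """Three answers to the same query, as judged by a validating stub."""
    name, rtype, rdata = "example.com", "A", ["192.0.2.1"]  # constructed zone data
    sig = sign_rrset(name, rtype, rdata)
    genuine = {"name": name, "type": rtype, "rdata": rdata, "rrsig": sig}
    # An intermediary swaps in an alternate address but forwards the zone's RRSIG.
    redirected = dict(genuine, rdata=["198.51.100.99"])
    # An intermediary strips the signature along with the substitution.
    stripped = dict(redirected, rrsig=None)
    return {
        "genuine": validate(genuine),
        "redirected": validate(redirected),
        "stripped": validate(stripped),
    }

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:10s} -> {'valid' if ok else 'bogus'}")
```

Only the zone owner's private key can produce a signature the stub accepts, so a substituted answer is indistinguishable, from the validator's point of view, from the tampering DNSSEC was designed to reject.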

To learn more about this issue read the whitepaper by Paul Vixie and other Internet luminaries, "Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill" (pdf file). You can read news coverage on CNET and Public Knowledge. Other issues with the legislation are discussed on TechDirt. There is even a video.

Author Stephen Cobb, ESET

  • mark

    Clearly you do not understand how DNSSEC works or how malware might circumvent any DNSSEC stub resolver action. The bottom line is that DNSChanger could happen in a DNSSEC world.
    Prior to Paul Vixie using ISC to express his political views on rogue site legislation and masking them as technical concerns, he wrote an extension allowing the "DNSChanger" software functionality directly in BIND.
    Furthermore, making DNSSEC compatible with Paul's RPZs is not a huge software challenge. It is a question of will.
    This has never really been a technology problem. Certainly not one that cannot be solved.

  • Stephen Cobb

    Mark — I agree that this is not a technology problem, it is one of standards. Security of the Internet would be improved if the Internet standards were updated to enable more, better authentication of entities operating on the Internet (sending email, managing DNS entries, and so on). DNSSEC would NOT end malware or cybercrime, but it would make some cybercrime easier to prevent and some cyber-criminals easier to catch. The risk/reward ratio would be nudged in the direction of deterrence. Well-known theories of risk displacement tell us that bad actors will continue to act badly, but the current state of Internet standards makes life too easy for the bad guys.
    In my opinion, DNSSEC would be an improvement. The SOPA and PIPA legislation needlessly impedes that improvement. And with all due respect, as someone who has been using online communications professionally since before BIND was written, I think I do understand how DNSSEC works and how malware might circumvent any DNSSEC stub resolver action. I also understand how those intent on infringing copyright can defeat DNS filtering. As someone who has lost a lot of money, both personally and professionally, to copyright infringers, I am committed to reducing piracy. I just don't think DNS filtering is the way to go.

  • Brian

    > …DNSSEC would be an improvement.
    If there is an attack that would have been prevented with DNSSEC, I am interested in hearing about it.

    DNS has lots of security problems that are being exploited regularly, but they do not seem to be problems protocols can solve. Many are attacks on the servers, lack of accountability in registration processes, and lack of accountability for involvement in criminal activities.

    We need standards for the quality of infrastructure and operations that are used to implement DNS. Similar solutions are needed for CAs that issue SSL certificates. If we can raise the bar here, then we can start to consider the benefits of improvements to the protocols.

  • Mark

    Thank you for posting my comment and for the response. I respectfully disagree that SOPA and PIPA, if passed, would have any effect on the speed of DNSSEC implementation. DNSSEC would likely have had no effect on this cybercrime incident as these were determined criminals, but you took the opportunity on this credible public forum to make a correlation between the FBI case, DNSSEC and the proposed legislation and conclude that the legislation is bad.
    Your article says both bills "require DNS server operators in the US to replace the correct IP address for a website with an alternate address provided by the Attorney General's office," but the fact is that neither bill is prescriptive about replacing an IP address. These bills simply require that DNS doesn't resolve an address for a site. This, frankly, doesn't violate the DNSSEC standard. Quoting from SOPA, the service provider is to "prevent the domain name of the foreign infringing site from resolving to that domain name's Internet Protocol address." Quoting from PIPA, the service provider is to "prevent the domain name described in the order from resolving to that domain name's Internet protocol address."
    What is interesting about the current technology rhetoric surrounding this bill, whether it's coming from Vixie, Ulevitch or others, is that the tech community understands that DNS redirection is an extremely useful security tool yet continues to focus on how these bills will impede DNSSEC. The only thing stopping DNSSEC is the failures of DNSSEC. I am all for having a real debate on how this bill might impact the Internet, but the current discourse is nothing but scare tactics and misinformation.
    As for the bill stopping determined pirates from pirating, I agree that it may not. Just as no lock will prevent a determined thief from stealing my car or breaking into my house, a DNS block will be a deterrent for many individuals and will ultimately lower the page views, making those sites financially less viable and "not worth it" for the criminals who run them.

Copyright © 2017 ESET, All Rights Reserved.