1. DNS/hijacking/Countermeasures
Domain name hijacking
- A domain name is transferred to an attacker, who thereby takes over administrative control of it.
It has become clear that this definition is insufficient. -- ToshinoriMaeno 2019-04-07 07:46:06
2019-04-08 piyolog: A roundup of domain name hijacking via unauthorized transfers https://piyolog.hatenadiary.jp/entry/2019/04/08/053000
Overseas, the rollout of two-factor authentication is in progress. -- ToshinoriMaeno 2019-05-07 01:25:49
1.1. sea turtle
How to Avoid the New DNS Hijacking Attacks By: Wayne Rash | April 22, 2019 https://www.eweek.com/security/how-to-avoid-the-new-dns-hijacking-attacks
Example countermeasures
- Use DNS Security Extensions (DNSSEC) at your registrar. Yes, it costs extra, but not using it is stupid.
- Use a registry lock service, which requires an out-of-band message before changes can occur.
- Use multi-factor authentication, such as DUO which is recommended by Cisco Talos.
- If you think you were targeted, Talos suggests instituting a network-wide password reset.
- CISA recommends an audit of public DNS records to verify that they are resolving as intended.
- CISA also recommends searching for any encryption certificates related to suspect domains and to revoke any fraudulently requested certificates.
Certificates are important for countering impersonation.
- But once DNS itself is spoofed, a DV certificate is no help either.
-- ToshinoriMaeno 2019-05-06 00:46:39
1.2. DHS CISA
https://www.us-cert.gov/ncas/alerts/AA19-024A
Mitigations
NCCIC recommends the following best practices to help safeguard networks against this threat:
- Update the passwords for all accounts that can change organizations’ DNS records.
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Audit public DNS records to verify they are resolving to the intended location.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
1.3. tweet
https://twitter.com/beevek/status/1118848324591865856
- Monitor critical DNS records (NS, DS, ...)
- Alert on changes w/ DNS audit logs & 3rd party monitoring
- DNSSEC sign zones
- MFA, unique pws, IP whitelisting @ registrars & DNS
- Dual DNS networks
- Security minded registrars & DNS providers
Kris Beevers added
1.4. Schneier
The comments on the blog are worth reading. -- ToshinoriMaeno 2019-05-06 01:33:49
Schneier Blog (@schneierblog), 21:06 - April 18, 2019: New DNS Hijacking Attacks https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html
- A rehash of "Researchers at Cisco's Talos security division ..."?
https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html#c6791456 Cormacolinde • April 18, 2019 8:02 AM
I’ve been thinking about how to block these attacks for a while now and at least you need to do the following to detect and limit your exposure:
- Monitor your DNS! Make sure you monitor your NS glue records and other critical records.
- Create a CAA record to prevent someone using a different CA to get certificates.
- Use DNSSEC to sign your DNS zone.
But in order to protect yourself from this kind of attack completely, you might be better using an internal CA for all internal systems, and use certificate pinning.
And obviously some sort of tunneled DNS client would help. I know the Cisco Umbrella client does this, but there’s probably others.
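A baseline check of the kind the Beevers tweet and the Cormacolinde comment above both call for (monitor NS/DS/A/CAA, alert on change, require a restrictive CAA record), written here as an added example that is not code from this page or from any of the quoted sources. The zone names, address, DS digest and the "observed" snapshot are constructed placeholders; a real deployment would fill the observed set from a resolver (for example dnspython) queried from several outside vantage points.

```python
from typing import Dict, List, Set, Tuple
Records = Dict[str, Set[str]]  # record type -> set of RDATA strings

# Known-good snapshot of a hypothetical zone (constructed values, not a real domain).
BASELINE: Records = {
    "NS": {"ns1.dns.example.", "ns2.dns.example."},
    "DS": {"12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "A": {"203.0.113.10"},
    "CAA": {'0 issue "letsencrypt.org"'},
}

# Constructed later observation: one NS replaced by an unexpected server, CAA removed.
OBSERVED_TAMPERED: Records = {
    "NS": {"ns1.dns.example.", "ns1.unexpected.example."},
    "DS": set(BASELINE["DS"]),
    "A": {"203.0.113.10"},
    "CAA": set(),
}

def diff_records(baseline: Records, observed: Records) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {rtype: (missing, unexpected)} for every record type that drifted."""
    alerts = {}
    for rtype in sorted(set(baseline) | set(observed)):
        want, got = baseline.get(rtype, set()), observed.get(rtype, set())
        missing, unexpected = want - got, got - want
        if missing or unexpected:
            alerts[rtype] = (missing, unexpected)
    return alerts

def caa_restricts_to(observed: Records, allowed_cas: Set[str]) -> bool:
    """Require CAA and allow only listed CAs (';' forbids issuance); no CAA lets any CA issue."""
    caa = observed.get("CAA", set())
    if not caa:
        return False
    for rr in caa:
        _flags, tag, value = rr.split(None, 2)
        ca = value.strip('"').split(";")[0].strip()  # drop parameters after ';'
        if tag in ("issue", "issuewild") and ca and ca not in allowed_cas:
            return False
    return True

def alert_lines(baseline: Records, observed: Records, allowed_cas: Set[str]) -> List[str]:
    """Human-readable alerts, one per finding, for a pager or SIEM."""
    lines = []
    for rtype, (missing, unexpected) in diff_records(baseline, observed).items():
        lines += [f"{rtype} record missing: {rr}" for rr in sorted(missing)]
        lines += [f"{rtype} record unexpected: {rr}" for rr in sorted(unexpected)]
    if not caa_restricts_to(observed, allowed_cas):
        lines.append("CAA does not restrict issuance to the approved CA set")
    return lines
```

Run `alert_lines(BASELINE, OBSERVED_TAMPERED, {"letsencrypt.org"})` on a schedule against a fresh observation and page on any non-empty result; an empty list means the zone still matches the baseline and CAA still limits issuance.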
1.5. nominet.uk
Cath Goulding (CISO), How to keep out the DNS Hijackers, 16th April 2019 https://www.nominet.uk/how-to-keep-out-the-dns-hijackers/
Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA.