Anatomy of a hack: How the SEA took down the NYT and Twitter

The New York Times and Twitter’s UK site went offline for some users on Tuesday as part of an attack that the Syrian Electronic Army took credit for. The SEA is a pro-Syrian leader Bashar al-Assad hacktivist group, but it’s taking a less common route to taking down web sites — it’s attacking the domain name system.
Most public attacks against web sites have been denial-of-service attacks, where the attackers gather a massive array of computers to ping the servers of their target, overwhelming them. But recently, attacks — including denial-of-service attacks — have been hitting the Domain Name System, sensing a weak spot.
To get a sense of what is happening in a typical DNS attack, I emailed Cory von Wallenstein — he’s the CTO of Dyn, a company that provides cloud-based DNS services. Companies use Dyn to bypass the general DNS servers run by their own ISPs, with the idea that using such a service makes their web traffic (both inbound and outbound) faster and more secure.
Von Wallenstein explained that there are three types of attacks that escalate in complexity. The first is called a cache poisoning attack. In an email, von Wallenstein described it like this:

In that attack, hackers attempt to inject malicious DNS data into the recursive DNS servers that are operated by many ISPs. These DNS servers are typically the “closest” to users from a network topology perspective, so the damage is localized to specific users connecting to those servers.

Standards like DNSSEC can help protect against these types of attacks, and this wasn’t the type of attack used Tuesday afternoon. The second type is to take over one or more authoritative DNS servers for a domain and change the DNS data. Authoritative DNS servers are those that keep a list of addresses configured by an original source or an administrator on their behalf. Dyn does this for Twitter, for example.
Von Wallenstein said that if an attacker were to compromise authoritative DNS, the effect would be global — however, to do this, one would have to get past a company like Dyn or OpenDNS that have built good security practices including good social engineering training. This also wasn’t the type of attack used by the SEA against Twitter and the NYT.
According to von Wallenstein, the third form of attack — and the one used by the SEA on Tuesday — is to take over the registration of a domain and change the authoritative DNS servers. The attack isn’t on the domain name system, but on the registrars, in this case MelbourneIT. It’s the most time consuming attack to undo, because while you can make the changes to the authoritative DNS servers pretty quickly, the recursive DNS servers can cache information for a full day unless the operators perform a manual purge.
For huge sites like Twitter, the New York Times and The Huffington Post, ISPs are likely to notice the attack and make the effort to clear their DNS servers’ cache, but if an attack of this nature takes out a smaller site it could leave them down for a day or even longer. And if the SEA’s recent activity is any guide, we could see a lot more of these types of attacks.