Security firm warns of outdated software

Outdated and untested software used to run the Internet address system has undermined online security, an Australian company warns.

Jim Hu Staff Writer, CNET News.com

Sydney-based DeMorgan said 30 percent of the computers controlling the ".com" domain name system (DNS)--including several of the highest-level root servers--are vulnerable to "denial of service" and other attacks because they are running software that is outdated or was never meant for commercial release. Such attacks, which overwhelm a server with bogus requests for information, recently crippled several large e-commerce sites.

Gartner analyst John Pescatore says the DNS is the 411 of the Internet, translating domain names into network addresses that computers understand.

The security firm released the widely disputed study last week, finding that just 20 percent of DNS servers in Australia have installed the recommended DNS server software, which received a substantial security upgrade in November. The firm also concluded that as many as 75 percent of DNS servers worldwide have failed to install the upgrade.

Louis Touton, general counsel for the Internet Corp. for Assigned Names and Numbers (ICANN), the agency with ultimate responsibility for the security of DNS, acknowledged some trouble spots. But he said the problems mostly affect remote areas of the Internet and insisted that the core DNS root servers are safe.

"At the root level, security is very robust," Touton said.

Root servers act as control switches on the Internet, taking requests from one domain and showing it how to reach addresses in another. Without them, Net surfers would be unable to reach destination sites.

DeMorgan's charges come as DNS security problems have taken on a higher profile.

Just this month, the Net's technical standards body, the Internet Engineering Task Force (IETF), published new specifications governing DNS servers, including new security protocols. Late last year, a key Internet security agency issued an advisory identifying six security holes in DNS server software known as Berkeley Internet Name Domain (BIND).

The Internet Software Consortium (ISC), the open-source development group behind the software, has since recommended on its Web site that all DNS administrators install a BIND upgrade for "security reasons."

According to DeMorgan, the uncomfortably large percentage of DNS administrators who have failed to do so raises fresh questions about security benchmarks and oversight for the DNS.

ICANN's Touton said the DeMorgan study was flawed.

"DeMorgan wouldn't know what version of software is being used," he said. "A computer search might turn up a version number, but it would not show what patches have been installed...I think concerns over this are overblown."

Touton added that ICANN and the 13 root-server administrators have been working together in a Cooperative Research and Development Association (CRADA) to set basic technical improvements and establish funding streams to move the voluntary group to a stronger footing. He said basic guidelines are expected within the next six months.

Is it really that bad?

DeMorgan chief information officer Craig Wright said one of the highest-level root servers--".com" root server A, administered by Network Solutions (NSI)--could allow hostile intruders to compromise the system.

"Some of the codes are vulnerable to either a root compromise or DDoS (distributed denial of service) attacks," Wright said. "These are mission-critical servers that control the Internet. There seems to be no control to make sure people actually update their patching."

NSI spokesman Brian O'Shaughnessy said the company is aware that domain name servers in general are vulnerable to attacks through BIND. He also said that root server A is not running the most current version of BIND but noted that it has all the latest security patches.

The company will upgrade to a more recent version of BIND only after extensive testing for the software's stability, O'Shaughnessy said. NSI must focus on its domain name registration services and on testing new versions of BIND.

"Network Solutions has too much responsibility riding on the operations of the registry unit," he said. "We only put in patches once we are able to prove that the extensive tests demonstrate the software is stable."

The root server A is the top-level domain server that functions as a traffic controller for ".com," ".net," ".org" and all 244 country codes to find one another. Root server A has 12 "slave machines" below it in the hierarchy that are located around the world and administered by separate organizations.

The ISC recommends the use of version 8.2.2 patch level 5.

Nevertheless, Wright said root servers E and F are running a new version of BIND--version 8.2.3 (T5B)--described by developers as a prerelease.

Touton said that ISC--which runs the F root server--is working hard to release a new BIND version 9, and it would be a mistake to assume that there are serious security problems with the earlier beta.
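As an added example (not part of the article or of DeMorgan's study), a defender-side inventory check that classifies BIND version banners against the 8.2.2 patch level 5 baseline the ISC recommended: the banner strings are constructed, the reading of a "-P" suffix as a patch level and a "-T" suffix as a test or prerelease build follows BIND 8 naming, and, as Touton notes, a banner alone cannot prove which patches a host actually carries.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Baseline named in the article: ISC recommended BIND 8.2.2 patch level 5.
RECOMMENDED = "8.2.2-P5"

class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    level: int          # patch level (P5 -> 5); -1 for test/prerelease builds
    prerelease: bool

# Accepts BIND 4/8-style banners such as "8.2.2-P5", "8.2.3-T5B", "8.2.3-REL", "4.9.7".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(P(\d+)|T\w+|REL))?$", re.IGNORECASE)

def parse_bind_version(banner: str) -> Optional[BindVersion]:
    """Parse a version banner; None for masked or vendor-specific strings."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    suffix = (m.group(4) or "").upper()
    if suffix.startswith("T"):                    # test/prerelease build, e.g. T5B
        return BindVersion(major, minor, patch, -1, True)
    level = int(m.group(5)) if m.group(5) else 0  # "-REL" or no suffix: level 0
    return BindVersion(major, minor, patch, level, False)

def assess(banner: str, recommended: str = RECOMMENDED) -> str:
    """Classify one banner relative to the recommended release.
    The banner is only a hint: a vendor backport or a masked string can make a
    patched server look old or an old one look fine, so results are triage input."""
    v, r = parse_bind_version(banner), parse_bind_version(recommended)
    if v is None:
        return "unknown: banner not parseable, verify on host"
    if v.major < 8:
        return "end-of-life: BIND 4 branch, verify on host"
    if v.prerelease:
        return "prerelease: test build, not a supported release"
    if (v.major, v.minor, v.patch, v.level) >= (r.major, r.minor, r.patch, r.level):
        return "ok: at or above recommended"
    return "outdated: below recommended, verify patch status on host"

def triage(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts (name -> banner) by assessment category for follow-up."""
    groups: Dict[str, List[str]] = {}
    for host, banner in banners.items():
        groups.setdefault(assess(banner).split(":")[0], []).append(host)
    return groups

# Constructed inventory, not real root-server data.
SAMPLE_BANNERS = {"ns1": "8.2.2-P5", "ns2": "8.2.3-T5B", "ns3": "4.9.7",
                  "ns4": "8.2.2-P3", "ns5": "8.2.3-REL", "ns6": "[secured]"}
```

Run `triage(SAMPLE_BANNERS)` to see which hosts land in the "outdated", "prerelease", "end-of-life" and "unknown" buckets; every bucket other than "ok" still needs confirmation on the host itself.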

While Touton agreed there are outstanding security issues, he said most problems in the DNS are far removed from the core functions.

"This is a hierarchical system, and there are leaves on the tree that are running BIND version 4 in some out-of-the-way places," he said. "A decentralized system is not always up to the highest standard across the board."