[dns-operations] zdnet blog: ICANN and IANA's domains hijacked by Turkish hacking group

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Jul 4 08:11:46 UTC 2008


On Fri, Jun 27, 2008 at 07:49:53PM +0000,
 Duane Wessels <wessels at dns-oarc.net> wrote 
 a message of 13 lines which said:

> http://blogs.zdnet.com/security/?p=1356 says:
>
>   The official domains of ICANN, the Internet Corporation for Assigned
>   Names and Numbers, and IANA, the Internet Assigned Numbers Authority
>   were hijacked earlier today, ...
>
> Anyone have more details?

Not a lot of details but more authoritative than ZDnet. The registrars
are typically the weakest link:

http://www.icann.org/en/announcements/announcement-03jul08-en.htm


Response to Recent Security Threats

3 July 2008

ICANN has been the recent target of online attacks. This announcement provides more information on those attacks and ICANN's response to them.

As has been widely reported, a number of domain names, including icann.com and iana.com were recently redirected to different DNS servers, allowing a group to provide visitors to those domains with their own website.

The domains in question are used only as mirrors for ICANN and IANA's main websites. The organizations' actual websites at icann.org and iana.org were unaffected.

The DNS redirect was a result of an attack on ICANN's registrar's systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.

It would appear the attack was sophisticated, combining both social and technological techniques, but was also limited and focused. The redirect was noticed and corrected within 20 minutes; however it may have taken anywhere up to 48 hours for the redirect to be entirely removed from the Internet.

ICANN is confident that the lessons learned and new security measures since introduced will ensure there is not a repeat of this situation in future. ICANN's Security and Stability Advisory Committee (SSAC) is considering the issue of access to domain names through registrars as a priority research topic. The results of that work will be made available through the usual channels.

In a separate and unrelated incident a few days later, attackers used a very recent exploit in popular blogging software WordPress to target the ICANN blog. The attack was noticed immediately and the blog taken offline while an analysis was run. That analysis pointed to an automated attack. The blogging software has since been patched and no wider impact (except the disappearance of the blog while the analysis was carried out) was noted.

In response to the attacks, ICANN has started an internal review of its existing security procedures to see if there are any lessons that can be learnt and to make any improvements necessary. Full reports on both incidents have been provided to law enforcement agencies.


