Incident: DNS Redirect Attack on NetNames' Customers' Sites by Hackers

Published Date: 2011-09-06

Postmortem Analysis
Timeline 1. The software failure incident happened on Sunday, September 4, 2011 [7836].
System 1. NetNames' domain provisioning system and the DNS delegation records (the master DNS server addresses) it manages for customer domains [7836]
Responsible Organization 1. NetNames, the domain name registrar (together with its affiliate Ascio) whose provisioning system accepted the unauthorized re-delegation orders for customer domains including those of UPS, Vodafone, Acer, National Geographic and The Telegraph. The attackers gained access to the customer accounts through a SQL injection attack [7836].
Impacted Organization 1. UPS 2. Vodafone 3. Acer 4. National Geographic 5. The Telegraph 6. The Register 7. NetNames [7836]
Software Causes 1. A SQL injection vulnerability in the registrar's systems let the attackers gain access to customer accounts and place unauthorized re-delegation orders through the provisioning system; the orders updated the master DNS server addresses for the affected domains, so legitimate web traffic was redirected to a hacker-controlled page [7836].
Non-software Causes 1. Deliberate action by external attackers, who used the compromised customer accounts to redirect traffic to a page branded TurkGuvenligi [7836].
Impacts 1. Several domain names registered by NetNames, including sites like UPS, Vodafone, Acer, National Geographic, and The Telegraph, were affected by the DNS redirect attack, leading to their traffic being redirected to a hacker-controlled page [7836]. 2. The affected websites experienced periods of inaccessibility, with some customers still facing accessibility issues even days after the attack [7836]. 3. National Geographic reported that visitors to their website were redirected to an outside website, causing disruption that was quickly resolved with additional security measures put in place by NetNames [7836]. 4. Vodafone confirmed that DNS entries were altered for a short period, affecting a large number of major corporate and media organization websites, including Vodafone.com. However, customer information was secure, and the content of the site was not affected [7836]. 5. The Register's service was restored after about three hours of the attack, indicating a temporary disruption in their website availability [7836].
Preventions 1. Using parameterized queries and strict input validation in the provisioning system to prevent SQL injection attacks [7836]. 2. Regularly reviewing and updating security protocols and systems to ensure robust protection against malicious attacks [7836]. 3. Monitoring and alerting on changes to customer domains' delegation (nameserver) records so that unauthorized re-delegations are detected quickly [7836]. 4. Conducting thorough security audits and penetration testing to identify and address vulnerabilities proactively [7836].
Fixes 1. Implementing additional security measures: NetNames, the domain registrar affected by the attack, mentioned putting additional security measures in place to prevent similar incidents in the future [7836]. 2. Reviewing and enhancing system defenses: NetNames stated that they would continue to review their systems to ensure they provide a solid, robust, and secure service to their customers [7836]. 3. Disabling compromised accounts: NetNames disabled the accounts that were used to carry out the unauthorized changes to prevent further access to the systems [7836].
References 1. NetNames spokesperson Stuart Fuller [7836] 2. UPS spokeswoman Lynnette McIntire [7836] 3. John Caldwell, president of National Geographic Digital Media [7836] 4. Vodafone representative [7836] 5. The Register [7836] 6. Computerworld [7836]
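
The attack path recorded under Software Causes and the first item under Preventions, as an added example that is not code from the article or from NetNames: a toy registrar login written twice, once with the username spliced into the SQL text and once with a parameterised query, followed by an ownership check on re-delegation orders. The table layout, account names, domains and the UNION payload are assumptions made for the demo. The injectable version fails even though passwords are salted, hashed and compared in Python, because the attacker uses UNION to supply the very salt and hash the code then verifies against.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 50_000  # kept low for the demo; use a much higher cost in production


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_db() -> sqlite3.Connection:
    """Constructed sample data (an assumption for the demo): two customers, one domain each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts(id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        "                      pw_salt BLOB, pw_hash BLOB);"
        "CREATE TABLE domains(name TEXT PRIMARY KEY, owner_id INTEGER,"
        "                     nameservers TEXT);"
    )
    for uid, user, pw in [(1, "alice", "correct horse"), (2, "bob", "hunter2")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                     (uid, user, salt, _hash_pw(pw, salt)))
    conn.execute("INSERT INTO domains VALUES ('alice.test', 1, 'ns1.alice.test')")
    conn.execute("INSERT INTO domains VALUES ('bob.test', 2, 'ns1.bob.test')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """BAD: the username is spliced into the SQL text. The password is then
    verified against whatever row the query returns, so an attacker who can
    UNION in a row of their own choosing supplies both the salt and the hash."""
    sql = ("SELECT id, pw_salt, pw_hash FROM accounts "
           f"WHERE username = '{username}'")
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(stored, _hash_pw(password, salt)) else None


def login_fixed(conn, username: str, password: str):
    """Parameterised query: the username travels as data, never as SQL."""
    row = conn.execute(
        "SELECT id, pw_salt, pw_hash FROM accounts WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(stored, _hash_pw(password, salt)) else None


def forged_username(target_id: int, attacker_pw: str) -> str:
    """Payload sent in the username field: closes the string, UNIONs in a row
    for the victim's account id with an attacker-chosen salt and hash, and
    comments out the rest of the original query."""
    salt = b"\x00"
    forged = _hash_pw(attacker_pw, salt)
    return f"' UNION SELECT {target_id}, X'{salt.hex()}', X'{forged.hex()}' --"


def place_redelegation_order(conn, actor_id: int, domain: str, new_ns: str) -> bool:
    """Change a domain's delegation only if the acting account owns it. This
    binds every order to an owner, so a session on one account cannot
    re-delegate another customer's domain."""
    cur = conn.execute(
        "UPDATE domains SET nameservers = ? WHERE name = ? AND owner_id = ?",
        (new_ns, domain, actor_id),
    )
    conn.commit()
    return cur.rowcount == 1


def demo():
    conn = build_db()
    payload = forged_username(1, "attacker-chosen")
    hijacked = login_vulnerable(conn, payload, "attacker-chosen")  # alice's id, 1
    blocked = login_fixed(conn, payload, "attacker-chosen")        # None
    legit = login_fixed(conn, "alice", "correct horse")            # 1
    cross_tenant = place_redelegation_order(conn, 2, "alice.test", "ns.evil.test")  # False
    return hijacked, blocked, legit, cross_tenant


if __name__ == "__main__":
    print(demo())
```

The parameterised query is the fix for the injection; the owner check in `place_redelegation_order` is the separate control that limits what a compromised account can do, which matters because the attackers in this incident acted through customer accounts rather than through the registrar's own credentials.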

Software Taxonomy of Faults

Category Option Rationale
Recurring unknown (a) The software failure incident related to the DNS redirect attack affecting domain names registered by NetNames and its affiliate Ascio is specific to the organization itself. This incident was caused by unauthorized re-delegation orders placed through the provisioning system, which updated the master DNS servers' addresses, leading to legitimate web traffic being redirected to a hacker-controlled page. The attack was facilitated by a SQL injection to gain access to customer accounts [7836]. (b) There is no information in the provided article indicating that a similar incident has happened before or again at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The incident stemmed from a flaw introduced when the system was built: the provisioning system contained a SQL injection vulnerability that let attackers gain access to customer accounts and place unauthorized re-delegation orders, which updated the master DNS servers' addresses for the affected domains and redirected legitimate web traffic to a hacker-controlled page [7836]. (b) The failure manifested in operation: the altered delegations disrupted the affected sites until NetNames reversed the changes, disabled the accounts concerned and restored service to the impacted customers [7836].
Boundary (Internal/External) within_system (a) within_system: The contributing factor lay within the system. Although the attackers were external, the change that redirected traffic was made through NetNames' own provisioning system, using a SQL injection vulnerability in that system to reach customer accounts and place re-delegation orders for domains registered by NetNames and its affiliate Ascio [7836]. A weakness in the system's own security measures, not a failure of an outside dependency, enabled the unauthorized changes.
Nature (Human/Non-human) human_actions (a) The software failure incident resulted from deliberate human action: external attackers used a SQL injection attack to gain access to customer accounts and place unauthorized re-delegation orders through the provisioning system, redirecting legitimate web traffic to a hacker-controlled page [7836]. No hardware fault, environmental event or other non-human cause is reported.
Dimension (Hardware/Software) software (a) The incident in Article 7836 was a software failure, not a hardware one: a SQL injection vulnerability in the provisioning system let attackers gain access to customer accounts and place unauthorized re-delegation orders, which updated the master DNS servers' addresses for certain customer domains and redirected legitimate web traffic to a hacker-controlled page [7836]. (b) No hardware contributing factor is reported; the incident turned on the software security measures of the registrar's systems [7836].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident was malicious in nature. The incident involved a DNS redirect attack orchestrated by hackers who gained unauthorized access to customer accounts through a SQL injection attack. The attackers placed unauthorized re-delegation orders through the registries via the provisioning system, which updated the master DNS servers' addresses for certain customer domains. This resulted in legitimate web traffic being redirected to a hacker-controlled page branded TurkGuvenligi, indicating a deliberate attempt to harm the affected websites [7836].
Intent (Poor/Accidental Decisions) poor_decisions (a) The contributing factor traces to poor decisions in how the provisioning system handled untrusted input: queries that could be manipulated by SQL injection allowed attackers to gain access to customer accounts and place unauthorized re-delegation orders through the registries, redirecting legitimate web traffic to a hacker-controlled page [7836]. The article does not describe the specific development decisions behind the vulnerability. (b) There is no evidence of accidental decisions by NetNames or by the affected companies such as UPS, Vodafone and National Geographic; the redirection was the result of a deliberate attack on the registrar's system, not of a mistaken change made by the victims [7836].
Capability (Incompetence/Accidental) unknown (a) The article does not attribute the incident to development incompetence; it describes a deliberate cyber attack in which a SQL injection was used to gain unauthorized access to customer accounts and redirect legitimate web traffic to a hacker-controlled page [7836]. The presence of an injectable query points to a lapse during development, but the article gives no detail on how it arose. (b) The incident was not accidental: the redirect was the result of a targeted attack, not of an unintentional mistake during development or operation [7836].
Duration temporary (a) The software failure incident in this case was temporary. The incident involved a DNS redirect attack that affected a small number of customer domains registered by NetNames. The attack occurred on Sunday, and by Monday morning, most evidence of the redirect was gone. The affected sites were quickly fixed, and additional security measures were put in place by the registrar, NetNames [7836]. (b) The software failure incident was temporary as it was caused by unauthorized re-delegation orders placed through the provisioning system via a SQL injection attack. The illegal changes were reversed quickly to bring service back to the impacted customers, and the accounts concerned were disabled to prevent further access to the systems. The incident was not permanent as the systems were reviewed to ensure a secure service for customers [7836].
Behaviour omission, value, other (a) crash: The software failure incident did not involve a crash where the system loses state and does not perform any of its intended functions. The incident was related to a DNS redirect attack that affected the functionality of specific websites but did not result in a complete system crash [7836]. (b) omission: The incident could be categorized as an omission failure as the system omitted to perform its intended functions correctly at the instance of the attack. The unauthorized changes made through a SQL injection attack led to the redirection of legitimate web traffic to a hacker-controlled page, causing the affected websites to omit their normal functions [7836]. (c) timing: The incident was not primarily a timing failure where the system performed its intended functions but at the wrong time. Instead, it was more focused on the unauthorized redirection of web traffic due to the DNS redirect attack [7836]. (d) value: The software failure incident can be classified as a value failure as the system performed its intended functions incorrectly. The unauthorized changes made to the DNS servers resulted in the incorrect redirection of web traffic to a hacker-controlled page, impacting the normal functioning of the affected websites [7836]. (e) byzantine: The incident did not exhibit a byzantine failure where the system behaved erroneously with inconsistent responses and interactions. The primary issue was the unauthorized redirection of web traffic through DNS manipulation, leading to the affected websites displaying a hacker-controlled page [7836]. (f) other: The behavior of the software failure incident could be categorized as a security breach or a cyber attack. The incident involved a targeted attack on the DNS system, resulting in the unauthorized redirection of web traffic to a hacker-controlled page. This behavior goes beyond typical software failures and falls into the realm of cybersecurity incidents [7836].
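
Detection logic for the value failure described above (delegation records that no longer point where the customer set them), as an added example that is not code from the article or from NetNames: a small monitor that parses dig-style NS and glue records, diffs an observed snapshot against a stored baseline, and flags nameservers that resolve outside the registrar's expected address ranges. The snapshots, zone name, hostnames and addresses are constructed for the demo and are not the real records of any company named in the article.

```python
import ipaddress
import re

# Constructed sample snapshots (placeholders, not the records of any company in
# the article): dig-style answer lines for a zone's NS set plus the A records
# of those nameservers, captured before and after a change.
BASELINE = """
acme.test.           86400 IN NS ns1.registrar.test.
acme.test.           86400 IN NS ns2.registrar.test.
ns1.registrar.test.   3600 IN A  198.51.100.10
ns2.registrar.test.   3600 IN A  198.51.100.11
"""

# The NS set itself was replaced, as in an unauthorised re-delegation.
REDELEGATED = """
acme.test.           86400 IN NS ns1.evil.test.
acme.test.           86400 IN NS ns2.evil.test.
ns1.evil.test.        3600 IN A  203.0.113.66
ns2.evil.test.        3600 IN A  203.0.113.67
"""

# Subtler: the NS names are unchanged but one of them now resolves elsewhere.
GLUE_CHANGED = """
acme.test.           86400 IN NS ns1.registrar.test.
acme.test.           86400 IN NS ns2.registrar.test.
ns1.registrar.test.   3600 IN A  203.0.113.66
ns2.registrar.test.   3600 IN A  198.51.100.11
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_snapshot(text):
    """Parse answer lines into {owner: {rtype: set(rdata)}}. Names are
    lower-cased with the trailing dot removed so comparisons are stable."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        owner, rtype, rdata = m.groups()
        owner = owner.lower().rstrip(".")
        if rtype == "NS":
            rdata = rdata.lower().rstrip(".")
        records.setdefault(owner, {}).setdefault(rtype, set()).add(rdata)
    return records


def delegation_view(records, zone):
    """Map each nameserver of `zone` to the frozenset of addresses it resolves to."""
    zone = zone.lower().rstrip(".")
    view = {}
    for ns in records.get(zone, {}).get("NS", set()):
        rrs = records.get(ns, {})
        view[ns] = frozenset(rrs.get("A", set()) | rrs.get("AAAA", set()))
    return view


def detect_drift(baseline_text, observed_text, zone):
    """Return findings as tuples; an empty list means the delegation is unchanged."""
    base = delegation_view(parse_snapshot(baseline_text), zone)
    obs = delegation_view(parse_snapshot(observed_text), zone)
    findings = []
    for ns in sorted(set(obs) - set(base)):
        findings.append(("ns_added", ns, sorted(obs[ns])))
    for ns in sorted(set(base) - set(obs)):
        findings.append(("ns_removed", ns))
    for ns in sorted(set(base) & set(obs)):
        if base[ns] != obs[ns]:
            findings.append(("addr_changed", ns, sorted(base[ns]), sorted(obs[ns])))
    return findings


def nameservers_outside(view, allowed_cidrs):
    """Nameservers with any address outside the allowed networks, or with no
    address at all (a delegation to a name that does not resolve is also a
    sign of trouble). Useful even when no baseline exists yet."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for ns, addrs in view.items():
        if not addrs or any(
            not any(ipaddress.ip_address(a) in n for n in nets) for a in addrs
        ):
            bad.append(ns)
    return sorted(bad)


if __name__ == "__main__":
    for label, snap in [("redelegated", REDELEGATED), ("glue changed", GLUE_CHANGED)]:
        print(label, detect_drift(BASELINE, snap, "acme.test"))
        view = delegation_view(parse_snapshot(snap), "acme.test")
        print("  outside registrar range:", nameservers_outside(view, ["198.51.100.0/24"]))
```

Polling the parent zone's delegation (rather than the registrar's own database) is the point of this check: it observes what resolvers actually see, so it catches a re-delegation regardless of which account or path was used to order it.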

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human (d) property: Customers' web presence, that is their data and online services, was impacted. The attack on the domain name registrar redirected traffic for some customers' sites to a web page controlled by hackers. While the sites themselves were not hacked, the unauthorized redirection made them unreachable for users: the UPS website was inaccessible for a period of time, Vodafone said DNS entries were altered for a short period so that some web users were redirected, and National Geographic reported that visitors to its website were redirected to an outside website, which was quickly fixed with the help of officials. The SQL injection attack also gave the hackers access to customer accounts, which is how the DNS servers responsible for serving data for the affected domains came to be changed [7836]. (non-human) The directly affected assets were domains, DNS records and websites; Vodafone stated that customer information was secure and the content of the site was not affected, and no harm to people is reported [7836].
Domain information, transportation, sales, manufacturing, knowledge, entertainment (a) The information industry was affected: media and communications companies such as The Telegraph, The Register, Vodafone and National Geographic had their websites redirected by the DNS attack [7836]. (b) The transportation industry was affected: UPS, a transportation company, had its website inaccessible for a period of time because of the DNS redirect [7836]. (c) The natural resources industry was not affected. (d) The sales industry was indirectly affected, since customer-facing corporate websites such as Vodafone's had their DNS entries altered so that web users were redirected [7836]. (e) The construction industry was not affected. (f) The manufacturing industry was affected through Acer, a computer manufacturer whose website was hit by the DNS redirect attack [7836]. (g) The utilities industry was not affected. (h) The finance industry was not affected; Vodafone is a telecommunications company, not a financial one, and no financial institution is named in the article [7836]. (i) The knowledge industry was affected through National Geographic, whose informational website was redirected [7836]. (j) The health industry was not affected. (k) The entertainment industry was indirectly affected through National Geographic's media website [7836]. (l) The government industry was not affected; the article names no government websites among the victims [7836].
(m) No industry outside the options provided was involved.

Sources
