You can count on Cloudmark to bring together the latest trends, insights, and conversations about network traffic abuse. Visit often to stay up to speed on email, mobile, web, and DNS security threats.
Documents revealed by several lawsuits involving Acquinity Interactive and its predecessor, ModernAd Media, give an unusually detailed view into the finances of a spammer. At its peak, Acquinity generated approximately $147 million in revenue per year,1 an income of $17 million, 2 and claimed to employ six hundred people. 3 The president of Acquinity, Garry Jonas, had a flamboyant lifestyle. He owned a $2,300,000 waterfront condo in Boca Raton, Florida 4 and went into partnership as a boxing promoter with former heavyweight champion Mike Tyson. 5 However, Acquinity, Jonas, and three of Acquinity’s four largest customers all fell afoul of the law for various illegal or deceptive business practices. 6
This operation was not a single corporation, but a complex web of related corporations and individuals working in concert on various legal and illegal Internet marketing schemes. In fact, there was not even a single entity called Acquinity, but two: Acquinity Interactive, LLC, a Florida limited liability company and 7657030 Canada, Inc., a Canadian corporation that was also doing business as Acquinity Interactive in the lawsuit that brought down this operation, the FTC grouped these two corporations, along with Garry Jonas, the President of Acquinity Interactive, LLC, and three other individuals (Scott Modist, Joshua Greenberg, and Gregory Van Horn) collectively as the Acquinity Defendants 7 Modist and Greenberg were later dropped from the case. 8
7657030 Canada was registered in September of 2010, with Garry Jonas listed as the sole director. 9 However, the story goes back further than that. Jonas, Van Horn and Modist were previously executives of ModernAd Media, LLC, 10 a Florida Corporation registered in May, 2008. 11 Jonas was the CEO, and Warren Rustin, an old high school friend of his, was President. 12 It did not take long for ModernAd Media to get into trouble with the law. In May of 2010 they were fined $2.9 million by the Florida Attorney General bring charges for violations of the CAN-SPAM law. 13 As part of the settlement, ModernAd Media signed an Assurance of Voluntary Compliance (AVC) regulating its future business practices. 14 It’s clear from the AVC that the attorney general’s office wished to prevent ModernAd Media from offering ‘free’ goods that in fact came with a lot of strings attached.
The AVC was only binding for ModernAd Media and not the individuals involved. Perhaps this is the reason that in December 2010 Rustin announced that he had:
…recently sold certain assets of ModernAd Media to a group of ModernAd executives that includes our former CEO Gary Jonas, Greg Van Horn and Josh Greenberg. They have formed an Internet marketing company named Acquinity Interactive… 15
In fact, it appears as if all the assets were transferred to Acquinity, including approximately $10 million in accounts receivable, and customers accounting for approximately $120 million in annual revenue, 16 which one disgruntled creditor described as the “fire sale price” of $2,682,783.00. 17 Acquinity took over ModernAd Media’s operations on January 1st, 2011, operating out of the same address at 2200 SW 10th Street, Deerfield Beach, Florida. 18
One of the assets transferred from MobileAd Media to Acquinity appears to have been their list of consumer email addresses. Both companies practiced “co-registration”, which is a process of collecting an email address purportedly for one purpose while incidentally signing that email address up for additional marketing messages. 19 Acquinity claimed to have a list of 80,000,000 email addresses with 150,000 new registrations per day and offered to rent their list for unlimited use to other email marketers. 20 Acquinity’s aggressive registration and email marketing policies meant that spam filters stopped many of their emails. 21 By using a variety of techniques for avoiding filters, they were able to get enough emails delivered to make some income from legitimate advertising affiliate programs. However, some of their largest clients were less legitimate.
A court case brought by a creditor of ModernAd media resulted in disclosure of Acquinity’s earnings by customer and year for a three-year period. 22 Here are Acquinity’s top four sources of income.
|Client||2011||2013 Jan-Nov||2013 Jan-Nov||TOTAL|
|One Technologies, L.P.||$8,397,392||$8,110,505||$4,809,919||$21,317,816|
Frontline Direct is a legitimate affiliate marketing program.
According to an FTC press release from November 2014, One Technologies, L.P. operated:
…an online scheme that allegedly lured consumers with “free” access to their credit scores and then billed them a recurring fee of $29.95 per month for a credit monitoring program they never ordered. 23
One Technologies generated $21 million in revenue for Acquinity over three years.
Polling Associates is a corporation with a mailing address in the tiny Caribbean country Saint Kitts and Nevis. 24 Along with its operators, Burton Katz and Jonathan Smyth, it was included in the FTC’s Amended Complaint against Acquinity. 25 According to the FTC, they worked with Acquinity to trick mobile phone users into signing up for services that resulted in unauthorized charges on their phone bill, 26 a process known as phone “cramming”. There is evidence to suggest that Garry Jonas may have been behind this scheme. According to testimony on phone cramming delivered to the Senate Committee on Commerce, Science and Transportation in 2011:
MORE [International] explained that Gary [sic] Jonas and Jeff McKay, the owners of ModernAd Media and The Payment People, respectively, “directed the formation” of the third-party vendors and “identified individuals to serve as presidents.” 27 Like third-party vendors related to daData and MySnS, these third-party vendors were also one common enterprise… Committee staff has found ample evidence suggesting that the third-party vendors related to daData, MySnS, and MORE International were nothing more than “front companies” for larger “hub companies.” Committee staff found third-party vendors operating out of mailboxes in UPS Stores, Post Office boxes, fake offices, and residences, with “presidents” that knew nothing about the companies they were supposedly leading. 28
Polling Associates generated $20 million in revenue for Acquinity over three years. In addition, a company called W Media generated $7 million in revenue for Acquinity in two years with no apparent assets other than a PO Box in New Jersey, 29 so this may have been another front company.
Ecom Interactive owned Zbiddy.com, 30 a “penny auction” site. Penny auctions claim to auction goods at far less than retail prices. However, the bidders pay a fee for each unsuccessful bid, netting the seller a large profit. 31 The Better Business Bureau called penny auctions one of the top ten scams of 2011. 32 Users of Zbiddy also complained of overbilling and poor quality goods. 33 The BBB gives Zbiddy an F rating, citing 618 complaints filed and the fact that “Business has failed to resolve underlying cause(s) of a pattern of complaints.” 34 It appears that Acquinity owned a significant interest in Ecom Interactive/Zbiddy. Coincidentally, Zibddy operated out of the same address in Deerfield, Florida 35 as Acquinity and ModernAd Media, and is listed as a “Non-includable US Entity” on Acquinity’s 2011 tax return. 36 A blog comment from someone claiming to be a former employee confirms that Garry Jonas was one of the principal operators of Zbiddy.com. 37 In January 2013, following an investigation by the Florida Attorney General’s Office, Ecom Interactive signed an Assurance of Voluntary Compliance prohibiting overbilling, shill bidding and other bad practices. 38 Zbiddy generated $19.6 million in revenue for Acquinity over three years.
In the end, it was the same scam that ModernAd Media operated that brought Acquinity down — offering “free” gift cards and consumer goods that never actually turned up. In July 2013 the FTC filed suit against Acquinity and others for sending spam SMS messages. 39 According to the FTC’s press release:
Consumers who clicked on the links in the messages found themselves caught in a confusing and elaborate process that required them to provide sensitive personal information, apply for credit or pay to subscribe to services to get the supposedly “free” cards. In addition, consumers’ phone numbers were signed up to receive unwanted automated telemarketing calls, also known as robocalls. 40
According to a former Acquinity employee posting on Glassdoor.com:
The calls themselves were pitiful because we’re taking inbound calls for people claiming a gift basket when all they’re doing is eventually getting looped into buying something. We had to “review” a supposed online survey they took which asked way too much psychographic information bordering on intrusive. The key question that made the difference was asking if the caller had a credit card, bank debit card, both or neither. If they had both and not a prepaid card, you’re forced to pitch a 14 day trial for $3.95 and get the credit card info on the spot while fighting objections. 41
The FTC’s initial complaint requested a temporary injunction freezing the assets of Acquinity and the other defendants, and appointing a receiver in order to “…avert the likelihood of consumer injury during the pendency of this action.” 42 This appears to have effectively put Acquinity out of business. Moreover, their earnings for 2013 were less that half those of 2012. 43 The case settled in October 2014, upon which the Acquinity defendants were required to pay a $7.8 million fine, refrain from spamming and cease other illegitimate marketing practices. Further, they were required to make regular reports to the FTC on all their business activities. To ensure payment of the fine, the FTC placed a lien on Jonas’s condo and obtained rights to assets owned by Kare Pharmacy, another business associated with Acquinity. 44
Jonas’s star continues to fall since the settlement. In December 2014, it was announced that the boxing promotion company that he founded with Mike Tyson was breaking up. 45 Perhaps his brand is so tarnished that even Mike Tyson does not want to do business with him.
On July 1st of last year, a stringent anti-spam law, Canada’s Anti-Spam Law (CASL), went into effect 46 We took a look to see what impact this had on Canadian email activity. 47 Our most significant findings were:
Let’s look at those results in detail.
Spam is an international phenomenon, but the US is both one of the biggest sources and the biggest targets for spammers. It’s not a surprise, then, that 53 of spam that is sent from Canada goes to the US. However, the amount of spam outbound from Canada went down noticeably when CASL was implemented.
Though there is volatility from month to month, the total volume of spam originating in Canada every month since CASL was implemented had been lower than the lowest month before the law went into effect. The average monthly spam volume decreased by 37% and there was a dramatic drop in email received by Canadians following the implementation of CASL.
The monthly average volume for all email received by Cloudmark customers in Canada went down by 29 to 16.6%.
Why did CASL have such an impact on legitimate email? Most likely because it enforces far more stringent requirements for obtaining consent for marketing emails. Practices for adding a consumer email address to a mailing list that would be acceptable under the US CAN-SPAM legislation do not satisfy the level of affirmative consent required by CASL. While CASL has been ineffective in preventing the professional spammers promoting bootleg pharmaceuticals, diet pills and adult services, it has stopped unscrupulous email marketers from growing their mailing lists by co-marketing or easy-to-miss opt out checkboxes.
CASL has even had an impact on some US spammers. We frequently see affiliate spam these days which contains the warning, “This message is not intended for Canadian citizens.”
Generally the news is good this quarter. Worldwide we have seen widespread action to clean up spam sending systems resulting in a 13% decrease in the number of IPv4 addresses blacklisted by Cloudmark. The US remains the country with the most blocked IP addresses, but in the past three months, it too has seen a reversal of the increasing trend that dominated the previous two years. Let’s hope that is sustained.
Romania, for a long time a major source of spam, continues to show dramatic improvement. Between November 2012 and April 2014, Cloudmark was blocking between 20 of Romania’s entire IP address space. This is now down to 6.2%. While this is still high, it does represent significant progress in the past year. Romania is now in fifth place in terms of the absolute number of IP addresses blocked, after the US, China, Germany, and Russia.
Another dramatic improvement recently has been in Panama. Though Panama has a relatively low number of IP addresses in absolute terms, until January of this year Cloudmark was regularly blocking more than 10 of Panama’s IP addresses. This highlights the importance of outbound spam filtering to preserve IP address reputation.
In terms of the percentage of IP addresses blocked, a relatively new arrival has taken the top spot. 48 Saudi Arabia now has 6.4% of their total address space blocked.
This is largely due to a single ISP, Saudinet, which is the largest in the region. It appears to be the result of widespread botnet infections and compromised accounts rather than the situation in Romania and Panama where resources were purchased by spammers. In Saudi Arabia, we saw a decline in the figures for March 2015, so hopefully Saudinet is getting a handle on their users’ malware problem.
Every day, thousands of computers are infected with a particularly nefarious form of malware called “ransomware”. This malware encrypts all the user’s data and personal files, and will not decrypt them until the victim pays a ransom, usually in bitcoins. Hundreds of times a day, owners feel they have no alternative but to submit to this extortion. 49 Usually this is because it is critical data needed for work and the most recent backup may be out of date. Rather than lose days of work recreating the encrypted files, it is easier just to pay up. However, the victim may still lose days of work before the data is recovered because of the time required to obtain the bitcoins necessary to pay the ransom. In this article we look at the best way to obtain bitcoins in order to recover irreplaceable data as quickly as possible.
Paying ransom should be regarded as a last resort. It sends money directly to cyber criminals and thus encourages more criminal activity. It is far better to follow best practices to reduce the risk of infection, and allow easy recovery from backups in the event that you do get infected. However, not every consumer or enterprise follows best practices, and even law enforcement has fallen victim to ransomware. One local police department in Swansea, Massachusetts was forced to pay ransom when a computer containing police reports and booking photos was infected. 50
There are several public exchanges that sell bitcoins, so it might seem that it would be easy to simply go to one and make a purchase on the Internet, as you would for any other goods or service. However, bitcoin transactions are irreversible and untraceable, so instant bitcoin purchases would provide an easy way for criminals to cash out stolen credit cards or bank account credentials. Further, the exchanges have responded to the threat of fraud by stringent identity checks, low purchase limits, and high transaction costs. The typical ransom is two bitcoins, so we set out to purchase two bitcoins as quickly as possible to ascertain the challenges a user may encounter. We were not particularly successful, but at the end of a week we had a clear idea of what we should have done. 51
For same day purchases we found that Coin.Mx offered the best solution. This allows credit card purchases up to $500 after a validation process that, in addition to the usual identity checks, requires the purchaser to make a video showing their face, a government issued ID and both sides of the credit card used to make the purchase. Though it might be possible to cheat this process with a fake ID and stolen credit card, at least they would be able to share your picture with law enforcement if necessary. Initially the credit card company blocked the purchase transaction as suspicious and it took a phone call to get approval.
Coin.Mx offers a poor exchange rate and charges a hefty premium for credit card use. As a result, our $500 only purchased about 1.57 bitcoins, which was not enough to pay the ransom. The easiest way to deal with this is to ask a second person to sign up to Coin.Mx and pool resources to come up with the two bitcoins plus a little extra for the 0.001 bitcoin transaction fees that Coin.Mx charges. Alternatively, Coin.Mx will increase your purchase limits if you arrange a conference call with your bank.
If you have more time to spend, you may get better exchange rate from Coinbase.com. Once you have validated a bank account and credit card with them you can also make instant purchases, but this is limited to $100, which came to 0.37 bitcoins. (Adding that to the Coin.Mx instant purchase gave us a total of 1.94 bitcoins, frustratingly just short of the 2.00 bitcoin target.) You can however purchase bitcoins by bank transfer if you are prepared to wait several business days for the transaction to clear.
There are also websites that will broker instant purchases of bitcoins from people in your physical vicinity by arranging to meet in person and exchange bitcoins for cash. Even in a high tech region such as San Francisco we found that these meetings had a very high no-show rate. Further, we cannot recommend this approach unless you absolutely need to make your purchase without an audit trail.
Best Practices for Avoiding Ransomware:
Many countries continue to see SMS campaigns similar to those of 2014’s latter months. However, gambling ads aimed at U.K. SMS inboxes have jumped by over 350% during the first quarter of 2015.
Payday loan and accident compensation spam still remain the most popular forms of mobile messages reported by U.K. subscribers with 34 and 27 percent, respectively, of reports this quarter. The third highest form comes from mobile and online gambling sites and the affiliates advertising for them. This category has perennially been of low volume, accounting for only four percent of all reported U.K. mobile messages in 2014. These gambling site ads have risen from 5 in March.
Interestingly, it appears that this surge in March was due in large part to a single affiliate spammer (or small group coordinating the campaign.) Online gambling in Great Britain is a very big and legitimate business. One such online gambling company is BGO Entertainment.
BGO has quite the marketing budget, bringing in the likes of movie star Verne Troyer and Twitter star Dan Bilzerian for their most recent $15 million series of video ads. 52 BGO also uses affiliates to drive traffic to their site. Through their BGO Buddies program, affiliates are guaranteed a portion of revenue generated from customers the affiliate refers to BGO’s online casinos. Gambling affiliate programs are sophisticated and numerous enough that an entire ecosystem has developed around online casino affiliate programs. In October of last year, BGO partnered with affiliate marketing platform provider Income Access to provide BGO Buddy affiliates with easy-to-use geo, time-of-day, browser and other forms of highly targeted advertising. 53 However, BGO re-launched this program at the end of February following a move to Income Access’s acquisition platform.
“We’re looking forward to being able to provide our affiliate partners with improved tracking functionality on both desktop and mobile devices, and also giving them a greater level of reporting, enabling them to optimise their campaigns more comprehensively,”- Allan Turner, Head of Performance at BGO Entertainment
Also of interest, the day of this re-launch, February 26, coincides perfectly with a sudden and drastic flood of unsolicited marketing messages hitting U.K. mobile subscribers 54. An example of the messages sent is shown below.
It’s apparent from reports to the U.K. Spam Reporting Service that at least one affiliate was excited by BGO’s new offerings and possible revenue. Rather than the typical mass marketing path of email and website ads, this affiliate took to blasting via SMS. At its peaks, this campaign was accounting for 15 to 25 percent of all reported mobile messages in the U.K. each day. Just a few weeks later in mid-March, this campaign almost disappeared.
Each message’s formulaic nature even across campaigns makes it apparent that these were from the same source. The timing of these campaigns, while possibly coincidental, also suggests that it was not just multiple, unrelated affiliates or companies using the same messaging platform. These attempts continued through the few remaining weeks of the quarter, perching casino ad campaign volumes at 10 percent of all U.K mobile reports.
Customer-premises equipment also known as customer-provided equipment (CPE) has been the target of security research for some years now. These devices include routers, DSL/cable integrated networking adapters and Internet gateways that sit on the customer’s premises and allow connections to the various telecommunication media. Unfortunately, these ubiquitous devices are increasingly becoming a core problem for both consumer and Internet security.
A plethora of low hanging fruits exist in the form of vulnerabilities in CPE that make for a both an easy and effective target. One of the easiest attacks consists of scanning the Internet for devices still configured with their default login credentials. Many of these devices come out of the box with a predefined user name and password that can be found easily on various websites, given the make or model. Alternatively, a list of these default passwords makes brute-force guessing the login to many devices a trivial exercise. Various tools and sites such as SHODAN exist for easily discovering and scanning Internet-facing devices. The ability to find these vulnerable devices in a simple way allows for malicious mass login attempts using default credentials. Security researcher Kyle Lovett estimates that roughly 25 to 80 million of CPE devices in small and home offices are still configured with default credentials that leave them vulnerable. 55
Just as default credentials have been around for ages, serious flaws in the basic firmware in many of these devices have been published publicly for years. Unfortunately, once installed, CPE devices are rarely updated with firmware patches so they tend to remain vulnerable even if a fix is available from the manufacturer. Over a million ADSL routers issued by 14 vendors were found to have outdated firmware from 2007. This firmware is known to have various critical vulnerabilities that can grant any attacker full control over the device.
One such example of a known flaw that persists to this day is known as “directory traversal.” This vulnerability allows anyone, even the unauthenticated, to probe the device for information about how it is configured. This includes an encrypted hash of the admin credentials that is often times too weak to prevent hackers from decrypting it. Discovered as far back as 2011, this vulnerability is still seen in unpatched firmware to this day. The flawed and unpatched firmware responsible seen by Lovett was being still used on at least 700,000 ADSL routers given to customers around the world by their ISPs.
Another innocuous preset that leaves many endpoints vulnerable to compromise is due to the issuing ISP. Many ISPs configure their consumer devices to enable and accept remote management by default for support purposes. However, nearly 60 percent of the ADSLs scanned by Lovett were easy-to-compromise devices that had hidden support accounts with the same easily guessable password.
These issues tend to have a larger impact on developing telecommunication markets due to the difficulty of meeting the demand of rapid growth. Security and up-to-date firmware are rarely, if ever, a profit driving focus in a market that already struggles with slim margins. These poorly secured CPE devices were found in Colombia, India, Argentina, Thailand, Moldova, Iran, Peru, Chile, Egypt, China and Italy according to Lovett. Others in countries such as the U.S. appear to be off-the-shelf routers purchased by consumers rather than distributed by the ISP. 56
Automatic updates similar to desktop operating systems may seem like an easy solution, but these services could bring more issues. Currently, many ISPs remotely reconfigure and upgrade the software on home routers using a protocol called TR-069. Shahar Tal, a security researcher, did some digging on this protocol and found that less than 20 percent of the deployed endpoints found used SSL and many failed to properly verify certificates. 57 On the ISPs side, the management servers responsible for issuing the commands via TR-069 were not much better. Shahar Tal found remote code execution vulnerabilities within days of analyzing two open source offerings, while a widely adopted commercial version was vulnerable to SQL injection attacks.
Compromised devices are often used for three purposes: DNS redirection, finding more easy-to-compromise devices, and distributed denial of service (DDoS) attacks.
By controlling the victim’s DNS settings, attackers can redirect or even hijack portions of their Internet traffic. For example, an attacker could redirect URLs to any IP they wanted to serve malware or ads, inject ads into other sites, poison search results such as how to remove said compromises, or man-in-the-middle traffic to hijack a log in. Also, these are not limited to a certain operating system or desktop machines. For example, a mobile phone, tablet, or any other device connected to a compromised router is just as vulnerable to having it’s traffic redirected or hijacked.
Compromised routers are also used for more than just redirecting the victim’s computer traffic to malicious sites. Often times these routers are setup as zombie members of botnets that remotely control the routers’ actions via central Command and Control servers (CnCs.) This centralized control is then often times used to dole out targets for the compromised routers to scan for vulnerabilities. Thus, these hacked routers give attackers a vast number of free resources with which to find and compromise even more poorly secured devices — compounding the problem. Since the devices are owned by legitimate users who are spread across the world, blocking or fixing the compromised routers is difficult.
It’s also common for the wranglers of these botnets to use this large, geographically diverse set of hacked routers to launch DDoS attacks against targets on the web. Currently, a very famous example of this is that of Lizard Squad using a botnet of home routers to carry out attacks on Microsoft’s Xbox Live and Sony’s Playstation Network, among other targets.
Lizard Squad’s DDoS service, LizardStresser, coordinates and controls compromised routers 58 in mass to use SYN floods, UDP floods, DNS amplification via open resolvers, or a combination of these to cripple their chosen targets. Hacked CPE devices can also be configured to function as recursive open DNS resolvers, as well — thus allowing the botmasters to create their own functionality for amplification attacks from scratch. The malware used to control the compromised devices can infect various versions and flavors of Linux, MIPS, SPARC-servers and other devices such as routers. This gives the group a wide variety of choices for what can be viable to compromise when searching for weakly secured CPE devices. Unfortunately, these security problems still impact those with secure CPE devices. Lizard Squad now offers this service for just $5.99 a month to knock targets offline for 100 seconds.
Avoiding and preventing these types of issues is a multifaceted problem that requires better scrutiny of the device manufacturers, the router vendors, and ISPs delivering these devices to households. This list of flaws stem from each of the various points in this chain making the solution less than straightforward. However, it’s clear that there should be a robust and secure way to push firmware updates to these devices, and that any device that does not support this should come with an expiry date, because vulnerabilities will almost certainly be found within a year or two of shipping.
The Domain Name System (DNS) was originally defined as a hierarchical directory-like system intended to provide human-readable host name to IP resolution services in a manner that supports distributed delegation of sub-nodes. This distributed service evolved quickly and became critical to the functioning of many systems connected to the Internet. The core protocol was defined with implied trust from upper levels of the directory and relies on a process of referrals for lookups.
An added DNS security layer has been a long-standing desire, to improve the level of trust that clients could place in DNS responses. A controversial fix was developed in 1994 under the name DNS Security Extensions (DNSSEC). DNSSEC enabled resolvers to validate each response received in the DNS tree by cryptographically verifying keys published from the top level of the directory and down. Due to its complexity and debatable value, discussion around the solution dissipated. Debate around the deployment of DNSSEC was reignited in 2008 when researcher Dan Kaminsky discovered a potent flaw that allowed attackers to poison the results from vulnerable DNS servers. 59
Through a series of new DNS record types and a cryptographic validation process, DNSSEC enables authentication of DNS responses from the top DNS directory hierarchy down to the end DNS node, and is intended to provide the DNS client with assurance that the DNS response received from a domain name server was not manipulated by a third party in transit. By cryptographically validating each DNS response, the recursive resolver can significantly reduce the possibility that a MITM attempting a cache poisoning attack can successfully return a modified DNS result which the recursive resolver would then store in its cache, preventing malicious traffic redirection for the period of time that the entry would have been otherwise cached.
From the end user perspective, the use of DNSSEC should be imperceptible. The DNSSEC protocol was designed to be backwards compatible with the legacy DNS protocol to enable a smooth transition for legacy systems leveraging DNS. DNS stub resolvers who wish to leverage DNSSEC issue DNS requests with a specific flag set, requesting that the recursive resolver carry our DNSSEC validation of any returned results for a given resource. Only in the case that DNSSEC validation fails, due to misconfiguration or operational issue for a given domain, will the user see an difference in behavior. In the case that a non-DNSSEC aware client initiated the query, they would receive results regardless of the DNSSEC problem. In contrast, DNSSEC-aware clients would likely receive a DNS error and no results from their lookup. 60
One of the major roadblocks facing DNSSEC’s widespread adoption is the difficulty of deployment and management. Several base-level requirements must first be met:
Regarding the first requirement, each domain’s TLD zone must be signed and that domain’s signing record zone must be added to the “.” (root) zone. As of March 2015, only 79 percent of all TLDs and ccTLDs support DNSSEC.
In order for a domain’s DS key to be added to the root zone for the domain’s TLD, the domain registrar must support a mechanism for the configuration of DS records within their management tools and they must be able to communicate these DS records to your domain’s top-level domain.
Thirdly, the various tools and processes for signing zones are challenging to understand and are missing the needed automation frameworks for zone management and re-signing, leading to added administrative overhead. Signed zones also need to be re-signed after every update and on an ongoing short interval basis. These signing events can be especially problematic for zones with a large volume of entries as these zones may require a long time to sign.
Once launched, other issues come into play as well. When the DNSSEC signing process breaks anywhere within the DNS hierarchy, signed domains can effectively appear to be “knocked offline” from the client perspective until the problem is first fixed and then standing TTLs expire on remote DNS servers. Even those well versed in the technology have had hiccups. OpenDNSSEC, an open-source project aimed at creating a turn-key solution for using DNSSEC, has had management difficulties with their DNSSEC records. On January 25th, opendnssec.org suffered from a 12-hour outage due to allowing the domain’s RRSIGs to expire. 61
The load on both the authoritative and recursive resolver DNS infrastructure increases with DNSSEC and may require that network operators deploy more DNS infrastructure in order to support the functionality and the added transaction time can be perceptible to the end user. 62 Further, DNSSEC validation requires additional processing power on DNS resolvers to validate records via public key cryptography. DNS query response sizes will increase, as DNSSEC-compliant client queries will result in three to four times the current query response count, with the addition of DNSKEY, RRSIG and DS records. The volume of data in query responses will also increase significantly. One reason for this is because the RRSIG record that provides signing information for every DNS record is typically much larger than the standard record. For example, the MX query response for Comcast is six times smaller with DNSSEC disabled:
$ dig MX comcast.net … ;; MSG SIZE rcvd: 394
Example MX query response with DNSSEC enabled returns 2457 bytes:
$ dig MX comcast.net +dnssec … ;; MSG SIZE rcvd: 2457
Lastly, some DNS concepts are not compatible with DNSSEC. Wildcard records are not supported, so the signed record for “*.example.com” would not be able to be DNSSEC-authenticated when “www.example.com” is queried.
Beyond the issues of deploying and maintaining DNSSEC, concerns have also arisen that it may in some cases enable new attacks or reduce security.
For instance, the large DNS responses associated with DNSSEC enables abuse via DNS amplification or reflection attacks. By design, DNS leverages the connectionless UDP protocol and this enables source address spoofing of specifically crafted DNS requests that are known to return very large DNS responses. The ratio of response data size to the original request data size can be upwards of 50 to one. By leveraging this spoofing technique, an attacker can leverage a large network of openly accessible DNS resolvers and very limited source bandwidth to generate a flood of DNS responses at their intended target, overwhelming the target system and the target’s network provider with 100’s of gigabits of traffic per second.
By design, DNSSEC asserts the existence of a record in addition to the non-existence of records. Between real record entries are swathes of non-existent entries DNSSEC must assert as not existing of via a special DNS record type, “Next Secure” (NSEC). The purpose of NSEC records is to disclose what the next signed entry in a zone file is so that all other records in between one record and the next can be declared non-existent. This DNSSEC characteristic allows an attacker to quickly compile the full list of existing DNS entries in a zone, enabling enumeration of the various systems specified within a given zone file.
Previously, the ability to view complete zone files was gated by obscurity. The contents of a zone would need to be generated via automated guesswork. The NSEC records are an easy way to find targets for the delivery of email spam and for planning future network attacks. The NSEC3 record provides a partial solution to this by only supplying hashed responses for validating the next domain name, but deploying NSEC3-compatible zones comes with the downside of additional management overhead. 63
Whether domain owners believe DNSSEC is worthwhile or a waste of time it has yet to reach widespread adoption. This is especially apparent when looking at the number of DNSSEC-signed domains in the top TLDs. The adoption of DNSSEC by domains registered within these top TLDs remains extremely low. 64
Certain new and proposed Internet protocol standards seek to leverage the DNSSEC chain of validation model to enhance network service security such as DNS-Based Authentication of Named Entities (DANE). 65 DANE aims to improve the security of various network services by enabling service owners to specify that a) a service should always be connected to via TLS and b) that a specific CA or end entity certificate should be expected when making a connection. DANE seeks to deemphasize the need for public certificate authorities (CA) that are intended in the pre-DANE world to be equally trustworthy and able to generate certificates for any host name. In practice, this utopian view of universal CA trustworthiness is fraught with frequent examples of errors and abuse, 66, 67 and this is something that DANE has the capability to improve upon. For example, a proposed standard that leverages DANE for the Simple Mail Transfer Protocol (SMTP) seeks to extend DANE validation for SMTP client to SMTP server connections, 68 closing several longstanding loopholes that could prevent secure email delivery.
The jury is still out on whether DNSSEC will ever reach broad adoption. Early adopters have typically been governmental organizations and financial institutions, along with specific regional pockets of network operator enthusiasm. However, some of the world’s largest network operators have so far found DNSSEC deployment and management to be too onerous to undertake. A mix of new potential uses, the known deployment challenges, and continued questions regarding the security and utility of DNSSEC will factor in to the potential deployment plans of network managers.
Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world's inboxes from wide-scale and targeted email threats.
With more than a decade of experience protecting the world's largest messaging environments, only Cloudmark combines global threat intelligence from a billion subscribers with local behavioral context tracking to deliver instant and predictive defense against data theft and security breaches that result in financial loss and damage to brand and reputation.
Cloudmark protects more than 120 tier-one service providers, including Verizon, Swisscom, Comcast, Cox and NTT, as well as tens of thousands of enterprises.