What is a DNS attack?
What happened to the New York Times website?
On Tuesday afternoon (Aug. 27), the New York Times' website became inaccessible, and was spotty much of Wednesday (Aug. 28). How could one of the biggest media companies in the world go down for a day or more?
Turns out the New York Times' website was hit with a domain name system (DNS) attack, in which hackers target the system that matches a website URL (like nytimes.com) to the servers where that website's content is stored. None of the New York Times' content was affected; people just couldn't find it.
The Kicker: Simple security etiquette might have prevented the attack.
The New York Times' DNS records are managed by an Australian-based company called Melbourne IT, a domain registrar similar to the American company GoDaddy.
It appears that the hackers who hit the New York Times were able to penetrate Melbourne IT's security by acquiring an administrator's username and password.
Marc Frons, the New York Times' chief information officer, said in the Times' own article on the hack that the culprit appears to be “the Syrian Electronic Army, or someone trying very hard to be them.”
That doesn't tell us much. The Syrian Electronic Army, or SEA, is a group of hackers that appears to be loosely affiliated with or sympathetic to the regime of Syrian President Bashar al-Assad. The SEA has also been very active lately: in the last few months it's claimed responsibility for attacks on The Onion, NPR and the blog of British reporter Hon Snow (no relation to "Game of Thrones").
What is a DNS attack?
DNS is an essential part of the Internet's information architecture.
"DNS has been in place essentially since the Web started… [and] from its very origins it was not built to support the Web as it exists today," said Kevin O'Brien, an enterprise solutions architect from Cloudlock, a cloud-based data security company.
According to O'Brien, DNS has a number of structural flaws, which the New York Times hackers exploited to bring the website down.
Here's how DNS works: When you want to go to a website, you type in that website's domain name. In the New York Times' case, that's nytimes.com, the rights to which it purchased from a domain name registrar, in this case, Melbourne IT.
When Melbourne IT registered that domain name, it created an entry in the DNS registry that connected "nytimes.com" to the internet protocol (IP) address of the New York Times' servers, 18.104.22.168.
This registry is necessary because domain names were designed to be easily understood by humans, not by computers. Domain names do not point to Web content in a way that a computer can understand. Similarly, IP addresses are not user-friendly for humans.
So when you type "nytimes.com," your Web browser connects you to one of the many DNS servers on which the registry is stored and matches that text to the corresponding registered IP address 22.214.171.124.
The hackers zeroed in on the source. They acquired a Melbourne IT username and password, entered the registrar's system, and altered the DNS records that then went out to DNS servers across the Internet.
O'Brien likened DNS servers to a phonebook: people can search the book by a person's name and find the entry that connects the person to a telephone number. What the hackers did is like changing the number next to the New York Times' name in the phonebook.
That alteration probably took about 15 minutes to make, O'Brien said. Once the hackers made the change, it took a while for that change to propagate to the Internet's DNS servers.
For a brief window, typing nytimes.com into your browser led you, not to the Times' servers, but to a SEA-themed website containing the message "Hacked by Syrian Electronic Army."
Most of the time, though, browsers were simply unable to locate an IP address associated with the domain name www.nytimes.com, resulting in a browser error message.
Technically, websites don't need domain names, and the Times site never really went down. But to access it, you would have had to know the IP address 126.96.36.199 and enter it into your browser.