Some systems at the .ie domain registry (IEDR) remain offline today, following a security incident yesterday that led to Google and Yahoo’s Irish websites redirecting to a server in Asia.
In a statement on its website today, the IEDR confirmed the unauthorised access to a registrar’s account which led to a change to the DNS nameserver records for the two .ie domains.
“Gardai have been notified and IEDR has requested that the Garda Bureau of Fraud Investigation conduct an investigation into this external attack on the .ie namespace,” the statement said.
Although the statement didn’t refer to the sites by name, users on social media and elsewhere identified the sites as Google.ie and Yahoo.ie, both of which are back online at press time.
Security software vendor Sophos said on its Naked Security blog that because of the change, visitors to Google.ie were being redirected for a time to nameservers called farahatz.net, apparently based in Indonesia.
The IEDR said it worked with the registrar to ensure the nameserver records were reset and corrected promptly.
“Simultaneously, the IEDR commenced an investigation and analysis, with the assistance of external security experts.”
Systems go offline
Following the investigation and on the advice of security experts, the IEDR said it temporarily took external web-based systems offline in order to analyse the problem further.
In its statement, the registry said its Whois service and its API are both “fully operational”, adding this means that registrars accounting for more than two-thirds of .ie domains are “largely unaffected” by the interruption.
Public access to .ie websites and email is unaffected, IEDR said.
Brian Honan, security consultant with BH Consulting, said the IEDR had taken proactive steps to deal with the incident.
“They have contained it while still investigating it,” Honan told Siliconrepublic.com.
While the root cause of the incident is still unknown, Honan said the risk was that attackers could have taken advantage of the change for their own ends.
“By redirecting the DNS, they could bring people’s traffic to any site they wanted – they could have sent them to a website with malicious content,” he said.
The incident has lessons for other organisations that manage their own DNS records, Honan added.
“Companies need to ensure they protect their access to the control panel that manages their DNS server, by using secure passwords,” he said.