August 7, 2008 8:17 AM PDT

At Black Hat, Kaminsky details DNS flaw

by Tom Espiner

Security researcher Dan Kaminsky has offered more details about a fundamental flaw in the Domain Name System and the extent of the vulnerability.

In a presentation at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.

Kaminsky explained that the transaction ID, the 16-bit field that is supposed to stop "bad guys" from answering a resolver's question with an IP address of their own choosing, is not an effective security measure on its own. A resolver accepts only a reply whose ID matches the query it sent, but there are just 65,536 possible values. An attacker can make a resolver look up a stream of slightly varied names in the target domain, such as "1.foo.com," "2.foo.com" and so on; none of these is already cached, so each one forces a fresh query, and the attacker answers each with a flood of forged replies carrying guessed IDs. Given enough attempts, one guess matches by chance.

A forged reply that wins one of these races does more than answer for the bait name: it also carries records claiming that the name server for the domain under attack, "foo.com" in this example, lives at an address the attacker controls. The resolver caches that delegation along with the answer, so subsequent requests for anything under foo.com are directed to a site of the attacker's choosing.

Dan Kaminsky (Credit: Declan McCullagh/CNET News)

The vulnerability can be exploited through multiple attack vectors, according to Kaminsky, because the attacker only needs some way to make the victim resolver issue look-ups of the attacker's choosing. Web browsers can be made to do so, as links, images, and ads all trigger DNS look-ups. Mail servers will look up whatever an attacker wants when performing functions such as a spam check, or when trying to deliver a bounce, a newsletter, or a bona fide e-mail response.

Kaminsky warned that it is also possible to pollute top-level domains such as .com, .net and .org.

"When the bad guy poisons .com, he gets all requests, even requests he didn't know in advance he wanted," Kaminsky said in his presentation. "He gets to decide what he'll poison forever."

Using encryption such as SSL can mitigate the risks posed by the DNS flaw, according to Kaminsky: a user redirected to an impostor's address should see a certificate warning, because the attacker cannot present a valid certificate for the real site. However, he warned that SSL is deployed on only a limited number of sites at present and brings its own certificate issues. People still log on to a site even when its SSL certificate has expired, he said.

Multiple vendors have released patches for their products to mitigate the risks associated with the flaw, mainly based on randomizing the source port of outgoing queries, which gives an attacker up to roughly 16 more bits to guess on top of the transaction ID. Kaminsky said this had been effective. Nominum has been patched, BIND implementations have been patched, and Microsoft automatic updates have "swept through lots and lots of users."

Kaminsky said that 70 percent of Fortune 500 companies have tested and patched mail servers successfully, while 61 percent have patched nonmail servers.

However, Cambridge University security expert Richard Clayton told ZDNet UK that patching and randomization are effective only up to a point.

"You can randomize the identifier for the packet, and you can randomize the port number, but the bad news about randomization is the birthday paradox," Clayton said. "If you have 20 people in a room, the chances are that two of them will share the same birthday. That's the problem, if you're choosing at random and an attacker is choosing at random. If you are using two-to-the-sixteen (65536) samples, and an attacker is sending samples at the rate of the square root of two to the sixteen, which is two to the eight (256), the attacker has a 50 percent chance of success."

While randomization mitigates the problem, essentially it just "(puts) off the dreadful day when the attacker can send packets fast enough to overcome entropy", Clayton said.

Clayton said that a "real" fix would be to have the server notice when it was receiving a lot of requests which were not quite correct, become "suspicious," and only communicate using TCP, which can't be spoofed. A further fix would be to have carriers communicate using DNSSEC, an extension that digitally signs DNS records so that a resolver can reject a forged reply even when it wins the race, Clayton said.
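The race Kaminsky described, and the effect of the entropy Clayton is talking about, can be seen in a small simulation. The Python below is an added illustration written for this page, not code from Kaminsky, Clayton, or any resolver vendor. It models a resolver that accepts the first reply matching its outstanding query's transaction ID (and, once "patched," its randomized source port) and an attacker who triggers look-ups for 1.foo.com, 2.foo.com and so on, flooding each with forged replies that delegate all of foo.com to an attacker-controlled address. The zone foo.com, the address 203.0.113.7, the budget of 200 forged replies per race, and the assumption that all of the attacker's guesses land before the legitimate answer are constructed for the example. The expected_races function treats each forged reply as an independent guess against one outstanding query, the simplest model of the odds.

```python
# Toy model of the DNS cache-poisoning race described above. Added illustration
# for this page only; not Kaminsky's, Clayton's or any vendor's code. The zone
# foo.com, the attacker address 203.0.113.7 and the resolver behaviour are
# constructed assumptions.
import random

TXID_BITS = 16      # the DNS transaction ID is a 16-bit field: 65536 values
PORT_BITS = 16      # entropy added by source-port randomization (an upper bound)
FIXED_PORT = 53     # hypothetical unpatched resolver: every query leaves from one port


class ToyResolver:
    """A caching resolver with one outstanding query at a time.

    A lookup for an uncached name starts a race: the first reply carrying the
    right transaction ID (and, when randomized, the right source port) is
    accepted and every record it carries is cached.
    """

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.pending = None     # (name, txid, port) of the query in flight

    def lookup(self, name):
        """Start a query; returns False if the name is cached, so nothing is sent."""
        if name in self.cache:
            return False
        port = self.rng.randrange(1 << PORT_BITS) if self.randomize_port else FIXED_PORT
        self.pending = (name, self.rng.randrange(1 << TXID_BITS), port)
        return True

    def receive(self, name, txid, port, records):
        """Accept a reply only if it matches the outstanding query exactly."""
        if self.pending != (name, txid, port):
            return False
        # The whole reply is cached, including authority/additional records
        # that claim to delegate the parent zone: that is the poisoning hook.
        self.cache.update(records)
        self.pending = None
        return True

    def legitimate_reply(self, name):
        """The real server answers that the bait name does not exist."""
        if self.pending and self.pending[0] == name:
            self.cache[name] = "NXDOMAIN"
            self.pending = None


def poison(resolver, zone, attacker_ip, forged_per_race, max_races, rng):
    """Kaminsky's trick: query 1.zone, 2.zone, ... so each race is fresh, and
    flood every race with forged replies delegating the whole zone to the
    attacker. Returns the number of races needed, or None if the budget runs out."""
    forged_records = {f"NS {zone}": f"ns.{zone}", f"A ns.{zone}": attacker_ip}
    for race in range(1, max_races + 1):
        bait = f"{race}.{zone}"             # never seen before, so it is not cached
        resolver.lookup(bait)
        for _ in range(forged_per_race):    # guesses that land before the real answer
            txid = rng.randrange(1 << TXID_BITS)
            port = rng.randrange(1 << PORT_BITS) if resolver.randomize_port else FIXED_PORT
            if resolver.receive(bait, txid, port, forged_records):
                return race
        resolver.legitimate_reply(bait)     # lost this race; the next bait name starts another
    return None


def expected_races(entropy_bits, forged_per_race):
    """Mean number of races until one forged reply matches, modelling each forged
    reply as an independent uniform guess among 2**entropy_bits possibilities."""
    p_race = 1 - (1 - 2.0 ** -entropy_bits) ** forged_per_race
    return 1 / p_race


def run_demo(randomize_port, forged_per_race, max_races, seed=2008):
    """One poisoning campaign against a fresh resolver; returns (races, cache)."""
    rng = random.Random(seed)
    resolver = ToyResolver(randomize_port, rng)
    races = poison(resolver, "foo.com", "203.0.113.7", forged_per_race, max_races, rng)
    return races, resolver.cache


if __name__ == "__main__":
    races, cache = run_demo(randomize_port=False, forged_per_race=200, max_races=20000)
    print(f"fixed port: poisoned after {races} races (expected about {expected_races(16, 200):.0f})")
    print(f"cache now says ns.foo.com is {cache.get('A ns.foo.com')}")
    races, cache = run_demo(randomize_port=True, forged_per_race=200, max_races=500)
    print(f"random port: {races} after 500 races (expected about {expected_races(32, 200):.0f})")
```

Run as a script, it reports how many bait names the fixed-port resolver survived before its cache said ns.foo.com was the attacker's address (typically a few hundred with 200 forged replies per race, against an expected value of about 328), and that the port-randomized resolver was still clean after 500 races. With 32 bits to guess the expected figure is around 21 million races, which is the sense in which randomization raises the attacker's cost rather than removing the problem.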

Tom Espiner reports for ZDNet UK.

by n3td3v August 7, 2008 8:47 AM PDT
I wonder what Dan Kaminsky thinks about HD Moore releasing the exploit code early when he was asked not to.
by n3td3v August 7, 2008 9:03 AM PDT
Geek Alert: Dan Kaminsky on the DNS Bug of 2008
http://www.youtube.com/watch?v=B0dHDD9fFM4
Would you bang the chick on the front row?
by The_Decider August 7, 2008 10:19 AM PDT
You sound like a 14 year old script kiddie.
by benjaminstraight August 8, 2008 3:15 AM PDT
Cool.
by ghostwalkers12 August 8, 2008 9:40 PM PDT
Kaminsky discovered nothing not known to people very familiar with the IP suite of algorithms, and with DNS. The process of discovering (for removal of defects) is covered by combinatorial testing. But given the conventions of development in software industry, such is a novel concept in itself to most. The only certain way to avoid the cache poisoning exercises of script kiddies is to assure that the DNS does not query over the client facing NIC. Patching the DNS server does not resolve the problem. It continues to exist, easily exploited in less than 10 seconds. If motivated your DNS is gone in under a second.