A fatal flaw with the DNS (Domain Name System) is being exploited in Internet attacks and more attacks are likely, the security researcher who discovered the flaw said on Thursday.
"I do think we are going to see attacks. I think we have been seeing attacks already going on in the field," said Dan Kaminsky, director of penetration testing for IOActive, who warned the industry about the DNS vulnerability nearly five months ago. "We're doing everything we can to mitigate and reduce its incidence."
Kaminsky mentioned a DNS-related incident with China Netcom (possibly the incident reported by the ZD Net Zero Day blog), but said it wasn't clear that it was due to the vulnerability he found. "There are other scenarios that I can't, unfortunately, get into," he added.
Basically, the problem exists in the DNS system, which translates Web addresses into numerical IP addresses and serves as the phone book for the Internet. An attacker exploiting the vulnerability could redirect Web surfers to malicious sites, even if the surfers typed in the legitimate Web address. For example, someone could type in the address for a bank and end up at a site that looks like the bank site but is a fake site set up to grab sensitive information like passwords.
Security firm MessageLabs recorded a 52 percent increase in suspicious DNS traffic between July and August, "indicating that the online underworld is poised to launch targeted attacks in coming weeks," the firm said in a statement released early on Thursday.
To be fair, some of that suspicious traffic is due to security researchers gathering statistics, according to Kaminsky. But there's no way to tell how much of it is for research purposes, he said.
"People are sweeping the Internet looking for vulnerable systems," he said. "What they have in store, we don't know."
Those stats only show part of the problem--researchers aren't able to scan the traffic going to servers used for directing e-mail and corporate Web browser traffic, and thus are missing the stats on attempts to find unpatched systems via those alternative modes, Kaminsky said.
"The most important thing for people to patch are the name servers that back up their mail servers," he said.
Meanwhile, people can use test code to find out if their systems are safe at Doxpara.com.
"The good news is that there are hundreds of millions of users protected against these attacks. The bad news is it's not everybody," he said.
Kaminsky first warned security software vendors about the problem in a secret meeting at Microsoft headquarters in March so they could start writing patches to address the problem. On July 8, he went public with the information, but not the details, of the flaw, at the same time Microsoft, Cisco, and other vendors released their patches in an unprecedented, synchronized multivendor effort.
Kaminsky planned to release details about the vulnerability during a talk he was scheduled to give at the Black Hat security conference a month later in order to give people more time to patch their systems. But within a few weeks, security bloggers were speculating about and leaking technical details of the vulnerability. A few days later there was exploit code reported in the wild.
Those developments forced Kaminsky to go public with some details about his finding in a conference call with journalists on July 24. Then he talked more about it at Black Hat in Las Vegas two weeks ago, reporting that 70 percent of Fortune 500 companies have tested and patched mail servers successfully, while 61 percent have patched non-mail servers.