Version: 2008

Comments on: Kaminsky (finally) provides DNS flaw details

In a webinar on Thursday, the researcher discloses specifics about his DNS cache poisoning flaw and cites statistics on the number of systems that are patched.

6 Comments
by nachurboy July 24, 2008 3:01 PM PDT
Either I didn't understand the description of the flaw or the grammar of this article was too hard to understand.

"Everyone thought, he said, if 'one sets a long time to live (TTL), say, for one year, that would work.' But Kaminsky found that going to look up 1.blackhat.com, 2.blackhat.com, etc., he can find the name server and then take over that domain. Kaminsky said the process of getting a response is about 10 seconds." What does this mean?

"Where go from here?" Is that a sentence?
by AdeBarkah July 27, 2008 9:16 AM PDT
A caching nameserver "remembers" valid domain records for the duration of the TTL value. Until the TTL expires, the nameserver will simply return the cached record instead of performing a recursive query. Since no query is performed by the server, an attacker can't poison it during this period.

In the example given, if the TTL is one year, then an attacker would have to wait one year (until the TTL expires) before he can successfully poison the nameserver. Even then his odds of succeeding are relatively low, and if he fails, he'd have to wait another year before the next attack. Even a relatively short TTL value (a couple of hours) could effectively thwart a DNS poisoning attack.

Or so we thought.

Dan found a way to "bypass" this TTL limit by forcing the nameserver to query for closely-related domain names. e.g., 1.blackhat.com, 2.blackhat.com, etc., instead of www.blackhat.com. These so-called "in-bailiwick" domains will trigger DNS queries, which can then be attacked.

Using this method an attacker can force a caching nameserver to make an arbitrary number of queries (thousands per second), essentially guaranteeing a successful attack.
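The race AdeBarkah describes, as an added toy simulation (not code from the article or from any commenter): a caching resolver serves repeat lookups of www.example.com from its cache, so the classic attack gets one race per TTL window, while lookups of 1.example.com, 2.example.com, ... all miss the cache and each one is a fresh race. A winning forged reply carries an in-bailiwick additional record that re-points the zone's NS at the attacker. The zone name, the attacker's host, the fixed pre-patch source port of 53, and the "spoofs per race" budget are constructed assumptions; the model also compares a 16-bit transaction ID alone against TXID plus a randomized source port, which the text does not spell out.

```python
"""Toy model of the Kaminsky DNS cache-poisoning race (constructed example)."""
import random

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16                 # UDP source port, when the resolver randomizes it
ZONE = "example.com"                 # constructed sample zone, not one from the article
LEGIT_NS = f"ns1.{ZONE}"
ROGUE_NS = "ns.attacker.example"     # constructed attacker-controlled name server


def success_probability(spoofs_per_race, port_randomized):
    """Chance of winning one race with `spoofs_per_race` distinct forged
    replies against a query whose TXID (and, if randomized, port) is unknown."""
    space = TXID_SPACE * (PORT_SPACE if port_randomized else 1)
    return min(1.0, spoofs_per_race / space)


class Attacker:
    def __init__(self, spoofs_per_race, port_known, rng):
        self.spoofs = spoofs_per_race   # forged replies the attacker can land before the real one
        self.port_known = port_known    # True when the resolver uses a fixed source port
        self.rng = rng

    def race(self, txid, port):
        """Forge `spoofs` replies with distinct (txid[, port]) guesses.
        Returns the forged answer if one guess matches, else None (real reply wins)."""
        if self.spoofs == 0:
            return None
        if self.port_known:
            hit = txid in set(self.rng.sample(range(TXID_SPACE), min(self.spoofs, TXID_SPACE)))
        else:
            guesses = self.rng.sample(range(TXID_SPACE * PORT_SPACE), self.spoofs)
            hit = (txid << 16 | port) in set(guesses)
        # Forged reply: a bogus A record plus an in-bailiwick additional record
        # that hands the whole zone's NS to the attacker (constructed values).
        return ("198.51.100.7", ROGUE_NS) if hit else None


class Resolver:
    def __init__(self, port_randomized, rng):
        self.port_randomized = port_randomized
        self.rng = rng
        self.cache = {}                  # name -> (answer, expires_at)
        self.ns_for_zone = LEGIT_NS      # delegation the resolver currently believes
        self.races = 0                   # queries actually sent, i.e. attackable races

    def lookup(self, name, now, attacker, ttl=3600):
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]              # cache hit: no packet sent, nothing to race
        self.races += 1
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_SPACE) if self.port_randomized else 53  # 53 = assumed fixed port
        forged = attacker.race(txid, port)
        if forged is not None:
            answer, glue_ns = forged
            self.ns_for_zone = glue_ns   # additional-section glue accepted for the zone
        else:
            answer = f"legit-A-for-{name}"
        self.cache[name] = (answer, now + ttl)
        return answer

    def poisoned(self):
        return self.ns_for_zone != LEGIT_NS


def classic_attack(resolver, attacker, ttl, window, step):
    """Keep asking for www.ZONE over `window` seconds; only an expired TTL
    produces a new query, so races are bounded by window / ttl."""
    for now in range(0, window, step):
        resolver.lookup(f"www.{ZONE}", now, attacker, ttl)
    return resolver.races


def kaminsky_attack(resolver, attacker, max_races):
    """Ask for 1.ZONE, 2.ZONE, ...: every name misses the cache, so every
    query is a fresh race whatever the TTL. Returns the winning race number."""
    for i in range(1, max_races + 1):
        resolver.lookup(f"{i}.{ZONE}", now=0, attacker=attacker)
        if resolver.poisoned():
            return i
    return None


def run_classic(ttl, window, step, seed=1):
    rng = random.Random(seed)
    return classic_attack(Resolver(False, rng), Attacker(0, True, rng), ttl, window, step)


def run_kaminsky(spoofs_per_race, port_randomized, max_races, seed=1):
    rng = random.Random(seed)
    attacker = Attacker(spoofs_per_race, port_known=not port_randomized, rng=rng)
    return kaminsky_attack(Resolver(port_randomized, rng), attacker, max_races)


if __name__ == "__main__":
    print("classic: races in one day with a 1h TTL:", run_classic(3600, 86400, 60))
    print("kaminsky, fixed port, 200 spoofs/race: won at race", run_kaminsky(200, False, 20000))
    print("kaminsky, random port, 200 spoofs/race, 2000 races:", run_kaminsky(200, True, 2000))
```

With a fixed source port, 200 forged replies per race win about one race in 330, so the unbounded supply of fresh in-bailiwick names makes success a matter of seconds; randomizing the source port multiplies the search space by 2^16, which is why the coordinated patch mattered and why the TTL was never the real defence.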
by sundance808 July 24, 2008 5:19 PM PDT
it means nobody has an idea what it means
by Mteicher July 25, 2008 3:01 AM PDT
How is Kaminsky going about solving the issue, versus providing detailed information about the issue in order for his hacker buddies to develop exploits to attack the DNS servers? Content distribution: have you heard of Napster or LimeWire, or how about multicast? Your buddy Tom P already did this with Sonicity years and years ago. How about providing the community with something useful instead of talking about doom and gloom?
by nocake July 25, 2008 5:50 AM PDT
Ridiculous! Do you have any idea how lucky we are that Kaminsky disclosed this responsibly? What if some rogue entity ended up with it instead and silently exploited the web? Do you have a clue as to the damage that could be done?
Kaminsky has done the right thing by everyone: he notified the vendors, gave them time to patch (this is a big bug), and kept the exploit to himself.
Additionally, why is it Kaminsky's responsibility to fix it? Is he in charge of the BIND project now? Should he have asked Microsoft for their source so he could personally patch and recompile Windows without the DNS glitch? What nonsense. Show some respect.
by ghostwalkers12 August 8, 2008 9:12 PM PDT
Kaminsky discovered nothing not known to people very familiar with the IP suite of algorithms, and with DNS. The process of discovering (for removal of defects) is covered by combinatorial testing. But given the conventions of development in the software industry, such is a novel concept in itself to most. The only certain way to avoid the cache poisoning exercises of script kiddies is to assure that the DNS does not query over the client-facing NIC. Patching the DNS server does not resolve the problem. It continues to exist, easily exploited in less than 10 seconds. If motivated, your DNS is gone in under a second.