Security researcher Dan Kaminsky has offered more details about a fundamental flaw in the Domain Name System and the extent of the vulnerability.
In a presentation at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.
Kaminsky explained that transaction IDs, which are supposed to prevent "bad guys" from assigning their own IP address numbers to any domain, are ineffective as security measures. An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as "1.foo.com" or "2.foo.com." As transaction IDs can only be a number between 0 and 65535, and the attacker can launch multiple requests, eventually the attacker could spoof a domain by matching the ID through chance.
Once this domain is spoofed, the attacker can flood a name server with spoofed replies to poison its cache for the domain being attacked--for example, "foo.com." Requests for foo.com would direct a user to a site of the attacker's choosing.
[Photo: Dan Kaminsky. Credit: Declan McCullagh/CNET News]
This vulnerability can be exploited by using multiple vectors of attack, according to Kaminsky. Web browsers can be forced to look up what the attacker wants, as links, images, and ads can cause a DNS lookup. Mail servers will look up what an attacker wants when performing functions such as a spam check, or when trying to deliver a bounce, newsletter, or bona fide e-mail response.
Kaminsky warned that it is also possible to pollute top-level domains such as .com, .net and .org.
"When the bad guy poisons .com, he gets all requests, even requests he didn't know in advance he wanted," Kaminsky said in his presentation. "He gets to decide what he'll poison forever."
Using encryption such as SSL can mitigate the risks posed by the DNS flaw, according to Kaminsky. However, he warned that SSL is only deployed on a limited basis at present and brings its own certification issues. People still log onto sites even if a site's SSL certificate has expired, he said.
Multiple vendors have brought out patches for their products to mitigate the risks associated with the flaw, mainly based on randomizing source port numbers. Kaminsky said this had been effective. Nominum has been patched, BIND implementations have been patched, and Microsoft automatic updates have "swept through lots and lots of users."
Kaminsky said that 70 percent of Fortune 500 companies have tested and patched mail servers successfully, while 61 percent have patched nonmail servers.
However, Cambridge University security expert Richard Clayton told ZDNet UK that patching and randomization are effective only up to a point.
"You can randomize the identifier for the packet, and you can randomize the port number, but the bad news about randomization is the birthday paradox," Clayton said. "If you have 20 people in a room, the chances are that two of them will share the same birthday. That's the problem, if you're choosing at random and an attacker is choosing at random. If you are using two-to-the-sixteen (65536) samples, and an attacker is sending samples at the rate of the square root of two to the sixteen, which is two to the eight (256), the attacker has a 50 percent chance of success."
While randomization mitigates the problem, essentially it just "(puts) off the dreadful day when the attacker can send packets fast enough to overcome entropy", Clayton said.
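The arithmetic behind the two positions above (Kaminsky's "keep asking for 1.foo.com, 2.foo.com ..." mechanism and the debate over how much source-port randomization buys) can be put in one small model. The script below is an added example, not code from the article or from any of the people quoted in it. It assumes that every forged reply is an independent, uniformly random guess of the resolver's outstanding transaction ID (and source port, once that is randomized), that the resolver accepts the first reply that matches, and that an attacker can trigger as many fresh queries as needed. Port randomization is modelled as 16 extra bits, which is the optimistic case; real resolvers reserve some ports and get somewhat less.

```python
import math


def spoof_success_probability(entropy_bits: int, forged_replies: int) -> float:
    """Chance that at least one of `forged_replies` forged answers matches the
    resolver's outstanding txid (plus source port, if randomized) for ONE query.

    Assumption (labelled, not from the article): each forged value is an
    independent uniform guess over 2**entropy_bits possibilities, and the
    resolver accepts the first reply whose identifiers match.
    """
    space = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def queries_for_target(target: float, entropy_bits: int, forged_per_query: int) -> int:
    """Number of fresh queries (1.foo.com, 2.foo.com, ...) an attacker must
    provoke before the cumulative chance of winning at least once reaches
    `target`.  Each query is an independent trial with the per-query
    probability from spoof_success_probability()."""
    p = spoof_success_probability(entropy_bits, forged_per_query)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def compare_mitigations(forged_per_query: int = 100, target: float = 0.5) -> dict:
    """Queries needed for a 50% cumulative win with a 16-bit txid only versus a
    txid plus a randomized 16-bit source port (32 bits total, optimistic)."""
    return {
        "txid_only_16_bits": queries_for_target(target, 16, forged_per_query),
        "txid_plus_port_32_bits": queries_for_target(target, 32, forged_per_query),
    }


if __name__ == "__main__":
    # One query, 65536 random guesses against a 16-bit space: not a sure thing,
    # which is why the attack works by repeating with new names instead.
    print(f"one query, 2^16 guesses, 16 bits: {spoof_success_probability(16, 65536):.3f}")
    for bits in (16, 32):
        for forged in (100, 1000, 10000):
            print(f"{bits:2d} bits, {forged:5d} forged/query -> "
                  f"{queries_for_target(0.5, bits, forged):>12,d} queries for 50%")
    print(compare_mitigations())
```

The point the numbers make is the one Clayton makes in words: randomization does not close the hole, it multiplies the work. With the txid alone, a few hundred provoked queries suffice at a modest forged-reply rate; adding a randomized port pushes the same attacker into tens of millions of queries, which is why the vendor patches help but a resolver should still treat a flood of wrong-identifier replies as a signal.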
Clayton said that a "real" fix would be to have the server notice when it was receiving a lot of requests which were not quite correct, become "suspicious," and only communicate using TCP, which can't be spoofed. A further fix would be to have carriers communicate using DNSSEC, a form of DNS which is encrypted, Clayton said.
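Clayton's "real" fix, a resolver that notices a run of not-quite-right replies and becomes suspicious, is straightforward to express as detection logic. The script below is an added example, not code from the article or from any resolver vendor. The log format is constructed for the example (one line per UDP reply received, carrying both the reply's transaction ID and the ID of the matching outstanding query, so a mismatch is a reply the resolver discarded); the window size, threshold and the "fall back to TCP for this zone" recommendation are the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not any real resolver's output).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) reply src=(?P<src>\S+) qname=(?P<qname>\S+) "
    r"txid=(?P<txid>0x[0-9a-f]{4}) expected=(?P<expected>0x[0-9a-f]{4})$"
)


def build_sample_log() -> list:
    """Constructed sample: two legitimate-looking replies plus a burst of
    wrong-txid replies for ever-changing names under foo.com, i.e. the
    'N.foo.com' pattern described in the article."""
    base = datetime(2008, 7, 25, 10, 0, 0)
    lines = [f"{base.isoformat()} reply src=192.0.2.53 qname=www.example.net "
             f"txid=0x1a2b expected=0x1a2b"]
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} reply src=198.51.100.7 qname={i}.foo.com "
                     f"txid=0x{i:04x} expected=0x9c3d")
    # A single stray mismatch elsewhere: normal noise, should not be flagged.
    ts = base + timedelta(seconds=1)
    lines.append(f"{ts.isoformat()} reply src=192.0.2.53 qname=mail.bar.org "
                 f"txid=0x0f0f expected=0x0f0e")
    return lines


def parse_line(line: str):
    """Return a dict for a well-formed line (with a 'mismatch' flag), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["mismatch"] = ev["txid"] != ev["expected"]
    return ev


def zone_of(qname: str) -> str:
    """Crude zone key: the last two labels (example-only; a real resolver
    would key on the zone it actually delegated the query for)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_zones(lines, window=timedelta(seconds=5), threshold=20) -> dict:
    """Sliding-window count of discarded (mismatched) replies per zone.
    Returns {zone: time first flagged} for zones that crossed the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["mismatch"]:
            continue
        zone = zone_of(ev["qname"])
        q = recent[zone]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and zone not in flagged:
            flagged[zone] = ev["ts"]
    return flagged


if __name__ == "__main__":
    for zone, when in suspicious_zones(build_sample_log()).items():
        print(f"{when.isoformat()} {zone}: mismatched-reply flood; "
              f"serve this zone over TCP until it subsides")
```

Twenty discarded replies for one zone inside five seconds is far above what packet loss or a slow authoritative server produces, so the alert is cheap and specific; the costly part, re-querying over TCP, is then paid only for the zone under pressure rather than for all traffic.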
Tom Espiner reports for ZDNet UK.
Apple released a security update Thursday to users of its Tiger and Leopard operating systems to address a critical and well-publicized Domain Name System flaw, along with a dozen other updates.
The DNS flaw, which was first reported by Dan Kaminsky of IOActive on July 8, could allow attackers to redirect Web site visitors to any site they choose and present forged information. The DNS translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component to the Internet.
During the second pre-Black Hat security conference Webinar on July 24, Kaminsky provided the most information to date about the DNS flaw he found earlier this year but only disclosed in public on July 8. His announcement coincided with a massive, multivendor patch release. But he withheld details, hoping that most people would get their systems patched before the bad guys got a hold of it.
However, exploit code that could allow someone to attack the DNS was available in various places on the Internet on July 23.
Apple's update also fixes a QuickLook bug where loading a malicious Microsoft Office file could lead to "arbitrary code execution."
Apple recommends Security Update 2008-005 for all systems running Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4. The update is available at Apple.com or through the update mechanism in OS X.
If you haven't heard about the current DNS vulnerability, here is a Reader's Digest-like summary. Security guru Dan Kaminsky found a vulnerability that could give the bad guys a relatively easy way to redirect Internet traffic. For example: You might think you are logging on to Bank of America's Web site. But instead, some hacker may have just exploited a domain name system vulnerability and is now in control of your identity.
Kaminsky deserves credit for finding this flaw and alerting the Internet community so it could fix the problem. This effort is well under way, but according to an article in yesterday's New York Times, Kaminsky believes that 41 percent of all DNS servers are still vulnerable, meaning that no one has patched these systems with new software that closes this gaping security hole.
The danger here is that most of the world will shrug its collective shoulders, dismissing this as a technology problem. The truth is that this is the Internet equivalent of a bridge collapse on Interstate 35W in Minneapolis. This disaster demonstrated that a critical piece of infrastructure was badly in need of repair. Unfortunately, the same is true of DNS, a critical but rickety technology.
Clearly the folks who control most of the Internet infrastructure get this. Comcast and Verizon have already patched their DNS servers, while AT&T is in the process of doing so. Great, but what about all of the companies with a large Internet presence? This is where the Internet may be most vulnerable, folks. According to ESG Research, 48 percent of large organizations (i.e. 1,000 employees or more) experienced at least one DNS outage in the past 12 months. What's more, 42 percent of these companies consider patching and upgrading DNS a time-consuming operational process. Given these statistics, my guess is that a lot of enterprises believe that the DNS problem doesn't really impact them, that it is really an Internet infrastructure problem. This is a misguided and dangerous perspective.
DNS anchors all Internet communications, thus it should be considered critical infrastructure. It's time that enterprise organizations realized this and started treating it accordingly. Hopefully Kaminsky's discovery will act as a change agent to fix the problem. Otherwise, we could all be in trouble.