DNS is the cornerstone of the Internet: It turns http://www.gigaom.com into an IP address that the routers can use to connect a browser to a web site. For this reason, it’s the subject of many attacks. If you convince someone that your server, rather than the real one, is the site they wanted, you can get up to all kinds of mischief. You can make them think you’re their bank, solicit their private information, monitor what they do, or even feed them Trojans.

Of course, DNS has protections. Each DNS request carries a query ID that uniquely identifies it. Anyone can send a response to a DNS request, but if you don’t have the right query ID, your response is ignored. Essentially, it’s a race: to hijack someone, you need to deliver the wrong IP address, with the right query ID, before the correct answer arrives. Until now, this model has protected online surfers reasonably well, because the chance of a guessed QID arriving before the legitimate one shows up is improbably small.
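The match-or-ignore rule described above, as an added example that is not part of the original post or of any real resolver: a small Python model of a stub resolver that remembers each outstanding query by source port, transaction ID and question, and discards any answer where one of them does not match. It also sizes the space a blind sender has to guess with a fixed port (16 bits of ID) against a randomized source port, which is the mitigation the coordinated 2008 patches shipped; the post itself does not spell that out. The packet builders, `StubResolver`, the port range and the sample names and addresses are all constructed here.

```python
"""Constructed model of the transaction-ID check a DNS stub resolver performs.

Example code for this page, not code from the post or from any resolver.
"""
import random
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
PORT_LOW, PORT_HIGH = 1024, 65535      # ephemeral range assumed for the randomized case


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple:
    """Read an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str) -> bytes:
    """Minimal A-record query: 12-byte header (RD=1) plus one question."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid: int, name: str, address: str) -> bytes:
    """Minimal answer (constructed data): question echoed back plus one A record."""
    header = DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name pointer to offset 12
    return header + question + answer


def parse_header(packet: bytes) -> dict:
    """Unpack the fixed header; the transaction ID is its first 16-bit field."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(packet)
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


class StubResolver:
    """Tracks outstanding queries and applies the match-or-ignore rule from the post."""

    def __init__(self, randomize_port: bool, seed: int = 0):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)
        self.pending = {}  # (src_port, txid) -> question name

    def send(self, name: str) -> tuple:
        """Pick a fresh ID (and port, if randomized) and record the query as outstanding."""
        txid = self.rng.getrandbits(16)
        # A fixed, predictable port stands in for pre-patch behaviour (53 is just the stand-in).
        port = self.rng.randint(PORT_LOW, PORT_HIGH) if self.randomize_port else 53
        self.pending[(port, txid)] = name
        return port, build_query(txid, name)

    def receive(self, dst_port: int, packet: bytes) -> bool:
        """Accept a response only if port, ID and question all match an outstanding query."""
        hdr = parse_header(packet)
        if not hdr["flags"] & 0x8000:          # QR bit clear: this is not a response
            return False
        key = (dst_port, hdr["id"])
        expected = self.pending.get(key)
        if expected is None:                    # wrong port or wrong ID: ignored, as the post says
            return False
        qname, _ = decode_name(packet, DNS_HEADER.size)
        if qname != expected:                   # answer to a question we never asked
            return False
        del self.pending[key]                   # the first valid answer wins the race
        return True


def guess_space(randomize_port: bool) -> int:
    """How many equally likely (port, ID) pairs a blind sender has to cover."""
    ports = (PORT_HIGH - PORT_LOW + 1) if randomize_port else 1
    return (1 << 16) * ports


def p_blind_success(randomize_port: bool, forged_responses: int) -> float:
    """Chance that at least one of n independent blind guesses matches before the real answer."""
    space = guess_space(randomize_port)
    return 1 - (1 - 1 / space) ** forged_responses


if __name__ == "__main__":
    for randomized in (False, True):
        print(f"randomized port={randomized}: space={guess_space(randomized):,}, "
              f"P(hit | 65536 forged)={p_blind_success(randomized, 65536):.4f}")
```

Running the block prints the two cases side by side: with only the 16-bit ID to guess, 65,536 forged answers give roughly a 63 percent chance of one landing first, while adding a randomized port drops the same effort to well under one in ten thousand. That gap is why the post's advice reduces to patching the resolver rather than tuning anything else.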

But there may be a way around this, and Dan Kaminsky says he’s figured it out — but he’s not telling how just yet.

Releasing a hack is Big Drama. Some folks — like Kaminsky — prefer to contact the authorities and vendors, giving them time to patch their servers before publication. Kaminsky announced that he wouldn’t reveal the details of the exploit until Black Hat, but on July 9 he said anyone who figured it out could get on stage with him. Shortly afterward, he announced that the major players had patched their systems.

There are others who believe that vulnerabilities should be outed as soon as possible: Assuming the bad guys already know is a prudent course of action. Kaminsky’s announcement seems to have prompted speculation, and Halvar Flake worked out what some believe is the hack Kaminsky was planning to announce, leading to its disclosure. A description of the exploit first showed up on pasteboards — sites that publish snippets of code. Initially, it was being deleted by system administrators. But you can’t put the genie back in the bottle, so now it’s out in the open.

Some skeptics question the impact of the vulnerability, and some say it’s an old hack that’s been around for years. But we view many more strangers’ pages these days, particularly on social sites that are increasingly plagued with friend spam, so online behavior may have changed enough for this old dog to learn new tricks.

Kaminsky hasn’t confirmed that Flake identified the same vulnerability. But perhaps as a result of the speculation, Kaminsky’s latest blog entry says simply, “Patch. Today. Now.”

Whatever the case, it’s a good day to have a smart network administrator patching your servers.

  1. Alistair:

    Well said. I’ve also put together a few background links on this issue at: http://gregness.wordpress.com/2008/07/22/dns-vulnerability-now-in-the-wild/

    Kaminsky was just on a webcast with Cricket Liu on the DNS vulnerability.

    Sincerely,
    Greg

  2. Alistair,

    Kaminsky actually says more than what you said. He said to point to OpenDNS if you can’t patch or your ISP isn’t patched.

    Do we get no love because we said no to advertising on GigaOm? (kidding) We’ve been talking about the importance of DNS security for the last two years.

  3. Also — you link to Thomas Ptacek’s tweet from, like, three weeks ago where he doubts the vulnerability existed.

    This is the same jerk who was then briefed by Kaminsky and later stated he agreed it was VERY SERIOUS. He then proceeded to steal his thunder and leak the story on his blog!

  4. [...] The Kaminsky Hack: DNS Exploits in the Wild [...]

  5. It’s worth pointing out that Halvar (almost) figured out the bug due to the published advisories, not due to information given to him in confidence (unlike Matasano).

  6. We shouldn’t expect old security methods to always work. This is just another blip, and new measures will be added to be effective for another 10-15 years.

  7. [...] up on yesterday’s post (for which exploits are already in the wild, so like I said before, get patchin’!) I hit my router’s embedded web server and saw [...]
