AS OF 3/13/2010 1:44AM EST
DNS Vulnerabilities Are Nothing New
By Alex Handy, July 14, 2008
This is an update to a story originally posted on July 8.
Dan Kaminsky says he knows how to break the Internet. At the annual Black Hat conference in Las Vegas next month, security researcher Kaminsky will reveal his much-touted DNS attack, which he claims exploits a fundamental flaw in the underlying protocol.
Fortunately, Kaminsky went to DNS software makers earlier this year and coordinated a patch effort. Those patches were released in early July, but with a vulnerability that’s so widespread, it remains to be seen whether the Internet is prepared for Kaminsky’s big reveal.
Thomas Ptacek, principal at Matasano Security, said that DNS’ flaws have been well documented. “We’ve known about this since 1995,” he said.
Ptacek went on to explain the problems with DNS. “You have this thing called the session ID, and it’s there because the one server does multiple responses. Since about 1985, everyone has known that IP is totally spoofable. DNS is no different,” said Ptacek.
“So most protocols rely on strong session IDs to keep people from spoofing packets,” he continued. “You look at a typical Java Web app, where you have a 128-bit session ID. It’s cryptographically impossible to guess that. DNS is a 16-bit session ID. There are only 65,000 possible responses. When it came up originally, the most popular name server on the Internet was BIND. In 1995 or 1996, when this stuff was originally talked about, the people who did BIND said, ‘We don’t want to do a whole bunch of work to stop this attack. There’s not a lot we can do about it.’ What we need to do to fix this is DNSSEC.”
But DNSSEC, the specification for a secure DNS protocol, only received its first major RFCs in 2005, and it is almost non-existent in the wild. “After 13 years of talks, we still don’t have DNSSEC,” said Ptacek.
Andrew Jaquith, program manager for security at the Yankee Group, agreed, acknowledging that DNS is only getting more vulnerable as more sophisticated attacks are revealed, such as Amit Klein’s cache poisoning attacks, revealed last year.
“There are issues with DNS that go well beyond this particular issue. DNS is one of those services that we have decided we’re all going to trust, and I think there are people who are figuring out that that’s not a safe assumption,” Jaquith said. “DNS is like oxygen. What if somebody secretly started replacing the oxygen you normally breathe with nitrogen? DNS is designed to scale and designed to be simple. The solution may not be simple, and may not scale. We’re in a place where we’re damned if we do, damned if we don’t,” he said.
Possible Vectors
Kaminsky is keeping mum about his newfound DNS exploit. He was unavailable for comment for this article. In the days after he announced the exploit and patches, Kaminsky was overwhelmed by interest, questions and requests to comment on the vulnerability.
However, several experts postulated possible attack vectors. One possible attack could simply involve the poisoning of an ISP DNS cache and redirecting all user traffic to a phishing site instead of the real bankamerica.com or gmail.com. Once so directed, users would be entering their passwords and login information into a trap.
Another possible vector could involve poisoning the DNS records that point to a specific mail server. An attacker could request a confirmation e-mail from almost any service on the Web, asking for a password reset. (Those “I lost my password” links are on almost every commercial site.) When the password is reset and a new one is sent out, the poisoned DNS could route the mail to another trap server, allowing the attacker to take over a user’s account after having only the login name or e-mail address.
In an effort to clear up the uncertainty, Kaminsky offers a DNS checker on his blog at www.doxpara.com, which can identify vulnerable DNS servers.
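A checker of this kind has to work from the outside: it coaxes the resolver under test into sending queries to an authoritative server the checker controls, then judges the source ports and transaction IDs that actually arrive on the wire. The following Python is an added example of that server-side judgement, not Kaminsky’s code or anything from the article; the three observation sets are constructed, and the thresholds are assumptions chosen to separate the common failure shapes (a resolver pinned to one port, a NAT box that reassigns ports sequentially, a counter used as transaction ID) from a resolver whose randomization is intact.

```python
import math
import statistics

# Constructed observations of (UDP source port, DNS transaction ID), one per
# query, as the authoritative side of a randomization checker would log them.
# These are made-up samples, not captures from any real resolver.
RANDOM_TXIDS = [0x9a2f, 0x13c4, 0xe71b, 0x5088, 0x2d91, 0xb3a6,
                0x7f0e, 0xc552, 0x0a6d, 0xd8e3, 0x61b7, 0x3e49]

# Unpatched resolver pinned to port 53, using a counter for the transaction ID.
OBS_FIXED_PORT = [(53, 0x4000 + i) for i in range(12)]

# Patched resolver behind a NAT box that rewrites ports sequentially: the
# transaction IDs are fine, but the port randomization has been stripped.
OBS_NAT_SEQUENTIAL = [(1024 + i, txid) for i, txid in enumerate(RANDOM_TXIDS)]

# Patched resolver with working port randomization.
RANDOM_PORTS = [1050, 64000, 33000, 12000, 58000, 25000,
                47000, 5000, 60000, 20000, 40000, 9000]
OBS_RANDOMIZED = list(zip(RANDOM_PORTS, RANDOM_TXIDS))

# Standard deviation of a uniformly random 16-bit value (about 18,918). A
# resolver drawing ports from the full range should land well above a
# fraction of it even in a dozen samples.
UNIFORM_PORT_STDEV = 65536 / math.sqrt(12)
MIN_STDEV_RATIO = 0.25   # assumed threshold: below a quarter of uniform is "poor"


def assess(samples):
    """Judge port and transaction-ID randomization from a handful of queries.

    A dozen samples cannot measure 16 bits of entropy, so the checks are the
    cheap ones that catch the common failures: a single reused port, ports
    clustered in a narrow band (typical of sequential NAT allocation), and
    transaction IDs that advance by a constant step (a counter).
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct_ports = len(set(ports))
    port_stdev = statistics.pstdev(ports) if len(ports) > 1 else 0.0
    steps = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}

    port_predictable = (distinct_ports == 1
                        or port_stdev < MIN_STDEV_RATIO * UNIFORM_PORT_STDEV)
    txid_predictable = len(steps) == 1     # one constant step, e.g. +1
    return {
        "distinct_ports": distinct_ports,
        "port_stdev": round(port_stdev, 1),
        "port_predictable": port_predictable,
        "txid_predictable": txid_predictable,
        "verdict": "POOR" if (port_predictable or txid_predictable) else "GOOD",
    }


if __name__ == "__main__":
    for name, obs in [("fixed port 53", OBS_FIXED_PORT),
                      ("NAT-rewritten ports", OBS_NAT_SEQUENTIAL),
                      ("randomized", OBS_RANDOMIZED)]:
        print(f"{name:20s} {assess(obs)}")
```

The point of the NAT case is that the resolver’s own logs would show it randomizing correctly; only an observer on the far side of the NAT sees that the ports arrive in order.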
On his blog, Kaminsky said that he’s been called on to reveal the exploit ahead of Black Hat. Hoping to keep the potential for exploits to a minimum, Kaminsky has only allowed a small circle of researchers to hear about the full exploit.
Even Derrick Scholl, director of security engineering and response at Sun Microsystems, who coordinated the effort inside Sun to patch this hole, hasn’t seen the exploit. “If we pressed, it’s entirely possible we could have seen it,” said Scholl, but because the fix was fairly straightforward, he saw no need to probe Kaminsky on the topic.
Kaminsky did reveal the exploit to Ptacek, however, as Kaminsky detailed on his blog. “And so, on the urging of Rich Mogull, who’s been instrumental at bringing this entire endeavor out from under the shadows (and who was kind enough not to demand the technical details to do it), I did what I should have from the start. I provided technical details of the attack to Thomas Ptacek and Dino Dai Zovi, submitting myself for peer review,” wrote Kaminsky. “It went well.”
After that review, in an exchange with Systems Management News, Ptacek wrote: “Dan’s got the goods. … Most of what I said to you, I stand by. The part about not patching, now now now? I TOTALLY TAKE THAT BACK.” Having seen the exploit, he considers it extremely dangerous.
The Fix Is In
The fix that Kaminsky coordinated adds source port randomization to most major DNS server software, including BIND. “The major thing that will change is that people’s sub-DNS resolver is designed only to talk to your primary name server, and now it’s going to have source port randomization, and that will be annoying, except that your name server is in your network. Now you have to add the firewall rule that says to open all source ports to [the] DNS server. If you don’t patch this at all, nothing changes for you. If you were vulnerable to this attack, you were doing it wrong. DNS was totally spoofable before this,” said Ptacek.
It’s for this reason, he added, that Web applications handle their own trust and identity issues, and that no Internet applications rely on DNS for either.
Paul Vixie, longtime principal author and maintainer of the open-source DNS server BIND and of other standard Unix tools such as rtty, worked with Kaminsky to coordinate the patch effort among DNS software providers. He said that the exploit Kaminsky will unveil at Black Hat is similar to Klein’s previously identified problems, but only insofar as both rest on the same fundamental weakness: the 16-bit transaction ID (the “session ID” Ptacek described) that ties a DNS response to its query.
Vixie said that adding source port randomization to DNS servers effectively adds about 14 more bits (roughly 16,000 usable ephemeral ports) to the existing 16-bit session IDs, bringing the ID possibility space to a total of 30 bits.
“From a cryptographic perspective, that’s laughable, but it turns out that’s enough,” said Vixie. He stated that with 30 bits of possibility in the ID generation, Kaminsky’s attacks would require so many attempts that other security devices like IDS and IPS should be able to spot the attack with ease, as it would resemble a denial-of-service attack.
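The arithmetic behind Ptacek’s complaint about the 16-bit session ID and Vixie’s “laughable, but enough” 30 bits, as an added example rather than code from the article or from any DNS implementation: a toy resolver draws a fresh transaction ID (and, when patched, a fresh source port) per query and accepts only a response carrying that exact combination, while an off-path attacker floods guesses. The 14 usable port bits follow Vixie’s figure; the attacker’s budget of 100 forged packets landing before the genuine answer in each race is an assumption, and the 16-bit case is also run as a Monte Carlo to confirm the expected-value formula.

```python
import random

TXID_BITS = 16          # the DNS transaction ID Ptacek calls a "session ID"
USABLE_PORT_BITS = 14   # Vixie's figure: randomizing the source port adds ~14 bits


def guess_space(randomize_port):
    """How many (port, transaction ID) combinations an off-path forger must cover."""
    return 2 ** (TXID_BITS + (USABLE_PORT_BITS if randomize_port else 0))


def expected_races(randomize_port, forgeries_per_race):
    """Expected number of query/response races before a forged answer wins.

    In each race the attacker lands `forgeries_per_race` distinct guesses
    before the genuine answer arrives; each guess hits with probability
    1/space, so the per-race success probability is forgeries/space. A
    Kaminsky-style attacker does not wait for a TTL to expire: every race
    asks for a fresh random subdomain, so races are limited only by bandwidth.
    """
    space = guess_space(randomize_port)
    return space / min(forgeries_per_race, space)


def expected_forged_packets(randomize_port, forgeries_per_race):
    """Total forged responses the attacker must send, on average."""
    return expected_races(randomize_port, forgeries_per_race) * forgeries_per_race


def races_until_poisoned(randomize_port, forgeries_per_race, rng):
    """Monte Carlo of one poisoning attempt against a toy resolver.

    The resolver draws a fresh key per query (transaction ID, plus source
    port when randomized) and accepts only a response carrying that exact
    key. The attacker floods a window of `forgeries_per_race` consecutive
    keys starting at a random point; against a uniformly drawn key this
    has the same hit probability as any set of distinct guesses.
    """
    space = guess_space(randomize_port)
    races = 0
    while True:
        races += 1
        resolver_key = rng.randrange(space)
        window_start = rng.randrange(space)
        if (resolver_key - window_start) % space < forgeries_per_race:
            return races


def mean_simulated_races(randomize_port, forgeries_per_race, trials=100, seed=2008):
    """Average races to success over `trials` independent attempts."""
    rng = random.Random(seed)
    return sum(races_until_poisoned(randomize_port, forgeries_per_race, rng)
               for _ in range(trials)) / trials


if __name__ == "__main__":
    for randomize in (False, True):
        bits = TXID_BITS + (USABLE_PORT_BITS if randomize else 0)
        print(f"{bits}-bit key: {expected_races(randomize, 100):,.0f} races, "
              f"{expected_forged_packets(randomize, 100):,.0f} forged packets expected")
    # Only the 16-bit case is cheap enough to simulate directly.
    print(f"simulated 16-bit mean: {mean_simulated_races(False, 100):.0f} races")
```

With the transaction ID alone, about 655 races of 100 forged packets each suffice, which a Kaminsky-style attacker can drive through in seconds because each race is a new name. With the source port randomized as well, the same attacker needs on the order of a billion forged packets, which is the volume Vixie expects an IDS or IPS to notice as a flood.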
“If you’ve got some old NAT box somewhere on your network that does cute things with DNS, that will have to go,” said Vixie. He added that opening ports in the firewall to allow for source port randomization will be necessary, but that such an opening can still be restricted to only the DNS machines.
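A firewall rule of the kind Ptacek and Vixie describe, as an added example written in nftables syntax rather than anything from the article: the resolver host (192.0.2.53 is an assumed address) may send queries from the whole ephemeral port range, and no other host gets that opening. The commented-out rule at the top is the weak shape that quietly undoes the patch.

```nftables
# Weak shape (commented out): a pre-patch habit of letting the resolver
# query only from port 53. With this in force, either the randomized
# source ports never reach the wire or the firewall drops the queries.
#     ip saddr 192.0.2.53 udp sport 53 udp dport 53 accept

table inet edge_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies return to whichever high port the query left from.
        ct state established,related accept

        # The "open all source ports" rule, limited to the DNS machine
        # (192.0.2.53 is an assumed address): any ephemeral source port,
        # to port 53 of any upstream, over UDP and TCP.
        ip saddr 192.0.2.53 udp sport 1024-65535 udp dport 53 accept
        ip saddr 192.0.2.53 tcp sport 1024-65535 tcp dport 53 accept

        # Everyone else still reaches only the internal resolver on port 53.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
    }
}
```

Two caveats the rule set cannot fix on its own. On BIND, a `query-source` or `query-source-v6` statement in named.conf that fixes the `port` has the same pinning effect as the commented-out rule and has to be removed. And whether a NAT device between the resolver and the Internet rewrites the randomized ports sequentially (Vixie’s “cute things with DNS”) is invisible from the resolver’s own side; it can only be confirmed by observing what an external server receives.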
“It’s the best we could come up with,” said Vixie, who advocated the adoption of a secure DNS protocol. Still, Vixie was optimistic about the patching efforts. He compared the effort to what took place prior to Y2K. He predicted that, when Kaminsky’s attack is revealed, there may be a slight letdown as the exploit may not become rampant in the wild due to eight months of prior planning by vendors and developers. Such a lack of fervor, said Vixie, would be an indication of a successful patching initiative.
Share this link: http://www.sysmannews.com/link/32504