AS OF 8/20/2008 9:38AM EST
Kaminsky Details DNS Hack
By Alex Handy, July 25, 2008
When noted security researcher Dan Kaminsky spoke yesterday, the world listened.
“We're in a lot of trouble,” said Kaminsky. “This attack is very good. This attack is being weaponized out in the field.” When the details of his new DNS attack vector were leaked two weeks after his initial public announcement, Kaminsky decided to speak out a week ahead of his scheduled Black Hat appearance to a select group in a Web presentation.
Kaminsky is director of penetration testing for IOActive and a frequent speaker at security conferences. Originally, Kaminsky said he was looking for a way to send files over DNS, in an effort to find a way to speed up content distribution. While researching this project, he rediscovered some of his previous work that allowed a malicious user to poison DNS caches. Soon after, Kaminsky was working on something he knew would break the Internet by allowing the sacred association between IP numbers and the domain names they host to be changed by one person almost at will.
Kaminsky's attack is, essentially, a bait and switch. He combines two well-known DNS problems with a third of his own discovery. When a DNS server is repeatedly asked for records it does not have, an attacker can supply an illicit address in the referral and couple it with other poisoned records that are completely unrelated to the query. Asking for 1111.sysmannews.com could yield a spoofed response packet that also gives an IP address to replace the existing records for anything from google.com to DHS.gov.
“We all thought that it was hard to poison DNS records because it's a race, and you've got a good guy and you've got a bad guy. The good guy has an advantage, a secret number from 0 to 65,000. You can get there first but you can't cross the finish line unless you've got that number. Beyond that, to the winner goes the TTL [Time to Live]. The winner can choose how long he has won for. I am 65,000 times more likely to win, if you want to try again that'll take another couple hours or days,” said Kaminsky of the traditional security picture of DNS.
“That was the thinking. There are three bugs. Two of the bugs were kind of known,” said Kaminsky, describing the attack in an analogy. “The first bug is that the bad guy's got the starter pistol. It's a race, and the bad guy gets to decide when the race starts.” This is because the bad guy can set up a Web page that contains multiple DNS requests, including 100 images, all hosted on his own subdomains of the attacked domain: http://1111.hacker.com/image.jpg, http://1112.hacker.com/image.jpg, etc.
“The second bug is that the bad guy has multiple guys in the race. The bad guy's got 100 people with different numbers floating out there. It's never one in 65,000 packets, it's one in 650,” said Kaminsky. Essentially, this bug comes from the fact that an attacker can use multiple points of origin, such as a zombie bot network, to send out spoofed DNS packets.
“The big deal is the third bug, which says, 'Who says you only have to have one race?' The actual nature of the bug in DNS is that there are two replies you can get. Yes, you might get the answer you want back, but DNS is a hierarchy, and you have to be able to traverse the hierarchy. It's really a relay race. This is just how DNS works. So what you do as the bad guy is you don't look up www.blackhat.com, you look up 1.blackhat, 2.blackhat, etc. When the good guy wins, he says, 'I don't know what that is.' When the bad guy wins, he says, '1.blackhat.com? You can check at NS1.blackhat.com, and here's its address,'” said Kaminsky. Of course that address for NS1.blackhat.com would be poisonous and direct users to a fake site.
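To make the "unrelated records" problem and the third bug concrete, here is an added example (not code from the article, and not taken from any real resolver) of the bailiwick check a caching resolver applies to the records in a response: records outside the zone the answering server is responsible for are discarded, while in-bailiwick referral glue of the kind the third bug relies on passes the check untouched, leaving only the transaction-ID race to decide whether it is genuine. The record layout, the sample responses (built from the article's own example names) and the 192.0.2.x documentation addresses are all constructed for this illustration.

```python
# Added example, not from the article: a minimal bailiwick filter of the kind
# a caching resolver applies to the records carried in a DNS response.
# Record layout and sample responses are constructed for this illustration;
# addresses come from the 192.0.2.0/24 documentation range.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.blackhat.com."
    rtype: str   # record type: "A", "NS", ...
    rdata: str   # address or target name


def _norm(name: str) -> str:
    """Canonical form: lower-case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a name beneath it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split response records into (cacheable, discarded).

    `zone` is the zone the answering server is authoritative for; anything
    outside it is unrelated to the query and must not enter the cache.
    """
    cacheable, discarded = [], []
    for rr in records:
        (cacheable if in_bailiwick(rr.name, zone) else discarded).append(rr)
    return cacheable, discarded


# Constructed response 1: an answer for 1111.sysmannews.com that smuggles in
# records for names the sysmannews.com servers have no business answering for.
RESPONSE_UNRELATED = [
    RR("1111.sysmannews.com.", "A", "192.0.2.10"),
    RR("google.com.", "A", "192.0.2.11"),
    RR("DHS.gov.", "A", "192.0.2.12"),
]

# Constructed response 2: a referral for 1.blackhat.com with glue for
# ns1.blackhat.com. Every record is inside blackhat.com, so the filter
# keeps all of them; whether the glue is genuine is decided only by the
# transaction-ID race, which is exactly the point of the third bug.
RESPONSE_REFERRAL = [
    RR("1.blackhat.com.", "NS", "ns1.blackhat.com."),
    RR("ns1.blackhat.com.", "A", "192.0.2.20"),
]


def demo() -> dict[str, list[str]]:
    """Run both constructed responses through the filter."""
    kept1, dropped1 = filter_response("sysmannews.com", RESPONSE_UNRELATED)
    kept2, dropped2 = filter_response("blackhat.com", RESPONSE_REFERRAL)
    return {
        "unrelated_kept": [r.name for r in kept1],
        "unrelated_dropped": [r.name for r in dropped1],
        "referral_kept": [r.name for r in kept2],
        "referral_dropped": [r.name for r in dropped2],
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

The first response shows what the bailiwick rule does stop: the google.com and DHS.gov records never reach the cache. The second shows what it cannot stop, which is why the patched resolvers had to make the race itself harder to win rather than tighten this check.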
Kaminsky has been accused of repackaging old vulnerabilities since he first said he had a new DNS attack. He told his audience that, while it uses existing vulnerabilities, this itself was a new vulnerability.
“Most of the other bugs we've known had to wait until the query runs out. The new stuff was realizing, 'I can overwrite existing stuff, and that means I can target popular sites,' ” said Kaminsky. “I can target stuff that is always in cache and has a long TTL. You don't even have to reply with the name you were asked.”
Patch It Now
Jerry Dixon, former director of the Cyber Security Division of the Department of Homeland Security, agreed with Kaminsky and cautioned administrators around the world to patch as soon as possible. He classified the Kaminsky attacks as extremely dangerous and said that real-world implementations were already available online.
Don Wood, director of technology for DNSstuff, said, “It's definitely a real risk, and it's something DNS admins need to be aware of. Some ISPs are scrambling to try and change their version of Bind. The older versions of Bind certainly are vulnerable.”
Rich Mogull, security researcher and founder of Securosis, suggested that enterprises having trouble patching ancient DNS servers remove old systems entirely. Instead of waiting around to patch these legacy systems, Mogull suggested that admins simply replace these systems with newer software-based DNS servers.
When Kaminsky initially discovered this attack, he went to all the major vendors of DNS software and worked with them to build a patch. Those patches arrived in early July, along with Kaminsky's admission of his discovery. While Kaminsky didn't reveal the actual nature of his attacks publicly until yesterday, the Metasploit team of H.D. Moore and Dustin Trammell released working code on Wednesday.
Kaminsky's attack leaves numerous nooks and crannies that need to be filled. The standard fix applied by all patches is to add source port randomization to DNS queries. This increases the entropy of guessing a session ID from 16 bits to 30 bits.
“We have made the exploit thousands to tens of thousands of times harder, so that it will have to generate an enormous amount of traffic on your network. I know it's not the most perfect thing, I know it's a big deal, but patch. It's no longer patching your network for 'I don't know what attack,' it's patching for Metasploit because it's going to destroy us,” said Kaminsky.
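The arithmetic behind the figures quoted above (the 1-in-65,000 race, the 1-in-650 race with 100 guesses in flight, and the jump from 16 to 30 bits of entropy) as an added worked example; this is not from the article or from any DNS implementation. The model it uses is an idealisation chosen for the illustration: each spoofed reply that arrives before the genuine one counts as one distinct guess at the hidden value, and each race is independent of the ones before it. Its purpose is to show a defender what the patch buys, not to model a real attack precisely.

```python
# Added example, not from the article: the odds arithmetic behind the
# "1 in 65,000", "1 in 650" and "16 bits to 30 bits" figures quoted above.
# Model (an idealisation chosen for this illustration): each spoofed reply
# that arrives before the genuine one is one distinct guess at the hidden
# value, and each race is independent of the previous ones.


def race_win_probability(entropy_bits: int, guesses_per_race: int) -> float:
    """Chance that one race is lost to the forger, given `entropy_bits` of
    unpredictable state and `guesses_per_race` distinct spoofed replies."""
    return min(1.0, guesses_per_race / 2 ** entropy_bits)


def expected_races(entropy_bits: int, guesses_per_race: int) -> float:
    """Mean number of races before the first forged win (geometric)."""
    return 2 ** entropy_bits / guesses_per_race


def cumulative_probability(entropy_bits: int, guesses_per_race: int, races: int) -> float:
    """Probability of at least one forged win within `races` races."""
    p = race_win_probability(entropy_bits, guesses_per_race)
    return 1.0 - (1.0 - p) ** races


def hardening_factor(bits_before: int, bits_after: int) -> int:
    """How many times more races the same forger needs after the patch."""
    return 2 ** (bits_after - bits_before)


def summary(races: int = 1000, guesses: int = 100) -> dict:
    """Compare the unpatched resolver (16-bit transaction ID only) with the
    patched one (ID plus randomized source port, about 30 bits) for a forger
    who gets `guesses` replies in per race and `races` races in total."""
    return {
        "one_guess_16bit": expected_races(16, 1),              # 65,536 races
        "hundred_guesses_16bit": expected_races(16, guesses),  # about 655 races
        "hundred_guesses_30bit": expected_races(30, guesses),  # about 10.7 million
        "factor": hardening_factor(16, 30),                    # 16,384
        "p_within_races_16bit": cumulative_probability(16, guesses, races),
        "p_within_races_30bit": cumulative_probability(30, guesses, races),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value:,.6g}")
```

With the article's numbers plugged in, 1,000 races against an unpatched resolver succeed with probability close to 0.78, while the same effort against a patched one stays below one in ten thousand; the factor of 2^14 = 16,384 is the "thousands to tens of thousands of times harder" Kaminsky describes.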
How to Fix the Internet
There were numerous other proposals to block this attack, but Kaminsky insisted that source port randomization was the best fix. Dixon said that, while the U.S. government is now considering implementing DNSSEC, the secure DNS standard, a DNSSEC-enabled America, even as an example of how to do things right, would only be secure if the rest of the Internet moved to the unfinished standard as well.
Another point of difficulty is unruly NAT boxes. “There are NAT firewalls that are removing the entropy from the source ports,” said Kaminsky. He apologized for leaving firewall and NAT vendors out of the initial patch discussions, but said that there would be new software from most such companies as time went by.
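The NAT problem is one an administrator can check for directly: watch the source ports of the resolver's outbound queries from the outside of the NAT or firewall and see whether they still look random. The following is an added example (not from the article, and not the code of any of the public port-randomness testers of the time, which worked on the same principle) that scores a set of observed ports. A plain entropy figure is not enough, because a NAT that hands out ports sequentially keeps every port distinct while making the next one trivially predictable, so the check also measures how often consecutive ports are adjacent. The log line format, the three logs and the 10.0.0.2 / 192.0.2.53 addresses are constructed for this illustration.

```python
# Added example, not from the article: a defender-side check of whether a
# resolver's outbound queries, as seen on the outside of a NAT/firewall,
# still carry randomized source ports. The log line format and all three
# logs below are constructed for this illustration.
import math
import random
import re
from collections import Counter

LOG_RE = re.compile(r"src=(?P<ip>[\d.]+):(?P<port>\d+)\s+dst=[\d.]+:53\s+qname=(?P<qname>\S+)")


def source_ports(log_lines):
    """Extract the UDP source port of every outbound query line."""
    ports = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            ports.append(int(m.group("port")))
    return ports


def assess_source_ports(ports):
    """Score a sequence of observed source ports.

    A healthy patched resolver shows many distinct ports spread across the
    ephemeral range with no run-to-run pattern. A NAT that rewrites ports
    sequentially preserves distinctness but destroys unpredictability, so
    the sequential fraction is checked alongside the entropy and the spread.
    """
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observations")
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    diffs = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in diffs if 0 < d <= 2) / len(diffs)
    spread = max(ports) - min(ports)
    good = entropy >= 0.9 * math.log2(n) and sequential < 0.2 and spread > 10_000
    return {
        "observations": n,
        "distinct": len(counts),
        "entropy_bits": round(entropy, 2),
        "sequential_fraction": round(sequential, 2),
        "spread": spread,
        "verdict": "GOOD" if good else "POOR",
    }


def _constructed_log(ports):
    """Build log lines in the constructed format for a list of ports."""
    return [
        f"2008-07-25 10:00:{i % 60:02d} query src=10.0.0.2:{p} "
        f"dst=192.0.2.53:53 qname={i}.example.com."
        for i, p in enumerate(ports)
    ]


# Three constructed captures: a properly randomizing resolver, the same
# resolver behind a NAT that allocates ports in sequence, and an old
# resolver that sends everything from port 53.
_rng = random.Random(20080725)
LOG_RANDOMIZED = _constructed_log([_rng.randint(1024, 65535) for _ in range(200)])
LOG_NAT_SEQUENTIAL = _constructed_log([40000 + i for i in range(200)])
LOG_FIXED_PORT = _constructed_log([53] * 200)


def demo():
    """Verdict for each constructed capture."""
    return {name: assess_source_ports(source_ports(log))["verdict"]
            for name, log in [("randomized", LOG_RANDOMIZED),
                              ("nat_sequential", LOG_NAT_SEQUENTIAL),
                              ("fixed_port", LOG_FIXED_PORT)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The thresholds (90 percent of the maximum entropy, under 20 percent adjacent ports, a spread of more than 10,000) are illustrative choices; the point of the check is that the capture must be taken on the far side of the NAT, since the resolver's own view of its ports says nothing about what the rest of the Internet sees.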
Another angle that remains unpatched is the client side of the equation. Kaminsky admitted that his attack could be used to target an individual user and that patches for client-side DNS would likely be coming soon. But he also said that his focus with this attack was to help everyone fix the servers, which could be used to compromise thousands of machines at once, rather than focusing on protecting individual users from targeted attacks.
Another possible way to defend against attacks was to lengthen time to live for popular sites in DNS caches. But Kaminsky pooh-poohed this angle of defense.
“The nice thing about this patch is it rolls up all the other knowledge we've found over the years. Long TTL defends against the Metasploit version one attack [an older DNS attack vector]. It does not defend against this attack,” said Kaminsky.
He went on to emphasize the severity of his attack and the now-wild mutations thereof. Kaminsky said that the Internet has traditionally relied on DNS to provide trusted information on how to access remote systems. “That access that we provide is not necessarily going to be ours anymore,” said Kaminsky. “I don't know what Internet we'll be providing, but it's not ours anymore.”