DNS Vulnerabilities Are Nothing New




July 14, 2008
This is an update to a story originally posted on July 8.

Dan Kaminsky says he knows how to break the Internet. At the annual Black Hat conference in Las Vegas next month, security researcher Kaminsky will reveal his much-touted DNS attack, which he claims exploits a fundamental flaw in the underlying protocol.

Fortunately, Kaminsky went to DNS software makers earlier this year and coordinated a patch effort. Those patches were released in early July, but with a vulnerability that’s so widespread, it remains to be seen whether the Internet is prepared for Kaminsky’s big reveal.

Thomas Ptacek, principal at Matasano Security, said that DNS’ flaws have been well documented. “We’ve known about this since 1995,” he said.

Ptacek went on to explain the problems with DNS. “You have this thing called the session ID, and it’s there because the one server does multiple responses. Since about 1985, everyone has known that IP is totally spoofable. DNS is no different,” said Ptacek.

“So most protocols rely on strong session IDs to keep people from spoofing packets,” he continued. “You look at a typical Java Web app, where you have a 128-bit session ID. It’s cryptographically impossible to guess that. DNS is a 16-bit session ID. There are only 65,000 possible responses. When it came up originally, the most popular name server on the Internet was BIND. In 1995 or 1996, when this stuff was originally talked about, the people who did BIND said, ‘We don’t want to do a whole bunch of work to stop this attack. There’s not a lot we can do about it.’ What we need to do to fix this is DNSSEC.”
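The ID-width point above, as an added example (not code from the article or from any DNS server): a resolver accepts a UDP response only if it matches the outstanding query, and the 16-bit ID in the header is the only unpredictable value in that match. The function names and the `example.com` packets are constructed for illustration.

```python
import struct

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = (part.encode("ascii") for part in name.split("."))
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def make_response(query: bytes, txid: int) -> bytes:
    """Constructed test packet: empty response echoing the query's question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)  # QR=1
    return header + query[12:]

def response_matches(query: bytes, response: bytes) -> bool:
    """Resolver-side acceptance test: a response, same ID, same question."""
    if len(response) < len(query):
        return False
    q_id, = struct.unpack("!H", query[:2])
    r_id, r_flags = struct.unpack("!HH", response[:4])
    is_response = bool(r_flags & 0x8000)
    same_question = response[12:len(query)] == query[12:]
    return is_response and r_id == q_id and same_question

def guess_probability(id_bits: int, distinct_guesses: int) -> float:
    """Chance that one of N distinct guessed IDs equals a uniformly random ID."""
    return min(1.0, distinct_guesses / 2 ** id_bits)

if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    print(response_matches(q, make_response(q, 0x1234)))  # matching ID
    print(response_matches(q, make_response(q, 0x4321)))  # wrong ID is dropped
    for bits in (16, 128):
        print(bits, guess_probability(bits, 1000))
```

The same number of guesses that covers a meaningful share of a 16-bit ID space is negligible against a 128-bit one, which is the contrast Ptacek draws with Web session IDs.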

But DNSSEC, the specification for a secure DNS protocol, only received its first major RFCs in 2005, and it is almost non-existent in the wild. “After 13 years of talks, we still don’t have DNSSEC,” said Ptacek.

Andrew Jaquith, program manager for security at the Yankee Group, agreed, acknowledging that DNS is only getting more vulnerable as more sophisticated attacks come to light, such as Amit Klein’s cache poisoning attacks, revealed last year.

This site's content Copyright © 1999 - 2012 by BZ Media LLC, All rights reserved.