Black Hat 2008 - DNS Goodness by Dan Kaminsky
August 2008 by Michael Hayes CTO, B-4-U Inc.
The Domain Name System (DNS) is one of the Internet’s key network elements. It is a directory service that lets simple names like www.Google.com / 126.96.36.199 and www.Robots-4-U.com / 188.8.131.52 be used as words instead of IP addresses. These DNS look-ups occur every few clicks on the Internet or an intranet; they also occur when e-mail, Voice over IP queries and numerous other normal activities on the Web take place. If there is a way to compromise this service in any major way, there will be a significant decrease of trust in using the World Wide Web.
Looking through the rear view mirror:
The current discussions and buzz of the last 3 months, culminating in Dan’s public pronouncement of the DNS vulnerabilities, were the major announcement at both Black Hat 2008 and DEFCON 2008. The first comment is that this is a fundamental flaw that dates back to the origins of the Internet. In simple terms, a fundamental flaw exists in the DNS look-up process that allows a race condition to take place. A single query to a DNS server triggers a myriad of transactions to find the address of a web site or server. This opens up a time window for a “BAD GUY” to guess a random number and place in the cache a false address that could point to a phishing site or other nefarious site. The “BAD GUY” could then capture information at the end site or position themselves to launch a man-in-the-middle attack.
This is a fundamental design fault that allows cache poisoning: it works behind a firewall, all DNS servers are at risk, and SSL and VPNs do not protect against this problem. Industry rallied fast to do something about it, and hundreds of millions of people and queries are now protected. The majority of major DNS vendors have provided fixes, and major enterprises and carriers have applied these patches.
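The race described above comes down to one question: how many values must a forged reply guess correctly before the resolver accepts it? The 2008 vendor patches added a randomized UDP source port to the 16-bit transaction ID that older resolvers relied on alone. The toy model below is an added example, not code from the talk or from any DNS vendor; it implements only the resolver-side validation check and measures how often blind forgeries get past it. The fixed port of 53, the ephemeral port range 1024-65535 and the constructed forger are assumptions for illustration.

```python
"""Toy model of the resolver's reply-validation check, before and after the
2008 patches.  Constructed illustration for this article; not resolver code.

An unpatched resolver matched a reply to its outstanding query by the 16-bit
transaction ID (TXID) only, because its UDP source port was fixed and known.
A patched resolver also randomizes the source port, so a forged reply must
match both values.  acceptance_rate() shows the effect of that extra entropy.
"""
import math
import random

TXID_SPACE = 1 << 16               # 16-bit transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536  # assumed ephemeral source-port range
FIXED_PORT = 53                    # assumed fixed source port of an unpatched resolver


class ToyResolver:
    """Keeps one outstanding query and accepts a reply only if it matches."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.pending = None  # (txid, port) of the outstanding query

    def send_query(self) -> None:
        txid = self.rng.getrandbits(16)
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.pending = (txid, port)

    def accept_reply(self, txid: int, port: int) -> bool:
        """The validation check: TXID and destination port must both match."""
        return self.pending is not None and (txid, port) == self.pending


def guess_space(randomize_port: bool) -> int:
    """Number of (TXID, port) combinations a blind forger has to cover."""
    return TXID_SPACE * ((PORT_HIGH - PORT_LOW) if randomize_port else 1)


def entropy_bits(randomize_port: bool) -> float:
    """Bits of entropy the forger must guess for one query."""
    return math.log2(guess_space(randomize_port))


def acceptance_rate(randomize_port: bool, forged_per_query: int,
                    queries: int, seed: int = 0) -> float:
    """Fraction of queries where at least one blind forged reply was accepted.

    The constructed forger walks the TXID space sequentially and, when the
    port is randomized, guesses a port uniformly; it never sees resolver state.
    """
    resolver = ToyResolver(randomize_port, random.Random(seed))
    forger_rng = random.Random(seed + 1)
    poisoned = 0
    for _ in range(queries):
        resolver.send_query()
        for i in range(forged_per_query):
            txid = i % TXID_SPACE
            port = forger_rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
            if resolver.accept_reply(txid, port):
                poisoned += 1
                break
    return poisoned / queries


if __name__ == "__main__":
    for randomized in (False, True):
        label = "randomized port" if randomized else "fixed port"
        print(f"{label}: {entropy_bits(randomized):.1f} bits to guess, "
              f"acceptance with 65536 forgeries/query = "
              f"{acceptance_rate(randomized, TXID_SPACE, 20):.3f}")
```

With a fixed port, 65536 forged replies cover every possible TXID and the toy resolver is poisoned on every query; with the port randomized, the same budget covers only a tiny fraction of the roughly 4.2 billion combinations, which is the margin the patches buy. The model deliberately ignores timing, query-window length and the authoritative server's legitimate reply, so the numbers illustrate the entropy argument rather than a real resolver's odds.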
To show the seriousness of this design fault, Dan Kaminsky quoted security researcher Brad Hill: "Remember how pissed you were when you found out that the NSA had rooms where they could read everything? That is every kid right now."
Through the looking Glass:
It might be anticlimactic, but the DNS patches that have been developed by numerous vendors need to be applied. Since this race condition is pervasive throughout the Internet and intranets, the risk of malicious activity using these attack vectors is high. It is critical that we ensure that all the patches are applied in a very timely manner (NOW).
Subsequent patching is also critical, to servers, PCs and mobile devices. This is now the most critical step in securing all enterprise and home computers and their networks.
Dan’s slides are available at www.doxpara.com/?p=1204
Dan Kaminsky’s conference