
Major DNS flaw: details likely to be revealed at Black Hat

Business IT - Security

The global Internet community is bracing for potential malicious attacks on the domain name system, as Kaminsky, the discoverer of the DNS exploit that sent shockwaves through the industry last month, is expected to reveal full details of it on August 6 at the Black Hat conference in Las Vegas.

The attack, known as cache poisoning, works by the attacker inserting a false IP address into the cache of domain-name-to-IP-address mappings maintained by all ISPs and many enterprise systems. It exploits a flaw in the domain name system itself, which meant that every piece of software used to provide DNS lookup functionality was vulnerable. A vulnerability note on the US CERT web site contains details and a lengthy list of vendors whose products were vulnerable.

Kaminsky briefed the industry in March on the means he had discovered to exploit this vulnerability, and software patches to afford protection were developed. He has since revealed some details of the technique, but not all. And while software vendors have come up with solutions, these have not addressed the fundamental flaw in the system; they have simply made it harder to exploit. In essence, to insert a false IP address into a domain name cache the attacker needs to determine the value of a 16-bit code used by the caching server when it interrogates what it thinks is a bona fide DNS server on the Internet. This equates to around 65,000 possibilities. This flaw has been known for some time, but prior to Kaminsky's exploit it would likely have taken weeks for an attacker to find the right code. Kaminsky's technique has reduced the time to minutes. The solution has been to use a different UDP port for each query, increasing the number of combinations an attacker would need to try 2000-fold.

Writing on his blog, Kaminsky explains it thus: "Before the attack: A bad guy has a one in sixty five thousand chance of stealing your Internet connection, but he can only try once every couple of hours. After the attack [which Kaminsky discovered]: A bad guy has a one in sixty five thousand chance of stealing your Internet connection, and he can try a couple thousand times a second. After the patch: A bad guy has a one in a couple hundred million, or even a couple billion chance of stealing your Internet connection. He can still try to do so a couple thousand times a second, but it's going to make a lot of noise."
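As an added illustration, not code from the article or from Kaminsky, the following Python models the guess space the two paragraphs above describe (16-bit transaction ID, optionally multiplied by the number of possible source ports) and adds a defender-side check, run over constructed query samples, for the fixed-source-port condition that marks an unpatched resolver. The port-space figure of 2000 is taken from the article's "2000 fold" statement, and the entropy threshold is an assumed value chosen for illustration.

```python
# Added example (not from the article): a risk model of the cache-poisoning
# guess space, plus a check over constructed resolver query samples for the
# fixed-source-port condition that left resolvers exposed before the patch.
import math
import random
from collections import Counter

TXID_SPACE = 2 ** 16           # 16-bit DNS transaction ID (~65,000 values)
DEFAULT_PORT_SPACE = 1         # unpatched: every query leaves the same port
RANDOMISED_PORT_SPACE = 2000   # assumed from the article's "2000 fold" figure


def keyspace(port_space: int = DEFAULT_PORT_SPACE) -> int:
    """Number of (transaction ID, source port) pairs a spoofer must guess."""
    return TXID_SPACE * port_space


def hit_probability(attempts: int, port_space: int = DEFAULT_PORT_SPACE) -> float:
    """Probability that `attempts` blind guesses include the right pair.
    Simplified model: each guess is uniform over the keyspace and independent."""
    return 1.0 - (1.0 - 1.0 / keyspace(port_space)) ** attempts


def expected_seconds_to_hit(rate_per_second: float,
                            port_space: int = DEFAULT_PORT_SPACE) -> float:
    """Mean time to a correct guess for an attacker sending `rate_per_second` forgeries."""
    return keyspace(port_space) / rate_per_second


def port_entropy_bits(samples) -> float:
    """Shannon entropy (bits) of the UDP source ports in `samples`, where each
    sample is a (source_port, txid) pair observed on a resolver's outbound queries."""
    counts = Counter(port for port, _ in samples)
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_unpatched(samples, min_bits: float = 4.0) -> bool:
    """True when the source ports carry almost no entropy, i.e. the resolver still
    sends every query from one fixed port. The threshold is an assumed value."""
    return port_entropy_bits(samples) < min_bits


# Constructed samples for two hypothetical resolvers, seeded for reproducibility.
_rng = random.Random(2008)
FIXED_PORT_SAMPLES = [(53, _rng.randrange(TXID_SPACE)) for _ in range(200)]
RANDOM_PORT_SAMPLES = [(_rng.randrange(1024, 65536), _rng.randrange(TXID_SPACE))
                       for _ in range(200)]

if __name__ == "__main__":
    print(f"unpatched, 2000 forgeries/s: {expected_seconds_to_hit(2000):.0f} s to expected hit")
    print(f"patched:   {expected_seconds_to_hit(2000, RANDOMISED_PORT_SPACE) / 86400:.0f} days")
    print("fixed-port resolver flagged:", looks_unpatched(FIXED_PORT_SAMPLES))
    print("random-port resolver flagged:", looks_unpatched(RANDOM_PORT_SAMPLES))
```

The keyspace with 2000 possible ports comes to about 131 million pairs, matching Kaminsky's "one in a couple hundred million"; the entropy check is the same idea as his blog's resolver test, reduced to its core.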

Patches have been developed for all software from major vendors, but many ISPs, especially smaller ones, use the open-source software from the ISC known as BIND, and much unpatched software is believed to still be in use.

On his blog site, Kaminsky has a feature that enables users to interrogate their ISP's DNS to determine whether it is vulnerable. On 25 July, he wrote: "From July 8th to July 9th, 4242 of 5000 tests actively run by users behind unique name servers showed that server to be vulnerable. That's about 85 percent. Today, July 25th, the last 5000 tests (about the last six hours) from unique name servers show only 2503 of 5000 vulnerable — just above 50 percent."

Nominum, which supplies DNS software to over 84 customers serving about 120 million broadband users, a figure it estimates to be about 30 percent of the global total, says it had implemented upgrades to all its customers' systems by mid July.

The new DNSSEC security system would provide a long-term solution, but will take years to implement. Nominum says it supports DNSSEC today, "But even the strongest advocates readily admit DNSSEC is going to take time, measured in years, to get deployed. Meanwhile hackers are not going away, exploits will evolve, bandwidth and processor improvements will benefit attackers. We cannot stand still and assume new security solutions will not be needed because we have DNSSEC."
