Patched DNS still vulnerable to cache poisoning UPDATED

by Stuart Corner
Tuesday, 12 August 2008
After security expert Dan Kaminsky discovered how to exploit a known flaw in the global domain name system, the Internet community moved swiftly to develop and distribute fixes, but now Russian programmer Evgeniy Polyakov claims to have found a way to beat the fix.
The original vulnerability, known as cache poisoning, enables an attacker to direct references to a URL to an incorrect IP address of their own choosing. Details were summed up in this vulnerability note from US-CERT. When the caching server requests a correct IP address from an authoritative server it uses a 16-digit code (65,000 possible combinations), which on the face of it would make it difficult for an attacker to guess the right number and deceive the caching server. However, Kaminsky found a way to try very many combinations before the authoritative server had time to respond, greatly increasing the chance of success and making cache poisoning practicable.

Because this vulnerability is rooted in the way DNS operates, an ironclad solution requires the implementation of new DNS security features in DNSSEC, which will take years to become widespread. As a short-term fix the industry came up with a solution whereby the caching server makes its requests to the authoritative server using random port numbers, of which about 2000 are available. This increases the variations the attacker would need to guess from about 65,000 to 65,000 x 2000. (However, it has been claimed that Apple's fix in its software is only half a fix: instead of using random port numbers it simply increments the port number for each query.)

Now, Polyakov claims to have "successfully poisoned the latest BIND [popular open source DNS software] with fully randomised ports!" He claims the attack took less than ten hours and was achieved by using two attacking machines connected to the attacked server via a GigE link. He says that each attacking server was able to send about 40-50 thousand fake replies before the remote authoritative server returned the correct reply, so if the attacking server was using the correct port, out of about 2000, the chance of successful poisoning was greater than 60 percent. "If you have a GigE LAN, any trojaned machine can poison your DNS during one night..." he concluded.
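To put the figures above into a risk model a defender can reason with, here is an added example (not code from the article or from BIND) that estimates the per-race poisoning probability and the expected number of races for a fixed, a sequential, and a randomised source port. The 16-bit transaction ID space, the roughly 2000 usable ports and the 40-50 thousand forged replies per race are taken from the article; treating a sequential port as no better than a fixed one is this model's own assumption.

```python
"""Risk model for the DNS cache-poisoning race described above.

Constructed example: the numbers (16-bit transaction ID space, roughly 2000
usable source ports, 40-50 thousand fake replies landing before the genuine
answer) are taken from the article; the model itself is an added illustration.
"""

TXID_SPACE = 2 ** 16  # 16-bit transaction ID: 65,536 values


def race_success_probability(fake_replies, port_space, txid_space=TXID_SPACE):
    """Chance that ONE race (one query the attacker triggers) poisons the cache.

    A forged reply must land on the resolver's source port (1 in port_space)
    and carry the right transaction ID. Spraying N distinct IDs before the
    genuine reply arrives matches with probability min(N, txid_space)/txid_space.
    """
    if port_space < 1 or fake_replies < 0:
        raise ValueError("port_space must be >= 1 and fake_replies >= 0")
    p_port = 1.0 / port_space
    p_txid = min(fake_replies, txid_space) / txid_space
    return p_port * p_txid


def expected_races(fake_replies, port_space, txid_space=TXID_SPACE):
    """Expected races until the first success (geometric distribution)."""
    p = race_success_probability(fake_replies, port_space, txid_space)
    return float("inf") if p == 0 else 1.0 / p


# Effective source-port entropy of the resolver behaviours the article contrasts.
# A sequential port is predictable once one query is observed, so it is modelled
# here (assumption) as giving no more protection than a fixed port.
PORT_STRATEGIES = {
    "fixed source port (pre-patch)": 1,
    "sequential source port (Apple-style increment)": 1,
    "random source port (patched, ~2000 usable)": 2000,
}


def compare_strategies(fake_replies=40_000):
    """Map each strategy to (per-race success probability, expected races)."""
    return {name: (race_success_probability(fake_replies, ports),
                   expected_races(fake_replies, ports))
            for name, ports in PORT_STRATEGIES.items()}


if __name__ == "__main__":
    for name, (p, races) in compare_strategies().items():
        print(f"{name:48s} p={p:.6f}  expected races={races:,.0f}")
```

With 40,000 forged replies the per-race chance on a known port is about 61 percent, matching the "greater than 60 percent" quoted above; random ports divide that by 2000, which is why the attack still succeeds given enough races on a fast LAN.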
Polyakov's discovery could be only the tip of the iceberg. Kaminsky presented details of his technique at the Black Hat conference earlier this month. And he concluded his presentation with some dire warnings, saying the Internet community had to "get better at fixing infrastructure...We got lucky with this bug. The next one will not be so 'smooth'...A lot of people just do not realise the degree to which security best practices have been ignored for years. DNS should not have been capable of this much damage." He concluded: "Even with DNS fixed, there are other scenarios in which unencrypted IP traffic is lost to an attacker. That attacker is capable of way more than he should be. More than I've even said here."