

A graphic for the Metasploit Framework, which published code for the DNS vulnerability late last July.
Researcher posits the scope of a widespread flaw in the internet's core infrastructure

Speaking at the Black Hat security conference in Las Vegas, security researcher Dan Kaminsky warned that a critical vulnerability in the internet’s worldwide DNS (Domain Name System) infrastructure is worse than initially thought.

Kaminsky initially came forward early last month to disclose the existence of a critical security bug in most of the world’s DNS servers. The bug allows hackers to silently redirect web surfers to an alternate, possibly malicious, web site: when a user’s web browser asks a poisoned DNS server for the address of a given internet domain, like www.microsoft.com, it is handed the attacker’s address instead.

“Every network is at risk,” said Kaminsky, who described the flaw as one of the biggest internet security holes since 1997.

Kaminsky says the extent of this flaw – details of which he promised to withhold until later this month, until they were suddenly leaked and then retracted by bloggers at security firm Matasano in July – allows far more than simple website redirection. Since the internet is highly reliant on its DNS infrastructure – to the point where SSL certificates authenticate against it – the flaw allows for a staggeringly wide variety of attacks: poisoned DNS entries could allow hackers to silently redirect attempts to log in to FTP, mail, and Telnet servers, or fool systems like Windows Update into downloading from servers under hackers’ control.

“There are a ton of different paths that lead to doom,” said Kaminsky to the attendees of his standing-room-only presentation on Wednesday.

According to Kaminsky, the ISPs of roughly 42 percent of broadband consumers around the world have patched their DNS servers, and approximately 70 percent of the world’s Fortune 500 are protected. Of the remaining 30 percent, roughly half of the companies Kaminsky surveyed encountered difficulties patching their systems, while the other half has made little or no effort to fix their systems.

When details of the flaw were released, Kaminsky simply told server operators to “patch. Today. Now. Yes, stay late.”

Wired’s Threat Level reports that Kaminsky spent more than an hour running through the variety of systems that are vulnerable to attack, noting that a hacked DNS server produces a “domino effect” amongst linked systems. He is aware of at least fifteen ways it could be used, but notes that more are likely to turn up the longer it is studied.

Despite the urgency, however, there have been few reports of the vulnerability surfacing in the wild. This is despite the exploit code being made available for the widely used Metasploit Framework, which gives researchers and hackers alike easy access to a variety of attacks. One such incident, published July 30 on the official Metasploit blog, notes a successful attempt to poison AT&T’s Austin, Texas DNS servers to redirect Google surfers to a page that served up hidden advertisements.

Kaminsky posted a simple test on his website DoxPara, which allows visitors to determine if their DNS servers are vulnerable to attack.
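The fix that vendors shipped for this flaw was UDP source port randomization: a resolver that sends every query from the same port lets a forged reply match on the 16-bit transaction ID alone, while a randomized port multiplies the space a forger must hit. Kaminsky's DoxPara test checks exactly that property by watching the ports a resolver uses. The following is an added example, not code from the article, from Kaminsky or from DoxPara: it scores batches of (transaction ID, source port) observations the way such a checker would, and the three sample batches are constructed with a seeded generator rather than captured from any real resolver.

```python
import math
import random
from collections import Counter

# Constructed observations: (transaction ID, UDP source port) pairs as a
# checker would see them across a batch of queries from one resolver.
# Synthetic data, not a capture of any real resolver.
_rng = random.Random(2008)

FIXED_PORT = [(_rng.randrange(65536), 32768) for _ in range(200)]
SEQUENTIAL_PORT = [(_rng.randrange(65536), 40000 + i) for i in range(200)]
RANDOM_PORT = [(_rng.randrange(65536), _rng.randrange(1024, 65536))
               for _ in range(200)]


def shannon_entropy(values):
    """Bits of entropy in the empirical distribution of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def fraction_sequential(values):
    """Share of consecutive observations that step by exactly +1
    (an incrementing port counter is as guessable as a fixed one)."""
    steps = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0


def forged_reply_space(port_count):
    """Number of (TXID, port) combinations a forged reply must match:
    65536 transaction IDs times the number of ports the resolver may use."""
    return 65536 * port_count


def assess(samples):
    """Classify a resolver's source-port behaviour from observed queries."""
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    n = len(samples)
    # n samples can show at most log2(n) bits of entropy, so compare the
    # measured value against that cap rather than against 16 bits.
    max_bits = math.log2(n)
    port_bits = shannon_entropy(ports)
    txid_bits = shannon_entropy(txids)
    distinct = len(set(ports))

    if distinct == 1:
        verdict = "fixed source port"
    elif fraction_sequential(ports) > 0.9:
        verdict = "sequential source port"
    elif port_bits < 0.8 * max_bits:
        verdict = "weakly randomized source port"
    else:
        verdict = "randomized source port"

    return {
        "samples": n,
        "distinct_ports": distinct,
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        "measurable_bits_cap": round(max_bits, 2),
        "forged_reply_space": forged_reply_space(distinct),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, batch in (("fixed", FIXED_PORT),
                        ("sequential", SEQUENTIAL_PORT),
                        ("random", RANDOM_PORT)):
        print(name, assess(batch))
```

The verdict is only as good as the batch size: two hundred queries can never show more than about 7.6 bits of port entropy, which is why the report carries the cap alongside the measured value, and why a single query (or two queries a few seconds apart, as some commenters below tried) cannot distinguish a patched resolver from an unpatched one.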



Comments

1 Question
By William Gaatjes on 8/8/2008 3:01:00 AM , Rating: 2
If I enter the IP address directly instead of the name, this would not work because in that case I don't need the DNS, right?

To be on the safe side you could use the IP address directly for the sites where you would have to pay money.
It would not be so difficult to copy-paste this address from a text file. Hell, one could even make a plugin that does this directly.

If I am wrong please tell me, 'cause I am rusty on my knowledge of how the internet protocol works.




RE: 1 Question
By Vinnybcfc on 8/8/2008 4:17:33 AM , Rating: 5
It would work, but you would need to know the IP addresses beforehand; otherwise you would be looking up the address of the redirected server.


RE: 1 Question
By solah13 on 8/8/2008 8:12:29 AM , Rating: 2
A plugin wouldn't be necessary, you could use your hosts file.


RE: 1 Question
By Digimonkey on 8/8/2008 8:23:47 AM , Rating: 2
The problem with this is SSL authenticates via domain name. Another thing is that the machine may be answering for multiple domains. If you connect to the IP address directly it'll just serve up the default/main site, which may not be the one you want.


RE: 1 Question
By johnadams on 8/8/2008 9:17:31 AM , Rating: 2
And remember - IP addresses are more likely to change than the DNS assigned name.


RE: 1 Question
By leexgx on 8/9/2008 8:31:49 AM , Rating: 2
Not normally; you normally get a fixed IP. If the IP changed a lot you would have to wait up to 4 hrs for all the DNS servers to update the new IP in their records.

If it's a home user connection they do normally change on reconnect or after 24 hrs.

UK cable is fixed until a new MAC address is used (new PC or router plugged in).
UK BT lines mostly get a new IP on reconnect (no 24 hr new IP); sometimes you get a static IP for home broadband (Pipex).
Business lines 99% always have a static DHCP IP unless requested to have a dynamic IP.


RE: 1 Question
By ryedizzel on 8/9/2008 1:24:50 PM , Rating: 2
quote:
Business lines 99% always have a static DHCP IP unless requested to have a dynamic IP.

I love reading comments from wannabe tech nerds. There is no such thing as a static DHCP IP. And why would a business ever request to have a dynamic IP?


RE: 1 Question
By TomCorelis (blog) on 8/10/2008 6:51:50 PM , Rating: 2
Yeah, there is. I can set a DHCP server to reserve and allocate specific IPs to specific computers. You get the configuration ease of DHCP with the unchanging nature of a static IP.


RE: 1 Question
By leexgx on 8/9/2008 8:35:45 AM , Rating: 2
Static is useful for security use, which is why you can normally get them for home use (some banking/other systems require your IP to be static to allow you to connect to the service).


RE: 1 Question
By leidegre on 8/12/2008 4:13:12 AM , Rating: 2
If you intend to use a conventional browser to view the web, you'll need to inject the Host header with each request.
You can build a simple proxy which does this, but in order for web servers to process your request they need to know which Host you requested, as several domains can point to the same physical server. All this is part of the HTTP/1.1 specification.

People get ripped off on the internet all the time, but it's not just anyone and it's not necessarily due to some technical flaw. Some people just ain't careful or they lack the ability to sense danger.
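The point Digimonkey and leidegre make in this thread (one IP address answers for several domains, and the server chooses the site from the HTTP/1.1 Host header, so connecting by raw IP gets you the default site) can be shown on a single machine. This is an added example, not code from the article or from any commenter: it starts a throw-away HTTP server on 127.0.0.1 that serves two constructed hostnames, bank.example and shop.example, and then fetches by IP address with and without an explicit Host header.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed name-based virtual-hosting table: hostname -> page body.
# The hostnames are placeholders, not real sites.
SITES = {
    "bank.example": b"bank login page",
    "shop.example": b"shop front page",
}
DEFAULT_SITE = "shop.example"   # what a request with no usable Host header gets


class VHostHandler(BaseHTTPRequestHandler):
    """Picks the page from the Host header, like a name-based virtual host."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host, SITES[DEFAULT_SITE])
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def start_server():
    """Bind an ephemeral port on loopback and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_by_ip(ip, port, host_header=None):
    """GET / from a server addressed by IP, with an optional explicit Host
    header. skip_host=True stops http.client adding its own Host line, so
    the request carries exactly the header we choose (or none)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    if host_header is not None:
        conn.putheader("Host", host_header)
    conn.endheaders()
    body = conn.getresponse().read().decode()
    conn.close()
    return body


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("by IP only:       ", fetch_by_ip("127.0.0.1", port))
    print("with Host header: ", fetch_by_ip("127.0.0.1", port, "bank.example"))
    srv.shutdown()
    srv.server_close()
```

Connecting by IP alone returns the default site; only the request that carries `Host: bank.example` reaches the intended site. Note that this only reproduces the virtual-hosting part of the thread: a certificate check in a real browser would still compare the certificate's name against the name in the URL bar, so IP-pinning does not recover the SSL assurance Digimonkey mentions.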


Tool
By TomZ on 8/7/2008 8:32:31 PM , Rating: 2
quote:
Kaminsky posted a simple test on his website DoxPara, which allows visitors to determine if their DNS servers are vulnerable to attack.

I don't know about that tool. I clicked on it, and it said that my ISP's DNS was vulnerable to cache poisoning. Then just for kicks, I ran the test again a few seconds later, and it said that the same DNS was safe. I'm not sure I can trust the results...

Unless AT&T patched the DNS in between my two clicks. :o)




RE: Tool
By Dark Legion on 8/8/2008 1:21:05 AM , Rating: 2
I'm using OpenDNS, and I ran the test, it said the same yours did. Then under the result, it said "Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS." And then I did the same as you, ran it again, and it showed up fine. That test seems a little dodgy.


RE: Tool
By Zurtex on 8/8/2008 10:44:44 AM , Rating: 2
Whoops, accidentally voted you down, so replying to cancel it out.

But the test seems to work quite well for me :).


RE: Tool
By mxnerd on 8/11/2008 1:04:28 PM , Rating: 2
Same here. I started using OpenDNS a while ago. I feel it's better and faster than my previous ISP Verizon's and current ISP Charter's DNS servers.

Checked their safety and turned out fine.

Highly recommended.


RE: Tool
By EnderJ on 8/8/2008 3:15:06 AM , Rating: 2
All that shows up for me is Page Not Found.


RE: Tool
By RaisedinUS on 8/8/2008 9:03:24 AM , Rating: 2
I get this:
Your ISP's name server, XX.87.66.XXX, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
I assume this is a good thing.


RE: Tool
By mikeyD95125 on 8/10/2008 4:23:41 AM , Rating: 2
Same. Comcast is my ISP if that makes a difference.


around the have?
By tallcool1 on 8/8/2008 7:21:37 AM , Rating: 2
quote:
42 percent of broadband consumers around the have patched their DNS servers,

Around the what?




RE: around the have?
By Master Kenobi (blog) on 8/8/2008 7:49:39 AM , Rating: 4
Around the mulberry bush.


In this case, maybe a little FUD is warranted?
By GaryJohnson on 8/7/2008 8:55:12 PM , Rating: 2
quote:
patch. Today. Now. Yes, stay late.

As I understand it, the patches make it harder to exploit the flaw, but the flaw still exists. The software which runs the protocol is being patched, but the protocol still has the flaw.




By aBott on 8/8/2008 9:12:49 AM , Rating: 2
The problem is that even if your servers are patched, a server further down the line could be vulnerable and your server could be fed bad DNS information.


Whew