Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Kaminsky's DNS Attack Disclosed, Then Pulled

Posted by Soulskill on Mon Jul 21, 2008 06:00 PM
from the can-of-worms dept.
Security Networking The Internet
An anonymous reader writes "Reverse engineering expert Halver Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak." Reader Time out contributes a link to coverage on ZDNet as well.
+ -
story

Related Stories

[+] Massive, Coordinated Patch To the DNS Released 315 comments
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."
Submission: Kaminsky's DNS Attack Disclosed, Then Pulled by Anonymous Coward
[+] Attack Code Published For DNS Vulnerability 205 comments
get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisioning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."
[+] Patch DNS Servers Faster 145 comments
51mon writes "Austrian CERT used data from one of their authoritative DNS server to measure the rate at which the latest DNS patch (source port randomization) is being rolled out to larger recursive name servers. While about half the traffic (PDF) they receive is now using source port randomization, their data suggest that this is due to ISPs who roll out such fixes immediately. The rate of patching has fallen to disappointingly low levels since. If your ISP isn't patched, perhaps it is time to switch." After details of the DNS vulnerability leaked, researchers |)ruid and HD Moore released attack code; ZDNet's security blog has an analysis.
[+] Apple Still Has Not Patched the DNS Hole 296 comments
Steve Shockley notes an article up at TidBITS on Apple's unexplained failure to patch the DNS vulnerability that we have been discussing for a few weeks now. "Apple uses the popular Internet Systems Consortium BIND DNS server, which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."
[+] DNS Poisoning Hits One of China's Biggest ISPs 86 comments
Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."
[+] DNS Inventor Tackles Flaw 101 comments
nk497 writes "Dr Paul Mockapetris is looking to fix the flaws in the Domain Name System he helped invent. 'It was never meant to be the only security mechanism for naming data on the internet, but was intended for additional security measures to be added to it later.' The flaws, first uncovered by security researcher Dan Kaminsky over the summer, lets attackers redirect genuine URLs to malicious ones — a problem Mockapetris believes could be solved using digital signatures."
[+] Technology: Kaminsky Bug Options Include "Do Nothing," Says IETF 134 comments
netbuzz writes "Meeting in Minneapolis this week, the Internet engineering community is debating whether to aggressively fashion and apply fixes for the so-called Kaminsky bug in the DNS discovered this summer, or to simply let its threat stand as motivation for all to move with greater speed toward DNSSEC, which is considered the best long-term security solution. Problem with the latter approach is that DNSSEC has been in the works for a decade already, no one is confident it will be universally embraced, and the Kaminsky flaw is causing real problems today.
[+] Technology: DNSSEC Implemetation Held Up By Tech Delays 49 comments
Jack Spine writes "VeriSign has said that the main obstacle to DNSSEC implementation has been technical delays. The large size of the .com and .net domains would have made it impractical to deploy earlier versions of DNSSEC, according to VeriSign vice president of naming services Pat Kane. Deployment of DNSSEC will close a major security flaw in the DNS, the internet's equivalent to a telephone directory. The problem of DNS cache poisoning was thrown into sharp relief by researcher Dan Kaminsky last year."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Kaminsky's DNS Attack Disclosed, Then Pulled 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • The push for DNSSec (Score:5, Interesting)

    by QuantumG (50515) * <qg@biodome.org> on Monday July 21 2008, @06:03PM (#24281743) Homepage Journal

    Kinda makes you wonder what they're getting out of it.

    • Re:The push for DNSSec (Score:5, Funny)

      by dintech (998802) on Monday July 21 2008, @06:07PM (#24281785)
      Fame? Notorioty? Unstoppable attractiveness to women?

    • Re:The push for DNSSec (Score:5, Insightful)

      by gatekeep (122108) on Monday July 21 2008, @06:29PM (#24281987)

      DNSSec is still the only ultimate patch for this. Source port randomization just makes it difficult to do given currently available processing and bandwidth capacity. Instead of 16 bits of entropy to crack (DNS Transaction ID) we now have rougly 32 (DNS Transaction ID + Source port).

      Given enough bandwidth, we're still vulnerable to poisoning, but it's not feasible today.

      DNSSec is more future proof. No matter how much bandwidth you have, guess a full certificate is orders of magnitude harder.

        • Re:The push for DNSSec (Score:5, Interesting)

          by 0xygen (595606) on Monday July 21 2008, @07:45PM (#24282759)

          Not to be paranoid, but the argument of "no-one can do this" is often weak in the light of it being governments or intelligence agencies who are trying to mess with your internet access.

          Is he scared of his government?

          Or concerned about what his government may be doing to others in the world?

          The problem is not necessarily on the "some attacker half way across the world on another AS", but may be much closer to home.

        • Re:The push for DNSSec (Score:5, Insightful)

          by Michael Hunt (585391) on Monday July 21 2008, @08:05PM (#24282975) Homepage

          BGP routes are filtered when they're exchanged between eBGP routers. If you don't filter, you're an idiot. This I agree with.

          You're not talking about BGP route filtering, though; you're talking about some kind of reverse path filtering (making sure that a route to the source address exists on the interface that you received the packet from). In practice, you almost never do this on BGP routers, as RPF makes some (somewhat naive) assumptions about the symmetry of Internetwork traffic.

          Most people who have some kind of RPF deployed have it on a customer-facing device, as you generally only have one route per customer (and can make assertions about traffic NOT coming via that route, AND traffic COMING via that route.)

          That said, not an awful lot of people even have RPF deployed. Certainly nowhere near 100%. And it only takes one (or a handful of machines) that can forge UDP source addresses for this to be an issue.

            • Re:The push for DNSSec (Score:5, Informative)

              by Michael Hunt (585391) on Tuesday July 22 2008, @01:40AM (#24285391) Homepage

              It's a hard call in some cases. There's an argument that most (any?) multihomed customers should be able to send packets asymmetrically. That said, nobody with even half a brain should be running a NAS/LNS with single-homed customers WITHOUT RPF, although the (admittedly, in .au) number of people i've crossed paths with who are doing it wrong is staggering.

              Conversely, if i'm peering with you and six other guys, and happen to be carrying traffic to your network (but not advertising a route back to some of MY peers, for e.g. traffic engineering reasons) across a given link, you have no business dropping that traffic.

              RPF is a good idea, but it kind of breaks one of the more fundamental paradigms of the Internets.

  • I've been deeply worried (Score:4, Funny)

    by smitty_one_each (243267) * on Monday July 21 2008, @06:13PM (#24281841) Homepage Journal
    ...about these Monsanto DNA attacks for some time...

  • Doxpara.com also updated. (Score:5, Informative)

    by gatekeep (122108) on Monday July 21 2008, @06:20PM (#24281899)

    Doxpara.com, the blog of Dan Kaminsky who first discovered the vulnerability, has also been updated. [doxpara.com]

    In case of Slashdotting, here's the full update;

    Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (Theyâ(TM)re ready for your traffic.) Thank you to the many of you who already have.

  • That's it (Score:4, Funny)

    by krkhan (1071096) on Monday July 21 2008, @06:41PM (#24282113) Homepage
    I've had enough. From now on, /. isn't /. for me. It's 216.34.181.45. I'm updating all my bookmarks. Wait, why is it redirecting? I have a bad feeling about this. Itsatrick.

  • The significance of the attack... (Score:4, Informative)

    by Rudd-O (20139) on Monday July 21 2008, @06:42PM (#24282129) Homepage

    ...is not just that you can race legit DNS servers for legit queries, is that you can request recursive resolution for bullshit DNS servers, while submitting fake answers WITH malicious informational records that let you poison second-level domains. So by requesting xxjk3j.google.com while submitting your own coolly crafted answer, you can make the victim DNS use YOUR DNS as authoritative for the future google.com replies.

    THAT is the significance of the attack. THAT is what matasano pulled.

  • Better Speculation (Score:5, Informative)

    by logicnazi (169418) <logicnazi@nOspam.gmail.com> on Monday July 21 2008, @08:44PM (#24283275) Homepage

    Alright, so I'm not even someone who does DNS/networking stuff even for a hobby (just a math grad who skimmed the RFCs once or twice) so if I can figure this out from what's up now then any competent bad guy can as well.

    Anyway my guess is that it involves a combination of the birthday attack and the request for multiple nonexistant nameservers. That is as the attacker you trick poisontarget.com into trying to resolve the following locations.

    AAA.google.com
    AAB.google.com ....
    XXX.google.com

    Now you forge a single response packet that works for all of these requests and send many different copies with different TXIDs. Thus to succeed you need only hit ONE of the TXIDs used in the real requests.

    In these forged responses you also have a forged glue record (as suggested in some of the links) which gives you control of lookups for all of google.com at poisiontarget.com after a single success.

    Then again maybe I missed something basic which means this doesn't work.

  • GoogleReader caching FTW (Score:5, Informative)

    by Anonymous Coward on Monday July 21 2008, @10:13PM (#24283991)

    y ecopeland
    0.

    The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.
    1.

    Pretend for the moment that you know only the basic function of DNS -- that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.

    Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bob's unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice -- once when he is called to the counter to place his order and again when he's called back to get his sandwich. If you're wondering, Bob likes ham on rye with no onions.

    If you've got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. It's called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.
    2.

    Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.

    First, QIDs.

    Bob's a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory would like the answer to be 6.6.6.0.

    It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If I'm Mallory and I'm attacking Bob, how can he distinguish my packets from Alice's? Because I can't see the QID in his request, and the QID in my response won't match. The QID is the only thing protecting the DNS from Mallory (me).

    QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, here's a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded --- until Mallory gets Bob to query for WWW.VICTIM.COM. If Mallory's response gets to your computer before the legitimate response arrives from your ISP's name server, you will be redirected where Mallory tells you you're going.

    Obvious fix: you want the QID be randomly generated. Now Alice and Mallory are in a race. Alice sees Bob's request and knows the QID. Mallory has to guess it. The first one to land a packet with the correct QID wins. Randomized QIDs give Alice a big advantage in this race.

    But there's a bunch more problems here:

    *

    If you convince Bob to ask Alice the same question 1000 times all at once, and Bob uses a different QID for each packet, you made the race 1000 times easier for Mallory to win.
    *

    If Bob uses a crappy random number generator, Mallory can get Bob to ask for names she controls, like WWW.EVIL.COM, and watch how the QIDs bounce around; eventually, she'll break the RNG and be able to predict its outputs.
    *

    16 bits just isn't big enough to provide real security at the traffic rates we deal with in 2008.

    Your computer's resolver is probably a stub. Which means it won't really save the response. You

    • Re:I got this much (Score:5, Informative)

      by bluefoxlucid (723572) on Monday July 21 2008, @06:26PM (#24281965) Journal

      Found this while google screwing. Someone got it!

      http://pastebin.ca/1078776 [pastebin.ca]

      1.
      Reliable DNS Forgery in 2008: Kaminskyâ(TM)s Discovery
      2.
      from Matasano Chargen by ecopeland
      3.
      0.
      4.

      5.
      The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.
      6.
      1.
      7.

      8.
      Pretend for the moment that you know only the basic function of DNS â" that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.
      9.

      10.
      Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bobâ(TM)s unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice â" once when he is called to the counter to place his order and again when heâ(TM)s called back to get his sandwich. If youâ(TM)re wondering, Bob likes ham on rye with no onions.
      11.

      12.
      If youâ(TM)ve got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. Itâ(TM)s called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.
      13.
      2.
      14.

      15.
      Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.
      16.

      17.
      First, QIDs.
      18.

      19.
      Bobâ(TM)s a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory would like the answer to be 6.6.6.0.
      20.

      21.
      It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If Iâ(TM)m Mallory and Iâ(TM)m attacking Bob, how can he distinguish my packets from Aliceâ(TM)s? Because I canâ(TM)t see the QID in his request, and the QID in my response wonâ(TM)t match. The QID is the only thing protecting the DNS from Mallory (me).
      22.

      23.
      QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, hereâ(TM)s a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. M

    • Re:Here's the whole post (Score:5, Informative)

      by Anonymous Coward on Monday July 21 2008, @06:32PM (#24282019)

      Ok, here's the gist: It's difficult to spoof a response for the right domain name, because of the random query IDs. You need too many requests and caching servers don't usually ask for the same name very often. But it's easy to get a caching server to ask for many different names in a subdomain, so do that and send your fake answers. One of them is going to get accepted sooner or later. Include spoofed glue for the real subdomain (www...) in your answers. Because the glue is for the same domain, it is accepted. Tadaa, poisoned DNS.

    • Re:Ridiculous armwaving... (Score:5, Informative)

      by supersat (639745) on Monday July 21 2008, @06:58PM (#24282287)
      This isn't even close to the same attack. Newer DNS server have randomized query IDs, so spoofing DNS packets isn't nearly as trivial as it used to be. This attack appears to combine the birthday paradox attack strategy (sending lots of queries and replies so the probability of a spoofed QID matching is much higher) with adding resource records for the actual name you want to poison (under the same domain).

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.