Kaminsky reveals details and extent of DNS flaw
Security researcher Dan Kaminsky has given details of a fundamental flaw in the Domain Name System, and the extent of the vulnerability.
In a presentation given at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.
Kaminsky explained that transaction IDs, which are supposed to prevent "bad guys" from assigning their own IP address numbers to any domain, are ineffective as security measures. An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as '1.foo.com', '2.foo.com'. As transaction IDs can only be a number between 0 and 65535, and the attacker can launch multiple requests, eventually the attacker could spoof a domain by matching the ID through chance.
Once this domain is spoofed, the attacker can flood a nameserver with spoofed replies to poison its cache for the domain being attacked — for example, 'foo.com'. Requests for foo.com would direct a user to a site of the attacker's choosing.
This vulnerability can be exploited by using multiple vectors of attack, according to Kaminsky. Web browsers can be forced to look up what the attacker wants, as links, images and ads can cause a DNS look-up. Mailservers will look up what an attacker wants when performing functions such as a spam check, or when trying to deliver a bounce, newsletter, or bona fide email response.
Kaminsky warned that it is also possible to pollute top-level domains such as .com, .net and .org.
"When the bad guy poisons .com, he gets all requests, even requests he didn't know in advance he wanted," Kaminsky stated in his presentation. "He gets to decide what he'll poison forever."
Using encryption such as SSL can mitigate the risks posed by the DNS flaw, according to Kaminsky. However, he warned that SSL only has limited implementation at present and brings its own certification issues. People still log onto sites even if its SSL certificate has expired, he said.
Multiple vendors have brought out patches for their products to mitigate the risks associated with the flaw, mainly based around randomising port numbers. Kaminsky said this had been effective, as carriers such at Nominum had patched, Bind implementations had been patched, and Microsoft automatic updates had "swept through lots and lots of users".
Kaminsky said that 70 percent of Fortune 500 companies have tested and patched mailservers successfully, while 61 percent have patched non-mail servers.
However, Cambridge University security expert Richard Clayton told ZDNet.co.uk that patching and randomisation are only effective up to a point.
"You can randomise the identifier for the packet, and you can randomise the port number, but the bad news about randomisation is the birthday paradox," said Clayton. "If you have 20 people in a room, the chances are that two of them will share the same birthday. That's the problem, if you're choosing at random and an attacker is choosing at random. If you are using two to the sixteen [65536] samples, and an attacker is sending samples at the rate of the square root of two to the sixteen, which is two to the eight [256], the attacker has a 50 percent chance of success."
While randomisation mitigates the problem, essentially it just "[puts] off the dreadful day when the attacker can send packets fast enough to overcome entropy", said Clayton.
The security expert said that a "real" fix would be to have the server notice when it was receiving a lot of requests which were not quite correct, become "suspicious", and only communicate using TCP, which can't be spoofed. A further fix would be to have carriers communicate using DNSSEC, a form of DNS which is encrypted, said Clayton.