When Dan Kaminsky first announced his discovery of a DNS flaw, much of the public panicked while many professionals scoffed. After Kaminsky gave his talk at Black Hat yesterday, the best and brightest in the security field learned the full extent of the vulnerability he found, and most of those same bright minds agreed: it's bad, very bad.
Kaminsky offers the full details and scope for his vulnerability. (IMG:J.Anderson)
The term F.U.B.A.R. (Google it) comes to mind when you read about Kaminsky's talk or view his presentation slides. Addressing a standing-room-only crowd yesterday, Kaminsky explained in considerable detail just how bad the DNS vulnerability is. He was not kidding when he made the claim, "I broke the Internet," because if you take his talk in context, he really did. He is not to blame, however; the Internet apparently has been broken for a long time.
First, before the bad stuff, let’s cover some of the good topics from within Kaminsky's talk:
Some 120 million users are now protected online thanks to Nominum's carrier patching operation. In addition, Kaminsky's notes point out that 70 percent of the Fortune 500 are patched against his DNS discovery. The downside is the 30 percent that are still lacking updates.
Of the sampled non-mail servers, Kaminsky pointed out that 61 percent are patched, while 39 percent are missing updates. The video below, from Clarified Networks, shows the patching rate over a period of 28 days (July 07 to August 03).
Now for the bad news. It is important to remember that the patches released for this vulnerability slow the attack but do not completely stop it. By randomizing the resolver's UDP source port, they raise what an attacker must guess from a 16-bit transaction ID to roughly 32 bits of transaction ID plus port; that makes a successful poisoning take far longer, not impossible. That said, any network engineer or administrator who has not applied the available patches by now is leaving their network and its users or customers at serious risk.
This is not FUD (Google that too) or simple over-embellishment, this is the plain truth. Failure to patch will end in nothing but headaches for IT and the end users of the Internet. However, instead of inspiring panic in the streets, make a plan to patch, and follow it. While the flaw is horrendous to the stability and trust of the basic design of the Internet, there are mitigations and solutions to address it.
The details of Kaminsky's flaw leaked before his talk. According to his presentation yesterday, however, only two of the three vectors of the attack were generally known. The third, "new" vector is that an attacker does not have to target the specific record he wants to poison (say, www.foo.com) at all.
Instead, if attempts to guess the transaction ID (TXID) for www.foo.com fail, there are always the subdomains: 1.foo.com, 2.foo.com, 3.foo.com, and so on. None of these names is in the resolver's cache, so each one forces a fresh upstream query and a fresh race, and the attacker never has to wait out a TTL between attempts. Sooner or later one of the forged replies carries the correct TXID, and because that reply can also carry name-server records for foo.com itself, the attacker ends up controlling the whole domain in that resolver. See Kaminsky's slides for the full details [PPT Format].
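The following is an added example, not code from Kaminsky's talk or slides, that models both points above: why asking for a stream of never-cached subdomains turns a one-shot guess into an unlimited race, and why the source-port patch only lengthens that race. The resolver is reduced to its cache and its bailiwick rule, the entropy widths (16 bits unpatched, 32 bits patched) are the usual approximations, and foo.com, ns.attacker.example and the addresses are placeholders.

```python
"""Toy model of the Kaminsky cache-poisoning race (added example).

Assumptions, not measurements: an unpatched resolver exposes only the
16-bit TXID; a patched one adds about 16 bits of source-port entropy.
foo.com, ns1.foo.com, ns.attacker.example and the IPs are placeholders.
"""
import random


class ToyResolver:
    """A caching resolver reduced to the two behaviours the attack needs:
    it only queries upstream for names that are not cached, and it accepts
    extra records from a reply as long as they sit inside the zone being
    queried (the bailiwick rule)."""

    def __init__(self, entropy_bits, seed=0):
        self.entropy_bits = entropy_bits            # TXID (+ source port) bits
        self.space = 1 << entropy_bits
        self.cache = {"foo.com/NS": "ns1.foo.com"}  # legitimate NS record
        self.rng = random.Random(seed)

    def lookup(self, name, attacker):
        """Resolve `name`; `attacker` is invoked once per upstream query."""
        key = name + "/A"
        if key in self.cache:                       # cached: no race at all
            return False
        expected = self.rng.getrandbits(self.entropy_bits)
        guesses, poison = attacker(self.space)      # forged replies arrive first
        if expected in guesses:                     # a forged reply won the race
            self.cache[key] = "198.51.100.1"
            zone = name.split(".", 1)[1]            # "7.foo.com" -> "foo.com"
            for rrname, value in poison.items():
                owner = rrname.split("/")[0]
                if owner == zone or owner.endswith("." + zone):  # bailiwick
                    self.cache[rrname] = value
            return True
        self.cache[key] = "192.0.2.1"               # legitimate answer arrives
        return False


def flood(guesses_per_query, seed=1):
    """Attacker that sends `guesses_per_query` distinct forged replies per
    query, each smuggling a replacement NS record for foo.com."""
    rng = random.Random(seed)

    def attacker(space):
        k = min(guesses_per_query, space)
        return set(rng.sample(range(space), k)), {"foo.com/NS": "ns.attacker.example"}
    return attacker


def poison_domain(entropy_bits, guesses_per_query, max_queries):
    """Kaminsky's subdomain trick: ask for 1.foo.com, 2.foo.com, ... Every
    name is new, so every query is a fresh race with no TTL to wait out.
    Returns the query count at which foo.com/NS was overwritten, or None."""
    resolver = ToyResolver(entropy_bits)
    attacker = flood(guesses_per_query)
    for i in range(1, max_queries + 1):
        resolver.lookup(f"{i}.foo.com", attacker)
        if resolver.cache["foo.com/NS"] == "ns.attacker.example":
            return i
    return None


def success_probability(entropy_bits, guesses_per_query, queries):
    """Closed form: each query succeeds with p = k / 2^bits (distinct guesses),
    so P(success within q queries) = 1 - (1 - p)^q."""
    p = min(1.0, guesses_per_query / (1 << entropy_bits))
    return 1.0 - (1.0 - p) ** queries


if __name__ == "__main__":
    print("unpatched (16 bits), queries needed:", poison_domain(16, 2000, 2000))
    print("patched   (32 bits), queries needed:", poison_domain(32, 2000, 2000))
    for bits in (16, 32):
        print(f"{bits} bits, 1000 queries x 2000 guesses: "
              f"{success_probability(bits, 2000, 1000):.6f}")
```

With 2,000 forged packets per induced query, the unpatched model falls within a few dozen queries, while the patched one has well under a 0.1 percent chance after a thousand; the patch changes the cost of the attack, not its nature, which is exactly why the real fix is to also stop accepting out-of-bailiwick glue and, longer term, to authenticate answers.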
Most of the attention centered on the DNS flaw has focused on its power to corrupt Web browsing. An attacker who controls a resolver can redirect Web requests to his or her own destination, load malware, or phish for information, or both. As Kaminsky demonstrated, however, most of the press coverage and talk from the blogosphere, including some security corners, has been far too narrowly focused.
The browser coverage was correct as far as it went. "Any link, any image, any ad, anything can cause a DNS lookup," Kaminsky wrote, and that alone is a huge door to exploit. But it gets worse: mail servers will look up whatever they are told, thanks to DNS. Your mail server uses DNS to check the HELO name, the MAIL FROM domain, spam blocklists, the destination of bounce messages, and all of its other normal functions.
The focus on mail servers adds a new spin: the DNS vulnerability, if exploited, will cripple most spam filters, if not all. If that wasn't bad enough, an attacker who controls the DNS for a domain controls where its mail is delivered, so he can pluck e-mail out of thin air as it crosses the domain, read it, alter it, and send it on. What this amounts to is an attacker who can, say, alter an expense report, turning the attached DOC file into a malicious DOC file.
Now, after the attacker attaches something malicious, the spam filters will kick in and catch the rogue e-mail, right? Wrong, because the attacker has taken over the DNS those filters depend on. So now you can forget any type of spam filtering. "All SPAM filtering comes from DNS," Kaminsky explained in his slides; "[You] can actually hijack SPAM filters [as the] attacker ends up controlling mail reception entirely." SPF records fail too, as they are published in DNS.
Still there's more. One standout example is a client behind a corrupted resolver, which could "indirectly poison the entire web via google-analytics.com, ad.doubleclick.net, sitemeter, or any other codebase commonly loaded via an external script src tag," Kaminsky's slides read.
SSL won't help as much as some have claimed, either. Remember that all SSL (the S in HTTPS) does is verify that the server holds a certificate for the domain name it claims to be, the "assertion" that the site's identity has been validated in some fashion. But how do the Certificate Authorities (CAs) validate that the applicant controls the domain, asked Kaminsky. Sadly, the answer is DNS: a CA e-mails the domain or looks up a record in it, and a poisoned resolver at the CA can send either to the attacker. The good news is that, according to Kaminsky, all the major CAs have patched their DNS; those mentioned include VeriSign, Comodo, DigiCert, and Trustwave. During his talk, Kaminsky also showed why EV SSL is no protection against vulnerable DNS: the green bar is nothing more than a visual indicator, and a browser will still accept an ordinary certificate for the same site, so it offers no direct security.
Another method of attack mentioned is the password reset option you see on the login portals of almost every site online. Reset links are sent by e-mail, and the site's mail server finds the user's mail provider through DNS. If the site's resolver is unpatched, an attacker can poison that lookup, receive the reset e-mail himself, and take over the account. While some domains are not too critical, others such as banks and domain registrars are very important, and their loss would be devastating.
The good news, again, is that the major portals are patched, including MSN, Google, Yahoo, PayPal, eBay, Facebook, and many others. But remember the other, minor sites: a Google search for "forgot your password" returns about 88 million hits, give or take. Are they using patched DNS servers? OpenID uses DNS as well to verify a person or a site, so it is not exempt from the issue.
At the enterprise level, if internal DNS servers forward to a normal name server that recurses for both Internet and internal names, then there is a chance of compromise all over the place. Internal dependencies that can be hijacked through DNS include SNMP (traps and queries), RADIUS, TACACS, service-oriented architectures, and more. External DNS dependencies are also vulnerable; for example, IPsec if it is tied to a destination subnet. Moreover, other external dependencies can include off-site backups, payment processing, and content distribution networks.
The bottom line is that Dan Kaminsky should be praised for his work, and all the hype and fear that came with it. He has detailed a very serious problem and, instead of selling it to the highest bidder, he proved himself a good guy and helped protect 120 million people, with more being added to the protection list each passing day.
At the same time, the sheer scope of the damage this vulnerability has heaped on the Internet is enough to have his caffeine supply cut off for a week. Kaminsky ended his talk with a harsh truth:
"DNS should not have been capable of this much damage. It was. Why? ...We have to get better at fixing infrastructure. We got lucky with this bug. Disaster recovery planning needs to include how to handle the discovery of a flaw in any mission critical code anywhere. We are doing a lot of things insecurely. Even with DNS fixed, there are other scenarios in which unencrypted IP traffic is lost to an attacker."
Perhaps he is right, and, as he mentioned in his talk, welcome to the third age of hacking.