AT&T first reported victim of DNS attack – HD Moore was NOT “Pwned”by Steve Ragan - Jul 30 2008, 23:05
AT&T is the first known DNS poisoning victim using recent vulnerability (IMG:J.Anderson)
IDG News is reporting that HD Moore, or rather his company BreakingPoint, has had traffic redirected to a fake Google search page. The irony that HD Moore is at the center of this recent news is not lost on anyone familiar with the security sector of IT. However, the larger issue is that the attack noticed by BreakingPoint was not on its network, but rather a DNS server on AT&T’s network, making the ISP the first to fall victim to the DNS vulnerability discovered by Dan Kaminsky.
"The DNS server in question was dns1.austtx.sbcglobal.net (126.96.36.199). This system accepted recursive requests from anywhere (not just subscribers) and is the default DNS server for anyone who purchased SBC Internet Services (in our case, a T1 line that was our primary until our fiber was run). Internally, we use two DNS servers, one going out the fiber, other going out the T1 as backup," Moore explains.
"Early Tuesday morning, some of the friends and family members of BreakingPoint employees noticed that the iGoogle web page was returning a 404 from their home internet connections. Once our folks got to the office, they noticed that every once in a while, they could also reproduce it from within our network. Digging into it, we discovered that one of our internal DNS servers was still using SBC/AT&T as an upstream forwarder and that this server was returning the wrong results for www.google.com."
The redirected traffic linked to a split frame, with one frame showing an altered Google search page, and three others designed to click on advertisements automatically. The attack and redirection amounted to nothing more than a simple scam if you look at the result of the initial attack, but the serious issue is the DNS poisoning of AT&T, one of the larger ISPs in the U.S.
“I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five-minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were been compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for,” Moore reveals. He was originally misquoted by IDG News and the misleading story was later corrected.
The attack was expected by many security experts and, while it was perhaps bound to happen, it could have been prevented with the application of proper patches. This is a well-known fact.
The story that led up to AT&T being served and gaining new public light as the first DNS victim, is filled with drama the likes of which you would only see in a soap opera; only it is the press and the security community that is at the center of it all.
It started when several major vendors: Microsoft, Cisco, Red Hat, ISC (BIND), and Sun Microsystems, to name a few, which each released an advisory and update for their respective implementations of DNS management. The reasoning for the massive patch effort and advisory listings, all on the same day, was one man, IOActive researcher Dan Kaminsky.
Kaminsky worked for a long time and sat on his information, making sure each vendor knew what he had discovered, and even going so far as to get CERT involved to help with things.
On July 08, the news had broken, and the vendors each released patches and mitigations at the same time. This is when all hell broke loose in the media. The news that DNS servers the world over were at risk and the end of the Internet was near started to spread. The initial stories were mostly FUD based, and centered on one issue, namely that Kaminsky had found something serious, and everyone should panic.
However, at the same time the news started to spread, several security researchers and respected security community experts called Kaminsky out on his findings, some even accusing him of rushing to spread panic. Going public on this scale without proper peer review is seen as a no-no in some circles, and Kaminsky had apparently violated a cardinal rule.
Recognizing this, and taking lots of heat from other researchers, Kaminsky let others into the fold and shared his findings. The interesting aspect, and what set more people off on a tangent, is that while Kaminsky shared information with a select few, he asked other researchers not to speculate.
This request went over well for some while others took offence, using the logic that speculation was all anyone had because no one other than a handful of people knew the full details. The point was made that it was presumptuous to assume that by keeping people in the dark, the Internet, and by proxy the DNS servers used online, were safe.
Then something happened. Thirteen days after the original disclosure of the vulnerability and release of the patches, Halvar Flake, known to others as Zynamics.com CEO Thomas Dullien, speculated on his blog about the DNS flaw.
The theory Flake posted was confirmed by Nate of Root Labs as legit and, not too long after that, Thomas Ptacek of Matasano Security posted a blog confirming the same.
"The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat," Ptacek wrote. His post, with the full details, explaining everything you would need to understand the DNS vulnerability in simple and easy to follow terms, was pulled, but it was already too late.
Ptacek’s post was apparently a mistake: "It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it... We dropped the ball here," he said in another posting offering an apology to Kaminsky for the blunder.
"Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well. Dan did phenomenal work on this research… That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out," Ptacek wrote.
And yet the drama is still unfolding, with Matasano taking criticism for the details being leaked, and charges being levelled that it was intentional, not accidental.
Adding to that is the Full Disclosure debate, now alive and kicking and rearing its ugly head once again. The story that has played out since July 08 is one that has existed for a long time online, only now there is a well-documented display of what normally happens in private e-mail and discussion forums. Kaminsky did good work, and needs to have that work noted.
The larger aspect to the story, as demonstrated by the recent AT&T DNS attack, is that before the modules were released, and before the code was published, there was time to patch the DNS servers. Even now, as proven, ISPs and business giants such as Apple Inc. are not patched; this could turn into an ugly issue for some IT departments if they don't act quickly.
AT&T had no comment for The Tech Herald on the DNS issues that were reported by HD Moore, however it told SecurityFocus that: "AT&T employs best practices in the management of its DNS infrastructure... Upon learning of the recent vulnerability and patches available to defend against it, AT&T immediately obtained the patches and began testing and certifying them for production use. Having completed that certification, AT&T is now expediting the deployment across their entire production infrastructure."
If you want to keep track of the vendor list, simply click here.
The official CERT advisory can be found here.