Jul 09, 2008

Tuesday a big story broke that could have impacted millions of web users. A researcher discovered a major security flaw in the Domain Name System (DNS), and instead of selling the information or using it to market himself, he went to the major internet vendors and discussed the vulnerability with them. Today Microsoft, Cisco, Sun and BIND (via the Internet Software Consortium) issued patches for the problem, before the bad guys could exploit it. Good report from Rob Vamosi of CNET:

Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, “the severity is shown by the number of people who’ve gotten onboard with this patch.”

He declined to name the flaw as that would give away details.

On March 31, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix.


Here’s a description straight from Dan himself off his DoxPara Research blog:

I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.

It was a good day.


For the more technically inclined, here’s the US Computer Emergency Readiness Team (US-CERT) Vulnerability Note, which includes a long list of the vendors affected:


I spoke with a DNS expert I know well for some context around the announcement. He confirmed the magnitude of the potential problem, saying that it puts the majority of web nameservers at risk for DNS cache poisoning. He also noted that the initial reporting portrayed the problem as being with the DNS itself, which is true to some extent.

But BIND and Microsoft nameservers are particularly susceptible to cache poisoning, due to a weakness in how the query response number is randomized when the recursive server responds with the proper IP address. Other name servers, like PowerDNS, are much less at risk.

Here’s how he tried to describe the attack to me in layman’s terms. The attack sends repeated queries for the same resource record (IP address) to the recursive server, which leaves multiple queries open at once. Think of these as tickets started but not completed.

Then the attack also sends a number of answers using spoofed addresses to make it appear they are coming from the legitimate nameserver for that resource record. What the attacker is trying to do is “guess” the socket number and transaction ID of the actual, correct response. So the attacking machine asks the server for an IP address, then floods the server with false answers to that same query, racing to see which answer the resolver accepts first.

Because of weak randomization in many nameservers, the attacker was highly likely to eventually hit on a correct transaction ID, which means the resolver would accept an answer the attacker supplied, not the correct IP address. That false answer would then be cached by the server, and every subsequent request for that resource record would be given the new, fraudulent destination. And users might never know the difference.

This description makes sense, based on this from the CNET story that refers to beefed-up randomization:

Kaminsky said he will release details in time for Black Hat 2008, on August 7 and 8 in Las Vegas. However, Microsoft in its security bulletin said its patch uses strongly random DNS transaction IDs, random sockets for UDP (User Datagram Protocol) queries, and updates the logic used to manage the DNS cache.

Kaminsky did confirm that the patches released today will increase DNS randomness: “Where we had 16-bit before, we now have 32 bits.”
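To make the “16 bits before, 32 bits now” point concrete, here is an added Python model (my own, not code from Kaminsky, CNET or any vendor’s patch) of a recursive resolver that caches a reply only when it matches an outstanding query’s name, transaction ID and, with port randomization switched on, the UDP source port the query left from. The ephemeral port range 1024 to 65535 and the fixed pre-patch port 53 are assumptions for the model.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    qname: str      # name being resolved (a "ticket started but not completed")
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query was sent from


class Resolver:
    """Toy recursive resolver: a reply is cached only if it matches an
    outstanding query on name, transaction ID and UDP port."""

    def __init__(self, txid_bits=16, randomize_ports=False, seed=1):
        self.rng = random.Random(seed)        # seeded so runs are repeatable
        self.txid_space = 1 << txid_bits
        self.randomize_ports = randomize_ports
        self.outstanding = set()
        self.cache = {}

    def send_query(self, qname):
        txid = self.rng.randrange(self.txid_space)
        # Pre-patch behaviour (assumed): every query leaves from one fixed
        # port, so only the 16-bit transaction ID protects the reply.
        port = self.rng.randrange(1024, 65536) if self.randomize_ports else 53
        q = Query(qname, txid, port)
        self.outstanding.add(q)
        return q

    def receive_reply(self, qname, txid, dst_port, answer):
        q = Query(qname, txid, dst_port)
        if q not in self.outstanding:
            return False                      # no matching ticket: drop it
        self.outstanding.remove(q)
        self.cache[qname] = answer
        return True


def guess_space(txid_bits=16, randomize_ports=False):
    """Number of (txid, port) combinations a forged reply must match."""
    ports = 65536 - 1024 if randomize_ports else 1
    return (1 << txid_bits) * ports


def expected_forgeries(txid_bits=16, randomize_ports=False, outstanding=1):
    """Average forged replies before one matches any of `outstanding`
    in-flight queries for the same name: roughly space / outstanding."""
    return guess_space(txid_bits, randomize_ports) / outstanding
```

Note how leaving many queries for the same name open at once (the “tickets” above) divides the work factor, which is why the patch adds port entropy rather than relying on the transaction ID alone.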

Beyond the technology, this is a very heartening story of collaboration and discretion in the name of the greater good. By waiting until Microsoft, BIND and others could issue a patch for this problem before making any public statements, a great deal of online harm was avoided. I’m sure Kaminsky will get the royal treatment at Black Hat, and it sure sounds like he deserves it. Dan, here’s a big thank you from this Internet user.
