back to article Researcher's hypothesis may expose uber-secret DNS flaw

Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    "People need to patch this, sooner rather than later."

    I'd love to Mr.Kaminsky. What exactly is "this"?

  2. Destroy All Monsters Silver badge
    Paris Hilton

    How does that work

    "and the IP address for a requested domain will be falsified."

    But that is useless as the forged DNS answer will be for ulam61177.com, and who goes to that place (forgery: http://cr.yp.to/djbdns/forgery.html).

    Right?

    So there is something missing. I can't remember whether the attacker may add DNS information saying in effect "btw, I also know about www.bankofamerica.com which has <evil IP address>". This being DNS, probably yes (Poison: http://cr.yp.to/djbdns/notes.html)

  3. Anonymous Coward
    Paris Hilton

    If Kaminsky's money were where his mouth is...

    The first I would have heard of this story was after the full public disclosure. Smells a little self-promoting, the whole "I have a secret, nyah nyah, but you have to wait for the details". A big shot like him should have direct channels to the relevant vendors, right? Why the press release in the first place?

    Paris because of the whole "look at me" thing.

  4. Anonymous Coward
    Paris Hilton

    Well, um, seems obvious, doesn't it?

    Considering that the issues are a lack of a random Transaction ID and/or random Source Port for recursive requests and the fact that DNS works with UDP packets (easily faked), anyone should be able to figure out that an attacker is flooding a DNS server with DNS result packets hoping that one will match. There's got to be a large number of DNS servers out there right now with a stale www.BankOfAmerica.com "A" record. Try hitting all of them and sending them a fake DNS result with a TTL in years. You're bound to poison a few of them.

  5. Anonymous Coward
    Anonymous Coward

    Speculation

    Kaminsky is the one up to it, if he doesn't want people to speculate then he shouldn't have announced.

    It could be anything, it could be as simple as a lot of ISPs house DNS records, compromise that server.

    Not revealing could be the hack itself; if someone says <insert popular net based application> has a security flaw, then you can bet a few will start to hunt there finding flaws.

    There are problems in all complex software, assuming he has found a flaw, and with the fact he had to read a dummies book, that indicates to me that the flaw is something the beginner's mind picks up. So, it is a fundamental rule or quirk of DNS that when used in a different way creates the problem, could even have been found via a typo. Most people working with DNS develop little rules, quite quickly, on how to get a domain up, and so don't test the errors, they just correct them until it works as expected.

    To find the exploit you look at something in a different way, Silence on the Wire is a good book on this. And if you break the rules or get overly inquisitive and then monitor the effect, that's pretty much how most exploits are arrived at.

    If he does have an exploit, then he should release, he is grandstanding, and if it is something that is based on a side case, workable only under particular circumstances he won't get kudos.

  6. Nexox Enigma

    Lots posted AC...

    I'd imagine that this isn't a simple rebind like Destroy suggests, since Kaminsky spoke about that plenty at last year's DefCon.

    I agree that full disclosure is the best solution in nearly every case, but if this is as potentially bad as it sounds (And I'd imagine that it is, given that Kaminsky came up with it,) then it could pose some really serious problems if it got out before much patching had happened.

    And you can't very well not tell anyone that there is a problem with the major service, because so many people have to get patches installed, and there aren't that many sysadmins out that who just jump right on every patch for every service that they run.

    That said - why don't we have a DNS replacement yet? I guess we'll get one right after everyone stops running SMTP.

    And judging by current trends, they'll both be presentation layer protocols running over http. DNS 2.0, anyone? Maybe we can include some sort of RSS / streaming element to get some VC interested.

  7. Anonymous Coward
    Black Helicopters

    @ Anon - it does seem obvious..

    I was confused by the secrecy surrounding the lack of disclosure, this flaw was already mentioned in the original article, i always assumed the "devastating" flaw must have been something worse than that. The problem of spamming to get the right transaction ID has always been a problem?? The immediate patch to randomise source ports would seem to indicate that there is something bigger and scarier outstanding?

  8. Anonymous Coward
    Unhappy

    Dont think of a pink elephant

    Request such as dont speculate, investigate, etc are clear flags and invitations to actually do the opposite. There is a fairly wide field or attackable surface in the IT world (OS, services, applications, etc - you know the drill) - all this request has done has to focus the minds and efforts on the nefarious amongst us on what 'could' be a very significant and massively disruptive flaw.

    Or perhaps it is nothing really (is he writing a book at the moment?)

    Well done for making the internet safer mate. Hope your new book sells well.

  9. chuBb.

    @ Anon - it does seem obvious..

    ummmmmmmmmm somthing "The immediate patch to randomise source ports would seem to indicate that there is something bigger and scarier outstanding?" how about prolification of broadband and bot nets???

  10. Anonymous Coward
    Paris Hilton

    There have been problems before

    Well I used to run a Primary and Secondary DNS server and discovered that my DNS was locking up and freezing, subsequently finding that someone was sending a request to my server for a poisoned DNS making mine crash.

    The only solution I had was to add a SOA record pointing the requested domain to a 3rd party site that causes any browser to lock up (something like www.goaway.com)

    I also used that site for people asking for the windows file that a common virus used.

    Strange how within 2 weeks I was not getting any hits for either....

    Paris because all the hackers in the world have their collective intelligence

    less than hers

  11. Anonymous Coward
    Paris Hilton

    Confused ...

    Since a lot of DNS software is open source (BIND etc.) - shouldn't it be really easy to work out from the new "safe" versions what the problem is?

    Or is BIND unaffected?

    Paris, because she probably hasn't been following this in detail either...

  12. Nick Kew
    Stop

    Deja Vu

    http://cr.yp.to/djbdns/res-disaster.html

    Once you've read it, look at the page's Last-Modified date. November 2002.

  13. Anonymous Coward
    Pirate

    The cat is already out of the bag...

    Original matasano blog entry that was pulled: www.matasano.com/log/1103/reliable-dns-forgery-in-2008-kaminskys-discovery/

    Copy of above: http://beezari.livejournal.com/141796.html

    If I can find it in less than 10 mins, so can the naughty people...

  14. AC

    "let me present the research on August 6th"

    and then says "people need to patch this as soon as possible"

    self publicising {sp} tw4t. whatever he has I've just lost interest in it.

  15. Anonymous Coward
    Paris Hilton

    There is a terrible flaw in this article - please don't speculate!

    Honest - otherwise the Black Hats will get you.

  16. Anonymous Coward
    Thumb Up

    Just patch it already

    The patch isn't from Dan, it's from your vendor (nearly all of them)... and your vendor tells you that your DNS resolver has a security hole. You might not like the hype, but that doesn't seem like a good reason to not install a security patch from your vendor.

    Install the patch. Ignore the hype. Then you're safer.

  17. Anonymous Coward
    Anonymous Coward

    Umlaut

    Please add the dots above the u (über). It looks sooo ugly otherwise. Thank you.

  18. Destroy All Monsters Silver badge
    Pirate

    Re: The cat is already out of the bag...

    Great read. Well written.

    So indeed this relies on the DNS protocol behaving innocently to strangers coming at it with candy, combined with bad random number generators, which has been known for a few years: http://cr.yp.to/djbdns/forgery-cost.txt

    100% amateurism.

    Please wake me up when the Internet has become Serious Business.

  19. Anonymous Coward
    Stop

    if you didn't write a nameserver, STFU

    all the ACs (yeah, myself included) need to STFU. Kaminsky is reliable (see previous research), and Ptacek and others have vouched for him. Hell, Vixie vouched for the severity of this hole and for the coordinated release model, and he knows more about DNS than any of you wankers. The whole community has been nothing but a bunch of whiny brats since this came out - "oh noes! somebody has some knowledge that they're not sharing with meeeeee".

    this whole entitlement mentality is really getting old - I don't agree 100% with Dan telling people not to discuss it, but given the severity of the hole, I think he's totally justified in making that kind of request. What would you rather have - open discussion to satisfy our collective sense of ego, coupled with massive exploitation of what is arguably the most critical piece of Internet infrastructure ... or having to just keep our collective mouths shut about it for a couple of weeks? I swear, it's like a worldwide collective of four-year-olds who just can't STAND that somebody has a secret they're not willing to immediately disclose ... everybody who NEEDS to know about the hole early (in order to e.g. write patches for a nameserver) has been contacted. If you aren't in that group, untwist your panties and wait till Aug 6 with everybody else, patch your shit and hope your ISP does the same.

  20. Anonymous Coward
    Anonymous Coward

    I really hope this is not true.

    Hum, seems to me that Flake is going for the ‘look at me, I discovered a hole, gosh I’m clever’ award without first considering what his actions may amount to in the REAL WORLD.

    Yes, well done, you may have spotted something, but you also gave the game away to criminals who make our online experience more of a minefield than an enjoyable experience. Internet users are forced to hide behind firewalls, routers and god knows what else to get the privilege of having to sift though ten million pointless MyGuff pages in order to find what they want.

    Now Flake goes “I think that I could seriously screw things up if I did this”. How the hell can he justify making this hypothesis known without first providing a proof of concept and then letting major owners of DNS servers know without informing everyone?

    It’s one thing to discover a hole, show that it’s genuine to the folk who need to know and then complain that nothing has been done. At least that way, people who need to know have the opportunity to fix the problem. But it’s another for some idiot to masturbate his ego to the potential determent of all of us.

    If exploits based on his verbal flatulence do get produced, would some citizen kindly post his address so I can pay a personal visit to this moron and teach him the error of his ways by kicking his gonads into the back of his throat?

  21. Anonymous Coward
    Go

    @righteous indignation from AC

    You present a false dichotomy between

    1. disclose fully, wait weeks for a fix while at the mercy of bad guys

    2. Kaminsky's theatrics, then vendor fixes, then full disclosure

    How about:

    3. private communications with vendors, vendor fixes, then full disclosure

    ?

    Who ever questioned Kaminsky's reliability? We're just wondering about some apparent Parisian attention whoring. You really should work on your reading comprehension. Whiny much?

  22. Ed
    Stop

    Re: @righteous indignation from AC

    Actually, most of the complaints about Kaminsky's behavior have not been about his attention whoring, but rather about the fact that he mentioned a problem without saying what it was.

    I personally agree that private communications with vendors, vendor fixes, then full disclosure is best, but only because there are morons out there who don't understand how to not publicly speculate in order to demonstrate how awesome they aren't. (I say aren't, because if they really had a clue, they'd STFU. We really do not want to give the bad guys any more assistance on this than we need to.)

    In a slightly less than ideal world (the ideal world wouldn't have this problem, and wouldn't have people attempting to exploit it), someone like Kaminsky would be able to give the warning to the rest of the world like he did such that those people who have a mission-critical dependence on a few IP addresses (which is to say, most companies) could put those addresses into /etc/hosts or the Windows equivalent until they get their systems patched.

    For what it's worth, I've done this on my home system. My work systems don't have access to external DNS, and actually don't depend on the IPs of other systems (instead, they are systems that other computers depend upon.) My work systems do have /etc/hosts entries for all of the other systems in the cluster, however (one /etc/hosts file, maintained by cluster revision control). However, the work systems weren't tweaked in response to this; they are just set up like that as a convenience item.

  23. Anonymous Coward
    Anonymous Coward

    Re: @righteous indignation from AC

    > How about:

    > 3. private communications with vendors, vendor fixes, then full disclosure

    Which is precisely what happened. Do you all really think CERT would tolerate anything else?

    (and I found that by a simple search, I wasn't privy to any internal info)

  24. Anonymous Coward
    Anonymous Coward

    Vulns, Vixie, and Kaminsky

    As one of the network engineers for a large hosting company, whose DNS servers are authoritative for over 558,000 domains, I have to say that the prospect of what Kaminsky is stating is throwing red alarms, at a minimum.

    I heard about this vulnerability (as did my coworkers) from the NANOG lists, and finding out that Paul Vixie was boot-quaking over it, really set us ablaze. We're operating a much more secure setup than many (filtering proxy in front, round-robining, and cache-scavenging, in addition to firewall rules/ACLs in front) but we have a duty to our users, ultimately, to be aware and to assist them in updating their own nameservers to patch for this vuln.

    I have to agree with some posters here that yes, there is a large amount of hype surrounding this revelation, but the majority of those who are contributing to the flames have absolutely no clue what the vulnerability is, nor how it would be implemented in an attack.

    I think that once the root servers have been patched against this vulnerability, and the majority of the major network operators/GSPs have managed to either protect their authoritative servers or patch them, this will be a blip on the radar.

    Now, I do know that there are other vulnerabilities that have not, and will not be released to the public, until the facilities that are subject to the vulnerabilities have been patched and/or secured, and I feel that this may fall into that category - to an extent.

    Comments welcome. :)

  25. 2Fast
    Thumb Up

    Kaminsky

    did the right thing he found this metasploit and kept it under his hat and got in contact with cisco and microsoft back in March. I've been busy patching my servers and hopefully other companys will follow im testing it to the point where im actually running the exploit so far so good although my patch on linux went a tad wrong.

    Fair play to the guy for doing it this way.

  26. Andy McKnight
    Pirate

    Subdomains

    "Destroy All Monsters" wrote "that is useless as the forged DNS answer will be for ulam61177.com, and who goes to that place"

    Current thinking is that the problem lies in subdomains. Hammer a DNS server with requests for ulam000001.theregister.co.uk, ulam000002.theregister.co.uk etc until you get a hit. In each packet, request an additional RR return for an additional DNS response for ns1.theregister.co.uk and when you eventually get a hit on the random subdomain you just poisened ns1.

    http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html

This topic is closed for new posts.

Other stories you might like