Home / News I have a News Tip

Just a Matter of Time Before DNS Attack Code Might Surface

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon. Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, says one security expert. The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday.

Read full story: PC World

Follow CircleID on
Related topics: Cybersecurity, DNS
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: Just a Matter of Time Before DNS Attack Code Might Surface Fergie  –  Jul 22, 2008 9:28 PM PDT

The most shocking part of this entire circus act is that the majority of the Internet infrastructure (read: ISPs) seem to be completely ignoring this warning.

Not easily scared, but that should scare the piss out of us all. Really.

- ferg

Actually I'm beginning to wonder.... Simon Waters  –  Jul 23, 2008 1:10 PM PDT

After hearing about the Kaminsky announcement (but not the details) I sat down and worked out how long I'd expect it to take for a DNS spoofing attack to control a domain on a typical ISPs recursive DNS server and came up with 2 hours, so I assumed Dan's results would make this much worse. But it looks like my answer was basically the same as Dan's, although no doubt Dan produced the tools to do it, and it sounds like in practice it is slightly quicker than I calculated.

My assumption was that one successful spoof would allow you to control the DNS of the zone the spoofed record was in (on that server). It is this assumption that I've believed since I understood how the DNS worked (circa 1995), that I believe was not apparent to everyone involved, even though it is implicit in the notes to the 1995 presentation by Steve B at Usenix.

As such I'm fairly sure some bad guys have known how to do similar attacks for many years. Indeed I assumed this was one of the main rationales for HTTPS. So some of the comments may just be a case of different folks having different understandings of just how easy DNS spoofing is?

In terms of risks, I believe poorly maintained authoritative servers are a bigger threat to the DNS than these spoofing attacks. This threat also applies to any of those authoritative servers that allow recursion, and Paul V and others have been tracking down those authoritative servers offering recursion as part of the follow up to this CERT announcement. Such servers present a much better target to would be crackers, as you then control any of the DNS beneath that server for everyone (not just those folks who use one ISPs service), and possibly any parts of the DNS that have name servers beneath those zones.

A quick two line script here is still pulling data from name servers mentioned in the root zone. It spat out several errors about servers not even existing (!) that are named in the root zone (non-existent of a record makes some spoofing attacks easier), and suggests nearly 10% of the most important name servers in the world still haven't disabled recursion.

So whilst I agree the fix is worthwhile, I have some sympathy for the view that it isn't a grand shift in the risk.

Just a Matter of Time Ali Farshchian  –  Jul 23, 2008 4:19 PM PDT

To post comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

New TLDs

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform