Just a Matter of Time Before DNS Attack Code Might Surface

PC World

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon. Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, says one security expert. The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday.

Read full story: PC World

Related topics: Cybersecurity, DNS

Comments

Re: Just a Matter of Time Before DNS Attack Code Might Surface Fergie  –  Jul 22, 2008 8:28 PM PST

The most shocking part of this entire circus act is that the majority of the Internet infrastructure (read: ISPs) seem to be completely ignoring this warning.

Not easily scared, but that should scare the piss out of us all. Really.

- ferg

Actually I'm beginning to wonder.... Simon Waters  –  Jul 23, 2008 12:10 PM PST

After hearing about the Kaminsky announcement (but not the details) I sat down and worked out how long I'd expect it to take for a DNS spoofing attack to control a domain on a typical ISPs recursive DNS server and came up with 2 hours, so I assumed Dan's results would make this much worse. But it looks like my answer was basically the same as Dan's, although no doubt Dan produced the tools to do it, and it sounds like in practice it is slightly quicker than I calculated.

My assumption was that one successful spoof would allow you to control the DNS of the zone the spoofed record was in (on that server). It is this assumption that I've believed since I understood how the DNS worked (circa 1995), that I believe was not apparent to everyone involved, even though it is implicit in the notes to the 1995 presentation by Steve B at Usenix.

As such I'm fairly sure some bad guys have known how to do similar attacks for many years. Indeed I assumed this was one of the main rationales for HTTPS. So some of the comments may just be a case of different folks having different understandings of just how easy DNS spoofing is?

In terms of risks, I believe poorly maintained authoritative servers are a bigger threat to the DNS than these spoofing attacks. This threat also applies to any of those authoritative servers that allow recursion, and Paul V and others have been tracking down those authoritative servers offering recursion as part of the follow up to this CERT announcement. Such servers present a much better target to would be crackers, as you then control any of the DNS beneath that server for everyone (not just those folks who use one ISPs service), and possibly any parts of the DNS that have name servers beneath those zones.

A quick two line script here is still pulling data from name servers mentioned in the root zone. It spat out several errors about servers not even existing (!) that are named in the root zone (non-existent of a record makes some spoofing attacks easier), and suggests nearly 10% of the most important name servers in the world still haven't disabled recursion.

So whilst I agree the fix is worthwhile, I have some sympathy for the view that it isn't a grand shift in the risk.

Just a Matter of Time Ali Farshchian  –  Jul 23, 2008 3:19 PM PST