Home / News

Just a Matter of Time Before DNS Attack Code Might Surface

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon. Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, says one security expert. The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday.

Read full story: PC World

By CircleID Reporter – CircleID's internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Re: Just a Matter of Time Before DNS Attack Code Might Surface By Fergie  –  Jul 22, 2008 9:28 pm PDT

The most shocking part of this entire circus act is that the majority of the Internet infrastructure (read: ISPs) seem to be completely ignoring this warning.

Not easily scared, but that should scare the piss out of us all. Really.

- ferg

Actually I'm beginning to wonder.... By Simon Waters  –  Jul 23, 2008 1:10 pm PDT

After hearing about the Kaminsky announcement (but not the details) I sat down and worked out how long I'd expect it to take for a DNS spoofing attack to control a domain on a typical ISPs recursive DNS server and came up with 2 hours, so I assumed Dan's results would make this much worse. But it looks like my answer was basically the same as Dan's, although no doubt Dan produced the tools to do it, and it sounds like in practice it is slightly quicker than I calculated.

My assumption was that one successful spoof would allow you to control the DNS of the zone the spoofed record was in (on that server). It is this assumption that I've believed since I understood how the DNS worked (circa 1995), that I believe was not apparent to everyone involved, even though it is implicit in the notes to the 1995 presentation by Steve B at Usenix.

As such I'm fairly sure some bad guys have known how to do similar attacks for many years. Indeed I assumed this was one of the main rationales for HTTPS. So some of the comments may just be a case of different folks having different understandings of just how easy DNS spoofing is?

In terms of risks, I believe poorly maintained authoritative servers are a bigger threat to the DNS than these spoofing attacks. This threat also applies to any of those authoritative servers that allow recursion, and Paul V and others have been tracking down those authoritative servers offering recursion as part of the follow up to this CERT announcement. Such servers present a much better target to would be crackers, as you then control any of the DNS beneath that server for everyone (not just those folks who use one ISPs service), and possibly any parts of the DNS that have name servers beneath those zones.

A quick two line script here is still pulling data from name servers mentioned in the root zone. It spat out several errors about servers not even existing (!) that are named in the root zone (non-existent of a record makes some spoofing attacks easier), and suggests nearly 10% of the most important name servers in the world still haven't disabled recursion.

So whilst I agree the fix is worthwhile, I have some sympathy for the view that it isn't a grand shift in the risk.

Just a Matter of Time By Ali Farshchian  –  Jul 23, 2008 4:19 pm PDT

Add Your Comments

 To post your comments, please login or create an account.



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Domain Names

Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

IPv4 Markets

Sponsored byIPXO

Brand Protection

Sponsored byAppdetex