From the desk of: Sam C. Chan

Advisory:   Server Vulnerability - DNS Poisoning

August 8, 2008  

This is a timely update on a current IT security event, surrounding the much anticipated Dan Kaminsky talk on Wednesday at Black Hat Expo.

What is it?

  • DNS is the server that performs look-up and translation from domain names to IP addresses, which browsers, email clients, etc. need for actual access.
  • DNS Poisoning is the malicious tampering of someone's DNS server, so that an innocent access to a legitimate site arrives at a rogue site instead, where information capture and other nefarious acts can be performed.
  • A whole slew of efficient attack techniques has just been discovered that takes advantage of a long-known architectural-level vulnerability in the DNS mechanism.
  • Within your IT infrastructure, your workstations may rely on your own DNS servers, which in turn depend on your ISP's DNS servers. Action is needed.

Status:   Exploit in the wild and active
That means someone has already written actual program code to exploit this vulnerability and launched attacks. Copycat variants and enhanced versions will soon follow. So it's no longer a theoretical risk. It's happening in earnest.

How does it happen?
DNS uses the UDP protocol, which is inherently insecure because the IP source cannot be verified (a single packet with a self-proclaimed address, no handshake). Spoofing by rogue hosts is relatively easy. This has been going on for years, as some of you have already experienced. A newly published technique reduces the attack time required by orders of magnitude. Voilà: certain success with trivial effort.

What to do? 
Patch all DNS servers: Randomization of the IP source port + Transaction ID can partially foil attacks (exponentially increasing the effort required). Microsoft released all relevant patches on July 25. On the Linux side, it's a bit more complicated (case-by-case). Note: DNSSEC (the "next gen" DNS) is in draft & RFC phase, still years away from ratification and implementation.
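
To make the two points above concrete (a forged reply only has to match the 16-bit Transaction ID when the source port is fixed, and the patch multiplies that guess space by the number of possible ports), here is an added example, not from the original advisory, that quantifies the guess space and classifies a sample of a resolver's observed outbound source ports as fixed, sequential or randomized. The port samples are constructed for illustration; in practice they would come from a packet capture of the resolver's outgoing queries after patching.

```python
"""Post-patch check for DNS source-port randomization (added example).
All port samples below are constructed, not captured from a real resolver."""
from collections import Counter
import math


def guess_space(txid_bits=16, port_range=1):
    """Number of (transaction ID, source port) pairs a forged reply must match.
    A fixed source port leaves only the 16-bit TXID to guess (65536 values);
    port randomization multiplies that by the size of the port range."""
    return (2 ** txid_bits) * port_range


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.
    0.0 means a single fixed port; higher is better, up to log2(len(ports))."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def assess_port_randomization(ports, min_distinct_ratio=0.9):
    """Classify consecutive observed source ports:
    'fixed'       -> one port reused for every query (unpatched behaviour)
    'sequential'  -> ports increment by one (trivially predictable)
    'randomized'  -> nearly every query used a distinct port
    'low-entropy' -> some variation, but too much reuse to be called random"""
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    if {b - a for a, b in zip(ports, ports[1:])} == {1}:
        return "sequential"
    if distinct >= min_distinct_ratio * len(ports):
        return "randomized"
    return "low-entropy"


# Constructed samples of 12 consecutive outbound queries' source ports.
UNPATCHED_PORTS = [53] * 12                    # always queries from port 53
SEQUENTIAL_PORTS = list(range(32768, 32780))   # incrementing port allocator
PATCHED_PORTS = [50113, 62230, 33417, 58846, 41092, 60005,
                 36721, 55534, 48290, 61111, 39876, 52244]

if __name__ == "__main__":
    # Ephemeral range 1024-65535 gives 64512 possible source ports.
    print("guess space, fixed port:     ", guess_space(16, 1))
    print("guess space, randomized port:", guess_space(16, 64512))
    for name, sample in [("unpatched", UNPATCHED_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("patched", PATCHED_PORTS)]:
        print(f"{name:10s} {assess_port_randomization(sample):12s} "
              f"entropy={port_entropy_bits(sample):.2f} bits")
```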

Quit talking & fix it already!
For tier 1 (retainer) client sites, this was already completed, and you were notified, last week during routine patrol of your neighborhood. If you're a tier 2 (ad hoc T & M) client, contact me to authorize & schedule (if I haven't prompted you already). Tier 3 clients (no SBS/Linux): This is not applicable, as you don't operate any DNS servers in-house.

All that mumbo jumbo? How about just a summary?    Fine. Take your pick:

  • A serious flaw has been discovered in the architecture and current implementations of DNS, affecting all DNS servers out there, including Microsoft and BIND (used in Linux and Mac), enabling attackers to carry out DNS poisoning at will and succeed within 30 seconds (demonstrated). Interim patches with mitigating tactics are mandatory until a final solution is available. Otherwise, widespread phishing/pharming incidents are bound to happen as attacks ramp up in the coming months.
  • This is the newest, baddest security attack. It'll crash your hard drive, melt down your network, leak your secrets, ruin your sex life, and cause your hair to fall off. The only way to avoid it is to unplug your computer, and duct tape all your windows.
  • Sum ting wong. Call Sam!

Okay, okay...  Seriously:

  • Over-simplification won't provide any meaningful insight beyond stirring up fear and confusion, and is therefore counter-productive.
  • This document addresses a target audience ranging from business executives to typical computer consultants.



Visions * Integrity * Perspectives Solutions, not products. Expertise, not hype. Rationales, not ideologies.

Copyright © 2005-2006   Bravo Technology Center  *  Bravo:GO