Advisory: Server Vulnerability - DNS Poisoning
August 8, 2008
This is a pertinent update on a current IT security event, surrounding the much anticipated Dan Kaminsky speech on Wednesday at Black Hat Expo.
What is it?
- DNS is the service that performs look-up and translation from domain names to IP addresses, which browsers, email clients and other programs need for actual access.
- DNS poisoning is the malicious tampering with someone's DNS server, so that an innocent access to a legitimate site arrives at a rogue site instead, where information capture and other nefarious acts can be performed.
- A whole slew of efficient attack techniques has just been discovered that takes advantage of a long-known architectural-level vulnerability in the DNS mechanism.
- Within your IT infrastructure, your workstations may rely on your own DNS servers, which in turn depend on your ISP's DNS servers. Actions are needed.
Status: Exploit in the wild and active
That means someone has already written actual program code to exploit this vulnerability and launched attacks. Copycat variants and enhanced versions will soon follow. So it's no longer a theoretical risk. It's happening in earnest.
How does it happen?
DNS uses the UDP protocol, which is inherently insecure because the source IP address cannot be verified (a single packet carries a self-proclaimed address, with no handshake). That makes it relatively easy for rogue hosts to spoof replies. This has been going on for years, as some of you have already experienced. A newly published technique reduced the attack time required by orders of magnitude. Voilà, certain success with trivial effort.
What to do?
Patch all DNS servers: randomization of the IP source port in addition to the transaction ID can partially foil attacks (exponentially increasing the effort they require). Microsoft released all relevant patches on July 25. On the Linux side, it's a bit more complicated (case-by-case). Note: DNSSEC (the "next gen" DNS) is in the draft & RFC phase, still years away from ratification and implementation.
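To make the effect of the patch concrete, here is an added Python example (not from the advisory or any vendor) that computes the guessing space a forged reply must match with and without source-port randomization, and grades a sample of observed outgoing query source ports from a resolver; the ephemeral port pool size and the port samples are assumptions constructed for the illustration.

```python
# Added illustration (not from the advisory): size of the guessing space an
# attacker must cover, and a quick grade of observed resolver source ports.

TXID_SPACE = 1 << 16              # 16-bit DNS transaction ID
USABLE_PORTS = 65536 - 1024       # assumed: ephemeral pool above the reserved range


def guess_space(port_randomized):
    """Combinations a forged reply must match before the real answer arrives."""
    return TXID_SPACE * (USABLE_PORTS if port_randomized else 1)


def hit_probability(forged_replies, port_randomized):
    """Chance that a burst of distinct forged replies contains one matching reply."""
    return min(1.0, forged_replies / guess_space(port_randomized))


def port_randomization_grade(source_ports):
    """Grade the source ports of successive outgoing queries from one resolver.

    'poor': a single fixed port or a strictly incrementing sequence, both of
            which leave only the 16-bit TXID for an attacker to guess.
    'good': ports vary without an obvious pattern (a small-sample check only).
    """
    ports = list(source_ports)
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "poor"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {1}:
        return "poor"
    return "good"


# Constructed samples of outgoing query source ports as seen on the wire.
UNPATCHED_SAMPLE = [32768] * 8                                      # one fixed port
PATCHED_SAMPLE = [51743, 12006, 60217, 3491, 45118, 27904, 58832, 9650]


if __name__ == "__main__":
    for randomized in (False, True):
        print(f"port randomized={randomized}: space={guess_space(randomized):,}, "
              f"P(hit | 65536 forged replies)={hit_probability(65536, randomized):.2e}")
    print("unpatched sample:", port_randomization_grade(UNPATCHED_SAMPLE))
    print("patched sample:", port_randomization_grade(PATCHED_SAMPLE))
```

Feed `port_randomization_grade` the source ports captured from your resolver's outbound queries (for example from a packet capture on port 53) to confirm the patch actually took effect.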
Quit talking & fix it already!
For tier 1 (retainer) client sites, it's already completed, and you were notified last week during the routine patrol of your neighborhood. If you're a tier 2 (ad hoc T & M) client, contact me to authorize & schedule (if I haven't prompted you already). Tier 3 clients (no SBS/Linux): this is not applicable, as you don't operate any DNS servers in-house.
All that mumbo jumbo? How about just a summary?
Fine. Take your pick:
- A serious flaw has been discovered in the architecture and current implementations of DNS, affecting all DNS servers out there, including Microsoft and BIND (used in Linux and Mac), enabling attackers to carry out DNS poisoning at will and succeed within 30 seconds (demonstrated). Interim patches with mitigating tactics are mandatory until a final solution is available. Otherwise, widespread phishing/pharming incidents are bound to happen as attacks ramp up in the coming months.
- This is the newest, baddest security attack. It'll crash your hard drive, melt down your network, leak your secrets, ruin your sex life, and cause your hair to fall off. The only way to avoid it is to unplug your computer, and duct tape all your windows.
- Sum ting wong. Call Sam!
Okay, okay... Seriously:
- Over-simplification won't provide any meaningful insights, other than stirring up fear and confusion, and is therefore counter-productive.
- This document addresses a target audience ranging from business executives to typical computer consultants.