Thursday, July 17, 2008

DNS Goes Bad

There has been an enormous amount of concern on the Internet after the recent announcement that a severe issue has been discovered affecting almost all DNS servers.

The researcher and security guru credited for finding the vulnerability is Dan Kaminsky. He found the issue around six months ago, by complete accident.

We can all be grateful that Kaminsky responsibly disclosed this specific issue, as this vulnerability could have had severe consequences and ultimately he would have been able to obtain a hefty amount of money from the right (and wrong) people. In his words: "DNS goes bad, every Web site goes bad, and every e-mail goes... somewhere."

This specific finding has rocked the Internet and security world as we know it and although Kaminsky says nothing of this scale has happened before, he assures us that everything is genuinely under control.

Giants in the IT industry came together in March 2008 at Microsoft's campus in Redmond, Washington, where they engaged in secretive research to address the issue and come up with patches that could be released simultaneously by multiple vendors.

The meetings included Microsoft, Cisco, Sun and as well as the Internet Systems Consortium (ISC), creator of BIND (the most commonly used DNS server on the Internet) among others, and 16 researchers including Kaminsky.

"This hasn't been done before and it is a massive undertaking," said Kaminsky.

Microsoft released a patch for this vulnerability on Tuesday, 8 July with its 'Black Tuesday' updates.

What does DNS poisoning do?

DNS translates domain names to IP addresses (those numbers you can never remember) and is at the core of many Internet services. For example, www.itweb.co.za translates to 196.30.226.221.

This specific issue, which was discovered by Kaminsky, can allow attackers to poison DNS servers cache and essentially route Internet traffic in any way they want and effectively, impersonate any site they want.

This allows for 'phishing' attacks to be far more damaging. This is because even if you have entered the address correctly into the browser, you may still end up at a fraudulent site. The list of possibilities goes on with many other protocols.

This specific finding has rocked the Internet and security world as we know it and although Kaminsky says nothing of this scale has happened before, he assures us that everything is genuinely under control.
As a short description, phishing attacks can often be described as when attackers set up fraudulent Web sites to impersonate an authentic Web site. This is done to trick the user into disclosing sensitive information such as credit card numbers or banking details. Needless to say, the consequences of this attack could be severe.

We would definitely see a lot of pharming attacks. If this had to have been exploited in the wild, e-commerce and banking Web sites would have been greatest affected by the attacks.

Pharming is when a specific Web site's traffic is redirected to a bogus Web site. Many users would fall victim to this attack and not even know it. End-users would not even be aware they have provided very useful information which is harvested by the attackers. Similar to the attack in January 2005, the domain name for a large New York ISP, Panix, which was hijacked to direct to a site in Australia.

I recommend restricting access to the name server, filtering traffic, running local DNS cache, disabling recursion, and implementing source port randomisation.

I hope that the public and everyone reading any advisories pertaining to this issue will test their DNS servers and ultimately apply the relevant patches as soon as possible.

Most technical details of this vulnerability have been kept under wraps for now. This has been done to give administrators and users more time to patch their servers. Kaminsky will, however, disclose all information about the vulnerability at the BlackHat conference during August.

While many servers will automatically apply the relevant patches for this issue, a large number of servers are still vulnerable.

Those that are unsure if they are vulnerable to this issue can visit Kaminsky's Web site at http://www.doxpara.com/. From there, they will be able to see whether their name server is vulnerable. The relevant patches should be applied as soon as possible for servers that are vulnerable.

Kaminsky has said: "People should be concerned but they should not be panicking." There is still time for servers to be patched.

Kaminsky has also called on a number of security researchers to look for more issues, as he believes there still may be a number of undisclosed issues in DNS. He is also willing to let a finder of an issue come on stage with him at Defcon (2008 security conference), according to his blog.

ISC has so far encouraged DNS administrators with servers behind port-restricted firewalls to review their firewall policies to allow this protocol-compliant behavior.

No comments: