Patch domain name servers now, says DNS inventor
Seriousness of situation can't be overstated in wake of flaw disclosure
Computerworld - Paul Mockapetris, inventor of the Internet's Domain Name System architecture, has some advice for those in any doubt about the seriousness of a weakness in the DNS protocol that was disclosed yesterday: Patch your DNS servers right now.
The vulnerability and the attack it enables are among the most dangerous to have been discovered in the DNS protocol so far, Mockapetris said in an interview with Computerworld Wednesday morning.
"It's absolutely critical for IT managers to upgrade their software. They want to make very sure that the caching servers on their perimeters are up to snuff," Mockapetris said. In addition, they need to also ensure that client devices such as DSL modems that might have DNS software embedded in them are properly patched. "The time to fix is now. The clock is ticking," before exploits against the flaw become widely available, he said.
The so-called DNS cache-poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security firm IOActive Inc. The vulnerability gives malicious attackers a way to very quickly redirect Web traffic and e-mails to systems under their control. Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw, as are client devices with embedded DNS software.
According to Kaminsky's description of the problem, the weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. The vulnerability essentially allows an attacker to poison a DNS server cache by injecting forged data into it.
The flaw exists at the DNS protocol level and affects numerous products from multiple vendors. The U.S Computer Emergency Readiness Team (US-CERT), which was among the first to be informed about the problem when Kaminsky discovered it, yesterday issued an advisory describing the issue and listing over 80 vendors whose products are affected by the vulnerability. Several of those firms, including Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc., Red Hat Inc. and name server vendor Nominum Inc., simultaneously released patches yesterday.
According to Mockapetris, who is chairman and chief scientist at Nominum, the kind of DNS cache-poisoning exploit discovered by Kaminsky is not particularly new in concept; it essentially works by trying to correctly guess DNS packet identifiers. What makes Kaminsky's exploit lethal is that it is far more effective at doing this than anything else before. "He has figured out a way to make the attacks much more dangerous. Someone using this technique can poison a caching server in about 10 to 20 minutes," depending on the kind of bandwidth that is available, Mockapetris said.
Mockapetris added that the software patches issued by the vendors yesterday are aimed at blunting the efficacy of Kaminsky's exploit by making it much harder to guess at the packet identifiers. Even so, he cautioned, with Kaminsky scheduled to make details of his exploit publicly available at the upcoming Black Hat security convention, expect to see concerted efforts by many to use the technique to break into DNS name servers, said Mockapetris. Internet service providers are likely to be among the juicier targets, since a compromise of one of their DNS servers will likely have a far broader impact than an attack targeted at a corporate server.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts