Patch domain name servers now, says DNS inventor
Seriousness of situation can't be overstated in wake of flaw disclosure
Computerworld - Paul Mockapetris, inventor of the Internet's Domain Name System architecture, has some advice for those in any doubt about the seriousness of a weakness in the DNS protocol that was disclosed yesterday: Patch your DNS servers right now.
The vulnerability and the attack it enables are among the most dangerous to have been discovered in the DNS protocol so far, Mockapetris said in an interview with Computerworld Wednesday morning.
"It's absolutely critical for IT managers to upgrade their software. They want to make very sure that the caching servers on their perimeters are up to snuff," Mockapetris said. In addition, they need to also ensure that client devices such as DSL modems that might have DNS software embedded in them are properly patched. "The time to fix is now. The clock is ticking," before exploits against the flaw become widely available, he said.
The so-called DNS cache-poisoning flaw was discovered earlier this year by Dan Kaminsky, a researcher at security firm IOActive Inc. The vulnerability gives malicious attackers a way to very quickly redirect Web traffic and e-mails to systems under their control. Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw, as are client devices with embedded DNS software.
According to Kaminsky's description of the problem, the weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. The vulnerability essentially allows an attacker to poison a DNS server cache by injecting forged data into it.
The flaw exists at the DNS protocol level and affects numerous products from multiple vendors. The U.S Computer Emergency Readiness Team (US-CERT), which was among the first to be informed about the problem when Kaminsky discovered it, yesterday issued an advisory describing the issue and listing over 80 vendors whose products are affected by the vulnerability. Several of those firms, including Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc., Red Hat Inc. and name server vendor Nominum Inc., simultaneously released patches yesterday.
According to Mockapetris, who is chairman and chief scientist at Nominum, the kind of DNS cache-poisoning exploit discovered by Kaminsky is not particularly new in concept; it essentially works by trying to correctly guess DNS packet identifiers. What makes Kaminsky's exploit lethal is that it is far more effective at doing this than anything else before. "He has figured out a way to make the attacks much more dangerous. Someone using this technique can poison a caching server in about 10 to 20 minutes," depending on the kind of bandwidth that is available, Mockapetris said.
Mockapetris added that the software patches issued by the vendors yesterday are aimed at blunting the efficacy of Kaminsky's exploit by making it much harder to guess at the packet identifiers. Even so, he cautioned, with Kaminsky scheduled to make details of his exploit publicly available at the upcoming Black Hat security convention, expect to see concerted efforts by many to use the technique to break into DNS name servers, said Mockapetris. Internet service providers are likely to be among the juicier targets, since a compromise of one of their DNS servers will likely have a far broader impact than an attack targeted at a corporate server.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts