Thursday, August 7, 2008

DNS flaw explained at Black Hat conference

DNS vulnerability has been the talk of the town since early July, when Dan Kaminsky revealed that a flaw in DNS software allows a form of attack called DNS cache poisoning.

On Wednesday, at the Black Hat conference held in Las Vegas, Dan Kaminsky addressed anxious attendees and explained what the fuss is all about. He explained that the DNS, which acts like the online version of 411, is the component that decides and controls how and where online information gets routed. Say you type in www.google.com and hit enter: it is the DNS that takes care of the request and opens up the web page you wanted. This holds true for any similar request you make. (For those who do not know, 411 is a local directory number widely used in the US and Canada.)

That was just a basic example of what DNS does.

What DNS cache poisoning does is alter the association between domain names and IP addresses. This is an alarming scenario. A simple example would be typing in www.google.com and having www.yahoo.com open instead, or any other website the hacker chooses, as the hacker now controls where online information gets routed. Although the example above is a tad far-fetched, what can happen is that the hacker floods a DNS server with multiple requests for similar-sounding domain names, confusing the server into querying a root server for the name server(s) handling lookups for these domains.

After the July 8 announcement, Kaminsky had requested that security researchers not reveal details about the vulnerability so that affected entities would have enough time to patch. However, on July 21 security researcher Halvar Flake and an analyst from Matasano Security did post details about how the flaw worked.

Kaminsky estimates that there are about 35 known and unknown ways to execute this attack. Since the announcement, almost 80 technology vendors have been working overtime to fix the bug, and it seems to be working. Information Week reports that the percentage of vulnerable unique name servers subjected to the self-test on Kaminsky's blog has come down from a scary 85% to about 50%. However, that still isn't enough, as even Fortune 500 companies have had trouble patching the bug due to issues with NAT (Network Address Translation).
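As an added example (not from the original post, and not Kaminsky's own test code), here is a simplified version of the kind of check an online self-test like the one on Kaminsky's blog performs: it grades how predictable a resolver's query source ports are. The fix vendors shipped was source-port randomisation, and a NAT in front of a patched resolver can undo it by rewriting ports in sequence, which is the NAT problem mentioned above. The ephemeral range, thresholds and sample values are this example's own assumptions.

```python
"""Added example (not from the original post): a simplified version of the
check behind an online DNS self-test. An unpatched resolver sends every query
from one fixed UDP source port, so an off-path spoofer only has to guess the
16-bit transaction ID; the vendor patches randomise the source port as well,
adding roughly another 16 bits. A NAT in front of a patched resolver can undo
that by rewriting ports in sequence, which is the NAT problem the post raises."""
import math
from typing import Dict, List, Tuple

Sample = Tuple[int, int]  # (UDP source port, DNS transaction ID) of one query

# Ephemeral port range a randomising resolver is assumed to draw from
# (1024-65535). Assumption for this example; real resolvers differ.
EPHEMERAL_RANGE = 65535 - 1024 + 1


def is_sequential(values: List[int]) -> bool:
    """True when each observation is exactly one more than the previous
    (how a NAT or an old stack allocating ports in order looks)."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def grade_resolver(samples: List[Sample]) -> Dict[str, object]:
    """Estimate how many bits an off-path attacker must guess per query."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    # Transaction IDs only count if they are neither constant nor sequential.
    txid_bits = 16 if len(set(txids)) > 1 and not is_sequential(txids) else 0
    if len(set(ports)) == 1:
        port_bits, port_status = 0, "fixed"
    elif is_sequential(ports):
        port_bits, port_status = 0, "sequential"
    else:
        port_bits, port_status = round(math.log2(EPHEMERAL_RANGE)), "random"
    total = txid_bits + port_bits
    return {"distinct_ports": len(set(ports)), "port_status": port_status,
            "guess_bits": total, "verdict": "GOOD" if total >= 30 else "POOR"}


# Constructed samples: five queries as a test server might observe them.
UNPATCHED = [(53, 0x1A2B), (53, 0x9C3D), (53, 0x4E5F), (53, 0xB071), (53, 0x2283)]
BEHIND_NAT = [(10240, 0x1A2B), (10241, 0x9C3D), (10242, 0x4E5F),
              (10243, 0xB071), (10244, 0x2283)]
PATCHED = [(51234, 0x1A2B), (2907, 0x9C3D), (60011, 0x4E5F),
           (18876, 0xB071), (44109, 0x2283)]

if __name__ == "__main__":
    for name, samples in [("unpatched", UNPATCHED), ("behind NAT", BEHIND_NAT),
                          ("patched", PATCHED)]:
        print(name, grade_resolver(samples))
```

A real test observes the ports of queries a resolver sends to a server the tester controls; the grading above only illustrates why a fixed or sequential port leaves the 16-bit transaction ID as the sole guess.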

As for the bug actually being exploited by hackers, a reported incident at AT&T suggests that its Internet Services DNS cache server was altered to replace the cached entry for www.google.com with another web page that served advertisements. Although not a critical security breach, it did highlight the dangers of the bug and showed that Kaminsky's concern is warranted.

For more, check Dan Kaminsky's blog, where your DNS server can also be subjected to a vulnerability test.
