Dan Kaminsky, the security researcher who first sounded the alarm that the entire Internet was in grave danger due to a widespread vulnerability, has revealed in front of a packed audience at the Black Hat security conference the details behind the initial subterfuge — and potential problems that could still pick apart the Web world as we know it.
At the heart of the matter is the Domain Name System (DNS), which handles Internet addresses and routes traffic accordingly. If a DNS server gets compromised, the addresses running through it can be spoofed without an end user even being aware of the problem. It would be like following a car navigation system with turn-by-turn directions to a bank and never realizing that the directions in fact led to a fake building that was only pretending to a be a bank.
So yes, Web browsers can get sent to the wrong sites, or e-mail can get routed to the wrong servers. If a hacker with nefarious intent is laying in wait at the destination, what seemed to be a safe and secure communication could be watched, copied and put to use to empty bank accounts, steal identities or jump-start careers in the field of corporate espionage.
The details of the DNS flaw have been out in the wild for weeks; meanwhile, administrators have been working overtime patching servers all around the world. While many servers have been adequately fixed, many have not. If the attacks have been available and lurking in dark alleys and in broad daylight, how come official reports of actual DNS poisoning exploits based on this known vulnerability have been nearly nonexistent?
Dark Answers
“The vulnerability is that your DNS gets poisoned. You can tell if your DNS is poisoned by looking at your cache [in a DNS server], but what you can’t tell is if any user queried your data, got back bad data, and then acted on it. DNS doesn’t log queries, so you have no record of it,” Mel Beckman, a California-based system administrator for multiple name servers, told TechNewsWorld.
Say, for example, that a customer went into a grocery store and used cash to buy tomatoes that had been tainted with salmonella. The grocery store could eventually learn that it had sold some bad veggies, but it couldn’t necessarily figure out which customers actually bought them.
“So we may never know if anyone got DNS poisoning for, say, Bank of America and went to a phony Bank of America and gave up their account information,” Beckman added. It’s impossible to identify if someone’s credit card information, for example, was stolen via DNS spoofing or some other method, he added.
“There’s a disconnect between detecting the problem and detecting the people affected by the problem,” he said.
Funny Games in China?
Despite the lack of victim-specific evidence, there are exploits working the world’s DNS servers over right now, Beckman said.
“There are a lot of Chinese sites that are actively trying to exploit the flaw to the point that some major network operators are blocking all traffic from China,” Beckman said. “Some customers are finding this out as they try to get some of their Olympic coverage from China,” he added.
It doesn’t help that many DNS servers are some of the oldest servers in data centers. Because DNS servers typically have fairly light loads, they don’t need to have a lot processing power and memory. But now, Beckman said, “some DNS servers are falling over just from the attack traffic.”
More Than Web Pages and E-Mail
Kaminsky also noted that DNS is woven into the fabric of our electronic lives well beyond the scope of Web sites. The DNS flaw could be used a variety of ways, including stalwart protocols like File Transfer Protocol (FTP) and Secure Socket Layer (SSL).
“The troubling part is that the fix isn’t ‘permanent,'” Rich Mogull, an independent security analyst for Securosis.com, told TechNewsWorld.
“The attack still works, it just takes much longer to execute. As a result, it’s absolutely critical that organizations monitor DNS and deploy other protective measures to detect and stop the attack,” he explained.
“Dan’s fix slowed it enough that we can detect and respond to it, but only if we use additional security controls, like IDS/IPS (intrusion detection system/intrusion prevention system) on top of the patch,” he noted.
I was trying to find anyone who has experience with Bluecat. They provide DNS protection services and I’m possibly looking to get it for my business. Their product listings are here https://www.bluecatnetworks.com
Can you guys tell me your personal experiences or do you think their services are necessary for me. I run a chain of restaurants in Toronto.
"The vulnerability is that your DNS gets poisoned. You can tell if your DNS is poisoned by looking at your cache [in a DNS server], but what you can’t tell is if any user queried your data, got back bad data, and then acted on it. DNS doesn’t log queries, so you have no record of it," Mel Beckman, a California-based system administrator for multiple name servers, told TechNewsWorld.
To challenge this quote, I would say that traditionally you can get visibility to who and when a client has made a query to the DNS server. Knowingly, you have to put your DNS server into Debugging mode for an AD DNS server or Query logging mode for a linux DNS server; both these options have a expensive resource cost that would impact the response times from the server. I think it is worth mentioning that enterprise DNS products like Infoblox have solved this issues and provide the visibility that is critical for remediation or forensics by developing a DNS server based on BIND without the resource overhead of turning on query logging. Something to consider if your organization is looking for solutions against DNS Exploits. I have many safe and satisfied customers where I have recommend Infoblox as a DNS solution.