
New Internet Poison Gets Instant Antidote

Vendors are patching up a Domain Name System (DNS) vulnerability disclosed to the public yesterday, blocking a flaw that could be exploited to hijack certain Internet domains.

The underlying security problem, known as DNS cache poisoning, is something that's been around for some time. What's new is that researchers have uncovered a more effective way to do it, although they kept that discovery under wraps until a patch was ready for distribution.

"Everybody was used to 10-foot floods of these attack packets, so they built 20-foot dikes. Now, we found a way to get a 100-foot flood, so we've made 200-foot dikes," says Paul Mockapetris, chief scientist at Nominum Inc. and the inventor of DNS.

DNS translates IP addresses to host names or vice versa: For example, it's responsible for sending "www.lightreading.com" requests to, er, well, some IP address or other. Cache poisoning happens when someone fools a DNS server into delivering a wrong result, and routing traffic to some other site.

Cache poisoning takes advantage of inherent flaws in DNS. DNS servers need to exchange information sometimes, and it's possible for an intruder to fabricate a message a DNS server will accept. It's relatively easy with older DNS versions, and, even with newer ones, it can be done through perseverance and luck.

The big deal about the new vulnerability is that it could speed up that guesswork. "Somebody figured out how to get multiple bites of the apple and attack the same domain name more often," Mockapetris says.

Researcher Dan Kaminsky of IOActive Inc. found the problem six months ago, and the industry has been working since then to patch it. Cisco Systems Inc. (Nasdaq: CSCO), Microsoft Corp. (Nasdaq: MSFT), Nominum, and the Internet Systems Consortium Inc. (ISC) -- the source of the Berkeley Internet Name Domain (BIND) that's used by most DNS servers -- were among the entities involved.

There's a more secure version of DNS called, cleverly, DNS Security Extensions (DNSSEC), but Mockapetris doesn't consider that the answer. "To complete the analogy [the floods/dikes thing], it's more like issuing everybody a submarine. It's complete protection against any kind of flood, but it limits what you can do, and it's fairly costly to implement."

It's going to take time for DNS servers to get the new patch, and some might never get updated. But there's no need to punch the panic button, says Mockapetris: "DNS is far from the weakest link in the security chain for the average user."

But if you're feeling hungry for a sense of danger, try this: While Kaminsky hasn't disclosed his cache poisoning trick to the public, it's possible that someone else has found the flaw and is trying it out. Nobody would know, since nobody's been on the lookout for it. "Whether it's in the wild or not is something we'll be looking for," Mockapetris says.

The U.S. Computer Emergency Readiness Team has posted information about the vulnerability here.

— Craig Matsumoto, West Coast Editor, Light Reading

COMMENTS
Pete Baldwin 12/5/2012 | 3:36:24 PM
re: New Internet Poison Gets Instant Antidote

Forbes is reporting that carriers haven't made moves to patch it. Gee, what a shock.

Kaminsky is apparently going to reveal some of the details of the exploit at Black Hat in August.

Pete Baldwin 12/5/2012 | 3:36:02 PM
re: New Internet Poison Gets Instant Antidote

There's some debate on the NANOG mailing list as to whether *this* is the exploit Kaminsky found:


...or whether it's just an ordinary cache-poisoning technique. I'll admit: I'm not savvy enough to tell the difference. Anybody else?