Saturday, July 26, 2008

DNS in danger... or should I say, the Internet

As we all know, Dan Kaminsky found a very efficient way to poison DNS resolver caches. The vulnerability and the coordination work (very well done, Dan and all the folks involved!) have been discussed extensively by the IT blogosphere and press and by the CERTs (US-CERT/CERT/CC and CERT-FI, for example). The internet operations community and DNS server operators should be very well informed.

I am still worried. Why?

The patches are far from fully installed. Windows users should already be largely covered, thanks to the coordinated release of Microsoft's fixes on the July 2008 Patch Tuesday. According to several reports, like the ones generated by (links here and here), the deployment situation on the real resolving nameservers is, to put it mildly, on the weak side. The patches available for BIND are not final and have shown major performance problems, especially in Solaris environments. So I fully understand the ISPs who are very concerned about their patch situation.
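What the patches actually change is the resolver's outgoing UDP source port. An unpatched resolver sends every query from one fixed (or predictable) port, so an off-path attacker flooding forged replies only has to guess the 16-bit transaction ID; a patched resolver randomizes the port too, which multiplies the guess space by the size of the ephemeral port range. The script below is an added example, not code from the original post or from any vendor's patch. It classifies a list of observed (source port, TXID) pairs as fixed, sequential or random and shows how many forged replies an attacker needs on average in each case. All three samples are constructed by hand, and the 64512-port ephemeral range (1024 to 65535) is an assumed default, not a measured value.

```python
"""Classify a resolver's query source ports and estimate the blind-spoofing
guess space.  Added illustration; all samples are constructed, not captured."""
import math

# Constructed: an unpatched resolver that always queries from one port.
FIXED_PORT_QUERIES = [
    (32768, 0x1A2B), (32768, 0x9F31), (32768, 0x0044), (32768, 0xC7E0),
    (32768, 0x5D12), (32768, 0xEE09), (32768, 0x3B3B), (32768, 0x8A10),
]

# Constructed: a resolver whose port simply counts up by one per query.
SEQUENTIAL_PORT_QUERIES = [
    (40000 + i, txid)
    for i, txid in enumerate([0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666])
]

# Constructed: a patched resolver with randomized ports and TXIDs.
RANDOM_PORT_QUERIES = [
    (40217, 0x7C1D), (1039, 0x02AA), (58712, 0xF0F0), (12345, 0x3E8E),
    (33001, 0x9900), (61200, 0x4B4B), (5222, 0xDEAD), (27888, 0xBEEF),
]

ASSUMED_EPHEMERAL_PORTS = 64512  # ports 1024-65535; an assumption, not a measurement


def classify_ports(queries):
    """Return 'insufficient', 'fixed', 'sequential' or 'random' for the
    observed source ports.  At least three queries are needed to tell a
    constant-step sequence from two unrelated ports."""
    if len(queries) < 3:
        return "insufficient"
    ports = [port for port, _txid in queries]
    if len(set(ports)) == 1:
        return "fixed"
    steps = {later - earlier for earlier, later in zip(ports, ports[1:])}
    if len(steps) == 1:  # one constant increment => next port is predictable
        return "sequential"
    return "random"


def effective_guess_bits(queries, ephemeral_ports=ASSUMED_EPHEMERAL_PORTS):
    """Bits an off-path attacker must guess per forged reply.

    The TXID always contributes 16 bits.  Fixed or sequential ports add
    nothing: one observed query (or a simple prediction) reveals the port.
    Randomized ports add log2 of the usable ephemeral range."""
    if classify_ports(queries) == "random":
        return 16 + math.log2(ephemeral_ports)
    return 16.0


def expected_forged_replies(bits):
    """Expected number of forged replies before one matches, when each reply
    succeeds with probability 2**-bits (geometric distribution, mean 2**bits)."""
    return 2 ** bits


def seconds_at_rate(forged_replies, packets_per_second):
    """Wall-clock time to send that many forged replies at a given rate."""
    return forged_replies / packets_per_second


def verdict(queries):
    """Summary tuple: (port behaviour, guess bits, expected forged replies)."""
    bits = effective_guess_bits(queries)
    return classify_ports(queries), round(bits, 2), expected_forged_replies(bits)


if __name__ == "__main__":
    for name, sample in [("fixed port", FIXED_PORT_QUERIES),
                         ("sequential ports", SEQUENTIAL_PORT_QUERIES),
                         ("random ports", RANDOM_PORT_QUERIES)]:
        kind, bits, replies = verdict(sample)
        # 50,000 packets/s is an assumed attacker rate for illustration only.
        print(f"{name:17s} -> {kind:10s} {bits:6.2f} bits, "
              f"~{replies:.3g} forged replies, "
              f"~{seconds_at_rate(replies, 50_000):.3g} s at 50k pps")
```

To feed it real data, capture the resolver's own outgoing queries (for example with `tcpdump -n udp port 53` on the resolver host while it looks up a handful of uncached names) and build the list from the source ports and IDs you see. A handful of distinct, widely spread ports is a good sign; a single port, or ports that step by one, means the patch is either not installed or is being undone by something in front of the resolver.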

Why is this vulnerability so special? DNS is one of the fundamental services that makes the Internet tick. It is the white pages of the 'net, binding every domain name to its IP addresses. The ability to tamper with this database, totally unnoticed by the end users, is really, really nasty.

Just think of it:

Someone changes the NS records of Google at a major ISP's resolver stack. All Google-related traffic of the ISP's customers (the Firefox start page, Gmail, etc.) goes wherever the attacker wants. Hmm, a nice drive-by exploit served from the Firefox start page?

A major bank's web-banking A record is redirected Somewhere Else. How many web-banking users type https:// into the browser's URL bar? Those who land on plain http:// never see a certificate warning, so nothing tips them off.

Need I say more?

I hope the ISPs do their best to get their infrastructure protected. And good luck to ISC in their efforts to find a complete solution to the BIND issues. The really challenging part is how to patch all the SOHO NAT firewalls and WLAN boxes (a NAT box that rewrites source ports sequentially can also undo the randomization a patched resolver behind it adds)... this is one of the very first times we need to patch the black box with blinking lights at the bottom of the cupboard. Globally.

It must be July. The mainstream press has been surprisingly quiet on this one.

Let's be careful out there..
