Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


DNS Protocol Flaw: Don`t Panic, Just Patch



 By: Brian Prince
2008-07-14
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The exploit, discovered by IOActive's Dan Kaminsky, takes advantage of a fundamental flaw in the DNS protocol. Organizations should move quickly to patch vulnerable DNS servers. Kaminsky says the bug can be exploited to redirect Internet traffic but the problem has been solved by implementing port randomization.

Despite the fact that few people know all the technical details of the bug affecting domain name servers that security researcher Dan Kaminsky reported July 8, there is no shortage of opinions on it.

As we all should know by now, the exploit discovered by Kaminsky, director of penetration testing for IOActive, takes advantage of a fundamental flaw in the DNS (Domain Name System) protocol. While Kaminsky is tight-lipped about the specific technical details of the bug, which can be exploited to redirect Internet traffic, he has said the problem has been solved by implementing port randomization.

"I've pinged at least a few customers, and I'm seeing very large tech firms already moving on this," Kaminsky told eWEEK via e-mail. He said he plans to unveil details of the vulnerability at the Black Hat conference in August in Las Vegas. "Realistically, they could move pretty fast if they were under active attack. I'm trying to give people a little more time to test than that, but we'll see what they can do with it."

Resource Library:

His disclosure last week was greeted with an initial round of skepticism, in part due to the fact he is keeping details of the situation close to his vest. To be sure, DNS poisoning attacks are nothing new, but if his finding is indeed on the money, it could make life that much easier for attackers.

Depending on who you talk to, keeping the details of the attack under wraps has made Kaminsky either a grandstander or a hero. Regardless, his discovery was enough for major vendors such as Microsoft and Cisco Systems to coordinate the release of a patch to address the issue. US-CERT meanwhile has included a number of workarounds and mitigations for the flaw, such as disabling recursion on any nameserver responding to DNS requests made by untrusted systems.

"It is worth pointing out that 'split-brain DNS' does nothing to mitigate this flaw," Kaminsky said. "Really, if it recurses, you have to patch or you have to decommission."

With the details unpublished, attackers may be a step behind the good guys on this one. Still, patches can theoretically be reverse-engineered. The bottom line: If you have a recursive server, you don't have to panic, but don't drag your feet. Always better to be safe than sorry.





  Reader Comments: DNS Flaw: Don`t Panic, Just Patch
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ksȲvf`i9mCgwR IG'ˍ7!3>Nw؆zdeeefeeUe#ogDmU71IIvjj.3轗%y!I=Wevu3Jh4=GRQu=تg4j4;ẍ>뱜we>B_@jG @PL1B1Y٘cɈusccm0 f E҉=J'IIJrGDqjuɷ#(<6 F&GKAT$NUwlX ɳ#r$*FXP~F$!ǎ4~S{/Cp_C{U+R7"wlni_Wם^'gם)_̲1<JPFf(W?#;Cjqsںy\7=rڽ&I՞NTp3䏵VklxmuH|x䎺540llZ-Jd[ݓ׫6Pyd$Y)r"?/ !}W<jr2C2q/lw,jt_ϰnOEtAM)8 .)J!BN3tQE !\J!=!8Q%e~=bfUS<8ZoV͉*]XYujZlLwE?遂KoߵqnH{⧋v؆)F0 ,heݴsÒcR>LGãUJPZ;a^T1p-^n3B eu:RgS=̟<04ZG:ԩalZK DQ"|Pd6mdX-ƙ ,70}HO!¤ p V8=Uu@N҇: 7s!FR#mv=@WT[(7? ; K`pm&;xk z90С4T=a>qjR*3<C]׶}3Bȁ{0`s;0աaǀTiZ%{r%Eabn ȥIWG!-i]R@Az68 -,rr< "arGBA .<ҦBIKڹLX:HأXB YX/_b23C$ɤi";7rB.G _3-Muc{@ *|Ѹ7=K9Һ< S'MXIKD%\Ew,[t 3AP|ѡ!n~l9:f3,35g?0q}aY k9wtݴ٢԰`81 0Z|Ch 2i0}Ms SJ`ݒn̜07ÚL ~Dg詁m>(L5iuϙܑMú[A߄T 9u \Ʉ r}͚X 4ؐ)|&B_n<Gy%&+)\=P/()'+T1g0dz?P;Gq=1S7RZC+>q^i.;[@Oe]Zr(Uע%fcP*틟a]hk%|/~$74Bɶ/^[aaPK~噎ŗZZG"JM`8W "CɥHl?Zm3@=-pR7l{`(`b^VMG,Mc9Z*(J4%j<-[`B]PeܠQ@п,olVCax5Z'AеMW7D\ܲO*'lp>eHۙ^DR'[c{cm1J8.hxd\&,[b)0sg6SPa|ia;m/ eSKQ:Om VGA>Ӝh2F ÑaHU0UIBKHLZ`!?R#ck@Lf2T3`M`R#4t ZlFV9 4}Z0$]rɭ#©1j!| *2`DPG;rSUeQalˣuewP0cXe[;pMٞ :FS-c@]O=6$!OT_'R}'Xk5.=D{*#DAw\/աE% P-W`EDcǖڹ|OuqM9&`n`RaH|L<GuqӞrFVyYBf7#zT+bZ>NB9/UjJT{}|3/72~2js}أ< _p9M?7^oO*zC?SMK\s>%\aQaƖ]4FXXH] ˏ͎OCTS_!?gP.Q9嫠07K5vo vrihbGHex]r@ XQ.g?Y7)DHȘ-qVCY=w7R-~T z9@  OXqHؽO“689n:+@%5Lr Z+::j9g+á ,ćͪ#fi>L:k}]\+j1Ͼ_N ^t|h#Qt `!Kx{ZCbS>;t`l#Rq9k*k~:+l?g`̦s{_=,UXc փ0 JǸ}j3Gnl*r_?J=[L4GxbZ`;7==%(4OQ `dm ea =N1\[n{?I a9p驔rgHT(EUTČe橲o;Uԩ7O;ԙ|^Q*~%UHU<+S?YTnX ǸNB֢%3RZ5;c HsB5x)af%qhʈg x=Rb k(4a[,]/8ʚ=?\1Z9n|!}BR^&28;=h)3OHi?pQRil} zsD&S+DN[3pu*NxS!O0;F}` $9=ǛP6Ɠ4ɨˎk)uєyjj : Stl (4H P)Yy9Y'iM$_M)i&'ءXG7g һj^nNpVHpo6+Psq붱Iyp5dgKe " KpkP I<+ c ;|E?J[L>XZ4ՒoeW!> ?9Gs`e5|>*G,?vuϯ+۾N-ßtt,-o$ۑEt2TiX'3X3=hbrӅ[dojw`{t =z;Ojw]G꜌ٵDU~zo蚳)o.CLĶvp߂؍ /G.x9r kQD=%7^`v(u[c]9E$kă(QaaHK.}<﷯Ik 09nJs $jAT{9wfv{.HeNh>HАcշݜ8_8# <f/zvvQW1hhCw+d~OY)eyP1gn萇vlLcI"\[a{wCy $]d%^F&vZpA2M#}ݾJfxӼ4hјAhfil|Wnkcc7٥~fjP >^=ˤa2]a fYj=rK"J]&ZDNpw5V {QN9|}W%0ʪց<9d/ h3\|I,Ro14+M*uTWngO量B45Qx h@E-)mNN^>f 'T(\ڌ uvlzY̲63@I bBהݠԢSos;L`f|SxZ*Y_~{G$J-8|Q$/3X(^AY%4hl]e9wvՁlc|^ʗKy|`%^+8EAF;$|E} dvK/йR+4 a6 `6A˼D 4Qy{,7+rgK#Y +t2q)͏lW괥aZU6b͠$0U 4˂to?Ge&}"uυvU6e׃geO:5{ŠƃH@E3ۤ)L `! a`" cF!ŀ VmlSz+JJERO'RH¦it*ug3|>Γ"p3CUECkoFolU|{*6)UP.oզBiS8,-vi$p8$jԞޮ?c rL8泅40%= b3FcIMϛMYS%վɴM8h_WoqBFGWF7^O&44W[Dܔ9/Μ]FV+0.]P;7PE  |lI3u@з7 "=0gU+4o tqanƬ!z@'+ݨ`IϥNU\8, L|M1lQ-#ށa<'XztYÛ*<#ъyy>~0X eOT1+l oo w/ $w>JثA".ج #ֲMiVJ/AM ِ^5uRh[c'7p'p43%^#],Ͷrtc#<(~{A-pxr 9żX/Vo3OKDT-.b ԴTҚ>s68tХ&6 qݟ`t> @G A8koHجӍmJo QK@@R[8+StiPW瑫tPV֙GoP zB_mlZr]Ϡ-O(Q&}Y}zmx\P L' 4 eC d޴MKi^>|I=ێ^ ڎIq;!$FzH5|~,pHx":a{Zdغmkgzc) GH+0$ܯOTSZ@B2]S0,< zįgg иqΠ "e<z}J2_L]) .;',P٪R=HTQ *WXo^>i@uhM HI=3u C},y, ͟e ~{f}Qz}fh^Wmy#nLH֛!a#T]^y MGxɑV|O˞yl> +6ƕ=zXdO1|{.&G1t=Çi, p`0 4rǶ73"I|ܷ'AI {MjoO$'2X԰ܯ {#ְ+lī0)/OLApQMOyo-po'-ķzf55 +.b ŵQ6}7 q lw~ÀvڈK39}PشB!WV4^ [ذ8: #kԣ80Ha}BzmYΥS.6Ke>XBjBzcg7[Ɲ&&d~K2@04kIkB]I2Ʊ~OS&y*8LZp3:R >;֑-'.t~vϳYul>Uن7D%i\ƫ"x6 =C.UWE[ÓyX 'ݒCTa%1Y#z9\j@Z/ :àIjD):aFC)x+[ s0[ oCpd_7nc|vd'?KD)P'O~n' N7Hw;AXd*LA|<?NF19Q q'10P1z{JbE="#Oˊk('>?o+|uܷo N o|o-qIXsD F¯' #G?Pw; DvW83ixY4>(C^P^=’wM\1cמYpUW,,WVVAXAC.9"'"KH*]N|`jl?QXҩfLzm͸_-V/z SkwqݗǶJzܥ/+y91(f-fr] bʅ1sٟJ_\Q OuζAs둞Jby[u9Mį!EEQIߘH0Y飏ji+ M09ꭸ$0-ÖC0v&^fGP1$0qxo/|D_7"|BlN3+C0d+vd"m]%ꮱIwKDwg|{ }w :nQ/W^P9 Pm̼HGb )7>N!1K=?-Ąk 3`ېU|0XV$ʽOɴCebH] EC `=? q}nB~hvew=d.Xk``\xsΞux@ !>A=vOꂜ9$l0W)4g:K,]'{!uu} l  \Q-:q4eZ}*E \Ð3{~nP^qED#PhbGBCws uǤۭp4aBRD=fڄۈX&: tKf،6'ǁlPFK<1J \-@ebqr9yb/@ (J ,PF: /  !n Q&@ؔ(͍$u~gpfK)'6X`{T燋+yuwe~tt:Ġ0͆SZgkPk7 6tQ(b8M Uۇӟy{)ۺ9P\bHn%TB<౸P,0-Ōz+|E))I]U0uMGT0 =b3brOTvcѼ:JNפINm|;\;Kr>-$lknI|[sm}=^}=\;Lpa&G_sueR0,g?ehE)3C9ULj6þ;OWΓ∾(ah,.6Uk$;G(%lFyj1,o:Ll+3N+MphO!u{It/ۙF`RZl<%JIɿ'MfJ~)-A'O>)Lg>iuwZFuRCL2%i|y |*e|.)i)\ ϋHO˔_~/)gGJ_^%e\]_M?]/rqWP*5u )^s }/iп/)BȿIIh&࿛u2A~3EΚWpz~;s_4ST}VKӔCOgC2_`kW)t.3 {5̭L_:W'V|]!,|rFWXV鄘Vq2O,y=Uҍ&#K=u7l>|aR1'ͥeoGa[Gܻğat=PΛ@Kn l8ڍR^CG0nsOk|>bÝxv'U]Y;X;Yo[췡^2,䒥9q}2ى3فKj2ayD:l{$4x\·jX_=rG܌:X';,w`/烫6Kfz}2չ_ϳ_9(c$xH-M Գ8 !r骯rfhNoBGcn`'>LIƙ Ap|R3v俓k$2 q2tJE Yqi3rX:L3BAH# .=M^%t FPBC]3CX.ḇ=o-%~Gk( |D@ |:&Tcejf"fRՍCt8c+x;@` fǁg5v;BfCra{ ϛQo{ɤK4lV{[2gډxvKgu¿6@Ǚx,N~f+gMcUޡQ7âR-3|:UA|#% .LESzqoW#L#v0J6{Q*x2ц`oN$4.Ĉk,8%f]&2; zJ11-GO3`Ơ=Q^IZ-C7Xvʀ_o@n=N6"fGٷ]y ůD|݆Ϟ|Ga,\~LiӳzmOWm bM,JT-"EK5 D >b/ O3L+IU#wb/zb X6^a?ŋI=' MȮ+fAj|nX{!fՇ0Qwt=K++%"TvKh0e`-݂91r^ m{PN`>x((" "H "s{B|%؄Zs]dBZx~)͟f9fo%FXHVSd,ӧ&u&͙o_1``a?^ (TUǨz :Aϐ\x߃AF{&W v,='DπjUMDf΢P5mczlo()y+9ن^*HuԶx+""ⅰx?B 9ax^9"Z1gART~{J]*P=eZPO:] v"8%Yz/;qo=Guc_Vx CBر\8#I:.~ieˏz|)H@%[b1G(]! ""_Sasomy>ⲁE":}`S h(t6> Oc'LXji%r>ebV.qmeFۧ_ޓ-[$@<O"/xv4aeDQ /Tvy(s*>ݠKA1Z<&[z>kK_"a*|?oeN{:x M-IS`v/-Ǭ JnS.!O3й?-}*y[M:@W%`/=H]S|9NmRjãōGXǸW[Oc V\3z7ZЎk36E' Cga+b2PMYhc 1G,@]փPv! C`*=F" ţ8Z*bJ#ىZS֡CAĜBJ>eg쇶܌DŽ2K"4isoq=dWJw# 3gGsayq@Ԃ#'NNg@|OI4{b%yKS3 _e۾5.|G5o;|R:-W LpX|ׯ,p 3_ꙟXx7}5Ye +|Sc#BO(SÁjPyy3Rv!Az {{vΠ1.VAJ!On5ЃeXҨ+59~YfS4iopv5\\MW٫׳$K0`'m~_ب`(rHN=?sDm^@H@孙i2"+ ƩRf?1Dctopa<$ATާcX*;>5L_bZ%nJ+߈ ^&KN:/m;苍 GY} :2cT.boFD<_k;Ad/1p}}<(Ӣ2&*בZ Ex ZNWLŻ1άK*9Xe4􁬉n0@4M$  M~ߕzUq$L{d`(\tlXdrZM ಋct a;GTo֚M^Y-q/U'[( MMI8īx@g/֟NB2`j jabf: .Ku$; te"p3-KKͱ~$W{8;Yf@:sa0ɲWGYqYa8Ƚy_c̻ W{k#z+-hMb6 8`$_/Gjxov!BȠ!i*~ ct|qcgjR+@`s$8oG@߄gZlnуrE19;v"II ~w.Lա'p"C"!t\A.L 8-s~߉n:HʨHx!-YnXA"0aɅk dw|$R$j;nIē-2CBiO-,Os` J}]qF|YYAjl=ɱiU3y_PGQθ"(Q#{4!h@/>bS&Bh$C>/*+ɻ kp+|v7`U ixA=vֲѿ!8\gZ9(&#xI zMFd1$5[|P}Tj~X+a"^! T3pe4KױiShTsw # tbͬe9M/f KX2MfWd<=k <h-ق. א{ٗNGV_WB: zբ/(a20Wreߴ;G+O룄#\yueK ȣs[LN`borWVs1^_A5^f7OC0  %#t T`8BPE!} bȘCf!ɡrP-b܂Bf{oA\G\bz ۔a>7 e Z?PMTʱ(zW+L̬8