Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


How to Secure Your Network from Kaminsky's DNS Cache Poisoning Flaw



 By: Sandy Wilbourn
2009-04-28
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. How to Secure Your Network from Kaminsky's DNS Cache Poisoning Flaw
  2. DNS Security Starts with the DNS Server
  3. Additional Defenses with Routers, Firewalls and IPS

Rate This Article:
Poor Best
How to Secure Your Network from Kaminsky's DNS Cache Poisoning Flaw
( Page 1 of 3 )

Savvy network security administrators recognize that multiple defenses offer the best protection against insidious security threats. Knowledge Center contributor Sandy Wilbourn explains what the Kaminsky DNS cache poisoning flaw is and how to secure your enterprise's network from the Kaminsky DNS cache poisoning flaw.

The seriousness of the recent DNS cache poisoning vulnerability, discovered by security researcher Dan Kaminsky, raises the bar for network security administrators and should provoke development of a comprehensive plan to address this insidious threat. Every enterprise has a caching DNS server and is thus a target of the Kaminsky DNS cache poisoning flaw.

A Kaminsky DNS cache poisoning attack consists of two steps:

Resource Library:

Step No. 1: The attacker sends fake DNS queries, or questions, to internal caching DNS servers. These queries are for domains that the caching server will not have cached, so it will have to generate subsequent queries to authoritative servers on the Internet.

Step No. 2: The attacker then sends a barrage of fake answers to each fake question, attempting to spoof the answer from the authoritative server. To succeed, the attacker has to correctly guess various query parameterssuch as Transaction ID and User Datagram Protocol (UDP) source portbefore a valid response from the legitimate authoritative server reaches the caching DNS server. There are some additional technical details about the fake answer that will be discussed later in this article.

If the attacker succeeds in getting his or her fake answer accepted by the caching DNS server, the consequences are quite serious. The poisoned DNS entry can be used to redirect Web traffic, e-mail or any other IP application to a malicious server controlled by an attacker.  Since the DNS points users to their destinations, it is completely unaware that the traffic is being diverted.

Protecting against the Kaminsky attack

As with any security vulnerability, the best approach for protecting against the Kaminsky attack is to employ multiple defenses. In this case, traditional firewalls and intrusion prevention systems (IPS) can be part of the solution, providing an initial defensive shield that will reduce the number of fake DNS query requests and responses.

But most firewalls and IPS will not stop a fake DNS response from poisoning the DNS cache if the DNS query parameters match. This means it is a primary consideration to ensure that the DNS server itself employs the best possible defenses. Put another way, DNS security starts with the DNS server.





  Reader Comments: How to Secure Your Network from Kaminsky's DNS Cache Poisoning Flaw
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Sandy Wilbourn
 


xr۸0{\5|km]mGJɶkŲ,%^I*EBER9%]%3nBKd<3%\@h4?y$sW7-gDڮ9)ٝfߧGo-zIӻ@@eZNULrJԶnT7n[#3P/W?aW᳙,Q :#:UGP55Κ]ٚ#7Gp2 X M$0krZ'jZ6(CLez(Zwz@~Uh{⻶eMao}{Xd;YBT|@Jk4ًʯᐨqGoadwy4;U'iS[7Sա(v2%v+>6^;r9Fȹ׳o[nh=Tݑ}:{R'-XdUZL wb6S!1kkTը>lYG|ݑ|YCXw:QtA3Mu֟CԿ($fҀ 8#/yy̧ u"˭#Uֶg5^q3ܙcgtZEؘ*ozcn>LjX=:/yӝfؖqwh ͡JZUQ by_):Eo[¥̝ wƨ5?~+eUeݽh]H [wn5-%ZAۇh:i\t>7Ƀ59N |'DR*rP8$ȇ¤;|5 3P먍T卒^jy%Բ_/hv$ꡑ1O=˧H0В^8rjN'SK׼ju<>;j5O|~bP+Mz(#1hgxk_-:OO.9['.9\qŝyN4Aq'3 j__[~\? /mxR&:aZ+U}IͽGbsr$j]~::o$ׅcY>靐;Bey#$7{W=R(y30si2)߆I&w[ V4X 4+@_H@'LY1P3Z$j923=Xj MH5Ŧ]`)ehFS{$%/\P%P샖_΢2jFчTwIQa#ax<ό+_\RG 2 p*^뻹Ȇ4l*kGeuJVd];3E֏FZTpx36OWҽ\t;v"blR莓H Yq"|euXyqj.3+ЍEhnVtH70=s3O/>05AE%h-DCwMPIeg!@uKALΝbrkmM~]Ӂ4}мa yjS〧!Tfgg,zu= | w){k:GT[-[X6x G͙A RN\Q@' dQJ ds4.'P(BHP!9 \99 ł?P>zZ*&RP*mz2ai[F\ߪ%M*_9ڹa+  9P8)uʥ;vT-=t~guu; ЙтP t1N(̕>F XXèԪX*X[ SD2nP\-ҵ瓩;Ҧ{\Sv;Za6OMV!P\ LcCLmRM}Bu߲ӧ㎃WK.ZYɰ\R ~l"zds˰2XArmw٘Aut\IҘN HrfsM~NVPQ@1"^Ot/5aNjN~SeF3[!䊛7!T#fx:qv*7[;$!UT7uDq" ֚0섾 .c,|=ϊ0$ u`n̂_HE"}[kp y|@*&j~1 b h bNzqEn@aaIta3:x"RB3]?72[!* 2~x&VB{ZYUKâZTp*:?CUFQHSj p/q}\u/?1YkN(}zMMW>3nA.ά ; '3F@=&&{-K[eؑ|x!_(ƨOMqс,u`< tv87V=<@; vQ#liH}gc5 f nUQ=KjJvg ` \7~,pO$+YZH]bRXEG?znqiM)D{pj)?FMS؇Qcm/ kRٯTҞNj (뵿9KNGV32A1"9OF\q v´I~ r?M܎XAuk+:sD ݼ8 |3PJQ׉gR!܎02V&B(JyP[Jp9ԃ ` RUˇFWӇM U!WTՀN>MGnRH|X%W:iv<$ce N UbPQKJB'aC.:'-ֶ&svaFpawͅg7c{X> Bk5)`J&B_v\_Iўb2衃O451qq̎3{QmYZC6ifDz}PagMٸU v|eZU ՂV'aftXл t{.ˤKggk7}óAwXy*?y*⃪Fr@*5]*; 3e0FPR,W1<ʼ'r]N6._-Jaza2 T:HPK Y| #"Ԅ֟; ˕~w?l)ɁHHD>D^kz{ynxB gz Dssb^f}iwoz}Uݷ K -$~|8ZƇ&tȾYMw $ȅ XfOճ"qrҺ ]:lay:p0\^ !9аQvCB|Is޹y)%{u.E's5B AHևzW!zϛnfS L k3d8)0'hdqH15{0lzikB_Kyʼn]9kI*D|=d_5湜gHܰX p0cv^ΊCs~mXLXoH=(_!aPH]T dI{y]N αFO @@np+z!NUE,$Ke=ғ2M4;W Nx{| rψEщm}mn/b~C<B</M?p<$mY{pңWJqkg9#$CebS`Յ{_Λs; i!Q27{KP .Mu>7R2MDY{.Nm{6-~=w`RvPR)&\z*I[˼ ݖ6` 9 2)!MN]F RL PlO&y=%lQ1 i(KBi%lbTH{RoN{ٸ4<1ަmWxvIa붱yx32i1(5^q.H>bG)-H T䵤 W[YgUH.~B/R L8)Xz@0PH倜|1}~YU߯H3q,t#-ȓ^p`'q` h;eƫPf}uyEB 3~ݾCM62-SZ~D Rf-MNij&ǎs{$gr0 $T0p|nwcLdll8RbШo-rj9٦prP\k9>n` ܭ՟k.sjR?#W^ڭ?#08QRʭRUXa,4 9R-Xx,q*<6[Z{x[n!0Br0+qqolcݶ30(r/9<2[F`/V/I 1rO~@'C3vqDDiVnSiҌG/.>DM<3DQp'K. {FH޵b D.Ýy5[f-`Guy­.ǽ_zw6Q ]G-d΀̃SJBI0}*({%m2'b:ah1HKȀ͂ "A>s爛 ?V2вhc\(3plxn@D~ VC9W?,mEGljqXPѫ~SdBĉcEK$ K ґ0lt;7L^JZEa~7DxC"!5DxCD4D6v/b+"}>iJ&߽>셈{.d՟ [ '!:FA}[ZUR*Zݔ Nh-_jRnζwq)| #}_<0pP&"M'RF:;dݲ}7Նa0W ^ |' popCp^,`ᠷh}ۋ M۔bJE1m˜6 a{& ?/1Rc8tŤʾR/gO"$O4QCd;D_=;B<=7RR-D[E۵/;'ґLO @=׿ͻljҩnAA 0] DP6l}[M tSyv8T`ǙT azęJb6aYZ84DRo$QE$Ilb6kua.D!l\Q *먙kpUYW[xqqqq JiX^=8>ߕXx /a%}P0ԂZmc0{ïIyTnah}0CdX6`~zXn~lSsDﳾ0 {՟̆T}'*mcrSl'WNm%-Q)$2=(HBz|1?lVOJ[kgh Y}5"]CH|F^vL)˕BZZ +q~"KgHg/0gzX߉^ iAlHOC+ɲ`"rb_;/}ԝ,eea]viL_oZr63Ǻͥ,3Hla|Y^^<H O7cx z (cQ7.vSx]}XOXOXOXO_T+m=zc*]P ϥ;hڵa_!U $@U~C˵# n$5/o;>n")py<"ۖϙןD xk%ٕc%q;ҁ8{i +@xW3iێ3!>W&{vg]}l!ֽ ႘I]Iy a@jpcԷ( obg]wl ms;Bo#_)k%|%GnN@8+&.WGꁗ2ޗnlNuS^zM\Bū}LCŗoArW|kfNz0๛ l߼ !٩)/ͤm Z!ߤ Cm_mL<+ U+yt ȊhkkٵqdyN[mV.JhILn8n}*ozlïnBif-2ĚUa+I錂qnrIX'5s+xhșQ0^I@=\MOb>8XBO~{0 פ{ t:$ 8eQ 9|j~5~i/m~͋#CW- /"5l{;pO/}-GEbd맟@.h א]i&P&'\v4mֳ>iW60t8;7Iص=eO) })V5ӢCṉ?S{jTnĽY/^Oq\dE'y{Hd'1 3MÛ)*b ?@~ LuMxy%o멿& &cu*4!Nv Ś`  _WI¢XtOD 2E!! $ BtU)Ds!:(-VFX:v"ZOx$ǍYV./> l?QX2! E7 $?876ǜMEfA儏aT9>MU}u5b?=G/ttAj-biAc2·[S1a#RA5-0)j5*z JDahj1* g>)F<+FLΧjzZC졭B[7 V]^q=o7/ݙAVnVt&[wnV#Kn@ Rߧ# R"x-!x4ئƗZiC瓔KpʭGm4 {?a^-TsZ.Wz`NUOZՔV-{dĔEl_O4rֈ/A 4TO`G=zԑ8nx#/bZN{c$!Y.l|걐V mX,kG J&~C0g~$ l;sXx7Mw5=R%ENFx0T =Pv/0s{IF^Y0ѱ;̜(9f;VdRjW3>3B[s^?rbS~jb=;KNA\d3-nіTm}yVң]F5bx +3Kq @G"NȁXJ0_[z%|#+#mDis6tEuF7bW17JzM[#;áexi)=ruxb*1bFզɝ$~axgzdm_~£B^*oG?Zy>ߕ߉-̳i@8#:&|xMLSxkC7)({ʞޒ?q?ڀk#fE~:xdW@6ɭ=B&3' ُ0wS'BNyqnX{+$ʼOI^I P46:7͏H9h^wϛ^V k?swB"#Z=g/{] }"`i$ŃOxD8.*+ra |0ޝ!k:,ֽ'_M}K4 l  \Q-vr)GogoZEWW ƈn]dÀ3[UŰDĤ c 4FH[~gnq79m6O-i`Kk‚0'x n>^z1")(Ĵ0 (78/a9=c+bvژN1!{su9ߺ!Kqfzy/u?pJ*A)vqY@y#DDCz@!kC1P7MJvs >K7Lh0vA>0<(SG]ĝ?]w7aPo ́@&Vpϒwy :tVQ=1e&|0)s)aR;BQ@<Pt4'/ҟ7,X2| >܇>Rh̘_[*uUԾRk]j)q\]y} YV^"?ӄ\I O ?$-G쎆=d2=fM _i4UIW^sAk3m[8j?V9|9\~9m]4/Z\`%FoT/湾xQ(Xt %EdzʌTN{|EKs!Yx9K xU< /gELyx&0>^wD0/& F^ ӄacH qrrvllť6Vg%^Nˢ5%Ǯ!uee#=uR@\Js#E )nyG/2?gAYF? mog^dE\]d_O'Ct@t2%e}\BˌW@?WӅw3߅w3e__>eg1π| 3ڿΠZ'I72qS*R~A/2ȋ৬|B]fC~<`;z'^˰s3ce_7ˀ/q\Hں<$BR; +]Q->9-{[I2sח e|*,XW&eV>&cˬ$=)>7旤Jxո]@&;JػRWe[M'ik(s3gao{dZ#+m":FF*oND6KA1wQ' L2f~4ĎlOAprc>v=_x&`j?&SO-ph;:ُG{w8 <0/qކrH'+;}4(^wi3Q* 95íEYRw8z{zY)W8#~yRzHq޿l|hDg6'[5}NoM:RNO ?(RKtAc̝O)NBhعO>vٛ!F+8\` ;#}öЇFr@*5VZ*;"\±Gs1XC*R%}e`_*V&K h[Rp視7 y8ao%[z?"z…^>FGG5]H, æᄽN௠!ľ` }3P}gq'=u]t XN4Gܙ߷|GjVɤmMXelI]*B1 tأ1pgj[Ì,!aނxql4VQG[*Hf9C*gؒV@'T H[&c`" >oQ^ܽ]N* Ym4<^&A|3˸ 5Fd#jMr5XNO/gɱF?] _@'R>d.>""< Cuy9R"ɗ(/hpz7^N-Ӆ'Fd!w*a51l']1">𾙄׌̟w0m&ĤƤA>hd1Rk #͘Pb틜ՍPFĊ 1We6M6 O0mCrGO 5G'^Jgd }u'+6d{neW.j@@rƶね=|ݬg62r b2Oty'Wx033ac&"l }_ |n9{3wٕCIw" ?[>JL’7gCD)[>'0$zI/lB*9"`7ezLTgZl-Eǭi|};{/IkcG}c[Vhل]K"l9F>Z _Oπ&o&>!#R.iЄΧap륎hhU|>cy nj} xut#AY9-Q0"p,^^f hl}̀ XsQ&נ <ݛCHʍ/A.StK 6[ W"3c`6MepNSc ΋;53'MrΦ<OWtm%ct< ^|:um떮Egu ݎ¦m/y8" #V|BR}P/(:NOes{Z %^^H›*z?|X^b 0,*0%{8u PѪf" a|"NoЧn%/ـ@2=V*v&e6RmS-(-]?X71Ȟg<u}۲|lږa=tkbCΌ6   =[=܊;~C1F`묞˓ lI12, $8jVI6;;:7&iy-ccC v_ʉ~ph[?"Y>A wvǰYP!Ƨ7OЧUHF> T.9ϭn/]2H"<-cw:go|>]H̳`!,ӊ`v"V윔KJLΡnlpQ!EVF)7 5P.~XD]n-%_B@w: 5εCgG>+? } S99/s@|/I›}XI|aAt1GtF)W3nrm+ CSqk7[ByڹIvw$gꎾZv@;kt[_ayB{FLl4ևy*?[7nxQ㇫Χ),h#/)jLꤙ $rŇdA|g?0m\}^l6{_!*ﭩeTU~$7Mѓec.d_)V kqC۩ W۰M*_d%rR׬ EiQ}"'2{f'Qbn؄;A6BJFkl{6M1Jn&*