The flaw works because of the distributed nature of DNS. The Internet is just far too big for a few computers to have all the addresses for every other computer or service that is connected on-line. So what happens is when your computer needs an address it asks someone else who in turn generally asks "around" for the answer for you. First your computer talks to your company's or ISP's domain name servers for www.google.com, that server in-turn will ask other ".com" servers for who answers for "google.com" and then it'll ask google's servers for the address of www.google.com. Because of the distributed nature just mentioned, if someone can respond to your local name server faster than the real servers do then their fake response will "win" and can provide the answer to the question "Where is www.google.com?" This is called DNS spoofing or cache poisoning, pointing to the fact that once your ISP's server has gotten the wrong answer, it will hang onto that information for a period of time (at the hackers choosing) and will kindly give that information to any other customers of that ISP.
Now DNS spoofing is certainly not new, it's been known about for well over 18 years with a number of improvements to the attacks discovered in recent years. However up until now, everyone thought the exposure was limited because it was a race condition that if it failed, and frequently it did, you'd have to wait a long time to try again with the same low odds of success. What makes this new flaw so critical is that the attacker holds all the cards. If they have the ability to perform a query or name lookup against a recursive server (by using a user's web browser for example), then they can continuously perform the attack until it is successful. On top of this, Dan Kaminsky made the connection that if the attacker can run this race as many times as he wants, then he can use a feature built into the heart of ALL DNS implementations that would allow him to overwrite information these caches thought they already knew about. It has been shown that this form of attack can be executed within about 10-15 seconds under the right conditions. So this is certainly something that is of great concern, and in the short time that the details have come out we have already seen a number of exploits in the wild.
Now, onto more of what I originally wanted to point out about the effects of this flaw.
Why is this such a big deal? Because everything we do on-line depends in some way on DNS. Not only is it how your browser finds the websites you read, but it is also used for so many other services. DNS was never intended to be a security platform in it's current form, however the explosive growth of the Web and connected nature of life on-line has placed unanswered expectations on DNS to be the trustworthy source for directory information. If someone can manipulate your DNS lookups and redirect your traffic to their own systems, they could perform a number of nefarious tasks including, but not limited to:
- Steal your Usernames and Passwords to online services, bank accounts, etc
- Inserting their own Ads or use your computer to perform Ad Clicking scams for their own profit.
- Redirect email for entire domains to be filtered through their own servers
- Redirect any or all web traffic for any domain through a proxy under their control (wpad auto proxy discovery is considered evil).
- Watch your IM conversations with friends and family (if they're not encrypted).
- Infect your computer with malware by getting it to download unsafe "fake updates" for various programs that don't verify the executables they download.
- Other forms of Drive-by downloads that install malware - Now become a whole lot easier...
- Breaking the trust relationships you have with certain web sites, SAAS sites, intranet resources etc.
- Causing disruption or manipulation of other services such as NTP, FTP.
- Potentially stealing credentials from employees of companies that allow their users to connect to webmail and SSL VPNs by first connecting to non-SSL based websites. (Majority of users will not notice they don't get magically redirected to https://secure..xxx.com/) Note that this same flaw will affect the numerous financial institutions that hide SSL from the user until they click submit on an insecure HTTP based login page. If you want it to be secure, you should only allow secure connections and educate your users about how to securely connect to you!
- This attack is also unique because it can affect places you might not even be thinking about yet, it is a truly cross-platform attack. For example, what DNS server does your Windows Mobile device use? Your BlackBerry or iPhone? What automated connections/activities might they be doing?
For everyone else in corporate America, while you may think you're less of a target, or think you're protected by your firewall -- unfortunately, you are not. I suspect we will see the attacks escalate to using other web-based or mutli-part zombie attacks to compromise larger numbers of organization's name servers and in turn would increase the risk of more computers being infected with malware. So think about the resources you'd need to put behind that cleanup and get the patch deployed now.
Now, it is clear that this patch alone is not the ultimate answer, but it does give us a little more time. There are some other attacks that can still take place even with these fixes. It makes it harder, but nobody would claim impossible for other attacks to still take place. The jury is still out if the final answer is DNSSEC or something else that will have to come along to solve this problem in the long-term -- we've leveed far to much security burden on DNS over the years and it time for an overhaul.
I should also mention that the industry does need to look beyond DNS security to enable more end-to-end security as well, these DNS attacks simply make the "monkey in the middle" that much easier to perform, there are other more complicated attacks we need to prevent as well.
Please patch responsibly...