Thursday, July 31, 2008

So what is all this hype about the DNS being broken?

As you have no doubt heard by now, there is a security problem with DNS or the Domain Name System that has gotten a lot of attention lately. You may be wondering exactly why all the hype, there are security problems everyday right? Well, unfortunately, this problem is at the core of the Internet -- DNS is a foundation infrastructure that allows us to use cool names like and that are easy to remember for the services that we use. You're computer uses DNS to turn the names into numbers or IP Addresses that it needs to connect with these services. The most recent flaw is unprecedented due to how easy it is to exploit, and how severe the consequences can be. Please bear with me for a minute as I attempt to explain the vulnerability without too much of the gory technical details.

The flaw works because of the distributed nature of DNS. The Internet is just far too big for a few computers to have all the addresses for every other computer or service that is connected on-line. So what happens is when your computer needs an address it asks someone else who in turn generally asks "around" for the answer for you. First your computer talks to your company's or ISP's domain name servers for, that server in-turn will ask other ".com" servers for who answers for "" and then it'll ask google's servers for the address of Because of the distributed nature just mentioned, if someone can respond to your local name server faster than the real servers do then their fake response will "win" and can provide the answer to the question "Where is" This is called DNS spoofing or cache poisoning, pointing to the fact that once your ISP's server has gotten the wrong answer, it will hang onto that information for a period of time (at the hackers choosing) and will kindly give that information to any other customers of that ISP.

Now DNS spoofing is certainly not new, it's been known about for well over 18 years with a number of improvements to the attacks discovered in recent years. However up until now, everyone thought the exposure was limited because it was a race condition that if it failed, and frequently it did, you'd have to wait a long time to try again with the same low odds of success. What makes this new flaw so critical is that the attacker holds all the cards. If they have the ability to perform a query or name lookup against a recursive server (by using a user's web browser for example), then they can continuously perform the attack until it is successful. On top of this, Dan Kaminsky made the connection that if the attacker can run this race as many times as he wants, then he can use a feature built into the heart of ALL DNS implementations that would allow him to overwrite information these caches thought they already knew about. It has been shown that this form of attack can be executed within about 10-15 seconds under the right conditions. So this is certainly something that is of great concern, and in the short time that the details have come out we have already seen a number of exploits in the wild.

Now, onto more of what I originally wanted to point out about the effects of this flaw.

Why is this such a big deal? Because everything we do on-line depends in some way on DNS. Not only is it how your browser finds the websites you read, but it is also used for so many other services. DNS was never intended to be a security platform in it's current form, however the explosive growth of the Web and connected nature of life on-line has placed unanswered expectations on DNS to be the trustworthy source for directory information. If someone can manipulate your DNS lookups and redirect your traffic to their own systems, they could perform a number of nefarious tasks including, but not limited to:

  • Steal your Usernames and Passwords to online services, bank accounts, etc
  • Inserting their own Ads or use your computer to perform Ad Clicking scams for their own profit.
  • Redirect email for entire domains to be filtered through their own servers
  • Redirect any or all web traffic for any domain through a proxy under their control (wpad auto proxy discovery is considered evil).
  • Watch your IM conversations with friends and family (if they're not encrypted).
  • Infect your computer with malware by getting it to download unsafe "fake updates" for various programs that don't verify the executables they download.
  • Other forms of Drive-by downloads that install malware - Now become a whole lot easier...
  • Breaking the trust relationships you have with certain web sites, SAAS sites, intranet resources etc.
  • Causing disruption or manipulation of other services such as NTP, FTP.
  • Potentially stealing credentials from employees of companies that allow their users to connect to webmail and SSL VPNs by first connecting to non-SSL based websites. (Majority of users will not notice they don't get magically redirected to Note that this same flaw will affect the numerous financial institutions that hide SSL from the user until they click submit on an insecure HTTP based login page. If you want it to be secure, you should only allow secure connections and educate your users about how to securely connect to you!
  • This attack is also unique because it can affect places you might not even be thinking about yet, it is a truly cross-platform attack. For example, what DNS server does your Windows Mobile device use? Your BlackBerry or iPhone? What automated connections/activities might they be doing?
Now you might be asking, why am I providing all these possibilities, won't the hackers like these ideas? They may, but the truth is most of them are already well known, I just want to raise awareness by discussing the concerns in one place. I fear that people in charge of name servers at many companies are not putting enough emphasis on getting these patches deployed, in fact we have seen some major ISPs have been slow to respond and have already been affected. The bigger they are, the more customers they have, the larger the target in these early stages of awareness. Granted, there have been performance and other deployment issues related to the patches, unfortunately there is little time left for testing, add some more resources to the problem and get it deployed!

For everyone else in corporate America, while you may think you're less of a target, or think you're protected by your firewall -- unfortunately, you are not. I suspect we will see the attacks escalate to using other web-based or mutli-part zombie attacks to compromise larger numbers of organization's name servers and in turn would increase the risk of more computers being infected with malware. So think about the resources you'd need to put behind that cleanup and get the patch deployed now.

Now, it is clear that this patch alone is not the ultimate answer, but it does give us a little more time. There are some other attacks that can still take place even with these fixes. It makes it harder, but nobody would claim impossible for other attacks to still take place. The jury is still out if the final answer is DNSSEC or something else that will have to come along to solve this problem in the long-term -- we've leveed far to much security burden on DNS over the years and it time for an overhaul.

I should also mention that the industry does need to look beyond DNS security to enable more end-to-end security as well, these DNS attacks simply make the "monkey in the middle" that much easier to perform, there are other more complicated attacks we need to prevent as well.

Please patch responsibly...

No comments: