Network Attacks Via DNS
Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet it is overlooked by many as a potential security hole. At this weekend's Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless, it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."
"Because the data looked like typical DNS traffic it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com, infected machines could have been detected by simply monitoring DNS server logs."
yawn
I have to wonder what protocol they used, as DNS does allow for both UDP and TCP (TCP when the message is over 512 bytes IIRC).
Rus
Cheap UK and US VPS
nt
(Be sure to remove the couple of spaces Slashdot added to the code in the background="..." strings.)
/*
Sick of the baby-shit tan color scheme?
Then enhance your experience by installing this CSS style sheet.
How to install:
1. Install Firefox: http://www.mozilla.org/products/firefox/
2. Install URIid: http://extensionroom.mozdev.org/more-info/uriid
3. Copy this text into a file named userContent.css and place it
   in your personal profile *.slt/chrome directory
4. Restart Firefox
Goodbye fugly unreadable colors!
HISTORY:
v 0.1 - Initial revision placed into the public domain
Props go out to Anti-slash (http://anti-slash.org/)
- The United Goats
Goats United for Freedom
*/
body#it-slashdot-org table tr td table tr td[background="//images.slashdot.org/slashcorner-it.gif"] {
  background-image: url("http://images.slashdot.org/slc.gif") !important;
  background-repeat: no-repeat !important;
  background-position: left top !important;
  background-color: #006666 !important;
}
body#it-slashdot-org table tr td table tr td[background="//images.slashdot.org/slashbar-it.gif"] {
  background: none !important;
  background-color: #006666 !important;
}
body#it-slashdot-org table tr td table tr td table tr td[bgcolor="#A69D78"] {
  background-color: #006666 !important;
}
body#it-slashdot-org a {
  color: #006666 !important;
}
body#it-slashdot-org table tr td table[bgcolor="#FFFFFF"] tr[valign="middle"] td[valign="TOP"][align="LEFT"] {
  background-repeat: no-repeat !important;
  background-position: left top !important;
  background-image: url("http://images.slashdot.org/title.gif") !important;
}
body#it-slashdot-org img[src="//images.slashdot.org/slashtitle-it.gif"] {
  display: block;
  -moz-opacity: 0.0 !important;
  opacity: 0.0 !important;
}
body#it-slashdot-org td[bgcolor="#EBEBE1"] {
  background-color: #CCCCCC !important;
}
body#it-slashdot-org font[color="#A69D78"] {
  color: #006666 !important;
}
body#it-slashdot-org tr[bgcolor="#A69D78"] {
  background-color: #006666 !important;
}
body#it-slashdot-org iframe {
  display: none !important;
}
nessus has been pointing this out as a security hole in its scan results for at least 3 months now...
Layering services over dns has been a discussed topic in books / seminars for at least a decade already.
Linux is Linux; if one needs to clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
This story seems quite similar to a previous one about using DNS for communications, from LayerOne. Incredibly stupid to use for mainstream communications, but perfect for hackers, with low data requirements, anyway.
So I should change my bookmark to http://66.35.250.150 now?
...Microsoft plans to release a security update to Windows XP which will secure the DNS hack. For all future internet usage, please enter in http://216.239.57.99. It's not a bug, it's a feature.
It would be cool if it didn't suck.
to something called DNS poison. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.
BIND9... don't get your hopes up. The BIND company sells patches for their software. Meaning that if you don't pay them money then you're going to be running an erroneous DNS server.
Still most people use BIND for two reasons: 1) no one wants to learn the crusty details of DNS and 2) Linux comes with BIND as its default name library.
Alternative like djbdns should be used.
some good people could break into the nameservers of a large ISP such as AOL and send out spoofed NS records for update.windowsupdate.com or whatever it is and deploy linux to all windows users.
Warning: this update may require a reboot.
I've set control lists for DNS for a long long time.
After the IP over DNS tunnel came out... it was actually a bit necessary. Our staff would do anything to get out of doing work...
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Wouldn't large amounts of DNS traffic look suspicious? Especially if they originated from one machine.
The $500 corresponds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "guarantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.
BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.
So they are both equally "insecure" from that perspective.
HAND.
I've set control lists for DNS for a long long time.
The use of ACLs is not secure because an attacker may easily spoof the IP address.
It is a good way, yes, but not the ONLY and FINAL way to protect our networks.
Mind you, I've never done it because it would be kind of rotten, but it did cross my mind.
This colour hurts my eyes.
In Soviet Russia, DNS looks up you
this page, problems remained up until (at least) BIND 8.2.2-P5. Pretty sad since this attack has been known for ages (especially since it's so easy to prevent).
HAND.
The Bill of Rights is the cornerstone of American freedom. During the debates on the adoption of the Constitution in the 1790s, its opponents repeatedly charged that the Constitution as drafted would open the way to tyranny by the central government. Many states would not have signed the original Constitution without knowing that these amendments would be added. These amendments became known as the Bill of Rights, which Americans have cherished, protected and fought for for over 200 years.
The Patriot Act rushed through Congress and signed by President George W. Bush is a major step toward a totalitarian state in which individual liberty is crushed by the whim of police and corporate demagogues masquerading as patriots.
The Patriot Act:
http://www.epic.org/privacy/terrorism/hr3162
* Violates the First Amendment freedom of speech guarantee, the provision allowing the right to peaceably assemble, and the provision allowing the right to petition the government for redress of grievances.
* Violates the Fourth Amendment guarantee of probable cause in astonishingly major and repeated ways. The Fourth Amendment to the Constitution reads: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." The Patriot Act, now passed and the law of the land, has revoked the necessity for probable cause, and now allows the police, at any time and for any reason, to enter and search your house. Under the act they are not required to even tell you why.
* Violates the Fifth Amendment by allowing for indefinite incarceration without trial for those deemed by the Attorney General to be threats to national security. The Fifth Amendment guarantees that no person shall be deprived of life, liberty or property without due process of law, and the Patriot Act does away with due process. It even allows people to be kept in prison for life without even a trial.
* Violates the Sixth Amendment guarantee of the right to a speedy and public trial. Now you may get no trial at all, ever.
* Violates the Eighth Amendment (cruel and unusual punishment).
* Violates the 13th Amendment (punishment without conviction).
From the ACLU's objections:
* It minimizes judicial supervision of telephone and Internet surveillance by law enforcement authorities in anti-terrorism investigations and in routine criminal investigations unrelated to terrorism. (Unrelated to terrorism? WTF? That means anything. Maybe surveillance of those expressing political dissent? Ya think?)
* It expands the ability of the government to conduct secret searches in anti-terrorism investigations and in routine criminal investigations unrelated to terrorism. (Again - unrelated to terrorism? That means anything. If you disagree with the government's policies publicly then this applies to you).
* It gives the Attorney General and the Secretary of State the power to designate domestic groups as terrorist organizations and block any non-citizen who belongs to them from entering the country. Under this provision the payment of membership dues is a deportable offense. (That means, among other things, that Bush and Ashcroft can decide that even obviously peaceful organizations are terrorists, and under this law, can put them in jail).
* It grants the FBI broad access to sensitive medical, financial, mental health, and educational records about individuals without having to show evidence of a crime and without a court order. (I can't help you if you don't see the danger in this).
* It could lead to large-scale investigations of American citizens for "intelligence" purposes and use of intelligence authorities to bypass probable cause requirements in criminal cases. (This could apply to anyone).
my standard iptables rules only allow some ISPs dns-servers.
Vote for Nader in November!
The title of the post is misleading. DNS can't be actually used to attack a network, only to slip sensitive data by firewalls.
I don't think that networks allow DNS because it is harmless, but because it is necessary, that's an important distinction.
If you can send data in any form you can tunnel anything you like over it. Why is this news?
The $500 guarantee is worthless. How many hours do you think it takes to audit the djbdns source code? Anything more than 50, and you'd only need to make $10 an hour at your current job to make it a very unprofitable way to spend your time.
(Also: Who judges the "entrants" for the $500 prize? That's right, DJB does, and there are no formal rules as to exactly what qualifies as a security bug).
HAND.
Surely we all know that "DNS" comes at the top of the list of the Internet's vulnerabilities? Tunneling data; many bugs in DNS software over the years; vulnerability to DOS: Surely we all know this already - why is this news?
DNS was an afterthought - but it seems to me a very necessary one, and one we will have to continue to live with.
---
BDOS ERR ON A:>
That is why any GOOD sysadmin will set up the system so that there is a single DNS server for the plant, and that server and that server alone is allowed to send and receive DNS packets to the greater Internet - all other machines are to use the local DNS server.
Not only does this GREATLY reduce the amount of DNS traffic a shop produces (by caching all requests locally) it helps prevent this sort of foolishness by requiring all packets to be well formed DNS packets - else the server drops them.
Then, you can block any client that makes more than a few requests a second.
Yes, it is easier to set up a firewall to be very porous to outbound traffic, but it is more secure to deny all direct access, and force clients to run through proxies for the various services.
www.eFax.com are spammers
There was an old slashdot story eons ago about people using DNS tunnels to abuse the free dial up lines used for setting up a dial up ISP account. Covert comms over DNS is nothing new, but oddly it doesn't seem to have ever caught on.
Hi,
I've read somewhere that there are some "implicit" rules in the Firewall 1 default configuration that let DNS through anyway.
Is that true ? I have the eval CD here, but haven't had the time and the resources to test it.
cheers,
Rainer
Windows 2000 - from the guys who brought us edlin
That flaw in most firms' network security leaves a vulnerability that can be used by hackers to sneak intellectual property outside a company, communicate with a compromised server inside the company,
In other security news alerts, there was a major hole discovered in SSH. It turns out if a hacker installs a rogue SSH daemon on the server, he can do nefarious things with it.
Note that LDAP is fully capable of doing host name resolution, there's even an RFC for it (AFAIK the one that specifies how to store POSIX user info also specifies how to store host names).
And in fact, DNS can be used for user details via Hesiod.
Both LDAP and DNS are hierarchical federated database systems. Personally, I find current LDAP implementations to be more manageable, better designed, and generally nicer (can set very fine grained permissions) than current DNS implementations. A name system based on LDAP rather than DNS would be fully feasible and IMHO as or more globally scalable.
But we must distinguish between DNS-the-protocol and DNS-the-implementations - It would be possible to have the same piece of software answer both DNS and LDAP queries from the same database. Hey, hello Microsoft Active Directory! But MAD is nasty for other reasons - so where are the Open Source projects to provide a slapd plugin for DNS protocol lookup to openldap databases? It should actually be pretty simple, maybe it's so simple no-one is interested in hacking on it....
"Last year, another security expert demonstrated a way to send dribs and drabs of data across the Internet by hiding them in network packets"
Thought of this almost two years ago. Run OpenVPN over UDP port 53. I figure a fair number of firewalls may not analyse UDP DNS traffic to see if it actually is UDP DNS traffic. Haven't had a chance to try it out though.
Thinking big picture, you realise that once opportunistic IPsec becomes available, and with IPv6 it will be, any device in the network trying to interpret traffic, such as firewalls and proxy servers, will become just about useless.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
http://slashdot.org/article.pl?sid=00/09/10/2230242&tid=95
Has been discussed on /. a long time ago: http://slashdot.org/articles/00/09/10/2230242.shtml
;-)
and the current version of nstx: http://nstx.dereference.de/nstx/nstx-1.1-beta5.tgz
The tool mentioned works like a charm and is very useful in many commercial WLAN hotspots
Incorrect, it is open source. It isn't GPL. There's a big difference.
... which is impossible to do with GPL nor with current-day Open Source licenses, since none of these currently offer any means of protecting the interests of the original developer. The field is totally slanted against the originator and in favor of redevelopers.
What DJB is trying to do is maintain some semblence of artistic control over his design
The Artistic License is a validated Open Source license which originally sought to retain a measure of artistic control for original developers, but it never actually worked as such, totally lacking teeth. That's not surprising, since both the Free and Open movements are more interested in guaranteeing the right to fork (without using such words of course) than in supporting the creators of novel ideas.
The DJB license does not do that (and even prevents modified source distribution). End of story.
HAND.
Imagine that I own ISpy.com, and a user does a lookup on "user.jsmith.passwd.12345.ispy.com". Your server, in the middle, will forward that request to the NS for ispy.com more or less unchanged. And it doesn't have to be this obvious - it would certainly be easy enough to come up with some form of steganography appropriate to use in DNS.
Not that proxies are a bad idea, but in this case proxies will not prevent the attack. Mostly, they'll just give you the ability to log the attack easily.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
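A detection pass for the points this thread keeps circling (large DNS volumes from one machine, rate-limiting chatty clients, and exfiltration through query names like user.jsmith.passwd.12345.ispy.com), as an added example that is not from the thread: two heuristics run over constructed BIND-style query-log lines. The log layout, thresholds and client addresses are assumptions to calibrate against your own baseline.

```python
import math
import re
from collections import defaultdict

# Assumed BIND-style layout: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed sample: one host pushing payload-like names at ispy.com, one behaving normally.
SAMPLE_LOG = """\
03-Aug-2004 10:15:01.001 client 10.0.1.11#40211: query: www.slashdot.org IN A + (10.0.0.2)
03-Aug-2004 10:15:01.120 client 10.0.1.11#40212: query: user.jsmith.passwd.12345.ispy.com IN TXT + (10.0.0.2)
03-Aug-2004 10:15:01.130 client 10.0.1.11#40213: query: 3a7f9c1e2b4d6081a9f0c3e5d7b2a1c4.ispy.com IN TXT + (10.0.0.2)
03-Aug-2004 10:15:01.140 client 10.0.1.11#40214: query: 9e1d4c7b2a5f8e0c3b6d9a2f1e4c7b0a.ispy.com IN TXT + (10.0.0.2)
03-Aug-2004 10:15:01.150 client 10.0.1.11#40215: query: 5c2e8a1f4d7b0e3a6c9f2d5b8e1a4c7f.ispy.com IN TXT + (10.0.0.2)
03-Aug-2004 10:15:02.300 client 10.0.1.12#51000: query: windowsupdate.com IN A + (10.0.0.2)
03-Aug-2004 10:15:02.310 client 10.0.1.12#51001: query: mail.example.com IN MX + (10.0.0.2)
"""

def parse_log(text):
    """One dict per parsable line; 'second' drops the sub-second digits for rate counting."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["second"] = rec["ts"].split(".")[0]
            records.append(rec)
    return records

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def split_qname(qname):
    """Crude split into (prefix, base): base is the last two labels, prefix is everything before."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnels(records, min_unique=4, min_mean_len=20, min_entropy=3.5):
    """Flag (client, base) pairs whose many distinct, long, high-entropy prefixes look like payload."""
    prefixes = defaultdict(set)
    for rec in records:
        prefix, base = split_qname(rec["qname"])
        prefixes[(rec["client"], base)].add(prefix)
    flagged = {}
    for key, pset in prefixes.items():
        mean_len = sum(len(p) for p in pset) / len(pset)
        entropy = shannon_entropy("".join(p.replace(".", "") for p in pset))
        if len(pset) >= min_unique and mean_len >= min_mean_len and entropy >= min_entropy:
            flagged[key] = {"unique": len(pset), "mean_len": mean_len, "entropy": entropy}
    return flagged

def find_bursts(records, max_per_second=4):
    """Clients that exceed a per-second query budget (the rate limit proposed in the thread)."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec["client"], rec["second"])] += 1
    return sorted((c, s, n) for (c, s), n in counts.items() if n > max_per_second)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(find_tunnels(recs))
    print(find_bursts(recs))
```

Real traffic needs per-domain baselines: CDNs and anti-spam services also produce long, unique labels, so treat a hit as a lead to review, not a verdict.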
While DNS insecurity exists, would someone please use it to change this color scheme?
Yes, I know about changing it to whatever, but working around a bad UI is even worse than working around bad security.
http://www.linux.com/howtos/LDAP-Implementation-HOWTO/dns.shtml
"It should actually be pretty simple, maybe it's so simple no-one is interested hacking on it...."
Or maybe they already have, and you just didn't look.
As the AC above states, BIND hasn't been vulnerable to DNS poisons for many years.
Because system administrators are anal and fail to realize that software like BIND is not written to be secure.
Not sure why you say this, ISC have released a constant stream of patches since BIND was released and every announced security hole has been fixed. Not only that but they even added options to chroot the daemon and run it as an unprivileged user. They also have links on their homepage to guides on how to chroot the entire server.
The BIND company sells patches for their software.
No, they sell support, go read their website. Patches are, and have always been, free.
Still most people use BIND for two reasons: no one wants to learn the crusty details of DNS and
Er, you have to know the crusty details of DNS to be able to write proper zonefiles and configure named.conf otherwise you'll struggle.
2) Linux comes with BIND as its default name library.
Except BIND is a server application, not a library. Linux's DNS library is part of glibc.
Stop slandering the ISC, they do a great job providing some very useful software and they also fix it when problems crop up.
IP Tunneling Through Nameservers. And you can apparently stop that too, but I doubt it's very efficient unless you whitelist domains unauthenticated clients can look up.
The narrowness of this footnote would not contain this marvellous troll.
I wish it was so simple. There are two very important problems with djbdns, though. Namely:
Don't get me wrong, it is quite a solid piece of software (the laughable cracking contest notwithstanding) but it is not a complete DNS implementation (zone transfers, anyone?) which wouldn't be such a big deal if it was free software, because anyone (myself included) could make it RFC compatible in a few weeks (months at most) but unfortunately it is not.
Also, you should learn about BIND9 (and even BIND8) in the context of cache poisoning. It is not as big of a problem as you seem to believe.
Most people use BIND for two reasons indeed, but those reasons are:
I am sure many--if not all--GNU/Linux distros will come with djbdns as soon as it is released as free software, for--as I have already said--it is quite a good piece of software, for a one man project.
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd and lust."
OK, let me repeat.
:-)
Throwing arbitrary data in DNS -- NOT a big deal.
Even doing network tunneling over DNS -- ALSO not that big a deal; NSTX has been doing this for a while.
DNS radio is new. By segmenting audio into small chunks, we actually get universal caching of the streaming signal -- a functionality we've never really had before. Generally, audio broadcast over the Internet falls apart after a few thousand users. Based on this ring-buffer-into-BIND architecture, combined with the utterly minimal bandwidth load of Speex, we should be able to host audio for a much greater number of listeners.
The entire suite of incoming attacks to firewalls are also new. DNS trusts the hierarchy to tell it the next hop to its target name; since I can acquire second level domains in the hierarchy for minimal cost, it's trivial for me to insert arbitrary destinations along the DNS route path. In technical terms, whenever a recursing resolver comes to my name server to resolve a name, rather than providing an answer, I can redirect that request to another, supposedly authoritative server. That server can be at any address -- even one I cannot IP route to -- but if the resolver communicating with me can route to that address (say 10.0.1.11) my communication will reach that host. If there's an SSH over DNS daemon running on 10.0.1.11, I've now achieved incoming connectivity to the network of my choice, completely bypassing firewalls and a trojan's need to poll.
Recursion on dual hosted interfaces is not even necessary. There are large numbers of applications that, upon receiving untrusted traffic, execute DNS name lookups. Most commonly, they are reverse PTR lookups, but occasionally there are other types (MX from mail servers, most notably) that can be easily induced. When they are induced, the hierarchy is followed. When the hierarchy is followed, the attacks previously discussed start working. In practice, this means an IDS triggers the DNS server to start proxying traffic between an external attacker host and an internal trojaned machine. Nasty.
There's some other stuff -- check out the slides and the code -- but long story short, there's some new stuff out
--Dan
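The delegation trick Dan describes above, seen from the resolver's side, as an added example that is not part of the thread: a minimal parser for a referral response that flags glue records steering the resolver toward a private address (the guard that resolvers such as Unbound expose through their private-address option). The message bytes, the zone attacker.example and its name server are constructed; 10.0.1.11 is the address from the post.

```python
import ipaddress
import struct

# Ranges an outside zone should never be allowed to steer a resolver serving an internal network into.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers; returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def _read_rr(msg, off):
    """Parse one resource record header; returns (owner, type, rdata_offset, rdlen, next_offset)."""
    owner, off = _read_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return owner, rtype, off + 10, rdlen, off + 10 + rdlen

def parse_referral(msg):
    """Return (ns_targets, glue): NS hostnames and a hostname -> IPv4 map built from the A records."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    ns_targets, glue = [], {}
    for _ in range(an + ns + ar):
        owner, rtype, rdoff, rdlen, off = _read_rr(msg, off)
        if rtype == 2:                                # NS: rdata is a (possibly compressed) name
            ns_targets.append(_read_name(msg, rdoff)[0])
        elif rtype == 1 and rdlen == 4:               # A: four-byte address
            glue[owner] = str(ipaddress.IPv4Address(msg[rdoff:rdoff + 4]))
    return ns_targets, glue

def rogue_glue(msg):
    """Glue that would make the resolver open a connection to a private address: reject the referral."""
    ns_targets, glue = parse_referral(msg)
    return [(host, ip) for host, ip in glue.items()
            if host in ns_targets and any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)]

def build_sample_referral(glue_ip=(10, 0, 1, 11)):
    """Constructed referral: attacker.example delegates to ns1.attacker.example with glue glue_ip."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 1)   # response; 1 question, 1 NS, 1 glue
    question = b"\x03www\x08attacker\x07example\x00" + struct.pack("!HH", 1, 1)
    owner = b"\xc0\x10"                               # pointer to "attacker.example" inside the question
    ns_rr = owner + struct.pack("!HHIH", 2, 1, 300, 6) + b"\x03ns1" + owner
    a_rr = b"\x03ns1" + owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(glue_ip)
    return header + question + ns_rr + a_rr

if __name__ == "__main__":
    print(rogue_glue(build_sample_referral()))        # [('ns1.attacker.example', '10.0.1.11')]
```

The same check belongs in front of induced lookups (PTR, MX) from mail servers and IDS sensors, since those resolvers follow the hierarchy just as a user's browser does.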
I not only have seen script kiddies trading private exploits for sums at least an order of magnitude greater than that, but they were selling it to multiple buyers. I am talking about script kiddies, not professionals, mind you. Even $100,000 would be laughable. $1,000,000 might start looking interesting for people not willing to make any serious usage (industrial espionage, etc.) of their exploits. But $500? Please don't mind if I die laughing. See also The Fallacy of Cracking Contests essay written by Bruce Schneier in bloody 1998.
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd and lust."
are more of a problem than covert channels. Every cell phone is a covert channel out of a business. Since DNS can't be used to deliver advertisements, I don't see a business threat here. It may be a concern to a military installation though.
Oh well, what the hell...
Actually, the definition of "open source" used by OSI (launched by Eric S. Raymond, President, on November 22nd, 1998) is remarkably similar to "free software" definition used by Debian (officially founded by Ian Murdock on August 16th, 1993) and GNU (initially announced by Richard M. Stallman on September 27th, 1983).
Please let me quote The Debian Free Software Guidelines from Debian Social Contract, Version 1.0, ratified on July 5, 1997:
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd and lust."
This article is a lot like this one posted on Slashdot a few weeks ago. That article contains a link to Kaminsky's presentation (PPT) on this subject, apparently given at the LayerOne Technology Conference.
Guess what? DJB is extremely arrogant (as many clever people tend to be).
You failed to answer my point about who gets to judge the "entrants" and the rules of the contest.
Look, it's a simple matter of economics: Auditing code is mostly tedious and there are sufficiently many ways of earning much more money (and with a guaranteed payoff!) auditing code that no amount of spite is worth it.
HAND.
No, they don't. Open Source is a trademark held by the OSI.
Please read at least the first line of the Open Source Definition:
Open source doesn't just mean access to the source code.
Note that opensource.org invented the term "open source" - it was not in use to describe software until they had that meeting where they invented the term - so they certainly get to say what it means.
DJBDNS is "disclosed source". Big difference.
Xenu loves you!
Daniel Bernstein's salary is completely irrelevant. $500 is not any less miserable (or laughable, for that matter) if it is given by someone who is poor.
It is hardly irrelevant in my opinion:
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd and lust."
Not necessarily. Being distributable wouldn't hurt, though. Being compatible with the DNS standard would also be a plus. Don't get me wrong, I am all for alternatives to BIND, but djbdns cannot even be distributed as a simple rpm or deb package without messing up the whole bloody filesystem, for God's sake.
If you want a name server with such a strong emphasis on security, use MaraDNS--at least it's free software. Unfortunately, like djbdns, it is not RFC-compatible, but at least it can be made so, with no strings attached.
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd and lust."