Ten Percent of DNS Servers Still Vulnerable
maotx writes "Even with the uproar caused by the recent DNS attacks, a recent study shows that roughly 10% of 2.5 million DNS servers surveyed are still vulnerable to DNS cache poisoning. To put that a little bit more in perspective, of that 10% discovered, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." From the article: "The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming."
This is strikingly similar to the Cisco OS debacle, where a patch had been available for some time, yet Admins failed to patch their hardware on their own. Yes, it's a pain in the ass to take your network down, but look at the alternative...Hacked!
"Simplify, simplify, simplify!" Thoreau
230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.
Okay, let's have it for unclear writing!
Seriously, what does this even mean? Of the 250,000 that are vulnerable, 230,000 are vulnerable, 60,000 are vulnerable, and 13,000 are vulnerable.
Okay, that clears it up.
Somebody poisoned the water hole!
This is not surprising at all, especially considering the history of DNS and its mainframe components. They will always be vulnerable, especially for people who do not have the proper PPS setup. I wouldn't be surprised if it's more than 10%.
It's tacyo YO!
With almost all of the potentially vulnerable ones they only said really that 73k of them were vulnerable to something... and only 10k of those "definitely" were.... 73k = 2.92%. The other 230k might not have been vulnerable at all, they just think there's a chance that they might be. This, ladies and gents, is called sensationalism...
The same person also does Qmail Rocks. Of course djbdns and qmail is much more secure than bind and sendmail.
Fight Spammers!
Some security companies have called this technique pharming.
Phor phuck's sakes! I've had enough of this phreaking 733T-speak from the phucking security companies! It was original with phreaking; it was mildly amusing with phishing; now it's just annoying.
Why not just leave the terminology as "DNS cache poisoning" and be done with it?
[/rant]
"I don't get it." -- ObviousGuy
Don't Know Standard patches
-- Tigger warning: This post may contain tiggers! --
...or for any other DNS exploits, for that matter?
Any good tools to (or sites to help) check for those?
A lot of these new vulnerabilities have the "phat" theme as dictated by the industry's leading security researcher/rapper Prompt Master Chizzy. Expect an RFC soon on the new naming convention.
I don't trust any of this newfangled DEE EN ESS hooey
My favorite sites are:
66.35.250.151
198.133.219.25
47.249.48.50
TDz.
Stealing? For important information websites should use HTTPS (certificates detect DNS spoofs).
Exec 1: We at our company want a an attack name with attitude. It's edgy, it's "in your face." You've heard the expression "as easy as stealing from a baby"? Well this is an attack which makes it "eezzay!". Consistently and thoroughly.
CEO: So it's speculative, huh?
Exec 1: Oh, God, yes. We're talking about a totally outrageous paradigm.
Exec 2: Excuse me, but "speculative" and "paradigm"? Aren't these just buzzwords that dumb people use to sound important? [backpedaling] Not that I'm accusing you of anything like that. [pause] I'm fired, aren't I?
CEO: Oh, yes.
CEO: The rest of you start thinking up a name for this funky attack. I dunno, something along the line of say... farming, only more dangerous and 1337.
Exec 1: So, Pharming okay with everybody?
All: [reclining in their chairs] Yeah...
Didn't ISC release a warning to stop using forwarders on BIND4/8 several months ago? Guess it'll take a major attack, in which thousands of people lose personal information, for people to act on the warnings.
If it is not hard, you can always write a better one -- but it would be TomDNS.
Someone's gotta speak up for the poor admins. Not all of them really are morons for not patching. There are cases where the patch breaks more than it fixes. In these cases, it's often more economical to just leave the vulnerability there (hey, at least you know about it) than to try to patch it. SQL Slammer caused some serious problems with IIS because the 'patch' for the bug it exploited was part of a large update that required a lot of man-hours to clean up after. Of course, there are plenty of moron admins out there too, I wouldn't want them to feel overlooked... >.>
Government's view of the economy: If it moves, tax it. If it keeps moving,regulate it. If it stops moving, subsidize it.
Especially since the pharmaceutical companies have a much better (and prior) claim to the name for using organisms to produce medicines.
How can we best turn this into a debate on evolution?
Golly, it sure seems like these DNS servers suffer from unintelligent design.
FLAMEBAIT!
A Short Story By Douglas Adams
A large flying craft moved swiftly across the surface of an astoundingly beautiful sea. From mid-morning onwards it plied back and forth in great widening arcs, and at last attracted the attention of the local islanders, a peaceful, sea-food loving people who gathered on the beach and squinted up into the blinding sun, trying to see what was there.
Any sophisticated knowledgeable person, who had knocked about, seen a few things, would probably have remarked on how much the craft looked like a filing cabinet - a large and recently burgled filing cabinet lying on its back with its drawers in the air and flying.
The islanders, whose experience was of a different kind, were instead struck by how little it looked like a lobster.
They chattered excitedly about its total lack of claws, its stiff unbendy back, and the fact that it seemed to experience the greatest difficulty staying on the ground. This last feature seemed particularly funny to them. They jumped up and down on the spot a lot to demonstrate to the stupid thing that they themselves found staying on the ground the easiest thing in the world.
But soon this entertainment began to pall for them. After all, since it was perfectly clear to them that the thing was not a lobster, and since their world was blessed with an abundance of things that were lobsters (a good half a dozen of which were now marching succulently up the beach towards them) they saw no reason to waste any more time on the thing but decided instead to adjourn immediately for a late lobster lunch.
At that exact moment the craft stopped suddenly in mid-air then upended itself and plunged headlong into the ocean with a great crash of spray which sent them shouting into the trees.
When they re-emerged, nervously, a few minutes later, all they were able to see was a smoothly scarred circle of water and a few gulping bubbles.
That's odd, they said to each other between mouthfuls of the best lobster to be had anywhere in the Western Galaxy, that's the second time that's happened in a year.
The craft which wasn't a lobster dived direct to a depth of two hundred feet, and hung there in the heavy blueness, while vast masses of water swayed about it. High above, where the water was magically clear, a brilliant formation of fish flashed away. Below, where the light had difficulty reaching the colour of the water sank to a dark and savage blue.
Here, at two hundred feet, the sun streamed feebly. A large, silk skinned sea-mammal rolled idly by, inspecting the craft with a kind of half-interest, as if it had half expected to find something of this kind round about here, and then it slid on up and away towards the rippling light.
The craft waited here for a minute or two, taking readings, and then descended another hundred feet. At this depth it was becoming seriously dark. After a moment or two the internal lights of the craft shut down, and in the second or so that passed before the main external beams suddenly stabbed out, the only visible light came from a small hazily illuminated pink sign which read The Beeblebrox Salvage and Really Wild Stuff Corporation.
The huge beams switched downwards, catching a vast shoal of silver fish, which swiveled away in silent panic.
In the dim control room which extended in a broad bow from the craft's blunt prow, four heads were gathered round a computer display that was analysing the very, very faint and intermittent signals that were[?] emanating from deep on the sea bed.
"That's it," said the owner of one of the heads finally.
"Can we be quite s
That is exactly my point. I could write a better one too, if I had spare time. Contracting full time and suing spammers take more than 200 hours a week. So many spammers to sue, so little time.
DNS Cache Spoofing is not the only nasty trick available to DNS hackers; there is a (still) relatively unknown vulnerability affecting the vast majority of nameservers today, and one that is not easily resolved by patches alone.
Check out my paper about this, it's called DNS Cache Snooping, and allows for a bunch of interesting tricks. It affects most DNS Server/Cache combination implementations and is triggered by an extremely common misconfiguration, one that allows the whole of the internet to use a given DNS server as their primary DNS server.
Luis Grangeia
DNS cache poisoning doesn't stop at tricking people out of their money. At Defcon Kaminsky also showed how it can easily be used to do things like email misdirection, which I think is much more of a big deal.
To me the whole scam of phishing or now pharming seems flawed. Why aren't all the phishers already in jail? No psychologically criminal person can fail to see that the whole operation relies on an actual server hosting a fake site for some amount of time, and an inevitable trail right back to the scammers door. There are plenty of existing fraud laws with teeth enough to put away the perpetrators, so why no action? Even odder, the main victims of these attacks are the worlds clearing banks, organisations with enough weight to raise their own armies if needed, and yet phishers are not being put down. Why?
Can I get a list of these vulnerable servers so I can.. umm... see if I'm on it and patch my systems? Yeah.. that's it.
You create your own reality - Leave mine to me.
Run your own DNS server.
apt-get install bind9
Edit /etc/resolv.conf and point to 127.0.0.1.
I've been doing it for years now...
Given that it is djbdns, I'm not worried, but having a test suite for vulnerabilities is a good thing.
I'm confused about this one too. This is what I THINK is going on with this exploit. Hopefully, someone who ACTUALLY knows will correct my mistakes. :)
One of the possible ways to set up a DNS server is as a 'forwarder'. This means that it doesn't do lookups itself, but rather passes all DNS requests to another machine, gets replies, and then sends replies to the clients. One reason you might do this would be to distribute DNS load in a big ISP; you have a few machines that do the actual outbound DNS determination, and then the cache ripples back to the servers that are actually talking directly to the clients. DNS is fairly low-load, relatively speaking... this architecture would date from when everyone was deploying 50Mhz machines as servers. I'll call the local BINDs 'caching' servers, and the one doing the actual lookups on the internet the 'point' server.
So in and of itself, this architecture isn't a problem. But one of the features of the DNS protocol is that any server can send back more data than what was actually asked for, even data that is totally unrelated to the main query. Caching BIND servers by default trust their point server. And, when functioning as a point forwarder, BIND4 and BIND8 apparently just pass along queries they receive without checking them. The point BIND assumes that the caching BINDs are checking, while the caching BINDs assume the point BIND is checking, and the packet never gets checked for sanity at all.
So Joe Hacker snoops around... he tries to find DNS servers on your network. Once he finds one, he queries it for a name in a domain he controls. (or he initiates a connection to a webserver on the same machine, which may cause the same DNS lookup). He watches for the request to his DNS server coming from a DIFFERENT machine. That often indicates a forwarder configuration.
So he waits for his cached info to expire, and does it again... except this time, his reply packet includes extra information, "Oh, by the way, www.microsoft.com is on joes.evil.server.here." If BIND4 or BIND8 is functioning as the master lookup in a forward configuration, it just passes along the packets it receives. And when BIND is in a SLAVE configuration, it just trusts what it gets from the forwarder. So suddenly, your whole network is connecting to joes.evil.server.here instead of www.microsoft.com. And if it doesn't work, oh well, next DNS server... this is a very low-profile attack. You have to really be LOOKING for it to be able to see it.
Apparently, the workarounds are A) don't use a forwarder configuration. There's no real need for this anymore, even a cheap 1ghz machine with a gig or so of ram will serve tens of thousands of clients. B) if you MUST use a forwarder, use BIND9 (or, presumably, DJBDNS) as your 'point' machine. BIND9 does sanity checking when it's on point.
Hopefully I got this right. I haven't been paying much attention to this before, because I (rightly) didn't think it affected me. If I'm wrong, PLEASE correct me, I hate to spread misinformation.
We were fighting people doing this 10 years ago. Some of the second-gen (meaning they used at least some technology rather than outright and direct use as is) usenet spammers and flooders and email spammers were doing it. The new uses to which this is being put are news, but DNS poisoning is not. IIRC, the icq.net servers were so compromised after having been bought out by AOL and put to new use.
I'm betting there's still a problem with admins that don't want it fixed, because they have given permission, or worse, for their servers to be used thus with some plausible deniability. Arranging this was the origin of the second-gen spammers.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
You're all a bunch of imposters! Well, you'll never get my valuable posts here, buster!
The news.com article is short on specifics about what the thousands of servers are actually doing, but there's better info at Dan Kaminsky's site: http://www.doxpara.com/
This powerpoint presentation has some details: http://www.doxpara.com/Black_Ops_Of_TCPIP_2005.pp
Dude, what's your problem? Security prophessionals sometimes need to make up words that sound new and specialized. Can't you just embrace the ph-speak like the rest of us?
Besides, it gives reporters a chance to attend Blackhat where they can learn the new lingo.
Oh, you're going to love this article too: Phlooding attack could leave enterprises high and dry
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
It has been some time, but Mice and Men has (had) a cool tool for this. They also make a damn good DNS server I ran for about half a decade before I decided the "free as in beer" part of Bind was too attractive.
I'd strongly recommend DNS newbies read their site and consider their products. They do good stuff. If Bind were not so ubiquitous I'd still be running QuickDNS.
Why isn't this said when a Microsoft issue comes about, and there has been a patch for some time... it's always bad Microsoft!!!
Now that it's Bind, it's the admin's fault?
I read
Your sig is an urban legend. See snopes for details.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
While there are always some who fall for the most obvious scam, these attacks are becoming more professional by the day, and no company can afford to absentmindedly blame their users (yes, I work for a company that sells anti-abuse services, we've been on the cutting edge of this for a while).
The article writer references the term "Pharming"; while DNS cache poisoning is a form of Pharming, it's much bigger than that. It's basically a variation of Phishing, where instead of actively sending enticements to visit your site, you place a site out there (usually a misspelling of a brand) and wait for victims to stroll by. Since it's passive, it's harder to detect than Phishing (we have a solution of course). But not all Pharming is evil, some is just irritating. Some sites are just out there to collect a wee bit o' ad revenue from every typo that hits them; just 100 hits a month can make a no-content site profitable when done on a grand scale...
You are in a maze of twisted little posts, all alike.
We should send these 10% of servers to Mars in place of the 10% of astronauts who will get solar radiation cancer.
Are they vulnerable for this, and if so to what extent, (what versions)?
Serge
I think there should be an internet user license program. I know it smells like some way of identifying people and all that, but it doesn't have to be any more than a driver's license does at present.
I'm thinking of something along the lines of a radio operator's license with different levels and qualifications and all that. Then people who are said to be administrators of web hosts and stuff like that would be required to possess a certain level of knowledge (and potentially a certain level of pay?) and ability. If it is shown that they do not demonstrate the proficiency required for some reason, then their license should be revoked or downgraded.
Furthermore, certain levels of internet "safety" and "security" ratings should be given to all software, firmware and hardware products that run on the public internet. The consumers can be better aware of the quality of the products they use on the internet. (Examples might include a rating for MSIE having a lower security rating than Firefox because of that whole ActiveX thing... or a Linksys firewall/router giving the users behind it a certain rating of security over a Windows box connected directly to the public internet.)
Not only would we be able to leverage these sorts of licenses and ratings to have a better and safer internet, but we would be able to have a more conscious set of consumers who just might be able to look at the label to determine that product A is better than product B. They will no longer need to get an education in how the internet works just to get their home computers on the net... and we'll be less likely to deal with all those spambots and zombies out there as well.
Although I don't think that DNSReport.com will check for this particular issue, it will at the very least point out many possible issues with your DNS configuration.
Paranoid tinfoil hat crowd say Y here, everyone else say N.
...are 20 year olds who count computers and networking as their prime hobby.
Some of us are 40, with kids, houses, and other interests that make some server in a hard-to-get location with hard-to-get downtime less than appealing to patch. And then there's management's attitude towards it -- you patch, after hours, and you don't get paid. OK...
I can remember when patching all night was kind of fun. Now I call sleeping kind of fun. I get paid to do my job, but not to bust my hump doing it.
I'm with the Bureau of Analytical Design & Heuristical Analysis Coding for Known Extensions & Requirements, and I demand you hand over to me that list of most vulnerable servers immediately... for security inspection purposes... or something... yeah.
---
Karma is bullshit without reasons
Support the FairTax
For trusted networks, couldn't the problem be mitigated by limiting arbitrary DNS queries to the trusted network? You could still allow queries from the Internet for your authoritative domains.
This would prevent the attacker from directly causing your server to query for his domain.
The allow-query and allow-recursion directives should accomplish this.
However, you would still be vulnerable if a query to the hostile domain is performed from inside the network.
Today I received a standard phishing email, except this one was different in one important way. The link to "please to update your details" went to http://www.paypal.com/ (not even any i18n tricks in there). I thought maybe the spammer had made a mistake, but after reading this, it all falls into place.
He may have just written it for himself and it just took off.
I worked with Ratko Tomic, who wrote an assembly language library to replace the standard libraries for MSC and Turbo C. He added functionality to make it easy to make TSRs. It was faster and smaller than the compiler's libraries. He wrote it for another person, so that he would not have to deal with trivial user interface code. It was turned into a product. Maybe it was the same for Dan.
Don't you mean phorwarder?
o/~ Join us now and share the software
I love people who think DJB owes them something because he wrote some code. If you read some of his papers, he sure does have a big ego, but if you take a look at the papers and software he produces, it's pretty darn flawless. If you could produce unbelievably fast and secure code as quick as him, you too could get cocky.
That's what admins/geeks are. Think of the classic 'Hackers' movie, and the big admin with the password of 'God'. Admins love their l33t Perl, C, TCL, Shell scripts because they do everything they need. We have contests as to who can make code that does something in the fewest number of lines (many references on Slashdot) and who can make the code deceivingly complex (again many references).
DJB made something that fits with his views. He made it available to the public and people liked it so much they started to use it. The best part about DJB's stuff is that it does its job and does it well.
I hear the big anti-qmail and anti-djbdns debate all the time about people who want tons of features in there. All of the features you can want are in patches, and patch collections that you can safely add. DJB has a mail system that does what he wants, and does it securely. He's not willing to accept patches into the mail distro because it taints its quality. That's his choice.
He wrote the code, he puts it up there. If you like it, use it. If you don't, avoid it. If you want features, make a patch for yourself or for others.
He's a smart guy who produced some damn good software that has a following for good reason. He doesn't want patched binary distributions floating around, as security issues in those reflect negatively on his word. As well, it keeps those who don't take the time to learn the basics of administration from operating misconfigured qmail installations. All good reasons; I'd agree with most of it.
-M
when you see the word 'Linux', drink!
Check the uid. It is much lower than yours.
emerge bind; /etc/init.d/named restart seems to work pretty well
Cool. You can share it with your LUG at the local library. Now pardon me while I return to rearchitecting an 8,000 server environment.
Intelligent Life on Earth
The DNS cache poisoning was reported a long time ago by Jon Lasser from SecurityFocus Online. As a response to that I created this page:
"Secure Bind 9 Example"
http://crashrecovery.org/bind9.html
Robert
What the badguy actually does is:
- gets queried for www.badguy.com by target.com
- delegates authority for HIS nameservers to ns.yahoo.com, for example; so he says:
- www.badguy.com NS ns1.yahoo.com
- www.badguy.com NS ns2.yahoo.com
- ...
- ALSO includes fake mappings of the form:
- ns1.yahoo.com A 1.2.3.4
- ns2.yahoo.com A 1.2.3.4
- ...
- so target.com contacts "ns1.yahoo.com" at 1.2.3.4 and asks to resolve "www.badguy.com"
- since ns1.yahoo.com is *actually* a name server under bad guy's control (bad guy controls 1.2.3.4), ns1.yahoo.com returns how to get to www.badguy.com
- then in future queries for www.yahoo.com, the name server will ask 1.2.3.4 for the IP for www.yahoo.com and send that reply to the requestor
Much better explained here. As DJB says, the "work around" is not to accept authoritative mappings (e.g. ns1.yahoo.com A 1.2.3.4) from anyone but yahoo.com.
That's rather long winded but the bottom line is DJBDNS will not believe any answers that don't come from the correct servers. BIND is a whore and will believe anything, even out of bailiwick answers. Big problem. Well understood for a long time.
The technique you describe above is how EK stole the internic.net domain a decade or so ago. He sent you mail, which bounced, your machine looked up his MX record by asking his server to return the bounce, and got wrong internic.net A records when it did. Bang, there goes the internic.
Cute huh?
Microsoft announced its current market share for DNS servers was at a steady 10%, but says it hopes to increase this figure in the coming years.
More on this at 11...
- Victim gets email (allegedly from user@target.com--doesn't really matter) containing link to www.target.com
- Victim clicks on link and in response victim's local name server sends a query for www.target.com
- Malicious guy interposes and spoofs a response to victim NS query: saying "I'm www.target.com and here is my [fake] IP"
- Then victim connects to fake IP (spoofed paypal site)
So that really describes a timing attack on name server replies. Assuming you're not on the same network as the attacker this requires BOTH: very good timing (getting a response back to the requestor before the real name server does) AND having that response be a valid spoof (i.e. your NS query contains an ID#; the NS response must echo back that number. It's a 16-bit deal... so the attacker may need to spoof 65,535 packets... or expected 32,767). Of course your local name server MUSTN'T already have a cached value for www.target.com else it won't even generate a request.
Another kind of DNS cache poisoning (what I think of as the more doable one, unless you're using old, old BIND with predictable query IDs):
- Send you an email from www.badguy.com and get you to respond to it... or embed an image hosted at www.badguy.com in the email so that your name server has to figure out how to get that image. Whatever: basically get you to try to resolve badguy.com
- Then your name server figures out how to get to www.badguy.com (maybe through
.com) and then once he gets the name server for www.badguy.com, that name server actually responds and says: "badguy.com delegates to www.ns1.TARGET.com and www.ns2.TARGET.com" AND says "www.ns1.TARGET.com is at [IP address of name server under control of badguy] and www.ns2.TARGET.com is at [IP address of name server under control of badguy]."
- So then when you LATER try to go to www.TARGET.com, you'll ask the name server www.ns{1,2}.TARGET.com, the IP of which is a name server under the control badguy.com.
Also there's scenario 3: badguy.com sends an NS request to your NS that contains fake info that he hopes your NS will cache...Anyway, NB that yours could also be a Unicode hack; i.e. a name that looks indistinguishable from www.paypal.com but actually is different.
http://www.schneier.com/blog/archives/2005/02/uni
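The delegation trick in the post above (badguy.com handing out "glue" for ns1.TARGET.com), the forwarder scenario earlier in the thread (an unrelated www.microsoft.com record riding along in a reply), and the 16-bit transaction ID check are all decided by one rule on the resolver side. The Python below is an added example, not code from the thread or from BIND or djbdns, of that rule as DJB describes it: the reply must echo the transaction ID and question that were sent, and only records whose owner name sits at or below the zone of the server that was queried are kept. It carries its own minimal DNS wire-format builder and parser so it runs offline; the poisoned reply, the names badguy.com and ns1.yahoo.com, the address 1.2.3.4 and the transaction ID 0x1234 are constructed for the example.

```python
import socket
import struct

A, NS = 1, 2  # the only record types this example understands


def encode_name(name):
    """Dotted name -> uncompressed DNS wire form."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name (following compression pointers); return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def encode_rr(name, rtype, ttl, rdata):
    wire = socket.inet_aton(rdata) if rtype == A else encode_name(rdata)
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(wire)) + wire


def build_response(txid, qname, qtype, answer, authority, additional):
    """Build an authoritative-looking reply; a hostile server can put any RR in any section."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answer), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rr in answer + authority + additional:
        body += encode_rr(*rr)
    return hdr + body


def parse_response(msg):
    """Parse the header, the single question, and the three RR sections."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    out = {"id": txid, "qname": qname, "qtype": qtype}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == A:
                rdata = socket.inet_ntoa(msg[off:off + rdlen])
            elif rtype == NS:
                rdata = decode_name(msg, off)[0]
            else:
                rdata = msg[off:off + rdlen].hex()
            off += rdlen
            rrs.append((name, rtype, ttl, rdata))
        out[section] = rrs
    return out


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(raw, expected_id, expected_qname, bailiwick):
    """Resolver-side acceptance: the reply must echo our transaction ID and question,
    and only records owned at or below the queried server's zone are kept."""
    resp = parse_response(raw)
    if resp["id"] != expected_id or resp["qname"].lower() != expected_qname.lower().rstrip(".") + ".":
        return None                                     # wrong ID or question: a blind spoof, discard
    kept, dropped = {}, []
    for section in ("answer", "authority", "additional"):
        kept[section] = []
        for rr in resp[section]:
            (kept[section] if in_bailiwick(rr[0], bailiwick) else dropped).append(rr)
    return {"kept": kept, "dropped": dropped}


# Constructed poisoned reply: the resolver asked the badguy.com server (trusted only for
# badguy.com) for www.badguy.com with transaction ID 0x1234. Names and addresses are made up.
POISON = build_response(
    0x1234, "www.badguy.com", A,
    answer=[("www.badguy.com", A, 3600, "1.2.3.4")],
    authority=[("badguy.com", NS, 3600, "ns1.yahoo.com")],    # delegation to someone else's server
    additional=[("ns1.yahoo.com", A, 86400, "1.2.3.4"),        # fake glue for that server
                ("www.microsoft.com", A, 86400, "1.2.3.4")],   # unrelated record a forwarder would relay
)

if __name__ == "__main__":
    result = accept_response(POISON, 0x1234, "www.badguy.com", "badguy.com")
    print("kept:", result["kept"])
    print("dropped (out of bailiwick):", result["dropped"])
    print("wrong-ID spoof accepted:", accept_response(POISON, 0x1235, "www.badguy.com", "badguy.com") is not None)
```

Run as written, the in-bailiwick answer and the NS delegation survive, while the fake glue for ns1.yahoo.com and the www.microsoft.com record are dropped; the resolver then has to resolve ns1.yahoo.com through the yahoo.com servers itself, which is the extra lookup the next reply in the thread points out. A reply carrying the wrong transaction ID is rejected before any record is looked at, which is the 16-bit guess a blind spoofer has to win.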
It seems the most accurate explanation of cache poisoning is lost beneath most people's threshold - please mod it up. Yeah, I know it replicates information from djb's article, but it's still useful for lazy people :).
Note however that finding out what servers to trust when you get an A record for www.yahoo.com in the additional section (or something like ns1.yahoo.com which is probably more likely to be spoofed) requires an extra DNS lookup in some cases - your nameserver can't possibly know which servers are authoritative for yahoo.com without an extra query. djb doesn't say how he achieves this in the article, it would've been an interesting read.
Also, you can use any other record that has a domain name in the rdata (or right hand side), like MX and SRV, for example.
1) At a certain financial site users receive feedback assuring one that the site is legit. The feedback includes a picture and message that were designated previously. If I surf there first and find that the DNS directed me to the right site can I then surf to other sites with certainty?
2) What about using the IP address as opposed to URLs (is that the right term) or word address? Are DNS used if one types in an IP address?
Some while back, I was working as a sub-contractor to a contractor working at a government facility. Due to some needed new features and security holes, it was decided that all the Cisco routers would be upgraded to a new IOS. The work was scheduled for a weekend when the entire facility would "go quiet". The planning was immaculate -- with time alloted for each router IOS upgrade, time set aside for new IOS patches, and reloading the working data. Through some rather long weekend hours, the Cisco router upgrades went smoothly and efficiently. Only the lead technician (for security reasons) was to go around and reload the working data (router tables) -- which is when the most basic of problems rose up and bit this "weekend project" in the ass.
All the routers were then required to be rolled back to the old IOS, IOS patches, and the router tables reloaded until the following "long lost weekend". It turns out that the new Cisco IOS had a bigger memory footprint than the original, and with the new patches applied there was not enough memory to completely load the router tables.
Check the memory requirements of the new IOS, patches, and router tables prior to proceeding, and install more memory as needed. And if you are fortunate enough to have a spare router to test the upgrades on prior to the main rollout, test there first.
YMMV
We need no stinkin user interface. REAL PROGRAMMERS don't need no stinkin user interface.