Ten Percent of DNS Servers Still Vulnerable

maotx writes "Even with the uproar caused by the recent DNS attacks, a recent study shows that roughly 10% of 2.5 million DNS servers show that they are still vulnerable to DNS cache poisoning. To put that a little bit more in perspective, of that 10% discovered, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." From the article: "The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming."

Admins - Take some initiative!

[bigwavejas]

Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches? Instead, it takes an article like this to get them off their asses to take action. It shouldn't be this way.

This is strikingly similar to the Cisco OS debacle, where a patch had been available for some time, yet Admins failed to patch their hardware on their own. Yes, it's a pain in the ass to take your network down, but look at the alternative...Hacked!

Re:Admins - Take some initiative!

[Kainaw]

Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches?

You are assuming the fix is a patch. I get vulnerability reports for my servers every week. The issues are never patches because I check for new patches every day. I get vulnerabilities that have no patch of any kind, yet I'm expected to somehow rewrite all of the software on the computer to fix the vulnerability. If I could do that, I wouldn't be working here. I assume that I am in the same position as most admins, I have to wait for the patches to come out and hope nothing bad happens while I'm waiting.

Re:Admins - Take some initiative!

[Bi()hazard]

The fix in question here is available. The BIND webpage has a scary warning box on the right with details. Everyone should be upgrading to the new version.

But it's not surprising that there's still vulnerable servers out there. In fact, I'm surprised the total is so low. Aside from the few admins who just aren't doing their jobs, these kinds of things often run into bureaucracy. In many organizations, upgrades have to be thoroughly tested before release and there's standard schedules for patch cycles. An admin who wants to simply stick a new version of something on the production server may be told to wait until approval comes. That could take a while. And occasionally you'll have some crappy system that doesn't work well with the new software, and they're stuck rolling back until the problem is solved.

I had a friend who worked at a small ISP that had some serious security issues. The guy who should have been patching things "resigned"-something to do with the smell of pot lingering in his office. Anyways, the position went vacant for a little while and the task fell to the two new interns, my friend and another girl. Coincidentally they were both young women and had no experience relevant to the job, proof of quality hiring practices. To make a long story short, the (not terribly large) customer database got hacked and the company was sued. The owner, who had been heavily in debt already, vanished completely. Naturally the whole thing went down in flames and my friend didn't even get a reference out of it.

Most of you are probably sitting there thinking this story is too outlandish to be true. Haha, well, this is the internet so you never know what to trust, but you know there's places out there where things just aren't done the way they're supposed to be. It's shocking what goes on, and there will always be vulnerable servers around.

Getting it down to the numbers in the article this quickly is actually pretty good. The real lesson here is that you need to insulate yourself from the fools who won't take responsibility. Always assume 10% of the internet is out to get you, because they probably are. Hey, I don't even want to think about what 10% of slashdotters would want to do to me.

Re:Admins - Take some initiative!

[Burdell]

In the case of the Cisco IOS problems, nobody knew there was a problem
to be patched. That was the biggest part of the problem: Cisco's
silence.

When you run services that must be up 24x7, you don't donwload every new
IOS release and load it on dozens or hundreds (or more) of devices just
because there was a new release. IOS often has more new bugs in each
release than bugs fixed; when you find a release that has the features
you require and is stable with those features running, you don't touch
it until you find a bug, require a new feature, or Cisco announces a
security problem.

I run a relatively small network, and I'm looking at having to upgrade
around two dozen devices running IOS in six cities (a number of which
require visiting an unmanned office because some things can't be
upgraded remotely) plus another dozen or so devices in our spares
inventory in two cities. I'm not going to upgrade any operating devices
until I can test new releases in a test setup. All of that takes a lot
of time, which means something else has to get pushed back.

What?

[ucahg]

230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

Okay, let's have it for unclear writing!

Seriously, what does this even mean? Of the 250,000 that are vulnerable, 230,000 are vulnerable, 60,000 are vulnerable, and 13,000 are vulnerable.

Okay, that clears it up.

Phor God's sakes!

[Zab+UvWxy]

Some security companies have called this technique pharming.

Phor phuck's sakes! I've had enough of this phreaking 733T-speak from the phucking security compaines! It was original with phreaking; it was mildly amusing with phishing; now it's just annoying.

Why not just leave the terminology as "DNS cache poisoning" and be done with it?
[/rant]

Re:Phor God's sakes!

[TheSneak]

-Pharming!? Who the hell makes up these names anyways?

-He's new sir. Guy by the name of "Daffy duck".

-You realize of course, that this means war...

How can I check my own DNS configuration for this?

...or for any other DNS exploits, for that matter?

Any good tools to (or sites to help) check for those?

What about DNS Cache Snooping?

[kossak]

DNS Cache Spoofing is not the only nasty trick available to DNS hackers; There is a (still) relatively unknown vulnerability afecting the vast majority of nameservers today, and one that is not easily resolved by patches alone.

Check out my paper about this, its called DNS Cache Snooping, and allows for a bunch of interesting tricks. It afects most of DNS Server/Cache combination implementations and is triggered by an extremely common misconfiguration, one that allows for the whole of the internet to use a given DNS server as their primary DNS server.

Luis Grangeia

Email redirection

[Deanalator]

DNS cache poisoning doesnt stop at tricking people out of their money. At defcon Kaminsky also showed how it can easily be used to do things like email misdirection, which I think is much more of a big deal.

Can I get a list?

[PhraudulentOne]

Can I get a list of these vulnerable servers so I can.. umm... see if I'm on it and patch my systems? Yeah.. that's it.

Re:How can I check my own DNS configuration for th

[Malor]

I'm confused about this one too. This is what I THINK is going on with this exploit. Hopefully, someone who ACTUALLY knows will correct my mistakes. :)

One of the possible ways to set up a DNS server is as a 'forwarder'. This means that it doesn't do lookups itself, but rather passes all DNS requests to another machine, gets replies, and then sends replies to the clients. One reason you might do this would be to distribute DNS load in a big ISP; you have a few machines that do the actual outbound DNS determination, and then the cache ripples back to the servers that are actually talking directly to the clients. DNS is fairly low-load, relatively speaking... this architecture would date from when everyone was deploying 50Mhz machines as servers. I'll call the local BINDs 'caching' servers, and the one doing the actual lookups on the internet the 'point' server.

So in and of itself, this architecture isn't a problem. But one of the features of the DNS protocol is that any server can send back more data than what was actually asked for, even data that is totally unrelated to the main query. Caching BIND servers by default trust their point server. And, when functioning as a point forwarder, BIND4 and BIND8 apparently just pass along queries they receive without checking them. The point BIND assumes that the caching BINDs are checking, while the caching BINDs assume the point BIND is checking, and the packet never gets checked for sanity at all.

So Joe Hacker snoops around... he tries to find DNS servers on your network. Once he finds one, he queries it for a name in a domain he controls. (or he initiates a connection to a webserver on the same machine, which may cause the same DNS lookup). He watches for the request to his DNS server coming from a DIFFERENT machine. That often indicates a forwarder configuration.

So he waits for his cached info to expire, and does it again... except this time, his reply packet includes extra information, "Oh, by the way, www.microsoft.com is on joes.evil.server.here." If BIND4 or BIND8 is the functioning as the master lookup in a forward configuration, it just passes along the packets it receives. And when BIND is in a SLAVE configuration, it just trusts what it gets from the forwarder. So suddenly, your whole network is connecting to joes.evil.server.here instead of www.microsoft.com. And if it doesn't work, oh well, next DNS server... this is a very low-profile attack. You have to really be LOOKING for it to be able to see it.

Apparently, the workarounds are A) don't use a forwarder configuration. There's no real need for this anymore, even a cheap 1ghz machine with a gig or so of ram will serve tens of thousands of clients. B) if you MUST use a forwarder, use BIND9 (or, presumably, DJBDNS) as your 'point' machine. BIND9 does sanity checking when it's on point.

Hopefully I got this right. I haven't been paying much attention to this before, because I (rightly) didn't think it affected me. If I'm wrong, PLEASE correct me, I hate to spread misinformation.

The internet license

[erroneus]

I think there should be an internet user license program. I know it smells like some way of identifying people and all that, but it doesn't have to be any more than a driver's license does at present.

I'm thinking of something along the lines of a radio operator's license with different levels and qualifications and all that. Then people who are said to be administrators of web hosts and stuff like that would be required to posess a certain level of knowledge (and potentially a certain level of pay?) and ability. If it is shown that they do not demonstrate the proficiency required for some reason, then their license should be revoked or downgraded.

Furthermore, certain levels of internet "safety" and "security" ratings should be given to all software, firmware and hardware products that run on the public internet. The consumers can be better aware of the quality of the products they use on the internet. (Examples might include a rating for MSIE having a lower security rating than Firefox because of that whole ActiveX thing... or a Linksys firewall/router giving the users behind it a certain rating of security over a Windows box connected directly to the public internet.)

Not only would we be able to leverage these sorts of licenses and ratings to have a better and safer internet, but we would be able to have a more conscious set of consumers who just might be able to look at the label to determine that product A is better than product B. They will no longer need to get an education in how the internet works just to get their home computers on the net... and we'll be less likely to deal with all those spambots and zombies out there as well.