Slashdot Mirror

← Back to Stories (view on slashdot.org)

"DNS Forgery Pharming" Attack Against BIND 9

Posted by kdawson on from the better-hope-sitekey-works dept.

Monley writes "Help Net Security is running a story about a severe flaw in BIND's implementation that allows fraudsters to efficiently predict generated random numbers without the need to control the route between the user and the DNS server. (Here are HTML and PDF versions of the paper.) Using this vulnerability, fraudsters can remotely forge DNS responses and direct users to fraudulent websites, which can steal the user's sign-in credentials and do other mischief. The flaw was discovered by security researcher and Trusteer's CTO, Amit Klein." The ISC has released a patch to BIND 9.

10 of 105 comments (clear)

  1. Re:wow... by Anonymous Coward · · Score: 1, Interesting

    And what to you propose, Troll!

    I won't run DJB's authoritative server as it violates the spec by not answering queries that have the recursive bit set. (The spec doesn't require honoring the bit, just answering the query out of what is knows would do).

  2. Re:New by countSudoku() · · Score: 2, Interesting

    We'll thank goodness the people who are claiming the exploit *also* happen to have a product to defeat said exploit...

    "Existing desktop security solutions cannot protect against this type of attacks since DNS forgery pharming does not involve the user's computer or the DNS server but rather the cached data on the DNS server. Mutual authentication solutions, such as Trusteer's Rapport, which strongly authenticates the destination website and prevents access to unauthenticated websites, can defeat the attack."

    How convenient! ;)

    What version of BIND is going to have the fix? I've got 9.3.2 at the moment.

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
  3. Re:New by Charles+Dodgeson · · Score: 4, Interesting

    How long has BIND been using the same random number generator? I'm a little bit skeptical that Mr. Klein is the first person to consider the possibility of mimicking its behavior

    If you read the PDF, you will see that a good history of this kind of attack (and previous responses to it) are detailed. Apparently there has been is history of research into this kind of attack, with various counter measures. But the new attack (which seems like it would apply to almost all versions of BIND9 takes a different approach at "cracking" the PRNG which looks like it could be run against real-world servers.

    I don't pretend to understand everything (or even most things) in the PDF, but it looks like solid research to me.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  4. djbdns by jsdcnet · · Score: 2, Interesting

    I've been using djbdns for years. It takes some getting used to if you're coming from BIND-land but it's worth making the effort.

    --
    no longer working for cnet
    1. Re:djbdns by Antique+Geekmeister · · Score: 3, Interesting

      Try looking at the copyright on djbdns. None, I repeat *none*, of Dan Bernstein's technically excellent solutions have propagated to broad use because of his extremely poor documentation, installation instructions, violations of the UNIX FileSystem Hierarchy, unwillingness to allow others to fork his code even for ease of packaging reasons, confusing licensing, etc.

      The functionality of clever tools like QMail and djbdns and daemontools has thus wound up sidelined and ignored by mainline developers. There are numerous lengthy and well-frounded rants on this, such as http://linuxmafia.com/~rick/faq/index.php?page=war ez#djb. And like the absurd licensing conditions of Pine and the University of Washington wu-imapd, the refusal to accept input or insights from others or cooperate with its packaging for more stable configurations has led to their being discarded from most distributions.

    2. Re:djbdns by Anonymous Coward · · Score: 2, Interesting

      No, Djbdns is not acceptable. Its list of root name servers is five years out of date, and there is a remote denial of service security problem which has not been fixed. Heck, it won't even compile in any Linux distribution from the last three years or so.

      And, no, you can't fix these issues and distribute a "djbdns-fixed.0.1.tar.bz2" file with the fixes in place, because djbdns is not open source.

      djbdns is dead and has been dead for years now.

  5. Jeezus freaking A Christ by m.dillon · · Score: 3, Interesting

    Why the hell is bind trying to implement its own random number generator? It's a piece of junk compared to the random numbers modern BSD OS's generate via libc.

    -Matt

  6. Re:wow... by Wdomburg · · Score: 2, Interesting

    I personally like my DNS servers to follow the relevent standards personally.

    Of course I could go ahead and run the recommended DJB configuring using rsync + openssh to propogate zone files. Then I would avoid the 10 vulnerabilities filed against BIND9 over it's seven year life span, but open myself to the 40 or so against OpenSSH, 30 or so against OpenSSL, and 10 or so against rsync.

  7. Re:So.. if BIND9 sucks.. what is an alternative? by elp · · Score: 2, Interesting

    Don't forget DJB's legendary personality as well.

    I've been using PowerDNS to manage several thousand domains for almost 3 years and its been the best thing I ever did. Besides being GPL it has an SQL backend so doing things like changing the TTL for 300 domains takes a few seconds instead of the slog or scripting nightmare with BIND. I use mysql replication to keep my slaves uptodate which is also flawless. Load average handling around 150 queries a second is less than 1%

    There is a postgres backend for it as well although I have never tried it.

  8. Just an idea by master_p · · Score: 2, Interesting

    Shouldn't login into a web site be bi-directional? not only a user logs in a web site but the web site should log in a user by submitting to the user a password (let's name this password back-password).

    The login sequence should be:

    1) user submits his username.
    2) site submits the back-password.
    3) if back-password is correct, user submits his password.

    By using bi-directional login, if the site is spoofed, the login process will fail, unless the spoofed site knows the back-password.

    After login, communication should be encrypted so as that no 3rd party can eavesdrop on the communications.