Slashdot Mirror
Kaminsky's DNS Attack Disclosed, Then Pulled
An anonymous reader writes "Reverse engineering expert Halver Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak."
Reader Time out contributes a link to coverage on ZDNet as well.
Kinda makes you wonder what they're getting out of it.
How we know is more important than what we know.
What sort of tease posts this story without the details contained in the pulled Matasano post?
http://demosthen.es/post/43048623/matasano-briefly-had-a-post-up-about-the-dns-flaw
Give an evil genius some credit, 2 hours tops and half that time's spent reading /., most of the other half on other evil online things; like pr0n and goatse.
Walk with Music;
I mean they coordinated this massive "patch" that's supposed to fix it. Now that it's fixed, it's not a secret anymore, or it this one of those cia secrecy where the reputation of those involved is at stake?
...about these Monsanto DNA attacks for some time...
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
i have matasano's blog in my google reader feed and the whole post is still available... very interesting article but i think it's better for Dan to fully disclose it than the matasano team
Q: Why is starting a post in the Subject: line annoying?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Doxpara.com, the blog of Dan Kaminsky who first discovered the vulnerability, has also been updated.
In case of Slashdotting, here's the full update;
Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (Theyâ(TM)re ready for your traffic.) Thank you to the many of you who already have.
I got this much and am working on extracting more but hitting a roadblock.
Matasano Chargen  Blog Archive  Reliable DNS Forgery in 2008: Kaminskyâ(TM)s Discovery. Well the cat is finally out of the bag. I suspected this was how the
the cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan ... One of them involves mucking about with the QID in DNS packets and
and the other requires you to know the Deep Magic. First, QIDs
Bobâ(TM)s a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is 1.2.3.4.
Mallory would like the answer to be 6.6.6.0. It is a (now not) secret shame of mine
that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my
job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part
of poisoning DNS. If Iâ(TM)m Mallory and Iâ(TM)m attacking Bob, how can he distinguish my packets
from Aliceâ(TM)s? Because I canâ(TM)t see the QID in his request, and the QID in my response
wonâ(TM)t match. The QID is the only thing protecting the DNS from
Mallory (me). QID attacks began in the olden days, when BIND simply incremented the QID
with every query response. If you can remember 1995,
hereâ(TM)s a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373?
You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM.
All are quietly discarded â"- until Mallory gets Bob to query for
WWW.VICTIM.COM. If Malloryâ(TM)s response gets to your computer before the
legitimate response arrives from your ISPâ(TM)s name server, you will be redirected where
where Mallory tells you youâ(TM)re going
Support my political activism on Patreon.
There were other issues regarding this patch that still have never seen the light of day, not even a note in passing.
In the hours after the initial vendor announcement and the following 2 days, the .com.au name servers were returning useless and corrupt answers.
I don't have any output from the issue any more, but I can make it up :P
eg. dig example.com.au NS
; ANSWER
(none)
; ADDITIONAL
(correct A records for the missing NS)
This meant that your normal resolver could not figure out who the MX was for com.au domains unless it still had the information about the NS servers was still in cache. Since I had just updated and restarted all the local named, this cache was gone. It did not show in non-production testing as I didn't check a specific country name server, just google/yahoo.
Did anyone run into similar issues or even know of any news or blog reports on this? It seems to have been completely swept under the carpet.
Use Google search snippets to expose little details of the document...
I'm guessing some persistent folks will eventually be able to piece the bits together.
i.e. see how much you can piece together from the summary with the result shown by google. Adjust your search by including unique words towards the end of the snippet in one search to try to get the text that follows.
1
2
21 Jul 2008 ... One of them involves mucking about with the QID in DNS packets and the ... The QID is the only thing protecting the DNS from Mallory (me). ...
21 Jul 2008 ... If Mallory wins, the next 10000 or so people that ask that cache where WWW.VICTIM.COM is go to 6.6.6.0. 3. Then thereâ(TM)s that other set of ...
21 Jul 2008 ... Then thereâ(TM)s that other set of DNS vulnerabilities. ... Then letâ(TM)s set up an evil server with it, and register it as EVIL.COM. ...
21 Jul 2008 ... EVIL.COM, and watch how the QIDs bounce around; eventually, sheâ(TM)ll break the .... EVIL.COM and slipping strychnine into his ham sandwich, ...
21 Jul 2008 ... This will be Bobâ(TM)s unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice â" once when ...
21 Jul 2008 ... Which sends back a response with an unexpected (evil) Additional RR. ... Weâ(TM)ll come back to it. Alice has an advantage in the race, ...
21 Jul 2008 ... Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM. Aliceâ(TM)s advantage is not insurmountable. ...
21 Jul 2008 ... Aliceâ(TM)s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. ..
21 Jul 2008 ... Frequently, that server has to go ask another, and so on. .... And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! ...
21 Jul 2008 ... If Mallory wins, the next 10000 or so people that ask that cache where WWW .... COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0! ...
21 Jul 2008 ... Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. ... Because her response didnâ(TM)t just say CXOPQ.VICTIM.COM was 6.6.6.0. ...
21 Jul 2008 ... COM was: 6.6.6.0. Every resolver that points to that name server will now ... COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact ...
Well, as soon as he had posted that thing he got a Cease & Desist letter from MPAA for disclosing the intellectual property of Wachowski Brothers for The Matrix: Rebuttal. The movie was supposed to answer all the questions pertaining to the first movie and this attack was the secret way that Zion crafts used to hack into the Core. Of course, the Core refused to get its DNS servers patched because they didn't need anyone's help.
and running around the room screaming that the sky is falling.
An article over at the Register, states that this 'vulnerability' was discovered three years ago by Ian Green and published in a paper he wrote for the SANS Institute. While Kaminsky does deserve some credit for his organizational skills in getting people to act on this, that's about as far as his role goes. Since this has been known about for three years and we haven't seen anything 'in the wild' -until now that the media bandwagon is careening downhill on fire- just goes to show how hard this is to exploit.
Sig this!
This did occur to me earlier but seemed too simple.
Pick a few hundred ISP name servers. Craft packets with the the source address as that of your victim's name server's IP address and start sending them to the ISP name servers on your list.
Sooner or later, due to the non-randomized tracking number used by DNS requests, your false DNS replies will be accepted by one ISP nameserver. Because you set the TTL for the DNS record to be very high, the record will live in the ISP name server's cache for VERY long. Now all the ISP's customers will come to an IP address of your choosing when they type www.victim.com.
The internet is now 0wned.
What I was thinking is spraying the end users with spoofed DNS responses. Sooner or later, some would use your response to resolve the name but obviously poisoning an ISP name server is more profitable.
If this really is *the* attack then it was lame of the *researchers* to try and hide it. I am sure 1000s would've guessed it by now. The exploit is really simple with dozens of packet crafters out there
Here is hoping that the real vulnerability is a lot harder to exploit.
I have the entirety of the text of the article, since it's on my feed reader. You do not need to piece it together. Just ask me for it.
The futility of recalling the article should be a very good example of the stupidity in this "don't speculate about the DNS vuln" moronic exercise that is doing the rounds these weeks.
Rudd-O - http://rudd-o.com/
I've had enough. From now on, /. isn't /. for me. It's 216.34.181.45. I'm updating all my bookmarks.
Wait, why is it redirecting? I have a bad feeling about this. Itsatrick.
Do they also require a patch? They act as DNS for the local clients.
Did Matasano blog get broken into? "ecopeland" never posted there before
...is not just that you can race legit DNS servers for legit queries, is that you can request recursive resolution for bullshit DNS servers, while submitting fake answers WITH malicious informational records that let you poison second-level domains. So by requesting xxjk3j.google.com while submitting your own coolly crafted answer, you can make the victim DNS use YOUR DNS as authoritative for the future google.com replies.
THAT is the significance of the attack. THAT is what matasano pulled.
Rudd-O - http://rudd-o.com/
If this is the real deal, there's some bogosity here. This is certainly not a new attack or flaw in the dns protocol, any more than run of the mill dns cache poisoning is. Spoofing responses from the root servers (to hijack a TLD) is difficult; their TTLs are long, there are many of them (more unpredictability), and most DNS servers service so many requests that it's unlikely that your spoofed answer will be the first one to hit the server and thus poison the cache once the TTL for that TLD has expired. Spoofing responses from TLD servers is standard issue cache poisoning, and you cannot use it (any more) to poison a cache with an irrelevant record; BIND is going to ignore any NS, A, SOA, or other records for bankofamerica.com. in the additional or authoritative sections if the request was for some-domain-that-don't-exist.com. I'm back to where I was before; not seeing anything new here except a clever theoretical attack that would work much better if the TTLs for the TLD servers were on the order of minutes or hours rather than days. Either Halver guessed wrong, or the security community has been mislead about the severity of the issue.
Any idea when Apple might release a patch for Mac OS X Server?
I know compiling BIND from source is always an option, but most admins aren't going to do that.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Only because someone marked it interesting.
This is not the same. The problem is sub-domains not super-domains.
Does going to your local University and registering mail.google.com.myuni.edu mean that you're going to get a lot of phishing? Yes, but only for people searching with myuni.edu as their default search domain. (likely, only on MyUni's internal network, and then only for people who aren't super-seasoned salt-cured security people who automatically type "mail.google.com." every time)
This problem is that in pining for xxxx.google.com you can potentially ADD information that "Hey! I know what mail.google.com is too!" Since the super-domains match up, the DNS servers would go "right then, update my cache."
WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
For what it is worth. I see the whole blog entry in my google reader rss feed for Matasano.
This is sad.
Rudd-O - http://rudd-o.com/
I fail to see the point in pulling this information. The only people who will CARE about it are those who know how to exploit it, and they're the exact people who'll be able to find it regardless of if it's removed.
I wouldn't mind betting this will show up on Wikileaks pretty soon (if it's not already).
For those who've not heard of it: http://en.wikipedia.org/wiki/Streisand_effect
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
Use djbdns which is immune to this attack. Dan Bernstein actually described this in 2002 http://cr.yp.to/djbdns/res-disaster.html
djbdns is not prefect but has been better than BIND which had it large share of bugs and security problems.
Mod parent down for not understanding the vulnerability.
they don't know shit unless it's in a fag comic book or a dungeons and dragons guide.
and your point is???
That is different - that's just advertising and silliness off the way the wildcard matching works for WHOIS.
The issue is when you can force the target to resolve blah.google.com to poison www.google.com and then include a glue response for www. in with the blah. response which is then accepted because the domains match at to the right of that level.
For all the hype, this attack is hardly groundbreaking. It strikes me as something that was used to coerce vendors into finally patching smaller flaws security people have been nagging about for years.
For those who want to read this here is the url. http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html
There is a write up on the register that suggests that while this may be Kaminskys attack, there is a possibility that it is another separate vulnerability.
Alright, so I'm not even someone who does DNS/networking stuff even for a hobby (just a math grad who skimmed the RFCs once or twice) so if I can figure this out from what's up now then any competent bad guy can as well.
Anyway my guess is that it involves a combination of the birthday attack and the request for multiple nonexistant nameservers. That is as the attacker you trick poisontarget.com into trying to resolve the following locations.
AAA.google.com ....
AAB.google.com
XXX.google.com
Now you forge a single response packet that works for all of these requests and send many different copies with different TXIDs. Thus to succeed you need only hit ONE of the TXIDs used in the real requests.
In these forged responses you also have a forged glue record (as suggested in some of the links) which gives you control of lookups for all of google.com at poisiontarget.com after a single success.
Then again maybe I missed something basic which means this doesn't work.
If you liked this thought maybe you would find my blog nice too:
http://beezari.livejournal.com/141796.html Ahhh, internet. (Not my journal, nor can I vouch for the veracity of the post-- but it seems to fit with other fragments posted and found)
There are over 36 million lines of COBOL code in the world, and they are all raping children.
The described attack's a nasty tactic. I hadn't thought of it, or rather I had but discarded it under the impression that all DNS software had changed years ago to filter out additional RRs that weren't responsive to the actual query to prevent exactly this sort of attack. I hope Dan's patches include such a filter.
Frankly, we should just do away with the subject line entirely.
Or /. could stop adding the Re:*'s for people and force them to type something.
what? are you one of those fags that like to get pounded up the ass by your dungeon master? do you suck dicks thinking about clark kent? fag.
You fail at life.
http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html
There will be more (new) announcements in the coming week or two. The DNS is gonna be fun for a while, unfortunately. We prefer it to be reliable and accurate.
# Hack the planet, it's important.
y ecopeland
0.
The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.
1.
Pretend for the moment that you know only the basic function of DNS -- that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.
Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bob's unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice -- once when he is called to the counter to place his order and again when he's called back to get his sandwich. If you're wondering, Bob likes ham on rye with no onions.
If you've got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. It's called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.
2.
Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.
First, QIDs.
Bob's a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory would like the answer to be 6.6.6.0.
It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If I'm Mallory and I'm attacking Bob, how can he distinguish my packets from Alice's? Because I can't see the QID in his request, and the QID in my response won't match. The QID is the only thing protecting the DNS from Mallory (me).
QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, here's a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded --- until Mallory gets Bob to query for WWW.VICTIM.COM. If Mallory's response gets to your computer before the legitimate response arrives from your ISP's name server, you will be redirected where Mallory tells you you're going.
Obvious fix: you want the QID be randomly generated. Now Alice and Mallory are in a race. Alice sees Bob's request and knows the QID. Mallory has to guess it. The first one to land a packet with the correct QID wins. Randomized QIDs give Alice a big advantage in this race.
But there's a bunch more problems here:
*
If you convince Bob to ask Alice the same question 1000 times all at once, and Bob uses a different QID for each packet, you made the race 1000 times easier for Mallory to win.
*
If Bob uses a crappy random number generator, Mallory can get Bob to ask for names she controls, like WWW.EVIL.COM, and watch how the QIDs bounce around; eventually, she'll break the RNG and be able to predict its outputs.
*
16 bits just isn't big enough to provide real security at the traffic rates we deal with in 2008.
Your computer's resolver is probably a stub. Which means it won't really save the response. You
According to the "confirmed" post by Thomas Dullien aka Halvar Flake (found via this PCWorld article), the problem might be even simpler than that. He issues requests for some non-existent domain in .com, instead of a non-existent subdomain in the domain you're attacking.
Can anyone confirm, or must it be subdomains?
See http://thefrozenfire.com/data/dnspoisoning.html for the whole deal, without the pastebin RAW formatting ;)
Parent may be off-topic, but it's still interesting.
Kaminsky posted a test to see whether your DNS server is still vulnerable (it seems that you'll need to allow scripts from toorrr.com). If the server is vulnerable, he appears to be recommending OpenDNS as a stopgap measure. Their nameservers are 208.67.222.222 and 208.67.220.220 .
If you're really paranoid, switch to OpenDNS first before running the test...
On a related note, doxpara.com = 66.240.226.139 , but I can't get anything but a 404 at the IP address. Should I be nervous?
I've posted up the full text of the article, and it'll stay up, assuming lighty doesn't fail miserably on me. http://www.jbip.net/content/text-mantasanos-article-detais-kaminskys-dns-attack
Interesting you say that. Whenever I get mod points, the subject line is one of the things I look at to see where to grant my mod points.
Reading every posting to see which ones are worth modding up would be too much work. I look for replies in a thread where the author has taken the effort to change the subject line from "Re:Re:Re:Re:Unoriginal First comment" to something relevant; these have a much higher chance of being insightful or interesting. The more concise and pithy the subject, the more I make sure I click on it to read; a subject line like "Not true: ABC is counterexample" conveys more information than "You're wrong!" and is correspondingly more likely to be modded up.
I'm not saying that a catchy subject line is enough to get mod points from me, but those are the ones I will read first.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Mod parent down for not understanding
YMBNH.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
http://www.sans.org/reading_room/whitepapers/dns/1567.php
[BEGIN PGP PUBLIC KEY]: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVI
reasonably well formatted .... except for the white-on black colour scheme. Makes me nostalgic for those 1980s CRTs.
And here's tptacek's grovelling retraction (which followed his drunken rant on DD at the weekend which firmly argued the public have the right to know and trying to stop public discussion is Wrong). I fear the Matasanto crew and Halvar are about to discover what happens when geeks allow their 'satiable curtiosity to run away with their sense of ethics. Halvar in particular posted a long self-justification (with mathematical functions!) trying to prove that public dissemination before BlackHat would be a good thing.
=== BEGIN PTACEK ===
"Earlier today, a security researcher posted their hypothesis regarding Dan Kaminskyâ(TM)s DNS finding. Shortly afterwards, when the story began getting traction, a post appeared on our blog about that hypothesis. It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.
We dropped the ball here.
Since alerting the Internet earlier in July about the upcoming announcement of his finding, Dan has consistently urged DNS operators to patch their servers. We confirmed the severity of the problem then and, by inadvertantly verifying another researcherâ(TM)s results today, reconfirm it today. This is a serious problem, it merits immediate attention, and the extra attention itâ(TM)s receiving today may increase the threat. The Internet needs to patch this problem ASAP.
Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well.
Dan did phenomenal work on this research. It was impossible to talk to him today and not know that he was sincere about coordinating a graceful disclosure and fix for the problem. That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out.
Thomas Ptacek
Principal, Matasano Security
Jul 21, 2008
A complete mirror of the original text @ matasano.com has been posted here
http://darkoz.com/?p=15
Enjoy!
Bind is evil, bind has the worst security track record except maybe for sendmail but that's not saying much.
I don't know much about the other options, I use djbdns, but PowerDNS looks fine.
1. Licence
2. With possibly the exception of qmail, you can put everything anywhere you like. The /service path location is only hardcoded in svscan, for instance, and the other weird paths such as /command are only used in the install scripts, which you probably don't want to use anyway.
3. I wish there was a credible alternative to djbdns. I only know of PowerDNS, haven't had time to try it yet, what about the others? Bind is a non-starter for me, just like sendmail (but Postfix is ok).
Okay, I don't dabble deep in DNS but I have a few quick questions. The RR thing is nasty because sub-domain authority implies domain authority. That's just silly and I'm stunned that something so simple is still true. I imagine there are a million and one "good" reasons for it, but it appears to be a gaping hole that could easily have been removed.
However, on the "let's spoof a DNS response" front - if a DNS server/client is being sent lots of spoof reponses, how long until they are picked up by a filter and blacklisted, tarpit'd or similar at the ISP end? This is the solution surely, even if you can send millions of packets with incorrect QID's and similar identifiers at a DNS server, like any other service at some point it has to say "you're trying to be naughty" and blacklist any packets, sound an alert, get the upstream filters to block such traffic etc. (This is, of course, assuming that there are at least some systems in place to stop or limit source-IP forgery in the first place). It might even be a good idea, at this point, for such servers to not trust their data, and constantly compare their copies with those available from the nameservers. If "fluctuation" of the data (between real and spoofed responses) is detected, then sound an alert on that domain.
How many responses does an average DNS server get that are invalid because of purely accidental causes (e.g. corrupted packets, mis-configured routers etc.)? Surely it's so few that it can instantly blacklist any suspicious activity, like trying to poison recursive caches in this manner.
I imagine that most home routers are extremely stupid and can't stop such things because they rely almost exclusively on the ISP's DNS servers to do their job and a flood of fake packets will not be picked up (this is, however, one of the reasons that I've always used "DMZ" or PPP half-bridge settings on ADSL routers to throw all external packets towards a real server rather than relying on some VxWorks firmware to handle IP-based attacks). But the servers? They *should* be filtering, cleansing and blacklisting packets even before you get into whether they have the most up-to-date patches, and a security fix to enhance the randomness of X etc.
It seems that the DNS servers are too trusting of "correct" packets that come as part of packet-floods of incoming data that is *obviously* false. DNS clients accepting data appearing to come from a trusted host is not nice, I agree, but recursive DNS servers should know better.
Or have I missed something incredibly obvious here?
I don't really care because my ISP wasn't vulnerable to this attack when I first tested it about 10 minutes after the first posting about its potential on the blog, and I'm pretty sure that they wouldn't have had any more advanced warning than anyone else.
Having said that, the DNS servers provided by LGfL's broadband supplier are, apparently, vulnerable. (London Grid for Learning, a London-wide schools extranet that virtually every London school, of which there are hundreds, use for their Internet connection, DNS servers, content filtering, etc. as well as their external content host). But, knowing LGfL and the way UK IT operations that are in any way involved with government work, that's not surprising at all.
http://digitalconsumption.com/forum/634-DNS-Bug-Leak
"If DNSSEC is such ajoke, then how do you explain it being the standard? Or do you propose that the IETF is a joke also?"
Please, DJB and others have written extensively on how the DNS related RFCs are pushed through by a bunch of BIND supporters and how poorly thought out and product-centricly they have been written. DNS SEC RFCs are primary examples, how many times are they going to put out new DNS SEC standards after they are shown to be deeply flawed? Let's stop going down the DNS SEC road to satisfy Paul's ego and start from a clean slate. He and his succubuses have been proven wrong on dns security issues time and times again by the guys they have fought a PR war against - DJB and others.
Nothing would wound Paul's ego more than to list the ways in which DJB has been shown to be right and he has shown to be wrong over the years.
Even on an issue as seemingly obvious as running an auth and a caching dns server as separate processes, the ISC related attack dogs hounded DJB relentlessly until Nominum said "the performance of BIND 9 (which we at Nominum wrote, BTW) sucks. So our server that we wrote after learning from our mistakes that we made on BIND 9, uses a separate process for auth and caching dns servers, just like DJB did all those years ago."
http://home.cc.umanitoba.ca/~altemey/
RFC3833, available here:
http://www.ietf.org/rfc/rfc3833.txt
is a threat analysis of the DNS system, and disclosed this vulnerability in 2004 (in section 2.2).
Dan J. Bernstein alerted the DNS community to this in 2001:
http://cr.yp.to/djbdns/forgery-cost.txt
http://cr.yp.to/djbdns/forgery.html
So why all the fuss on who said what and when last week? This is very old news.
Here is the blog post:
0.
The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.
1.
Pretend for the moment that you know only the basic function of DNS â" that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.
Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bob's unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice â" once when he is called to the counter to place his order and again when he's called back to get his sandwich. If you're wondering, Bob likes ham on rye with no onions.
If you've got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. It's called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.
2.
Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.
First, QIDs.
Bob's a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory would like the answer to be 6.6.6.0.
It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If I'm Mallory and I'm attacking Bob, how can he distinguish my packets from Alice's? Because I can't see the QID in his request, and the QID in my response won't match. The QID is the only thing protecting the DNS from Mallory (me).
QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, here's a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded â"- until Mallory gets Bob to query for WWW.VICTIM.COM. If Mallory's response gets to your computer before the legitimate response arrives from your ISP's name server, you will be redirected where Mallory tells you you're going.
Obvious fix: you want the QID be randomly generated. Now Alice and Mallory are in a race. Alice sees Bob's request and knows the QID. Mallory has to guess it. The first one to land a packet with the correct QID wins. Randomized QIDs give Alice a big advantage in this race.
But there's a bunch more problems here:
*
If you convince Bob to ask Alice the same question 1000 times all at once, and Bob uses a different QID for each packet, you made the race 1000 times easier for Mallory to win.
*
If Bob uses a crappy random number generator, Mallory can get Bob to ask for names she controls, like WWW.EVIL.COM, and watch how the QIDs bounce around; eventually, she'll break the RNG and be able to predict its outputs.
*
16 bits just isn't big enough to provide real security at the traffic rates we deal with in 2008.
Your computer's resolver is probably a stub. Which means it won't r
Frankly, we should just do away with the subject line entirely. They generally just get filled with "Re:Re:Re:Re:Unoriginal First comment" anyways. It serves no purpose in a system like slashdot's, and causes things like the above.
While it does seem that most people don't bother with the subject line, that's not everyone.
http://it.slashdot.org/~DragonHawk/
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
if a DNS server/client is being sent lots of spoof reponses, how long until they are picked up by a filter and blacklisted, tarpit'd or similar at the ISP end?
DNS is UDP, these attacks assume a spoofed source address. So the responses are relatively hard to distinguish from legitimate responses. You could do deep packet inspection to try and recognize an attack heuristically, but that would be rather demanding from a CPU/memory standpoint. Keep in mind that big, busy caching resolvers can be answering tens of thousands of queries per second.
Blocking closer to the spoofing source sounds like it might work. But that didn't work for the spam problem. I don't expect it would work any better for this.
Throw in a bot net, and it becomes hard to isolate the source.
I don't see this as a trivial problem.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
lied about BIND8 and BIND9's complete rewrites,
Got a source I can check? (Or, to use the Wikipedia flavor, "Citation needed".)
I'm honestly curious.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
0.
The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.
1.
Pretend for the moment that you know only the basic function of DNS â" that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.
Bob goes to to a deli, to get a sandwich. Bob walks up to the counter, takes a pointy ticket from a round red dispenser. The ticket has a number on it. This will be Bobâ(TM)s unique identifier for his sandwich acquisition transaction. Note that the number will probably be used twice â" once when he is called to the counter to place his order and again when heâ(TM)s called back to get his sandwich. If youâ(TM)re wondering, Bob likes ham on rye with no onions.
If youâ(TM)ve got this, you have the concept of transaction IDs, which are numbers assigned to keep different transactions in order. Conveniently, the first sixteen bits of a DNS packet is just such a unique identifier. Itâ(TM)s called a query id (QID). And with the efficiency of the deli, the QID is used for multiple transactions.
2.
Until very recently, there were two basic classes of DNS vulnerabilities. One of them involves mucking about with the QID in DNS packets and the other requires you to know the Deep Magic.
First, QIDs.
Bobâ(TM)s a resolver and Alice is a content DNS server. Bob asks Alice for the address of WWW.VICTIM.COM. The answer is 1.2.3.4. Mallory would like the answer to be 6.6.6.0.
It is a (now not) secret shame of mine that for a great deal of my career, creating and sending packets was, to me, Deep Magic. Then it became part of my job, and I learned that it is surprisingly trivial. So put aside the idea that forging IP packets is the hard part of poisoning DNS. If Iâ(TM)m Mallory and Iâ(TM)m attacking Bob, how can he distinguish my packets from Aliceâ(TM)s? Because I canâ(TM)t see the QID in his request, and the QID in my response wonâ(TM)t match. The QID is the only thing protecting the DNS from Mallory (me).
QID attacks began in the olden days, when BIND simply incremented the QID with every query response. If you can remember 1995, hereâ(TM)s a workable DNS attack. Think fast: 9372 + 1. Did you get 9372, or even miss and get 9373? You win, Alice loses. Mallory sends a constant stream of DNS responses for WWW.VICTIM.COM. All are quietly discarded â"- until Mallory gets Bob to query for WWW.VICTIM.COM. If Malloryâ(TM)s response gets to your computer before the legitimate response arrives from your ISPâ(TM)s name server, you will be redirected where Mallory tells you youâ(TM)re going.
Obvious fix: you want the QID be randomly generated. Now Alice and Mallory are in a race. Alice sees Bobâ(TM)s request and knows the QID. Mallory has to guess it. The first one to land a packet with the correct QID wins. Randomized QIDs give Alice a big advantage in this race.
But thereâ(TM)s a bunch more problems here:
*
If you convince Bob to ask Alice the same question 1000 times all at once, and Bob uses a different QID for each packet, you made the race 1000 times easier for Mallory to win.
*
If Bob uses a crappy random number generator, Mallory can get Bob to ask for names she controls, like WWW.EVIL.COM, and watch how the QIDs bounce around; eventually, sheâ(TM)ll break the RNG and be able to predict its outputs.
*
16 bits just isnâ(TM)t big enough to provide real security at the traffi
Also anoying: people who don't use the signature facility and instead sign their messages manually so that others have no choice but to read them.
That's not a signature, it's a referral to evidence supporting my argument.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
So, I have a feeling like most people, I've heard of DNS, I know mostly what it does, but have no idea via what mechanism it does it. Could someone explain how bad this is? Normally, I treat claims like "DNS is broken" as being sensationalist. So far, slashdot seems to resolve. :) Should I be worried as a client that my queries are being answered by non-authoritative and possibly malicious servers? Can I drop another set of IPs into my /etc/resolv.conf and not have to worry?
Help me slashdot! You're my only hope.
I may be boned.
That said, not an awful lot of people even have RPF deployed. Certainly nowhere near 100%. And it only takes one (or a handful of machines) that can forge UDP source addresses for this to be an issue.
Since those who don't have it deployed might not know what it is, some linkage to get them started.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
So did anyone write a tool to quickly test a DNS server for this vulnerability?
I mean, by actually performing the attack, with sending random queries and flooding it with forged replies until it gives us a poisoned result?
I'd like to, ehhh, test my servers whether I've got them properly patched. Yup, test my servers, that's all.
If I understand the attack correctly, this time (against best practices) it would actually be beneficial to have the caching recursive resolver and an authoritative nameserver for your company's zones on the same machine, right?
Because this way at least the attacker couldn't fake the answers for company's zones to company's internal clients, because those answers wouldn't be cached, only served directly from zone files. The chance of successful attack is on those zones gets back to being defined by the QID and source port randomization of the client's stub - which is quite low. Am I correct?
You might find my notes useful.
http://www.topology.org/linux/bind_bigbug.html
Completely rewriting your code base is generally considered bad.
It is certainly bad if a rewrite is considered necessarily. That either means the code was so poorly written/maintained that it has become an unsalvageable mess, or that programmer understanding is so bad that a rewrite is needed just to grok things. Either way, it is basically a worst-case situation for the code base. But if that situation really has come to pass, then the fact that it's bad doesn't change the fact that it *is*. Kind of like major surgery; nobody really *wants* to have to have it, but if that's what's needed to fix a problem, better to do it.
I can't really speak to whether the BIND 8 rewrite was warranted or not. I saw some of the BIND 8 code back in the day, and it certainly seemed confusing, but I didn't take the time to understand it, so that might have been me. (I have the same reaction looking at the djbdns code.) The fact that BIND 9 has such a better track record when it comes to exploitable code bugs is suggestive, but not conclusive.
I can say that many of the exploitable bugs in BIND 8 appear to be fairly unremarkable code bugs (buffer overflows and the like). Best practices like chroot and least-privilege will help mitigate such -- keeping them from compromising the rest of the system -- but they won't eliminate them. If you're running a production nameserver, even a simple crash is a big problem. So I can't agree that the counter-measures you suggest would have been effective for BIND 8.
As for the rest of what you've posted... it's prolly best if we just agree to disagree. I doubt either of us is much interested in debating those issues with each other.
Thanks for taking the time to reply.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
http://64.233.169.104/search?q=cache:vLwnQT2-RMIJ:www.matasano.com/log/1103/reliable-dns-forgery-in-2008-kaminskys-discovery/+matasano+%22reliable+DNS+forgery+in+2008%22&hl=pt-BR&ct=clnk&cd=1&gl=uk
please read the source code of bind9 and the patch! u will understand it what the hell is going on! lol... FYI, attack tools already widely available :) it jz matter of time when they going to hijack u... :P
Not really. That's been around for a long time, and was pretty much solved once people stopped using RS.INTERNIC.NET for WHOIS. Unfortunately, the non-assimilated WHOIS we have to put up with for most of the gTLDs today sucks.
As a member of LGBT, I always put my eyes on any issure about LGBT. This one is not an exception. I also talke aobut it with my biseuxal friends at http://Bimingle.com to know more details about it. Hopefully, more information can be published in time.