Slashdot Mirror
Attack Code Published For DNS Vulnerability
get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisioning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."
This has to be the worst time ever to be a web surfer.
Ummm... No. Today I can easily surf the 'net with just about every ad blocked, have Flash blocked when I want it to, but re-enable it for say, YouTube, all at the click of a mouse. I can use an OS and browser that is free and open source. I can surf 100% anonymously easily. I can download every video game I played as a child in less than an hour. And I can hear just about any song I ever would want to hear in less than a minute.
Sure, some things suck today, BT throttling, the ISP's "No-Usenet" crusades, but all in all, it is a better time than the very early 2000s or the late 90s.
Taxation is legalized theft, no more, no less.
Um... even if you run your own caching server, if your ISP runs a "transparent" web proxy it will do its own dns. You may in fact run DJB which is immune from this bug, but if your ISP runs an unpatched dns server you'll still be scrod despite running your own caching server.
Slick huh?
They need to take the dns lookup out of the web proxies.
Need Mercedes parts ?
Congratulations, you confused the mods. Bailiwick checking was added to all DNS resolvers in response to glue poisoning and made cache poisoning through spoofed glue records very difficult. The current problem is that the typical filter rules are insufficient for stopping a glue poisoning attack which appears to come from the authoritative server: Kaminsky found a way around the glue poisoning countermeasure. This means that a very dangerous kind of attack which was thought to be defeated is now possible again.
Yes, there was. Before there was bailiwick filtering, spoofing was even easier. Back in the days, DNS servers would even accept "responses" with bogus data out of the blue. We've come a long way and we don't stop here. A patch of bad weather is ahead, but the sky is not falling.
This attack vector has been around for /years/. Just look at the list of affected systems. Some friends and I had stumbled on this a few years ago (yes, and the fact that you can insert yourself as an authoritative nameserver for that domain,) but we figured it was so obvious that it didn't need to be announced. That coupled with the fact that phishing wasn't really as popular back then. But now that the cat is out of the bag, as it were, you definitely want to patch your machines if they have not been. This is mostly dangerous to people who use Nameservers of large ISPs (which admittedly is a large portion of the internet userbase.)
I guess this is just a wake up call that if you find such large flaws in network systems that could possibly affect millions, if not billions of users, that you should try to get the word out and get the products fixed beforehand.
They need to take the dns lookup out of the web proxies.
The problem with doing that would be that it would then be impossible (at least using current DNS software, as far as I know) to allow clients on an internal network to have limited internet access without allowing them to perform DNS tunneling (and thereby upgrade their internet access to "full").
Once someone (anyone?) releases a DNS package that allows firewall-style rules (e.g. "client on this range of IPs may only resolve subdomains of the following domains...", "clients may only look up X distinct subdomains each of Y domains every Z hours" then the picture would probably change.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman