Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Backstory of the Kaminsky Bug

Posted by kdawson on from the no-good-deed-goes-unpunished dept.

Ant recommends a Wired piece on the background story of the Kaminsky DNS bug and its (temporary) resolution, decreasing the odds of a successful breach from 1 in 2^16 to 1 in 2^32. We've discussed this uber-hole a number of times. Wired follows the story arc from before Kaminsky's discovery of the bug to his public presentation of it in Las Vegas.

3 of 122 comments (clear)

  1. Re:Do I not understand? by cencithomas · · Score: 3, Informative

    Basically right. The attacker forces a cache miss by using a bogus subdomain.example.com that is guaranteed not to exist in the ISP's DNS cache, and then tries to get his own response in before the real response comes in. If he succeeds, the the ISP will cache his spoofed packets as real, and his packets will include new NS1.example.com server IP info, causing the ISP to automatically go to his servers for any future request for example.com. He puts a TTL field with a super-long expiration date and voila! The cache doesn't expire and the ISP won't be asking for new DNS updates for that domain.

    --
    ...'tis easier to blame than to improve.
  2. Re:Do I not understand? by ArsenneLupin · · Score: 4, Informative

    So, uh... why not just turn off caching of everything besides the *ACTUAL* request?

    Actually, as far as I understood, the attack is making the information "appear" to be relevant. For instance, DNS may contain aliases (CNAMEs) that do not directly resolve in an IP address, but rather into another name.

    So, www.yourcompany.com may point to houdini.yourcompany.com, which itself resolves into 137.142.13.14.

    When a client queries for www.yourcompany.com, the DNS server not only answers that query, but "helpfully" supplies the second leg, in order to save one round-trip.

    Same thing with NS queries.

    So, all the perp has to do is have nothere.domain.com pretend to be a CNAME for www.domain.com, and "helpfully" supply a mapping from www.domain.com to an IP under your control. Because the "unsolicited" mapping appears to be relevant, the client DNS server will cache it.

  3. Powerpoint by mr100percent · · Score: 4, Informative

    Here's Kaminsky's powerpoint given at the Black Hat conference. (106 slides but thorough) This Wired article and the powerpoint is enough to make me panic. He literally broke the internet; unlock any website and spoof any logs. Now I see why there was so much panic in the article.