Friday, August 29, 2008

Internet: Threat Level Red

Yesterday a Bessemer company rescued 42% of the internet...

As you probably read about in news coverage of the recent Black Hat conference, Dan Kaminsky brilliantly discovered a catstrophic vulnerability in the internet's Domain Name System (DNS). The vulnerability permits a hacker to "poison the cache" of DNS servers with incorrect IP addresses -- a phisher's dream come true. Even better for hackers, the vulnerability allows them to intercept email traffic so that they can collect our passwords simply by asking the bank's login screen to email forgotten passwords. They can fool Certificate Authorities into issuing them valid SSL certificates so they can spoof your bank with compelling authority. And lots of other nasties, too.

The Domain Name System is a distributed network of directories residing in programs like BIND and Nominum that respond to queries from network clients (browsers, email, VOIP...). By far the most common query is "What is the IP address of the domain name AAA.BBB ?" Thanks to DNS you can remember names ( instead of an address ( If your DNS server doesn't have the answer, it asks another DNS server, and then remembers the answer in its cache for some specified period of time before that record expires.

The "Kaminsky Attack" starts with a request for a DNS lookup and follows up with a message to your ISP's DNS server posing to be from an authoritative server. The fake message poisons the server's cache with an incorrect IP address, such as that of the hacker's fake Citibank web site. While cache posioning had been theorized before, it had always been an impractical attack, since the hacker never knew exactly when the DNS server would need to refresh an expired record. Kaminsky observed, however, that if a client asks a DNS server for the address of (a non-existent sub-domain of citibank that the DNS server doesn't have in its cache), the server will ask its authoritative server for the address, and get tricked into using that fake IP address for all variants of To spoof the authoritative server, the hacker's fake DNS message has to have the right transmission ID, but there are only 65,536 possibilities. Each time the hacker tries, she can probably send 200 different guesses before the real server can respond for real, so if you attack once every four seconds as Kaminsky tried doing, it takes an average of ten minutes to steal a domain.

Prior to announcing at Black Hat, Kaminsky worked responsibly, diligently and quietly with several vendors to prepare for the announcement. I'm familiar with the effort because one of my portfolio companies, Nominum, is among the teams who prepared for the announcement. Nominum's chief scientist Paul Mockapetris had in fact invented the Domain Name System, and the NY Times has recently reported that his company's industrial strength DNS software now serves 120 million broadband internet subscribers through nearly 100 ISPs. In his presentation to Black Hat, Kaminsky graciously called out Nominum for moving quickly to protect 42% of all broadband internet subscribers from exposure to the Kaminsky Attack.
The other 58% of the internet is not so fortunate. The vast majority of those DNS servers run the antiquated freeware called BIND. The International Software Consortium moved fast to patch BIND, but the patch is not very effective, mostly undeployed, and reportedly unstable. (On July 28 BIND's lead architect Paul Vixie issued an email bulletin warning of performance issues with the patch.)

The BIND security patch randomizes the port used to ask other servers for help, so the attacker has to guess the port as well as the transmission ID. But hackers do have, you know, computers that can make lots of fast guesses. So the patch simply extends the attack from minutes to hours - still pretty easy for the bad guys. Sure enough, John Markoff reported in the NY Times last week ("Leaks in Patch for Web Security Hole") that Russian physicist Evgeniy Polyakov broke the patched security in 10 hours. (You can run Polyakov's exploit yourself.)

In addition, most DNS servers live behind routers, firewalls and load balancers that run Network Address Translation, which converts the randomized into an orderly sequence. You don't have to be a Russian physicist to break that scheme.

Unfortunately, there's about an even chance that you're reading this from an ISP running BIND. Patched or not, you're exposed to pharming, and many carriers and enterprises lack the awareness or motivation to act. Indeed, I heard one CIO of a major brand name financial institution declare immunity from Kaminsky attacks because he has "three layers of firewalls," as if his firewalls block the DNS ports.

The good news is that yesterday Nominum announced a new release of their DNS server that layers on several new defenses on top of port randomization. For example, Nominum's server treats the flood of wrong guesses as an attack, so instead of waiting for a the right transmission ID and accepting the spoofer's poisonous payload, Nominum logs the IP address of the sender.

Here's how Dan Kaminsky reportedly responded to Nominum's announcement:

"Layered defenses in the DNS system are an effective way to address serious attack scenarios that aren't covered by UDP Source Port Randomization alone. As new DNS vulnerabilities are discovered, a layered approach such as Nominum's will help in ensuring ongoing Internet security."

Blogged with the Flock Browser

No comments:

Post a Comment