DNS spoofing vulnerability
cbuxton at menandmice.com
Tue Jul 22 10:41:21 PDT 2008
Now that the details of the attack have been leaked (yesterday), I can
say that stub resolvers are not the focus of this attack. The
potential attack is a fully automated, drive-by attack using brute
force methods to crack the transaction ID field (a 16-bit random
number). In around 5 seconds (varies by bandwidth), any vulnerable
resolving name server can have its cache poisoned. There is no real
time window limit on the attack - if you have less bandwidth, the
attack will take longer (maybe 30 seconds) but it will still succeed.
To trigger the attack, an unsuspecting user simply visits a hacked web
page (for example, any Facebook page, or recently, the website of the
University of California at Irvine). This loads a very small
the attack. It needs the help of a special outside DNS server, but
this is not at all difficult to set up. The targeted resolving name
server - the resolver used by the web browser - will see roughly 10 MB
of extraneous traffic.
The result is a pharming attack, in which the criminals stage a
man-in-the-middle attack on an online banking site, or any other website they
choose in order to steal usernames, passwords, etc. It can even be
used against email delivery. From the pharming attack, the attackers
can potentially start emptying bank accounts, stealing identities, etc.
If you operate your own DNS caching resolver, and if it is based on
BIND, CNS, Microsoft DNS, or the Cisco DNS resolver, it is your
responsibility to make sure your server is secure.
However, if you use someone else's resolver, and they don't fix it,
you are at risk. For example, my home ISP, Comcast, doesn't seem to
think they have to do anything. My father's ISP, AT&T, is still
vulnerable as well.
** Test **
Visit this web page:
Click on the Test My DNS button and wait for the test to complete - it
may take a minute or two. If the results are anything less than "Good"
on the source port randomization test, you need to fix something.
** Quick Fix **
Go to http://www.opendns.com/, click on the Get Started button, and
follow instructions. Their resolvers use very good source port
** Long Term Fix **
The only long term fix is DNSSEC. Source port randomization buys us a
few years at best - the effective cypher length is doubled from 16
bits to 32. Do you feel secure knowing your Internet experience is
protected from a pharming attack by even a 32 bit cypher? I didn't
DNSSEC increases the cypher length to an arbitrary length. The
implementation now in use commonly uses 1024 bits or more.
Men & Mice
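The post puts the defence in terms of bit length: 16 bits of transaction ID alone, roughly 32 bits once the source port is randomized too, and far more with DNSSEC. The Python below is an added example, not part of the original message and not Men & Mice's code. It estimates the forged traffic and elapsed time an off-path guesser needs at each entropy level, and classifies a sample of a resolver's observed outgoing source ports (constructed values standing in for a packet capture) the way the "Test My DNS" page in the post grades source port randomization. The 160-byte forged-response size and the bandwidth figures are assumptions, chosen so the 16-bit case lands near the ~10 MB / ~5 s figures in the text.

```python
"""Cost of guessing a DNS response, 16-bit TXID vs TXID plus random source port.

Added example illustrating the mailing-list post; figures marked "assumed"
are constructed and not taken from the post beyond the ~10 MB / ~5 s claim.
"""
import math
from typing import Iterable, List

# Assumed size of one spoofed UDP response carrying a forged answer.
# 65536 * 160 bytes = 10 MiB, matching the post's "roughly 10 MB".
FORGED_RESPONSE_BYTES = 160


def success_probability(unpredictable_bits: int, forged_responses: int) -> float:
    """Probability that at least one of `forged_responses` independent guesses
    matches the resolver's outstanding query.  `unpredictable_bits` is what an
    off-path attacker must guess: 16 for the TXID alone, about 32 for TXID plus
    a randomized source port."""
    miss_per_guess = 1.0 - 2.0 ** -unpredictable_bits
    return 1.0 - miss_per_guess ** forged_responses


def expected_forged_responses(unpredictable_bits: int) -> int:
    """Expected guesses before one matches: 2^bits for uniform, independent guesses."""
    return 2 ** unpredictable_bits


def expected_traffic_bytes(unpredictable_bits: int,
                           packet_bytes: int = FORGED_RESPONSE_BYTES) -> int:
    """Expected bytes of forged traffic the resolver sees before poisoning succeeds."""
    return expected_forged_responses(unpredictable_bits) * packet_bytes


def expected_time_seconds(unpredictable_bits: int, bandwidth_bytes_per_sec: float,
                          packet_bytes: int = FORGED_RESPONSE_BYTES) -> float:
    """Expected wall-clock time at a given attacker-to-resolver bandwidth.
    Bandwidth only stretches the time, it does not make the attack fail."""
    return expected_traffic_bytes(unpredictable_bits, packet_bytes) / bandwidth_bytes_per_sec


def classify_source_ports(ports: Iterable[int]) -> str:
    """Grade a resolver's outgoing source ports from a batch of observed queries.

    'fixed'      : every query left from one port (e.g. always 53)
    'sequential' : ports increase by one per query (trivially predictable)
    'randomized' : anything else (the only grade that adds entropy to the TXID)
    """
    observed: List[int] = list(ports)
    if len(observed) < 2:
        raise ValueError("need at least two observed queries to classify")
    if len(set(observed)) == 1:
        return "fixed"
    if {b - a for a, b in zip(observed, observed[1:])} == {1}:
        return "sequential"
    return "randomized"


def observed_port_bits(ports: Iterable[int]) -> float:
    """Lower bound on source-port entropy from a sample: log2 of distinct ports.
    A small capture can never show more than log2(sample size), so treat this
    as a sanity check, not a measurement of the full ~16-bit ephemeral range."""
    return math.log2(len(set(ports)))


if __name__ == "__main__":
    # Assumed attacker bandwidths: 20 Mbit/s and 4 Mbit/s, in bytes per second.
    for bandwidth in (2_500_000, 500_000):
        for bits in (16, 32):
            print(f"{bits:2d} bits @ {bandwidth * 8 / 1e6:4.0f} Mbit/s: "
                  f"{expected_traffic_bytes(bits) / 2**20:14.1f} MiB, "
                  f"{expected_time_seconds(bits, bandwidth):14.1f} s, "
                  f"P(success after 65536 forgeries) = {success_probability(bits, 65536):.6f}")

    # Constructed port samples, as one might read them out of a capture.
    samples = {
        "always port 53": [53] * 8,
        "counter": list(range(32768, 32776)),
        "random": [40913, 7221, 60034, 19888, 33002, 51476, 2290, 45107],
    }
    for label, ports in samples.items():
        print(f"{label:14s}: {classify_source_ports(ports):10s} "
              f"(>= {observed_port_bits(ports):.1f} bits seen)")
```

The 16-bit row reproduces the post's order of magnitude (10 MiB, a few seconds at 20 Mbit/s, about 40 s at 4 Mbit/s), while the 32-bit row runs to hundreds of gigabytes for the same success probability, which is what "buys us a few years" means in practice: a larger guess space raises the cost but never makes a correct guess impossible, which is the argument for DNSSEC's cryptographic check instead.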