DNS spoofing vulnerability

Chris Buxton cbuxton at menandmice.com
Tue Jul 22 10:41:21 PDT 2008

Hash: SHA1

Now that the details of the attack have been leaked (yesterday), I can  
say that stub resolvers are not the focus of this attack. The  
potential attack is a fully automated, drive-by attack using brute  
force methods to crack the transaction ID field (a 16-bit random  
number). In around 5 seconds (varies by bandwidth), any vulnerable  
resolving name server can have its cache poisoned. There is no real  
time window limit on the attack - if you have less bandwidth, the  
attack will take longer (maybe 30 seconds) but it will still succeed.

To trigger the attack, an unsuspecting user simply visits a hacked web  
page (for example, any Facebook page, or recently, the website of the  
University of California at Irvine). This loads a very small  
JavaScript into the user's browser, which then sets about conducting  
the attack. It needs the help of a special outside DNS server, but  
this is not at all difficult to set up. The targeted resolving name  
server - the resolver used by the web browser - will see roughly 10 MB  
of extraneous traffic.

The result is a pharming attack, in which the criminals stage a man-in- 
the-middle attack on an online banking site, or any other website they  
choose in order to steal usernames, passwords, etc. It can even be  
used against email delivery. From the pharming attack, the attackers  
can potential start emptying bank accounts, stealing identities, etc.

If you operate your own DNS caching resolver, and if it is based on  
BIND, CNS, Microsoft DNS, or the Cisco DNS resolver, it is your  
responsibility to make sure your server is secure.

However, if you use someone else's resolver, and they don't fix it,  
you are at risk. For example, my home ISP, Comcast, doesn't seem to  
think they have to do anything. My father's ISP, AT&T, is still  
vulnerable as well.

** Test **

Visit this web page:

Click on the Test My DNS button and wait for the test to complete - it  
may take a minute or two. If the results are anything less than "Good"  
on the source port randomization test, you need to fix something.

** Quick Fix **

Go to http://www.opendns.com/, click on the Get Started button, and  
follow instructions. Their resolvers use very good source port  

** Long Term Fix **

The only long term fix is DNSSEC. Source port randomization buys us a  
few years at best - the effective cypher length is doubled from 16  
bits to 32. Do you feel secure knowing your Internet experience is  
protected from a pharming attack by even a 32 bit cypher? I didn't  
think so.

DNSSEC increases the cypher length to an arbitrary length. The  
implementation now in use commonly uses 1024 bits or more.

Chris Buxton
Professional Services
Men & Mice

Version: GnuPG v1.4.8 (Darwin)


More information about the hlfs-dev mailing list