
The Summer 2008 DNS Vulnerability

The Summer 2008 DNS Vulnerability. Miles Strombach MS&T ACM SIGSEC September 3, 2008. Dan Kaminsky. Security researcher DoxPara.com – Vulnerability tester Paketto Keiretsu. History. CERT Advisory VU#800113 July 8th Go patch go patch go patch OMG go patch


Presentation Transcript


  1. The Summer 2008 DNS Vulnerability Miles Strombach MS&T ACM SIGSEC September 3, 2008

  2. Dan Kaminsky • Security researcher • DoxPara.com – Vulnerability tester • Paketto Keiretsu

  3. History • CERT Advisory VU#800113 • July 8th • Go patch go patch go patch OMG go patch • Details of vulnerability were not released • Patch did not lend itself to reverse engineerin’ • Details leaked • July 21st • Halvar Flake made guesses • Matasano released full details then pulled

  4. Explanation • Domain Name System • UDP:53 (typical) • Authentication • Port • 16-bit query ID (65535 values) • Query included in response • Bailiwick checking

  5. Standard Poisoning • Get query ID and port • Make request for name under your control • Sniff traffic • Make request for name you want • Send faked responses immediately • If you fail, wait for cache TTL to run out

  6. Dan’s Trick • Request random name in a domain • www.123123123.bank.com • Will force query • Send the server forged responses • Responses don’t offer answer • Give authority as your server, via glue • Try, try again

  7. The Patch • Many vendors worked with Dan to patch • Patch changes source port to be random • Still possible to guess • Microsoft implementation takes 2^11 times more packets

  8. Impact • Exploration into this type of attack • Some NAT setups break the patch • Lots of people still have not patched • 9 related articles on Slashdot in 4 weeks • HD Moore • First to release exploit code • BreakingPoint hijacked • One character patch

  9. Future • Can be combined with other attacks • DEBSSL + SNMPv3 + DNS + BGP • Solutions • Case sensitive queries • Attack mode • Server detects attack • Debounces • TCP • DNSSEC

  10. Questions

  11. Sources • http://it.slashdot.org/article.pl?sid=08/07/30/1242229 • http://www.doxpara.com/ • http://www.kb.cert.org/vuls/id/800113 • http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/ • http://www.schneier.com/blog/archives/2008/07/the_dns_vulnera.html • http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html • http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
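The response checks listed on slide 4 (port, query ID, question echoed in the response, bailiwick) together with the patch's random source port from slide 7 and the case-sensitive query idea from slide 9, written out as a resolver-side acceptance test. This is an added example, not part of the original presentation; the `Pending` record, the response dictionary layout and all addresses and names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    """State a resolver keeps for one outstanding query (constructed model)."""
    server_ip: str   # authoritative server the query was sent to
    src_port: int    # UDP source port, randomized per query (the 2008 patch)
    txid: int        # 16-bit query ID
    qname: str       # question name exactly as sent, mixed case preserved
    zone: str        # zone the queried server is authoritative for

def new_query(server_ip, qname, zone):
    # Randomize letter case so the echoed question carries extra unpredictability.
    mixed = "".join(c.upper() if secrets.randbits(1) else c.lower() for c in qname)
    return Pending(server_ip, 1024 + secrets.randbelow(64512),
                   secrets.randbelow(65536), mixed, zone.lower())

def in_bailiwick(name, zone):
    # A record is in bailiwick if its owner name is the zone or lies below it.
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept(p, resp):
    """Return (ok, reason, records_to_cache) for a response dictionary."""
    if resp["from_ip"] != p.server_ip:
        return False, "wrong source address", []
    if resp["dst_port"] != p.src_port:
        return False, "wrong port", []
    if resp["txid"] != p.txid:
        return False, "wrong query ID", []
    if resp["qname"] != p.qname:   # byte-exact compare, so letter case must match
        return False, "question mismatch", []
    # Cache only records whose owner name is inside the zone that was asked.
    kept = [r for r in resp["records"] if in_bailiwick(r[0], p.zone)]
    return True, "ok", kept
```

Every field compared here is something an off-path sender has to guess, so each independent random field multiplies the number of forged packets needed.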
