Paul Mockapetris, inventor of the Internet's Domain Name System architecture, has some advice for those in any doubt about the seriousness of a weakness in the DNS protocol that was disclosed yesterday: Patch your DNS servers right now.
The vulnerability and the attack it enables are among the most dangerous to have been discovered in the DNS protocol so far, Mockapetris said in an interview with Computerworld Wednesday morning.
"It's absolutely critical for IT managers to upgrade their software. They want to make very sure that the caching servers on their perimeters are up to snuff," Mockapetris said. In addition, they need to also ensure that client devices such as DSL modems that might have DNS software embedded in them are properly patched. "The time to fix is now. The clock is ticking," before exploits against the flaw become widely available, he said.
The so-called DNS cache-poisoning flaw was discovered by Dan Kaminsky, a researcher at security firm IOActive Inc. earlier this year. The vulnerability gives malicious attackers a way to very quickly redirect Web traffic and e-mails to systems under their control. Virtually every domain name server that resolves IP addresses on the Internet is vulnerable to the flaw, as are client devices with embedded DNS software.
According to Kaminsky's description of the problem, the weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. The vulnerability essentially allows an attacker to poison a DNS server cache by injecting forged data into it.
The flaw exists at the DNS protocol level and affects numerous products from multiple vendors. The U.S. Computer Emergency Readiness Team (US-CERT), which was among the first to be informed about the problem when Kaminsky discovered it, yesterday issued an advisory describing the issue and listing over 80 vendors whose products are affected by the vulnerability. Several of those firms, including Microsoft Corp., Cisco Systems Inc., Sun Microsystems Inc., Red Hat Inc. and Nominum Inc., simultaneously released patches Wednesday.
According to Mockapetris, the kind of DNS cache-poisoning exploit discovered by Kaminsky is not particularly new in concept; it essentially works by trying to correctly guess DNS packet identifiers. What makes Kaminsky's exploit lethal is that it is far more effective at doing this than anything else before. "He has figured out a way to make the attacks much more dangerous. Someone using this technique can poison a caching server in about 10 to 20 minutes," depending on the kind of bandwidth that is available, Mockapetris said.
Mockapetris added that the software patches issued by the vendors yesterday are aimed at blunting the efficacy of Kaminsky's exploit by making it much harder to guess at the packet identifiers. Even so, he cautioned, with Kaminsky scheduled to make details of his exploit publicly available at the upcoming Black Hat security convention, expect to see concerted efforts by many to use the technique to break into DNS name servers, said Mockapetris. Internet service providers are likely to be among the juicier targets, since a compromise of one of their DNS servers will likely have a far broader impact than an attack targeted at a corporate server.