Patch for DNS flaw…
So it seems there is a flaw in the DNS protocol that is being patched by everyone on the internet at the moment. Microsoft released a patch for their server and client implementations of the DNS protocol as well as numerous others. I guess attacks using this vulnerability are starting to surface on the internet now. Basically the attacker can redirect requests using DNS to look up the host address by poisoning the cache on clients and servers.
From the BBC:
http://news.bbc.co.uk/2/hi/technology/7525206.stm
Attack code that exploits flaws in the net’s addressing system are starting to circulate online, say security experts.
The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.
In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.
Net security groups say there is anecdotal evidence that small scale attacks are already happening.
It’s recommended that everyone gets the latest patches not only for their servers, but their desktops too. That means all home users etc. If you are vulnerable to this exploit you could potentially be redirected to fake sites for financial institutions etc and have usernames and passwords stolen by attackers.
Here’s the US Cert notification:
http://www.kb.cert.org/vuls/id/800113
The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning. The following are examples of these deficiencies and defects:
- Insufficient transaction ID space
The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations. Amit Klein researched several affected implementations in 2007. These vulnerabilities are described in the following vulnerability notes:
- Multiple outstanding requests
Some implementations of DNS services contain a vulnerability in which multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR. This condition leads to the feasibility of a ‘birthday attack,’ which significantly raises an attacker’s chance of success. This problem was previously described in VU#457875. A number of vendors and implementations have already added mitigations to address this issue.- Fixed source port for generating queries
Some current implementations allocate an arbitrary port at startup (sometimes selected at random) and reuse this source port for all outgoing queries. In some implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp.
Leave a Reply