SANS ISC: DNS cache poisoning vulnerability details confirmed

A couple of the handlers tuned into the Black Hat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes...

Dan Kaminsky confirmed the details of the vulnerability. I think he wanted to save the details until Black Hat, but since they leaked and exploits have appeared in the last 24 hours, there doesn't seem to be much point in delaying any longer. Dan seemed to confirm that the leaked blog entry and the latest Metasploit module have identified the vulnerability correctly.

In Kaminsky's tests, he was able to poison a nameserver cache in about 5-10 seconds. The attacker forces the resolver to look up many random names under the target domain and races the real answer with a flood of forged replies, guessing the 16-bit transaction ID; a forged reply that wins carries authority and glue records for the domain's nameservers, and a vulnerable resolver caches those over the entries it already holds. This bug therefore allows the attacker to overwrite entries that are already in the cache.

Nameservers that are authoritative only are not vulnerable. But setting a high TTL on the hosts for which you are authoritative won't stop vulnerable resolvers from being poisoned: this attack bypasses the TTL protection on vulnerable resolvers, because every forged reply answers a query for a name that was not in the cache, and the glue it carries replaces the cached entry regardless of that entry's remaining TTL.
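To make the race and the TTL bypass concrete, here is an added toy model of the attack against a simplified recursive resolver. It is constructed for this note and is not code from the ISC, SANS, Kaminsky or the Metasploit module; the zone names, addresses, the fixed port 53211 and the burst of 1000 forged replies per query are assumptions chosen for the demonstration. The same resolver is run once with a fixed source port (pre-patch behaviour) and once with a random port per query (the patch), and only the transaction ID is ever guessed by the attacker.

```python
import random

# Added toy model of the Kaminsky cache-poisoning race. Constructed for
# illustration; names, addresses and burst sizes below are assumptions.

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
EPHEMERAL_PORTS = range(1024, 65536)
VICTIM_ZONE = "example.com"
TARGET_NAME = "ns1." + VICTIM_ZONE   # the glue record the attacker wants to own
LEGIT_ADDR = "192.0.2.53"
ATTACKER_ADDR = "203.0.113.66"


class ToyResolver:
    """Recursive resolver that accepts the first reply matching (name, port, txid)."""

    def __init__(self, randomize_port, rng):
        self.rng = rng
        self.randomize_port = randomize_port
        self.fixed_port = 53211      # pre-patch: one UDP socket reused for every query
        # cache: name -> (address, remaining TTL); the legitimate glue has a long TTL
        self.cache = {TARGET_NAME: (LEGIT_ADDR, 86400)}
        self.outstanding = None

    def send_query(self, qname):
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else self.fixed_port
        txid = self.rng.randrange(TXID_SPACE)
        self.outstanding = (qname, port, txid)
        return port, txid            # what the authoritative server being asked sees

    def receive(self, qname, port, txid, additional):
        """additional: glue records carried in the reply, name -> (addr, ttl)."""
        if self.outstanding != (qname, port, txid):
            return False             # wrong port or TXID: silently dropped
        # The vulnerable behaviour: in-bailiwick glue is cached and replaces the
        # existing entry; the old record's remaining TTL is never consulted.
        for name, record in additional.items():
            if name.endswith("." + VICTIM_ZONE):
                self.cache[name] = record
        self.outstanding = None
        return True


def run_attack(resolver, rng, forged_per_query=1000, max_queries=2000):
    """Return the number of queries needed to poison TARGET_NAME, or None."""
    # Step 1: learn the resolver's source port by making it query a zone the
    # attacker serves. Only useful if the resolver reuses that port.
    port, txid = resolver.send_query("probe.attacker.test")
    resolver.receive("probe.attacker.test", port, txid, {})
    observed_port = port

    forged_glue = {TARGET_NAME: (ATTACKER_ADDR, 86400)}
    for n in range(1, max_queries + 1):
        # Step 2: ask for a name nobody has cached, so a fresh query always goes out.
        qname = f"{rng.randrange(10**9)}.{VICTIM_ZONE}"
        resolver.send_query(qname)
        # Step 3: flood forged replies with distinct TXID guesses before the real
        # answer lands; each carries poisoned glue for ns1.
        for guess in rng.sample(range(TXID_SPACE), forged_per_query):
            if resolver.receive(qname, observed_port, guess, forged_glue):
                return n
        # The real answer (NXDOMAIN, no glue) arrives and closes this query.
        # Modelled here by reading the resolver's own state; the attacker never sees it.
        _, real_port, real_txid = resolver.outstanding
        resolver.receive(qname, real_port, real_txid, {})
    return None


def poisoned(resolver):
    return resolver.cache[TARGET_NAME][0] == ATTACKER_ADDR


if __name__ == "__main__":
    for randomize in (False, True):
        rng = random.Random(2008)
        r = ToyResolver(randomize, rng)
        n = run_attack(r, rng)
        print(f"random source port={randomize}: poisoned after {n} queries, "
              f"cache[{TARGET_NAME}]={r.cache[TARGET_NAME]}")
```

With a fixed port each random-name query gives the attacker a 1000/65536 chance, so a few dozen queries usually suffice and the long-TTL glue for ns1 is replaced anyway. With a fresh random port per query the attacker must also guess one of roughly 64,000 ports, and the same burst size gets nowhere within the query budget; that is the whole effect of the patch.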

DNS client libraries (the stub resolvers on workstations and servers that forward to upstream nameservers) need to be patched as well. The attack still works against a single unpatched host, but the priority should be your recursive (resolving) nameservers.

Home firewall/NAT devices are also proving to be a problem: many don't randomize the source port, rewriting the randomized port of outgoing queries to a predictable one and so undoing the fix on a patched resolver behind them.
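A quick way to check whether a resolver, or the NAT in front of it, actually sends randomized source ports is to capture its outbound queries (for example with `tcpdump -n -l udp dst port 53` on the resolver or on the NAT's outside interface) and look at the ports and transaction IDs. The checker below is an added example, not part of this diary or any ISC tool; the capture lines it parses are constructed, and the addresses and port values in them are invented to show the three cases: an unpatched resolver (one port, counting TXIDs), a patched one, and a patched one behind a NAT that hands out ports in order.

```python
import re

# Added check, constructed for this note. Parses tcpdump-style lines of outbound
# DNS queries and flags fixed or sequential source ports and sequential TXIDs.

# Constructed sample capture (addresses, ports and TXIDs are invented):
#   192.0.2.10    unpatched resolver: one source port, counting TXIDs
#   192.0.2.20    patched resolver: random port and TXID per query
#   198.51.100.7  NAT outside address in front of a patched resolver:
#                 TXIDs still random, but ports rewritten to 1025, 1026, ...
SAMPLE_CAPTURE = """\
13:37:00.000001 IP 192.0.2.10.53211 > 198.51.100.1.53: 4660+ A? www.example.com. (33)
13:37:00.010002 IP 192.0.2.10.53211 > 198.51.100.1.53: 4661+ A? mail.example.com. (34)
13:37:00.020003 IP 192.0.2.10.53211 > 198.51.100.1.53: 4662+ A? ftp.example.com. (33)
13:37:00.030004 IP 192.0.2.10.53211 > 198.51.100.1.53: 4663+ A? ns1.example.com. (33)
13:37:00.040005 IP 192.0.2.10.53211 > 198.51.100.1.53: 4664+ A? a.example.com. (31)
13:37:00.050006 IP 192.0.2.10.53211 > 198.51.100.1.53: 4665+ A? b.example.com. (31)
13:37:00.060007 IP 192.0.2.10.53211 > 198.51.100.1.53: 4666+ A? c.example.com. (31)
13:37:00.070008 IP 192.0.2.10.53211 > 198.51.100.1.53: 4667+ A? d.example.com. (31)
13:37:01.000001 IP 192.0.2.20.31523 > 198.51.100.1.53: 51732+ A? www.example.com. (33)
13:37:01.010002 IP 192.0.2.20.60017 > 198.51.100.1.53: 8091+ A? mail.example.com. (34)
13:37:01.020003 IP 192.0.2.20.5117 > 198.51.100.1.53: 61330+ A? ftp.example.com. (33)
13:37:01.030004 IP 192.0.2.20.41888 > 198.51.100.1.53: 27404+ A? ns1.example.com. (33)
13:37:01.040005 IP 192.0.2.20.19042 > 198.51.100.1.53: 1019+ A? a.example.com. (31)
13:37:01.050006 IP 192.0.2.20.55310 > 198.51.100.1.53: 44872+ A? b.example.com. (31)
13:37:01.060007 IP 192.0.2.20.2931 > 198.51.100.1.53: 15511+ A? c.example.com. (31)
13:37:01.070008 IP 192.0.2.20.47205 > 198.51.100.1.53: 36290+ A? d.example.com. (31)
13:37:02.000001 IP 198.51.100.7.1025 > 198.51.100.1.53: 29831+ A? www.example.com. (33)
13:37:02.010002 IP 198.51.100.7.1026 > 198.51.100.1.53: 6112+ A? mail.example.com. (34)
13:37:02.020003 IP 198.51.100.7.1027 > 198.51.100.1.53: 58760+ A? ftp.example.com. (33)
13:37:02.030004 IP 198.51.100.7.1028 > 198.51.100.1.53: 13949+ A? ns1.example.com. (33)
13:37:02.040005 IP 198.51.100.7.1029 > 198.51.100.1.53: 40277+ A? a.example.com. (31)
13:37:02.050006 IP 198.51.100.7.1030 > 198.51.100.1.53: 21568+ A? b.example.com. (31)
13:37:02.060007 IP 198.51.100.7.1031 > 198.51.100.1.53: 63004+ A? c.example.com. (31)
13:37:02.070008 IP 198.51.100.7.1032 > 198.51.100.1.53: 3375+ A? d.example.com. (31)
"""

# tcpdump prints "IP src.sport > dst.dport: txid<flags> <qtype>? <name>. (len)"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: (?P<txid>\d+)\S* "
)


def parse_queries(capture_text):
    """Return a list of (source address, source port, txid) for each query line."""
    queries = []
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            queries.append((m["src"], int(m["sport"]), int(m["txid"])))
    return queries


def _mostly_sequential(values, threshold=0.5):
    """True when at least `threshold` of consecutive differences are exactly +1."""
    deltas = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return bool(deltas) and deltas.count(1) / len(deltas) >= threshold


def assess(queries, min_samples=8):
    """Per source address: sample count, distinct ports, and a list of findings."""
    by_src = {}
    for src, sport, txid in queries:
        by_src.setdefault(src, []).append((sport, txid))
    report = {}
    for src, samples in by_src.items():
        if len(samples) < min_samples:
            continue                       # too few queries to judge
        ports = [p for p, _ in samples]
        txids = [t for _, t in samples]
        findings = []
        if len(set(ports)) == 1:
            findings.append(f"fixed source port {ports[0]}")
        elif _mostly_sequential(ports):
            findings.append("sequential source ports (NAT or resolver allocating in order)")
        if _mostly_sequential(txids):
            findings.append("sequential transaction IDs")
        report[src] = {"samples": len(samples),
                       "distinct_ports": len(set(ports)),
                       "findings": findings}
    return report


if __name__ == "__main__":
    for src, info in assess(parse_queries(SAMPLE_CAPTURE)).items():
        print(src, info["distinct_ports"], "ports,",
              ", ".join(info["findings"]) or "looks randomized")
```

Run it against a real capture by replacing the constructed text with the output of tcpdump. Anything flagged as fixed or sequential is what this diary is warning about: sequential ports from the NAT address mean the device has re-serialized the ports of a resolver that was itself patched. Eight queries is a small sample; for a production resolver feed it a few hundred lines.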

If I heard correctly, Joao Damas from ISC (Internet Systems Consortium, maintainers of BIND) reports that he has already seen attacks in the wild for this vulnerability.

Kyle