Domain name and shame tactics

The Domain Name System (DNS) is the Internet’s phone book, allowing people to remember, for example, rather than an IP address. Indeed, the creation of this vast look-up table contributed hugely towards the widespread adoption of the Internet outside its original circle of academic users and enthusiasts.

But that well-ordered world was thrown into confusion last month when a vulnerability that opened up the possibility of outsiders gaining control over parts of the DNS phone book came to light at the notorious Black Hat security conference in Las Vegas.

Dan Kaminsky, director of penetration testing for security services company IOActive who had discovered the vulnerability some weeks earlier, had delayed revealing the specifics until the conference in order to encourage the owners of DNS servers to patch their systems. But when he did, it was standing room only at the conference – even Kaminsky’s grandmother was in the audience.

The vulnerability took advantage of ‘cache poisoning’, whereby a legitimate address in the DNS cache server at an ISP (or a large company) is replaced with a counterfeit address capable of redirecting millions of unsuspecting surfers to rogue sites. Cache servers essentially serve as traffic control, preventing the Internet’s authoritative DNS servers from being overrun with repeat requests.

Poisoning addresses in the DNS cache server of a large ISP is a potential gold mine for phishers (especially those targeting online banking), and also for mischief-makers targeting popular sites such as Google and Microsoft. Businesses have had traffic aimed at their websites redirected to a different set of pages – often pages filled with advertising or part of a phishing scam. As a result, they have suffered damage to their reputations through no fault of their own.

DNS servers also store lists of email servers, and poisoning these addresses allows attackers to intercept mail or even replace legitimate attachments with malicious files.

Dr Paul Mockapetris, who in conjunction with Jon Postel invented the DNS system at the University of Southern California in 1983, says that once he’d heard a few leaked details he had narrowed the vulnerability down to several potential exploits.

The concept of cache poisoning arose as long ago as 1988 during a class he held on DNS. “People figured out a way to send stuff to DNS servers, but [back then] they were mostly professors at universities,” he says. The clever exploit that Kaminsky had discovered, he explains, “was a way to attack a server continually”.

“With the old way, you had to guess a 16-bit value – one chance in 64,000 – and then you had to wait, because there was only a small window in which the server would listen. But Dan figured out how to pick values that [the servers] knew not to exist, keep it listening, take a bunch of shots at it and poison the data.”

By the time Kaminsky appeared at the Black Hat conference, a sizeable proportion of Internet users had their DNS cache servers patched. ‘UDP source port randomisation’ was a quick fix that took that one in 64,000 chance up to one in four billion.

Mockapetris is critical of Kaminsky for his “theatrics”, but concedes that “he needed to attract attention”.

“I would have done things differently [and] been more circumspect. Dan had a bunch of not-so-good choices he had to pick from.”

Network naming and addressing technology provider Nominum, of which Mockapetris is chief scientist and chairman, worked with its carrier and Internet service provider customers to protect about half the Internet’s users from the vulnerability Kaminsky outlined.

But while they were able to apply them quickly, Mockapetris remains doubtful that the source port randomisation (SPR) protections are enough to prevent a determined attacker.

“Just relying on a brute force [defence] is not enough. A gigabit network is common in many enterprises, and two servers mounting an attack on one could probably crack [the protections] in under 10 hours,” he explains. “It is also easier to poison a name server in countries like Korea, where they have speeds around 100Mbps.”

Indeed, a day after the Black Hat event a group of security researchers claimed to have defeated the SPR protections using a brute force attack, albeit over a rare (and expensive) 10 gigabit connection.

Suspecting that ‘good enough’ protection might not go down well with many enterprises, and perhaps noticing a market opportunity, Nominum released a new version of its Vantio DNS server platform that negates the chance of a brute force attack. As with anything deep in the guts of the Internet, the specifics are highly technical, “but if I know I’m under attack I can increase my level of suspicion,” Mockapetris says, by way of explanation.

For most Internet users, the problem has been resolved at an ISP level. But that doesn’t stop Mockapetris from lamenting how different things are from when he came up “with just the first floor” of the DNS architecture.

“In 25 years I’ve never spent that much time thinking how to attack the system. In the old days you would give anyone access – now you have to worry about things like denial of service attacks. The population of the net has changed,” he says.

“I think it will take a while for people who like to attack systems to get bored with this one,” he adds sadly.

Find more stories in the Security & Continuity Briefing Room

Related Topics