DefCON's DNS, OpenDNS and DotCON's Nisemono

A larger than life, but little known and little understood Internet security flaw gets coverage (again!). We keep wondering about OpenDNS and mention the Nisemono contest, since DefCON and DotCON sound soooo similar :) It is hard to believe that certain vulnerabilities so pervasive and so fundamental have persisted for such a long time unpatched. Yet this is the reality Dan Kaminsky (A), a security researcher, has been trying to change.

What is DNS?

DNS is the 411 of the Internet: the system that lets websites be called by names we can remember (such as) and translates those names into the numerical IP addresses that computers actually use (such as). It turns out that there are numerous ways for a malicious attacker to hijack such addresses and divert requests to bogus websites, allowing them to steal passwords and sensitive data. Because of their technical nature, and because DNS sits deep within the guts of the software that powers the Internet, these flaws are not easy to see, patch or protect against.

The long way to front page news

Kaminsky started talking about these flaws as early as 2004 (1, 2). Since then, he has shown ways to combine and "synergize" multiple flaws (as many as 35) into virulent attacks that can take only seconds. He presented (B) them on Wednesday to the Black Hat conference in Las Vegas; an MP3 of the July 24 Black Hat talk (4, 5) is available (3). This left hackers and script kiddies trying to figure out what he was talking about (6, 7). That should not have been too hard: although he asked his audience to keep quiet, at least two researchers published information about how the attack worked (HD Moore, 13). Shortly thereafter, there were reports of the flaw being exploited in the wild (8, 9); even AT&T and the author of Metasploit were affected (12).

Here's Dan's succinct explanation of the vulnerability, also available in PPT (B) or MP3 (3):

• DNS servers had a core bug, that allows arbitrary cache poisoning

– The bug works even when the host is behind a firewall

– There are enough variants of the bug that we needed a stopgap before working on something more complete

• Industry rallied pretty ridiculously to do something about this, with hundreds of millions protected

• DNS clients are at risk, in certain circumstances

• We are entering (or, perhaps, holding back a little longer) a third age of security research, where all networked apps are “fair game”

– Autoupdate in particular is a mess, broken by design (except for Microsoft)

• SSL is not the panacea it would seem to be

– In fact, SSL certs are themselves dependent on DNS

• DNS bugs ended up creating something of a “skeleton key” across almost all major websites, despite independent implementations

• Internal networks are not at all safe, both from the effects of Java, and from the fact that internal routing could be influenced by external activity

– The whole concept of the fully internal network may be broken – there are just so many business relationships – and, between IPsec not triggering and SSL not being cert-validated, these relationships may not be secure

– We’re not even populating CDNs securely!

In short,

Before the attack: A bad guy has a one in sixty five thousand chance of stealing your Internet connection, but he can only try once every couple of hours.

After the attack: A bad guy has a one in sixty five thousand chance of stealing your Internet connection, and he can try a couple thousand times a second.

After the patch: A bad guy has a one in a couple hundred million, or even a couple billion chance of stealing your Internet connection. He can still try to do so a couple thousand times a second, but it’s going to make a lot of noise.
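To put numbers on the three situations above, here is an added example in Python (not code from the post, from Kaminsky, or from any DNS vendor). It computes the odds of blindly guessing a 16-bit transaction ID versus a transaction ID plus a random 16-bit source port, and then shows the "noise" a patched resolver produces by counting non-matching replies in a constructed resolver log. The log format, the rate of 2,000 guesses per second and the idealised 32 bits of post-patch entropy are assumptions of the example, not facts from the post.

```python
import math
import re
from collections import Counter

# Secret state a forged reply has to guess. Both figures are idealised: real
# resolvers draw source ports from a subset of the 16-bit range, which is why
# the post says "a couple hundred million, or even a couple billion".
TXID_BITS = 16             # 16-bit DNS transaction ID (about 1 in 65,000)
TXID_PLUS_PORT_BITS = 32   # transaction ID plus an assumed 16-bit random source port


def p_success(entropy_bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` independent, uniformly
    random guesses matches `entropy_bits` of secret state."""
    space = 1 << entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def attempts_for(entropy_bits: int, target: float) -> int:
    """Smallest number of guesses that reaches `target` overall success
    probability (the inverse of p_success)."""
    space = 1 << entropy_bits
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / space))


def odds(entropy_bits: int, guesses_per_second: float, window_seconds: float) -> float:
    """Overall success probability for a sustained guessing rate over a window."""
    return p_success(entropy_bits, int(guesses_per_second * window_seconds))


# The three situations from the post, using the post's own round numbers.
def before_attack() -> float:
    return p_success(TXID_BITS, 1)                 # one shot, then wait hours for the TTL

def after_attack(window_seconds: float = 60) -> float:
    return odds(TXID_BITS, 2000, window_seconds)   # a couple thousand tries a second

def after_patch(window_seconds: float = 86400) -> float:
    return odds(TXID_PLUS_PORT_BITS, 2000, window_seconds)  # same rate, 2^16 times harder


# The "noise": a patched resolver drops every reply whose transaction ID or
# source port does not match an outstanding query, and counting those drops
# is the detection signal. Constructed log format (not any real resolver's):
#   <timestamp> qname=<name> txid_match=yes|no port_match=yes|no
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) qname=(?P<qname>\S+) txid_match=(?P<txid>yes|no) port_match=(?P<port>yes|no)$"
)

def count_unsolicited(log_lines) -> Counter:
    """Number of dropped (non-matching) replies per queried name."""
    dropped = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and (m["txid"] == "no" or m["port"] == "no"):
            dropped[m["qname"]] += 1
    return dropped

def storms(log_lines, threshold: int = 100) -> dict:
    """Names that received at least `threshold` unsolicited replies. A handful
    is normal (slow authoritative servers, retries); hundreds in a minute is not."""
    return {q: n for q, n in count_unsolicited(log_lines).items() if n >= threshold}

def constructed_log() -> list:
    """Constructed sample: a few healthy lookups, then a burst of 250 replies
    for one name that matched neither the transaction ID nor the port."""
    lines = [f"2008-07-24T10:00:0{i} qname=www.example.com txid_match=yes port_match=yes"
             for i in range(5)]
    lines += ["2008-07-24T10:01:00 qname=www.example.com txid_match=no port_match=no"] * 250
    lines.append("2008-07-24T10:02:00 qname=mail.example.net txid_match=no port_match=yes")
    return lines


if __name__ == "__main__":
    print(f"before attack: {before_attack():.2e} per TTL window")
    print(f"after attack:  {after_attack():.2f} within one minute")
    print(f"after patch:   {after_patch():.3f} within one day")
    print(f"guesses for a coin-flip chance: 16 bits={attempts_for(16, 0.5):,}  "
          f"32 bits={attempts_for(32, 0.5):,}")
    print("storms:", storms(constructed_log()))
```

The two halves belong together: source-port randomisation does not remove the guessing attack, it only multiplies the work, so the practical defence is the combination of more entropy and an alert on the burst of dropped replies that a sustained guessing run leaves behind in the resolver's own logs.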

Other DNS news

Before discussing Kaminsky's hoopla, we'll first look at several recent news items related to DNS. In no particular order:

New & Vanity TLDs

ICANN (the corporation that oversees Internet technicalities on behalf of the US Government) has decided to allow the creation of vanity TLDs for those willing to pay a six-figure fee. This follows the creation of .aero, .biz, .coop, .info, .museum, .name and .pro in 2000 and the further addition of .cat, .jobs, .post, .tel and .travel in 2005. Many feel that most of the new domains were unnecessary. For instance, .pro costs about $400 to set up, with a slightly smaller ongoing cost, and is supposed to be used only by accredited professionals. Yet some registrars found and exploited a loophole, allowing people to register domain names on behalf of an accredited professional, rendering the .pro checks toothless. Furthermore, ccTLDs are added frequently, such as .me for Macedonia, .eu for Europe and .asia for Asia. Reactions in the press have been divided (14, 15, 16). The major downside is that some new 4-letter gTLDs are not recognized as valid by certain sanity-checkers; ICANN has tried to mitigate this by releasing a toolkit (17).
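As an added illustration of the sanity-checker problem (example code, not from the post and not ICANN's toolkit): a hostname validator that hard-codes a two- or three-letter TLD rejects .info or .museum names, shown beside one that checks only the label syntax RFC 1123 actually constrains and makes no assumption about TLD length. Both functions and the sample names are constructed for this example.

```python
import re

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def naive_is_valid_hostname(name: str) -> bool:
    """Constructed stand-in for the sanity checkers the post describes: it
    hard-codes the assumption that a TLD is two or three letters, so it rejects
    .info, .museum, .travel and every newer gTLD."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    tld = labels[-1]
    if not (2 <= len(tld) <= 3 and tld.isalpha()):
        return False
    return all(LABEL.match(label) for label in labels)


def is_valid_hostname(name: str) -> bool:
    """Checks only what hostname syntax actually constrains (RFC 1123 label
    and total-length limits) and makes no assumption about TLD length. The
    one extra rule, rejecting an all-numeric last label, keeps dotted-quad
    IP addresses from passing as names."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False
    if not all(LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def compare(names):
    """Side-by-side verdicts (naive, structural) to show which names the
    naive check wrongly drops."""
    return {n: (naive_is_valid_hostname(n), is_valid_hostname(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names, including ones a length-based check rejects.
    for name, verdict in compare(["www.example.com", "www.example.info",
                                  "example.museum", "-bad.example.com",
                                  "192.0.2.1"]).items():
        print(f"{name:20s} naive={verdict[0]!s:5s} structural={verdict[1]}")
```

The point of the structural version is that the set of valid TLDs changes over time and is not a property of the syntax; if an application needs to know whether a TLD is real, it should consult a maintained list rather than encode today's length distribution into a regular expression.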

Comcast and even ICANN losing control of their domains

Comcast is a cable Internet Service Provider (ISP) with 14 million subscribers. They repeatedly lost control of their domain name (18, 19, 22). But how can one possibly fault Comcast when the very organization tasked with administering the Internet cannot protect its domain name (23, 24)?!? Even AT&T and the creator of Metasploit (a hacker and security researcher's tool) were not spared (12).

Microsoft, Apple and Opera

Microsoft implemented DNS in its Windows family in a way that made attacks much easier. A security researcher warned them, and even though they eventually fixed the problem, they chose to downplay the potential threat (25, 26, 27). Apple also came under fire for flaws in its browser, Safari, even though it recently patched its servers properly. Nonetheless, Opera remains by far the most secure browser, with a solid track record and excellence in innovation, followed closely by Firefox.

Many ISPs introduce security risks in pursuit of profits

Again, it was Dan who warned that the widespread practice of many ISPs to redirect mistyped domains to their own search page serving ads may be a significant security risk, not to mention a trademark infringement, since it involves hijacking a subdomain (28-33). It may be worthwhile to note that since Dan has brought this to the forefront in April 2008, very few ISPs have made amends. For instance Rogers, a Canadian conglomerate of monopolistic inspiration, has continued this practice unabated.


An ISP-independent service, OpenDNS is not affected by the vulnerability; neither are PowerDNS and MaraDNS (10, 11). We have been using this service for more than a year, but we have not satisfied ourselves that OpenDNS is 100% safe, as certain SSL certificates seem to be replaced when they shouldn't be, giving the appearance of a man-in-the-middle attack (i.e., SSL certificates for domains that were not blocked).

If you are more of a visual person, the video list below might answer most of your questions:

With all this hoopla about something few people intimately understand, it is time perhaps to enter a parody video contest. This would be Nisemono (20, 21). The deadline is October 1, 2008. Good luck!



[tags]defcon, dotcon, opendns, blackhat, black hat, dns, kaminsky, security, flaw, vulnerability, attack, disclosure[/tags]

