News
DNS Flaw Details Posted by Accident
Researchers have accidentally published details of a critical DNS flaw discovered by Dan Kaminsky.
By Robert McMillan, IDG News Service
Matasano's post inadvertently confirmed that Flake had described the flaw correctly, Ptacek admitted.
Late Monday, Ptacek apologized to Kaminsky on his company blog. "We regret that it ran," he wrote. "We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread."
Kaminsky's attack takes advantage of several known DNS bugs, combining them in a novel way, said Cricket Liu vice president of architecture with DNS appliance vendor Infoblox, after viewing the Matasano post.
The bug has to do with the way DNS clients and servers obtain information from other DNS servers on the Internet. When the DNS software does not know the numerical IP (Internet Protocol) address of a computer, it asks another DNS server for this information. With cache poisoning, the attacker tricks the DNS software into believing that legitimate domains, such as idg.com, map to malicious IP addresses.
In Kaminsky's attack a cache poisoning attempt also includes what is known as "Additional Resource Record" data. By adding this data, the attack becomes much more powerful, security experts say. "The combination of them is pretty bad," Liu said.
An attacker could launch such an attack against an Internet service provider's domain name servers and then redirect them to malicious servers. By poisoning the domain name record for www.citibank.com, for example, the attackers could redirect the ISP's users to a malicious phishing server every time they tried to visit the banking site with their Web browser.
Kaminsky declined to confirm that Flake had discovered his issue, but in a posting to his Web site Monday he wrote "13-0," apparently a comment that the 13 days administrators have had to patch his flaw before its public disclosure is better than nothing.
"Patch. Today. Now. Yes, stay late," he wrote.
Other stories by Robert McMillan
DNS flaw
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
