Posted by Deliverator on August 2nd, 2008
Dan Kaminsky is a well known and respected security researcher. In recent months, he has alluded to a widespread vulnerability in DNS servers and clients, but has publicly kept fairly tight lipped as to the exact nature of the vulnerability in order to give ISPs, OS and device manufacturers a chance to release updates that address the issue. Many major ISPs and OS vendors have done a coordinated fix, in order to minimize the window for potential exploitation. Unfortunately, not everyone seems to have gotten the memo, and this will have very unfortunate consequences for users of such devices/services. Dan will spill the beans officially at the upcoming Blackhat computer conference, but enough details have leaked out from Dan and sources close to him that the nature of the vulnerability alluded to by Dan is now believed to be known and is being actively exploited “in the wild.” I highly recommend visiting Dan’s site, DoxPara Research, and clicking on “Check My DNS” to see if your ISP’s DNS is vulnerable. If your ISP’s DNS is vulnerable, I suggest contacting them to inquire as to what their lazy admins are up to and then switching your computers to use OpenDNS or another more responsible DNS server until your ISP gets its house in order.
The vulnerability appears to allow an attacker to poison the cache of affected DNS servers, allowing them to inject bogus nameservers into your ISP’s cache for a given domain and set a very high time to live on the cached information such that it only expires after a very long period. This in effect allows attackers to redirect queries for any arbitrary website.
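To make the mechanism described above concrete, here is an added example (not code from the original post, and not Dan's test) that parses a DNS response off the wire and applies the two sanity rules a resolver's cache should enforce before storing what it received: a record is refused if its owner name lies outside the "bailiwick" of the server that was asked, or if its time to live is implausibly long. The response it inspects is constructed for the example, as are the names, addresses and TTLs in it; the bailiwick check is the standard rule, while the TTL ceiling of one week is an assumed local policy.

```python
import struct

# Added example (not from the original post): a minimal DNS wire-format parser
# plus the two cache-admission rules the post's description runs into, applied
# to a constructed response. Names, addresses and TTLs below are made up.

def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a name at offset `off`, following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                 # caller resumes after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def build_response(qname, answers, authority, additional, txid=0x1234):
    """Assemble a standard response; records are (name, type, ttl, rdata)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1,
                         len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # qtype A, class IN
    body = b""
    for name, rtype, ttl, rdata in answers + authority + additional:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + body

def parse_response(msg):
    """Return (qname, [(section, name, type, ttl, rdata), ...])."""
    _txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip qtype and qclass
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return qname, records

def in_bailiwick(name, zone):
    # The leading dot stops "notexample.com." from matching zone "example.com."
    return name == zone or name.endswith("." + zone)

def vet_response(msg, bailiwick, max_ttl=7 * 24 * 3600):
    """List the records a cache should refuse: anything outside the bailiwick
    of the server that was queried, or anything with an implausibly long TTL
    (the one-week ceiling is an assumed local policy, not a protocol rule)."""
    _qname, records = parse_response(msg)
    rejected = []
    for section, name, _rtype, ttl, _rdata in records:
        if not in_bailiwick(name, bailiwick):
            rejected.append((section, name, "out-of-bailiwick"))
        elif ttl > max_ttl:
            rejected.append((section, name, "ttl-too-long"))
    return rejected

# Constructed sample: a legitimate-looking answer for www.example.com that also
# carries NS and glue records for an unrelated zone with a ten-year TTL.
TEN_YEARS = 10 * 365 * 24 * 3600
SAMPLE_RESPONSE = build_response(
    "www.example.com.",
    answers=[("www.example.com.", 1, 300, bytes([192, 0, 2, 1]))],
    authority=[("example.com.", 2, 3600, encode_name("ns1.example.com.")),
               ("bank.example.", 2, TEN_YEARS, encode_name("ns1.example.net."))],
    additional=[("ns1.example.com.", 1, 3600, bytes([192, 0, 2, 53])),
                ("ns1.example.net.", 1, TEN_YEARS, bytes([192, 0, 2, 66]))],
)

if __name__ == "__main__":
    for verdict in vet_response(SAMPLE_RESPONSE, "example.com."):
        print("refuse:", verdict)
```

Running it refuses the `bank.example.` NS record and its glue because the resolver asked the `example.com.` servers, which have no business answering for another zone; tightening `max_ttl` additionally flags the legitimate records whose TTL exceeds the local ceiling. These admission rules are what any cache should already apply; they do not on their own stop a forged response whose records all sit inside the bailiwick, which is why the coordinated patches the post mentions were needed on top of them.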
For instance, they could redirect traffic for google.com to a look-alike page which installs viruses or other malware on your computer. Or, they could direct traffic for yourbank.com to a look-alike page and steal your online banking information. They could redirect traffic for common antivirus packages such that your copy of Norton never updates itself or Windows Update fails to run. The possibilities are almost endless. Unlike phishing attacks, which rely on a credulous user to click on a link in an email, this attack corrupts your service provider in such a way that all users of an ISP, even those with a modicum of common sense, will be affected simultaneously. More advanced users who are in the habit of checking SSL certificates and the like are less likely to get bitten, but the potential for creative larceny on this one is so high that I’m certain that all the potential ramifications of this attack have yet to be worked out.
Even assuming that ISPs get their act together quickly, you tend to find DNS servers shoehorned into all manner of commodity hardware, and these are less likely to be patched promptly, either from lack of action on the part of the device manufacturer or lack of awareness by the device owner/administrator. I fully expect to see more localized versions of this attack for years to come. Batten down the hatches, folks, this storm is going to be a bad one.