
T0xic DNS serpent strikes again - Old snake in the grass strikes again

By J Prasanna @ Sunday, July 20, 2008 12:03 PM

Section - PCs/Software


News reports of a fresh DNS vulnerability flashed across the globe 15 days back. It affects many platforms, among them Windows, Cisco IOS, Nominum, BIND 9 and BIND 8. The technique, popularly known as DNS cache poisoning, is an old one, but new findings by Dan Kaminsky have turned the bug into a very serious problem for the internet. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching name server.

The entire internet runs on DNS. When you give an address such as www.xyz.com, DNS translates it into an IP address of the form cc.xx.yy.zz (for example 192.168.1.1) so that your traffic can find the server. Websites, email servers and the database servers of companies, governments and banks are all reached by name, and DNS is the component that converts each name into the IP address the traffic is actually sent to.

An attacker can craft a malicious web page which, when a victim visits it, makes the victim's resolver look up a stream of names under the target domain. While each lookup is outstanding, the attacker floods the resolver with forged answers, and as soon as one of them matches the resolver's transaction ID the forged record is cached. From then on, the victim's request for www.example.com is answered with an address the attacker controls, so the browser lands on the attacker's web page while still showing the genuine name. Just imagine this happening to a bank's website. If the attack succeeds against an ISP's resolver, the attacker can redirect all of that ISP's traffic for banks, governments and large corporations to similar-looking malicious servers and harvest the data. Present anti-phishing tools may not even detect this kind of DNS poisoning, because the URL the victim typed is the legitimate one and nothing in it looks suspicious.

In simple terms, poisoning the cache lets the attacker redirect traffic to another server. It does not matter if you run every security product in the world, firewall and IDS included, if this vulnerability exists on the ISP's resolver: your systems trust whatever answer that resolver gives.

The good news is that the weakness was the same across all the affected operating systems and resolver products, so the researchers who found it worked in secret with the vendors, and patches for all the affected products were released together.

The bad news is that while some ISPs installed the patches immediately, there are still a few which haven't applied them. We tested a few ISPs in India at random using the free tool available on www.doxpara.com. Unfortunately, most of the ISPs have not patched the vulnerability.

A sample report from the tool, run from a web server connected to an ISP in India, looks like this:
Our name server, at 202.xx.yy.12, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 34054

Do not be concerned at this time. IT administrators have only recently been apprised of this issue, and should have some time to safely evaluate and deploy a fix.

Requests seen for 6c4fe79b459e.toorrr.com:
202.xx.yy.112:34054 TXID=44271
202.xx.yy.112:34054 TXID=36671
202.xx.yy.112:34054 TXID=16071
202.xx.yy.112:34054 TXID=30326
202.xx.yy.112:34054 TXID=57355

There are many ways in which ISPs or companies can deal with this. The first is to apply the vendor patches. Where that is not possible, other measures reduce the practicality of the attack: source port randomisation, disabling recursion on servers that do not need to offer it (or restricting it to your own customers), or deploying DNS Security Extensions (DNSSEC), which lets the resolver verify answers cryptographically instead of trusting the first packet that matches. A closer look at what the patches do on some operating systems shows that they do not remove the vulnerability; they only make it far harder to exploit. With a fixed source port, as in the report above, an attacker has to guess only a 16-bit transaction ID. Randomising the source port adds roughly another 16 bits, so a forged answer must match both the port and the ID, which multiplies the attacker's work by tens of thousands.
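The following Python script is an added example, not the article's own code and not Dan Kaminsky's doxpara.com tester. It accepts lines in the shape of the report quoted above ("address:port TXID=id"), applies the rule that report implies (every query leaving from one source port means the 16-bit transaction ID is all an attacker has to guess), and then sizes the attacker's guess space with and without port randomisation, which is the trade-off the previous paragraph describes. The two report samples are constructed, with addresses redacted the same way as in the article, and the 64512 usable ports assumed for a patched resolver are an assumption, not a measurement.

```python
"""Judge a resolver from observed queries, and size the attacker's guess space.

Added example, not the article's code and not the doxpara.com tester.  It
takes report lines of the form "<address>:<port> TXID=<id>" and checks
whether the source port is fixed, then estimates how many Kaminsky-style
races an attacker needs with and without source port randomisation.
"""
import re
from collections import Counter

# Constructed sample modelled on the article's report (addresses redacted
# the same way).  One fixed source port, varying TXIDs: an unpatched resolver.
UNPATCHED_REPORT = """\
202.xx.yy.112:34054 TXID=44271
202.xx.yy.112:34054 TXID=36671
202.xx.yy.112:34054 TXID=16071
202.xx.yy.112:34054 TXID=30326
202.xx.yy.112:34054 TXID=57355
"""

# Constructed sample of what a port-randomising (patched) resolver looks like.
PATCHED_REPORT = """\
202.xx.yy.112:51822 TXID=1033
202.xx.yy.112:8841 TXID=61210
202.xx.yy.112:39012 TXID=22930
202.xx.yy.112:60333 TXID=7125
202.xx.yy.112:17504 TXID=44009
"""

LINE_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")


def parse_report(text):
    """Return (source_port, txid) pairs from report lines; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((int(m.group("port")), int(m.group("txid"))))
    return pairs


def assess(pairs):
    """Classify a resolver from its observed (port, txid) pairs.

    A single source port across several queries means the port is fixed,
    which is exactly what the tester reports as vulnerable.  A TXID that
    repeats within a handful of queries is a second warning sign.
    """
    if len(pairs) < 2:
        raise ValueError("need at least two observed queries to judge")
    ports = Counter(p for p, _ in pairs)
    txids = Counter(t for _, t in pairs)
    fixed_port = len(ports) == 1
    txid_repeats = any(n > 1 for n in txids.values())
    return {
        "queries": len(pairs),
        "distinct_ports": len(ports),
        "distinct_txids": len(txids),
        "fixed_port": fixed_port,
        "txid_repeats": txid_repeats,
        "vulnerable": fixed_port or txid_repeats,
    }


def guess_space(port_randomised, usable_ports=65536 - 1024):
    """Number of (port, TXID) combinations a forged answer has to match.

    The TXID is always 16 bits.  A fixed port adds nothing; a patched
    resolver multiplies by the number of ports it draws from.  Assumption:
    it draws from the 64512 ports above the reserved range.
    """
    return 65536 * (usable_ports if port_randomised else 1)


def expected_races(space, forged_per_race):
    """Expected number of Kaminsky races before one forged answer lands.

    Each race is one lookup of a fresh random name under the target domain;
    the attacker fires `forged_per_race` distinct guesses before the real
    answer arrives, so a race succeeds with probability forged/space.
    """
    if not 0 < forged_per_race <= space:
        raise ValueError("forged_per_race must be between 1 and space")
    return space / forged_per_race


if __name__ == "__main__":
    for label, report in (("unpatched", UNPATCHED_REPORT), ("patched", PATCHED_REPORT)):
        print(label, assess(parse_report(report)))
    # With 100 forged packets per race: roughly 656 races against a fixed
    # port, over 42 million once the source port is randomised as well.
    for randomised in (False, True):
        print("port randomised" if randomised else "fixed port",
              round(expected_races(guess_space(randomised), 100)))
```

The verdict function deliberately refuses to judge from a single query: one line proves nothing about the port choice, and a tool that answered "safe" on one sample would be worse than no tool. Five queries, as in the article's report, are enough to spot a fixed port but not enough to measure how random a patched resolver's ports really are; for that you would need thousands of samples and a look at how evenly they spread.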

More information on the vulnerability and its fixes is available on the CERT website: http://www.kb.cert.org/vuls/id/800113

ISPs who offer services such as static IPs to the servers of banks, governments and large corporations have to fix this bug at their end on all their devices, including routers, firewalls and DNS servers, whatever OS they run.

J Prasanna is CEO of security outfit AVS Labs

Copyright 2008 - ITExaminer.com