DNS flaw discoverer says more permanent fixes will be needed

The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.


The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.

At a press conference, Dan Kaminsky, a researcher at security firm IOActive, said that the patches recently issued by multiple vendors in response to his bug discovery are at best a stopgap measure aimed at preventing immediate attacks on the DNS infrastructure.

But Kaminsky plans to disclose details of the bug at the upcoming Black Hat security conference, and with more researchers likely to try and exploit it, there is going to be a need for a more permanent fix.

"There is going to be another round of patches coming online as we as a global community figure out how to address this," Kaminsky said. The current set of security updates that were released a few days ago were designed to make it harder for the bug to be exploited, while also ensuring that would-be attackers wouldn't be able to discover what the flaw is by reverse-engineering the patches.

The stopgap patch was appropriate in its time. "We needed to find a way to stop the bleeding while we figured out what to do here. This fix gets us out of the emergency zone," Kaminsky said, speaking with Computerworld after this morning's press conference. "I think there will be discussions after the bug is disclosed for more comprehensive mechanisms for addressing this class of flaw."

He added that he was however unable to discuss what exactly the next generation patches would do, until details of the bug were publicly disclosed.

He noted that the patches that have been released appear to be working, since no one has exploited the vulnerability yet despite the unprecedented attention focused on it. However, he said, "there are people who have gotten really, really close," who have been asked not to disclose their research publicly until he reveals the full details at Black Hat.

News of the DNS protocol flaw, which was discovered earlier this year by Kaminsky, was made public about 10 days ago in a rare synchronised security update from numerous organisation including Microsoft, Cisco Systems and the US Computer Emergency Readiness Team (US-CERT). The flaw has received widespread attention both because of its apparent seriousness and the fact that it affects virtually every single domain name server that resolves IP addresses on the Internet.

DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researches. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.

According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.

An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.

The patches issued by the various vendors employ a so-called "port randomisation" technique that is designed to make it much harder by many magnitudes for anyone to guess at DNS message IDs so as to be able to spoof the messages.

Kaminsky today downplayed some of the early scepticism expressed by some researchers about the seriousness of the issue. He stressed that contrary to what some might believe, the vulnerability he discovered is indeed new - and unprecedented in its seriousness.

"It's a new flaw, it changes the rules," Kaminsky warned today. "We have known for years that we have been in trouble with this transaction ID size. Why we are in trouble is going to become apparent very soon. This is absolutely something new and very scary," he said, while reiterating earlier pleas for IT managers to immediately patch their name servers.

He added that some of the scepticism stems from the fact that people are being asked to believe that the flaw is very serious without being given any proof of that till now. "I know that's very unusual. But if this thing isn't off the charts, I would have caused a huge amount of press for nothing," he added.

Echoing Kaminsky's caution was Cricket Liu, a DNS expert and vice president of architecture at Infoblox, a provider of domain name resolution, IP address assignment and other services. Speaking with Computerworld after today's press conference, Liu said the current round of patches buys some time, but more permanent fixes are needed down the road.

He noted that this is not the first time that DNS vulnerability issues have come to the fore. The first cache-poisoning attack in fact was demonstrated as far back as 1997 and took advantage of an implementation flaw in the widely used Berkeley Internet Name Domain (BIND) implementation of DNS. More recently, a similar cache-poisoning flaw was discovered in Open BSD's Pseudo-Random Number Generator (PRNG) function. Each time patches were issued for the problems and "we thought we were in better shape then," Liu said. "And then Dan (Kaminsky) came out with his bug," he said.

He reiterated Kaminksy's call for companies to immediately patch their DNS servers to avoid the risk of their Internet traffic and emails being hijacked and added that the kind of attacks that are possible as a result of the flaw are easier to mount that many might assume.

"Recommended For You"

Apple fixes critical Mac OS X flaw Apple finally deals with DNS bug