DNS remains vulnerable one year after Kaminsky bug

Cache poisoning attacks rise amid scramble to patch DNS servers, deploy security add-on

A year has passed since security researcher Dan Kaminsky disclosed a serious flaw in the DNS that makes it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or end user knowing.

Kaminsky's disclosure was a wake-up call to network vendors and ISPs about the inherent weaknesses in DNS, the foundational Internet standard that matches IP addresses with domain names.

The hype around Kaminsky's discovery also gave a much-needed boost to DNS Security Extensions (DNSSEC), an add-on security mechanism that had been languishing due to a lack of demand by network managers.

Kaminsky "helped raise awareness of the DNS vulnerability but also of Internet security in general and how dependent we are on protocols that don't have security built in," says Scott Rose, a computer scientist with the National Institutes of Standards and Technology and an expert in DNS security.

"There was discussion always in the protocol community about the vulnerability of DNS and the need for DNSSEC deployment, but the issue did get a big boost from the outside" thanks to Kaminsky, Rose said. "He raised the issue of what can happen when you attack the DNS. It's not just about redirecting browsers but subverting e-mail. All the other attacks that Kaminsky outlined brought the issue to the forefront."

Experts say more has been done to bolster the security of the DNS in the past 12 months than in the previous decade, thanks to Kaminsky's discovery. Yet, the DNS remains as vulnerable as ever to cache poisoning attacks.

The Kaminsky bug "was a big deal for the Internet community at large," says Joe Gersch, Chief Operating Officer at Secure64, which sells DNS server software and automated tools for migrating to DNSSEC. Gersch was at the Black Hat conference last summer when Kaminsky detailed the DNS cache poisoning threat in front of a standing-room-only crowd.

"It took 20 minutes for Kaminsky to explain how it works, and then he went through case after case of how it could be exploited for another hour and a half," Gersch says. "He showed how once you own the DNS, you own everything. And he showed how insidious the flaw is so that you don't even know you've been compromised. Jaws were dropping."

Gersch says Kaminsky did more than raise awareness of the inherent lack of security in DNS. "It was a pretty big call to action, first for the patch and then for ... DNSSEC deployment," Gersch says.

Since then, most -- but not all -- network engineers have patched their DNS servers against the Kaminsky bug. Patching is what Kaminsky recommends as a short-term fix to this vulnerability.

The long-term fix for Kaminsky-style attacks is DNSSEC, which prevents cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

The problem is that DNSSEC works best when it is fully deployed across the Internet: from the root zone at the top of the DNS heirarchy, to individual top-level domains such as .com and .net, down to individual domain names. Until that happens, Web sites remain vulnerable to Kaminsky-style attacks.

The Kaminsky flaw is "the prime driver for DNSSEC," says Rodney Joffe, senior vice president and senior technologist with NeuStar, which sells managed DNS services and an interim fix to cache poisoning attacks called Cache Defender. The problem, Joffe says, is that "we're still a year or more away from DNSSEC deployment."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carolyn Duffy Marsan

Network World
Topics: dns flaw, Kaminsky
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?