
IPv6 CoE Blog


Be Careful What You Wish For

By Cricket Liu, Chief DNS Architect at Infoblox


As part of my standard presentation about DNS security, I describe the threat of cache poisoning: If a bad guy is able to inject bogus resource records into your name server’s cache, he can redirect you to a visually identical replica of the web site you think you’re going to. You enter your credentials, your account information, your credit card information, into the bogus site, and the bad guy uses your personal information to drain your account or charge your card. Or the bad guy redirects your email through his mail server, either modifying your messages slightly or simply recording them. These are among the most insidious threats to Internet infrastructure because they're so difficult to detect. The potential damage is massive, and after the poisoned records time out of the name server’s cache, there’s no evidence of the attack—except for the credit card charges or outgoing wire transfers.

I then go on to describe what I consider the three major cache poisoning “attacks” over the past twenty years: the Kashpureff attack, the Klein vulnerability, and the Kaminsky vulnerability. These attacks used flaws in the implementation of popular name servers and weaknesses in the design of DNS to induce a name server to accept bogus records. Of course, I also describe how we addressed each of them.

The problem is that, of these three, two weren’t really attacks. Amit Klein’s discovery of the weakness of BIND’s pseudo-random number generator was addressed by grafting in a better one. Dan Kaminsky’s eponymous vulnerability was addressed—at least for the time being—by introducing query port randomization. The Internet community was incredibly fortunate that these two serious vulnerabilities were caught and reported by white hats. Even Eugene Kashpureff, who actually carried out his namesake attack, did it as a protest, not for direct personal gain. It could have been much worse.
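The two defences just mentioned, plus the bailiwick rule that BIND adopted after the Kashpureff attack (which the post alludes to but does not name), as an added example in Python that is not code from the original post. It models a resolver's acceptance checks over constructed DNS records; the names and addresses are taken from reserved documentation ranges.

```python
import secrets

# Added example, not code from the original post. Two resolver-side checks
# that stop the poisoning techniques the post refers to:
#  1. A bailiwick check (the fix BIND adopted after the Kashpureff attack):
#     additional/authority records are only cached if their owner name is at
#     or below the zone the query was about.
#  2. Response matching with unpredictable transaction IDs and source ports
#     (the post-Kaminsky defence): a reply is accepted only if its ID, port,
#     name and type all match an outstanding query, and only once.
# Names and addresses used with this code are constructed from example ranges.


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a subdomain of it."""
    o = owner.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return o == z or o.endswith("." + z)


def filter_glue(records, zone):
    """Drop out-of-bailiwick records; each record is (name, type, rdata)."""
    return [r for r in records if in_bailiwick(r[0], zone)]


class PendingQueries:
    """Outstanding queries keyed by (transaction ID, source port)."""

    def __init__(self):
        self._pending = {}

    def send(self, qname: str, qtype: str):
        """Pick a fresh 16-bit ID and an unprivileged port from a CSPRNG.

        A weak generator here (the Klein finding) lets the pair be guessed;
        a fixed port (pre-Kaminsky) leaves only 16 bits to guess."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow((1 << 16) - 1024)
        self._pending[(txid, port)] = (qname.lower(), qtype)
        return txid, port

    def accept(self, txid: int, port: int, qname: str, qtype: str) -> bool:
        """Match a reply to a pending query; consume it so replays are refused."""
        expected = self._pending.get((txid, port))
        if expected != (qname.lower(), qtype):
            return False
        del self._pending[(txid, port)]
        return True
```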

But that leaves people like me without a spectacular object lesson to point to, one in which sweet, silver-haired grandmothers are relieved of their life’s savings.  But no more.

As the saying goes, “Be careful what you wish for; you might get it.”

A tweet from Dan York of the Internet Society tipped me off to a recent blog entry from CERT/CC describing likely cases of cache poisoning that repeatedly rerouted email addressed to “the biggest free webmail providers” over the past year.

CERT/CC isn’t sure of the mechanism used to poison the name servers’ caches, so they’re trying to enlist the help of the Internet community. In fact, that’s why they’re finally publicizing the case. But now we’re facing the probability that email sent to or from “the biggest free webmail providers” over the last year was intercepted, possibly modified without our knowledge, or just unceremoniously canned (which might be the least-bad option).

Now can we please get on to the business of deploying DNSSEC?
