industry watch
DNS flaw endangers fabric of Internet
It isn’t every day that a security researcher stumbles across a bug that could
derail the entire Internet. In March this year, Dan Kaminsky did just that. The
director of penetration testing at security consulting firm IOActive discovered
a fundamental design flaw in the way the domain name system (DNS) works.
DNS uses computers called ‘nameservers’ to translate domain names into IP
addresses. An attacker exploiting the design flaw can force a nameserver to look
up a name. If the nameserver doesn’t have the IP address for that name in its
cache, it must ask another nameserver for it. At that point, the attacker can
bombard the original nameserver with forged answers pointing to the wrong IP
address. A forged answer is accepted if it arrives before the genuine one and
carries the right 16-bit transaction ID, and because the attacker can trigger a
fresh lookup for a different, random name each time a guess fails, the race can
be repeated until one guess wins. The nameserver then caches that answer, and the
next time someone asks it to translate that name into an IP address, they will
be given the wrong destination.
Kaminsky expects many more attacks to develop, and says that this will give the
‘man in the middle attack’ a new lease of life. This is where criminals insert
themselves invisibly between two legitimate parties and intercept communications.
“You might have situations where an entire company uses a particular nameserver,”
he says. “Or an entire ISP. Maybe an entire country. All of these other pieces
of software are dependent on that thing providing correct information. Why are
they depending on it? It shouldn't be this important, but it is.”
This flaw is damaging enough for people using web browsers (imagine surfing to
Google.com, for example, only to find a page that infects your computer with malware).
But it affects everything else that relies on DNS, including VoIP calls and even
vendors’ software update services.
Presenting at the Black Hat conference in early August, Kaminsky seemed genuinely
angry when he pointed out that we’re mostly still sending emails in the clear
almost 40 years after email was invented. The MX records that tell a sending
server where to deliver mail are DNS records, too, so a poisoned nameserver can
hand out the wrong mail server. Sending email containing sensitive information
to a trusted third party might then result in someone else intercepting it,
reading it and passing it on, all without your knowledge or the recipient’s.
Criminals are already searching for flawed servers, says Danny McPherson, chief
security officer at Arbor Networks. “ISPs that monitor traffic towards DNS servers
are now seeing ten times as many alerts as they did prior to the bug.
That has been occurring since the day the vulnerability was disclosed.”
Flaws in design rather than code are particularly troublesome, and the existing
fix is far from perfect. Shortly after the bug was publicly announced, Kaminsky
and the vendors he had been working with released coordinated patches for the
thousands of DNS servers on the web. At the time of writing, many servers were
still unpatched, and even those that are patched are not entirely protected. The
patch randomises the source port of each outgoing query, so an attacker must
guess the port as well as the transaction ID. That makes the attack harder rather
than impossible: Russian researchers have already shown that it is possible to
mount an attack on a patched nameserver using hacked computers within its local
network.
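The race described above, and the effect of the source-port patch on it, can be
worked through in a toy model. The following is an added example for this
article, not code from Kaminsky, IOActive or any DNS vendor: the zone
target.example, the attacker address 203.0.113.7, the fixed port 53 assumed for
an unpatched nameserver, and the burst sizes are all constructed for the demo.
It models a caching nameserver that accepts the first reply matching the
transaction ID and UDP port of an outstanding query, a blind attacker sweeping
guessed transaction IDs, and Kaminsky’s trick of asking for a fresh random
subdomain each round so that a cached legitimate answer never ends the race.

```python
"""Toy model of the Kaminsky DNS cache poisoning race.

Added illustration for this article, not code from Kaminsky, IOActive or any
DNS vendor. The zone target.example, the attacker address 203.0.113.7, the
port-53 assumption for the unpatched resolver and the burst sizes are all
constructed for the demo. TTLs and bailiwick checks are deliberately ignored.
"""
import random

TXID_SPACE = 1 << 16          # DNS transaction IDs are 16 bits wide
EPHEMERAL = range(1024, 65536)
PORT_SPACE = len(EPHEMERAL)   # extra guesses a patched resolver forces


class Resolver:
    """Caching resolver: accepts the first reply whose transaction ID and
    UDP destination port match an outstanding query, then caches it."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}       # name -> IP the resolver currently believes
        self.queries = 0      # upstream queries actually sent

    def lookup(self, name):
        """Return (txid, port) of the upstream query, or None on a cache hit.
        A hit means no query goes out and there is nothing to race."""
        if name in self.cache:
            return None
        self.queries += 1
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL) if self.randomize_port else 53
        return txid, port

    def deliver(self, outstanding, reply):
        """Feed one reply for the outstanding query. Returns True if it was
        accepted; its answer and any glue records then land in the cache."""
        if (reply["txid"], reply["dport"]) != outstanding:
            return False
        self.cache.update(reply["records"])
        return True


def run_attack(randomize_port, rounds, burst, fresh_names=True, seed=2008,
               zone="target.example", attacker_ip="203.0.113.7"):
    """Run up to `rounds` poisoning rounds against a fresh resolver.

    Each round the attacker makes the resolver look up a name under `zone`,
    then sends `burst` forged replies sweeping consecutive transaction IDs
    before the legitimate reply arrives. fresh_names=True uses a new random
    subdomain every round (Kaminsky's trick); False reuses one name, so once
    the legitimate answer is cached the resolver stops querying and the
    attack stalls. Returns {"poisoned_at": round or None, "queries": count}.
    """
    rng = random.Random(seed)
    resolver = Resolver(randomize_port, rng)
    ns_name = f"ns.{zone}"
    for rnd in range(1, rounds + 1):
        label = f"{rng.randrange(1 << 32):08x}" if fresh_names else "www"
        qname = f"{label}.{zone}"
        outstanding = resolver.lookup(qname)
        if outstanding is None:
            continue
        # Blind attacker: knows the fixed port of an unpatched resolver,
        # otherwise must guess the port too. Sweeps txids from a random start.
        dport = rng.choice(EPHEMERAL) if randomize_port else 53
        start = rng.randrange(TXID_SPACE)
        for i in range(burst):
            forged = {
                "txid": (start + i) % TXID_SPACE,
                "dport": dport,
                # Glue record repoints the zone's nameserver at the attacker,
                # poisoning every name under the zone, not just qname.
                "records": {qname: attacker_ip, ns_name: attacker_ip},
            }
            if resolver.deliver(outstanding, forged):
                return {"poisoned_at": rnd, "queries": resolver.queries}
        # Legitimate reply arrives (constructed IP); the window for this
        # name is now closed.
        resolver.deliver(outstanding, {"txid": outstanding[0],
                                       "dport": outstanding[1],
                                       "records": {qname: "198.51.100.10"}})
    return {"poisoned_at": None, "queries": resolver.queries}


def round_success_probability(burst, randomize_port):
    """Chance one round succeeds when `burst` distinct txids are swept."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(1.0, burst / space)


if __name__ == "__main__":
    print("unpatched:", run_attack(False, rounds=2000, burst=500))
    print("patched:  ", run_attack(True, rounds=200, burst=500))
    for patched in (False, True):
        p = round_success_probability(500, patched)
        print(f"port randomisation={patched}: p/round={p:.2e}, "
              f"expected rounds={1 / p:,.0f}")
```

Against the fixed-port resolver a 500-packet burst wins a round about once in
130 tries, and the fresh-name trick guarantees there is always a next try; with
the port randomised the same burst needs roughly 64,000 times as many rounds,
which is the difference between minutes and the fast-LAN attack the article
mentions. Reusing one name instead of fresh ones leaves `queries` at 1 however
many rounds are run, which is exactly why the trick matters.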
Even companies that are traditionally vigilant should be extra diligent: confirm
with their ISPs that upstream nameservers are patched, and watch their own
internal nameservers for the bursts of forged answers the attack depends on. We
haven’t heard the last of this bug.