Kaminsky on the net-shaking DNS bug

Wired's Danger Room has a good interview with Dan Kaminsky, whose DNS hack has been burning up the wires. Dan figured out a way to poison DNS caches on a scale that could disrupt the entire Internet. The exploit's existence and scope have been hotly debated ever since, and it all came to a head when details of the exploit leaked:
Well you know, there were people who said, Dan, I wish I could patch but I don't know the bug and I can't get the resources I need to patch it. Well you know the bug now.

You know, Verizon Business has a blog entry where they say that the greatest short-term risk from patching DNS was from the patch itself, from changing such a core and essential element to their systems. I know this. I was a network engineer before I was a security engineer. So that's why we took such extraordinary lengths to try to get people as much time as possible (to patch their systems). There's just a lot of complexity in doing something on this scale. This is something I think a lot of people don’t realize. It was difficult to get the patches even written, let alone get them all released on a single day.

But let me tell you, the complete lack of whining from the (DNS software) vendors . . . if I could have gotten as little whining from the security (professionals) . . . no I'm not going to say that. It's so tempting! I'm simply going to say this in positive terms. I wish everybody could be as cooperative and understanding and as helpful as Microsoft and ISC (the Internet Systems Consortium) and Cisco and everyone else was who worked so hard to get customers what they needed to protect our networks.

Link

Discussion

For now, this is valid but not a real threat to the internet. The random 16 bit QID isn't much to crack per se, but the bandwidth the attacker would have to use to send enough packets makes this attack very hard to pull off. In addition, there are all kinds of controls in place with most DNS servers to identify floods of spoofed packets like this, especially for major web sites. Furthermore, the DNSSec patch increases the QID to 32 bits.

There are definitely issues with how DNS works, or more specifically, how insecure TCP/IP is in general.

This could be a problem in the future, but for now the internet is pointlessly hyping the issue because it's a convenient scare story to people who don't understand the scope of the vulnerability.
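The comment above argues from two numbers, the 16-bit query ID and the attacker's bandwidth, so it is worth putting them in code. The following is an added example written for this page; it is not Kaminsky's code, Matasano's, or any vendor's. It models a blind poisoning race: the resolver will accept a forged UDP reply whose (source port, transaction ID) pair matches its outstanding query, and the attacker sends a burst of forged replies with distinct guesses that must arrive before the real answer. Entropy is a parameter, so the same functions cover the 16-bit case (fixed port, random TXID) and roughly 32 bits (TXID plus a randomized source port). The race window, the forged-reply size and the link speeds are constructed assumptions, and the model takes for granted that the attacker can start a new race whenever the previous one fails; DNSSEC validation, which changes what the resolver accepts rather than how hard it is to guess, is outside the model.

```python
"""Brute-force odds for blind DNS cache poisoning (constructed example).

A resolver accepts a forged reply when the attacker's guess of the
(source port, TXID) pair matches.  The attacker sends `spoofed_per_race`
forged replies with *distinct* guesses inside one race window, so the
per-race success probability is exactly k / 2**entropy_bits.
"""
import random


def success_per_race(entropy_bits: int, spoofed_per_race: int) -> float:
    """P(one race succeeds) for k distinct guesses out of 2**bits values."""
    space = 1 << entropy_bits
    return min(spoofed_per_race, space) / space


def expected_races(entropy_bits: int, spoofed_per_race: int) -> float:
    """Expected races until the first poisoned entry (geometric: 1/p)."""
    return 1.0 / success_per_race(entropy_bits, spoofed_per_race)


def spoofed_per_window(link_mbps: float, window_s: float, reply_bytes: int) -> int:
    """Forged replies that fit in one race window on a link of link_mbps.

    reply_bytes is the on-the-wire size of one forged reply; ~100 bytes is
    a constructed assumption for a minimal UDP answer.
    """
    bits_per_reply = reply_bytes * 8
    return int(link_mbps * 1_000_000 * window_s / bits_per_reply)


def time_to_poison_s(entropy_bits: int, link_mbps: float,
                     window_s: float, reply_bytes: int = 100) -> float:
    """Expected seconds to poison one name.

    window_s is the resolver's round trip to the authoritative server,
    which the forged burst must beat; the attacker is assumed to start a
    fresh race every window.  Query overhead is ignored, so this is a
    lower bound on the attacker's time.
    """
    k = spoofed_per_window(link_mbps, window_s, reply_bytes)
    return expected_races(entropy_bits, k) * window_s


def race_once(rng: random.Random, entropy_bits: int, spoofed_per_race: int) -> bool:
    """Simulate one race: the resolver draws a secret (port, TXID) value,
    the attacker forges replies with distinct guesses, and the race is won
    if the burst contained the secret."""
    space = 1 << entropy_bits
    secret = rng.randrange(space)
    guesses = set(rng.sample(range(space), min(spoofed_per_race, space)))
    return secret in guesses


def estimate_success(entropy_bits: int, spoofed_per_race: int,
                     trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of success_per_race (seeded, so reproducible)."""
    rng = random.Random(seed)
    hits = sum(race_once(rng, entropy_bits, spoofed_per_race) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    WINDOW_S = 0.1  # constructed: ~100 ms resolver-to-authoritative round trip
    for bits in (16, 32):
        for mbps in (1, 100):  # constructed: a DSL uplink and a "fast" link
            k = spoofed_per_window(mbps, WINDOW_S, 100)
            print(f"{bits:2d} bits, {mbps:3d} Mbps: {k:6d} guesses/race, "
                  f"{expected_races(bits, k):12.1f} races, "
                  f"{time_to_poison_s(bits, mbps, WINDOW_S):10.1f} s expected")
    print("simulated p(8 bits, 64 guesses) =", estimate_success(8, 64),
          "analytic =", success_per_race(8, 64))
```

With these assumptions a 16-bit space falls in under a second on a 100 Mbps link and in about a minute on a 1 Mbps DSL uplink, which is the sense in which Matasano's "less than 10 seconds on a fast Internet link" and the bandwidth objection above are both right: bandwidth sets the time, not the feasibility. Adding 16 more bits of entropy multiplies the expected time by 65536, turning seconds into hours; it raises the cost without removing the race, which is the caveat a defender should keep in mind.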

"but the bandwidth the attacker would have to use to send enough packets makes this attack very hard to pull off."

Unless they're one of the lucky ones to already have an extensive botnet.

"it's a convenient scare story to people who don't understand the scope of the vulnerability."

I think the people who were holding emergency summits at Microsoft and secretly patching the DNS servers understood the scope of the vulnerability. If what you are saying is true, they would not have done all that.

Alex @2

From the pulled Matasano story:

"Mallory can conduct this attack in less than 10 seconds on a fast Internet link."

So I don't know how fast is "fast", but if the prize is control of DNS resolution at a major ISP, then (let's say) 15 minutes saturating a DSL link isn't much of a price to pay.

"I think the people who were holding emergency summits at Microsoft and secretly patching the DNS servers understood the scope of the vulnerability."

Why? What evidence do you have that these people are not simply stupid? I can assure you that many stupid people work at Microsoft, mostly in management, and those are the very people who are likely to say things like "emergency summit". No engineer talks like that.

Simple reality: it's yet another DNS security flaw, we get one of these every two or three years, it's nothing new. Move on.

#5 posted by Bugs, July 23, 2008 3:24 PM

So he discovered an exploit and kept the details secret until it had been fixed?

Score one for security through obscurity. ;-)

#6 posted by myke, July 24, 2008 5:46 PM

A late comment to Alex's post #2 above. I'm not sure what you mean by the DNSSEC patch. But if the servers are using DNSSEC and looking up a signed zone, this attack wouldn't work. (well, at least without an attacker stealing the key for the zone they want to spoof anyway).
