
SUMware
Premium
join:2002-05-21

DNS Critical Flaw Explained?

From The Register
21st July 2008 -
said by TR :
Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit it before overlords of the domain name system had a chance to fix it.

That hasn't stopped researcher Halvar Flake from posting a hypothesis that several researchers say is highly plausible. It describes a simple method for tampering with DNS name servers that get queried when a user tries to visit a specific website. As a result, attackers would redirect someone trying to visit a site such as bankofamerica.com to an impostor site that steals their credentials.

The recipe calls for the attacker to flood a DNS server with multiple requests for domain names, for instance www.ulam00001.com, www.ulam00002.com and so on. Since the name server hasn't seen these requests before, it queries a root server for the name server that handles lookups for domains ending in .com. The attacker then uses the information to send fraudulent lookup information to the DNS server and make it appear as if it came from the authoritative .com name server. With enough requests, eventually one of the spoofed requests will match and the IP address for a requested domain will be falsified.

In an email to El Reg, Kaminsky declined to confirm whether Flake's speculation is correct. We're hoping it is, because if it isn't, it means the net's DNS is vulnerable to a second flaw that, like Kaminsky's, could result in major security breaches for an untold number of users.

Kaminsky has said he won't provide a detailed discussion of the DNS flaw until he speaks early next month at the Black Hat conference in Las Vegas. Critics say the move has more to do with artificially generating buzz than following responsible disclosure guidelines.

Kaminsky and his supporters disagree, saying it takes time for those maintaining DNS servers to deploy patches and detailed discussions in the meantime could allow attackers to exploit the flaw.


Cabal
Premium
join:2007-01-21
Boston, MA

Additional links

quote:
Here is why it works:

Malory wants to poison the server ns.polya.com

Malory sends NS requests for ulam00001.com, ulam00002.com ... to ns.polya.com.

Malory then sends a forged answer, saying that the NS for www.ulam00002.com is ns.google.com *AND* puts a glue record saying that ns.google.com is 66.6.6.6

Because the glue records correspond with the answer record (same domain), the targeted nameserver will cache or replace its current record of ns.google.com to be 66.6.6.6.
Trivial with a known source port.
--
Interested in open source engine management for your Subaru?
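
The burst of non-matching replies that the quoted explanation relies on is visible from the resolver side. The following Python sketch is an added example, not part of the original posts: it counts replies whose transaction ID or port does not match the outstanding query. The event format, addresses, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

AUTH = "192.0.2.53"  # constructed address standing in for the authoritative server

def build_sample():
    """Constructed events: ("Q", t, qname, txid, port) is a query the resolver sent,
    ("R", t, qname, txid, port, claimed_source) is a reply it received."""
    events = []
    for i in range(1, 4):  # three sibling lookups, as in www.ulam00001.com ...
        name, t0 = f"www.ulam{i:05d}.com", i * 0.1
        events.append(("Q", t0, name, 0x4000 + i, 53000))
        for g in range(10):  # ten replies with the wrong transaction ID
            events.append(("R", t0 + 0.001 * (g + 1), name, g, 53000, AUTH))
        events.append(("R", t0 + 0.05, name, 0x4000 + i, 53000, AUTH))  # real answer
    events.append(("R", 0.5, "www.example.org", 7, 53000, "198.51.100.7"))  # lone stray
    return events

def detect_reply_flood(events, window=1.0, threshold=20):
    """Return {claimed_source: time of first alert} for sources whose mismatched
    replies reach `threshold` within `window` seconds."""
    pending = {}                 # qname -> (txid, port) of the outstanding query
    misses = defaultdict(list)   # claimed source -> times of recent mismatched replies
    alerts = {}
    for ev in events:
        if ev[0] == "Q":
            _, ts, qname, txid, port = ev
            pending[qname] = (txid, port)
            continue
        _, ts, qname, txid, port, source = ev
        if pending.get(qname) == (txid, port):
            del pending[qname]   # matching reply closes the query
            continue
        # Unsolicited reply, or wrong transaction ID / port for a pending query.
        misses[source] = [t for t in misses[source] if ts - t <= window] + [ts]
        if len(misses[source]) >= threshold and source not in alerts:
            alerts[source] = ts
    return alerts

if __name__ == "__main__":
    for source, ts in detect_reply_flood(build_sample()).items():
        print(f"t={ts:.3f}s: burst of mismatched DNS replies claiming to be from {source}")
```

A forged reply that happens to match is indistinguishable here from the real one; the detector flags the guessing burst that precedes it.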
over 10 years online! © 1999-2009 dslreports.com.