 SUMware Premium join:2002-05-21
edit: July 24th, @05:46PM
| Exploit Code for Kaminsky DNS Bug Goes Wild
From The Register 24th July 2008 - quote: Security researchers have developed two working exploits that poison vulnerable domain name system servers, allowing attackers to redirect unwitting end users to impostor sites. What's more, the attack code has been added to Metasploit, a penetration testing tool used to test the security of computers and networks. The program, which is maintained by HD Moore, makes it easy for white hats and black hats alike to exploit vulnerable servers.
Some people have complained that Kaminsky's bug has been shamelessly hyped. We disagree. Should there be widespread exploitation of the flaw, the result would be chaos. Attackers could taint the machines relied on by millions of people. When they typed bankofamerica.com into their browser, they'd have no way of knowing whether they were being directed to the real site or one designed to steal their money. Trust on the internet, as flawed as it may be now, would completely break down.
Much of the attack code was written by |)ruid, a researcher from the Computer Academic Underground. According to Moore, it could be used like this:
1. Bad Guy probes the target DNS to see if it's vulnerable (a couple free services can do this)
2. Bad Guy picks a domain they want to hijack for users of that DNS Server
3. Bad Guy runs the bailiwicked_domain module and takes control of that domain in the cache of that server
At this point, anyone who uses that vulnerable DNS server is going to see the wrong DNS server record for the poisoned domain
The exploits are available here and here.
Currently, the exploits work only on caching servers used by ISPs and other large organizations, but Moore said they could be modified to work against client-side resolvers, which are used on desktop machines.
To test if your ISP's nameservers are vulnerable to this type of attack visit: »https://www.dns-oarc.net/oarc/services/dnsentropy - and - »www.doxpara.com/ (click the button that says "check my DNS") |
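The two checks linked above (DNS-OARC's entropy test and Kaminsky's "check my DNS" button) both work by having the resolver under test send queries to a test authoritative server and grading how unpredictable the resolver's UDP source ports and 16-bit transaction IDs are. The following Python is an added illustration, not code from the thread or from either test site: it runs that kind of assessment over constructed samples of (source port, transaction ID) pairs. The POOR/GOOD/GREAT thresholds are this example's own heuristics, chosen only to mirror the three-level scale posters in this thread report, and the sample values are made up.

```python
import math
from collections import Counter

# Constructed samples of (source_port, transaction_id) pairs, as a test
# site's authoritative server would see them arriving from the resolver
# under test. None of these were captured from a real resolver.
FIXED_PORT_SAMPLE = [(32768, t) for t in
                     (0x1A2B, 0x9C4D, 0x0F31, 0x77E0, 0x4B19, 0xD00D, 0x2E8A, 0x6FF2)]
SEQUENTIAL_PORT_SAMPLE = [(40000 + i, t) for i, t in
                          enumerate((0x3C11, 0xA0F4, 0x5E27, 0x1B99, 0xC8D2, 0x7743, 0x0A6E, 0xE51B))]
RANDOM_PORT_SAMPLE = list(zip(
    (51234, 12087, 60417, 33910, 4099, 49331, 27644, 58002),
    (0x88F1, 0x2C5A, 0xF03E, 0x6197, 0xB4C8, 0x0D2F, 0x9E66, 0x43AB)))


def pattern(values):
    """Classify a sequence of 16-bit values as fixed, sequential or random."""
    if len(set(values)) == 1:
        return "fixed"
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1:          # constant stride, e.g. +1 per query
        return "sequential"
    return "random"


def spread_bits(values):
    """log2 of the span of values seen; a rough size of the range in use."""
    return math.log2(max(values) - min(values) + 1)


def assess(sample):
    """Grade one sample the way an entropy test would: fixed or sequential
    source ports leave only the 16-bit transaction ID to protect the cache."""
    ports = [p for p, _ in sample]
    txids = [t for _, t in sample]
    port_pattern = pattern(ports)
    port_bits = spread_bits(ports) if port_pattern == "random" else 0.0
    # A forged answer must match both the port and the transaction ID,
    # so the sizes of the two search spaces add up in bits.
    guess_space_bits = 16 + port_bits
    # Heuristic thresholds specific to this example (assumption, not the
    # real test's scale): no port randomisation at all rates POOR.
    if port_pattern != "random" or port_bits < 8:
        rating = "POOR"
    elif port_bits >= 14:
        rating = "GREAT"
    else:
        rating = "GOOD"
    return {
        "port_pattern": port_pattern,
        "txid_pattern": pattern(txids),
        "port_bits": round(port_bits, 2),
        "guess_space_bits": round(guess_space_bits, 2),
        "rating": rating,
    }


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT_SAMPLE),
                         ("sequential port", SEQUENTIAL_PORT_SAMPLE),
                         ("random port", RANDOM_PORT_SAMPLE)):
        print(f"{name:16s} {assess(sample)}")
```

A real test sends far more than eight queries, so the spread measured here is only a crude stand-in for the range a patched resolver actually draws from; what the example does make visible is the difference between a pre-patch resolver (one fixed port, 16 bits of guesswork) and a patched one (port plus transaction ID, roughly 32 bits).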
  NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
| Re: Exploit code for Kaminsky DNS Bug Goes Wild
Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date:
»www.informationweek.com/newslett···09401195
In a nutshell, until your ISP has patched their DNS servers, you can no longer trust that your ISP will resolve DNS name (e.g. 'yourbank.com') correctly. Criminals can now hijack any domain name they want and draw your traffic to sites they control...thus you THINK you have surfed to your bank's website, but you are really talking to a server in Russia.
Until you know that your ISP's DNS servers have been patched, I would advise that everyone NOT utilize any web server of a sensitive nature (e.g. online banking, paypal, online retailer, etc..).
Please...as many people as possible...especially if you're on a less mainstream ISP...please run Dan's tester:
»www.doxpara.com/
See: DNS Checker button in upper right
In addition to giving you valuable information, it will flag your ISP's DNS servers as vulnerable (if they are) in Dan's database...Dan is then providing a feed through Oarc and myNetWatchman (me) and I'm sending out notifications to all the ISPs with these vulnerable servers.
I just finished sending out 10,000 notices this afternoon covering more DNS servers than I care to comment on.
Unfortunately, I suspect this problem is going to exist for YEARS as many smaller ISPs will just not get the severity of this problem and leave their users exposed.
I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
  FiOS Dan Premium join:2001-07-06 Redondo Beach, CA
·Verizon FIOS
·EarthLink
| said by NetWatchMan: Unfortunately, I suspect this problem is going to exist for YEARS as many smaller ISPs will just not get the severity of this problem and leave their users exposed.
Am I correct in thinking that this will create a major vulnerability for road warriors and their laptops? -- Courage is being scared to death but saddling up anyway.
 SUMware Premium join:2002-05-21
edit: July 24th, @05:55PM
| reply to NetWatchMan said by NetWatchMan: Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date: I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined.
Thank you for the added emphasis. I've already emailed my contacts, explaining this situation. If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS. |
 B Premium,MVM join:2000-10-28
edit: July 24th, @08:54PM
| reply to SUMware Re: Exploit Code for Kaminsky DNS Bug Goes Wild
Uh, guys, if the whole point is that DNS can no longer be trusted, and you're recommending things to people, does it make sense to direct them to sites by their DNS name?
You've referred above to:
»www.theregister.co.uk/2008/07/24···es_wild/
and
»caughq.org/main.html
and
»www.caughq.org/exploits/CAU-EX-2008-0003.txt
and
»www.caughq.org/exploits/CAU-EX-2008-0002.txt
and
»www.doxpara.com
and
»www.opendns.com
At this writing, unless my current DNS resolvers are being attacked, these latter two resolve to »157.22.245.20 and »208.67.219.99, respectively.
Insanely, sadly, and hilariously however, the Kaminsky Doxpara site appears to be on a shared host and cannot be accessed by IP address!
Oops, you got the default vhost. Call LC support.
If anyone knows how to access the Doxpara.com site by its web host's IP address as a customer sub-page or whatnot, perhaps they should mention it...
Edit: Equally distressingly, »https://www.doxpara.com/ (SSL) does not resolve either; at least that would have been a trustworthy way to access the URL. I haven't followed this vulnerability at all, but I assume a cert (that you verify) is still an easy way to allay one's fears?
-- B -- In a realm outside causality and function |
 SUMware Premium join:2002-05-21
edit: July 24th, @09:31PM
| reply to SUMware World's biggest ISPs drag feet on critical DNS patch
From The Register 25th July 2008 - quote: More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks.
According to an informal survey of Register readers, 15 ISPs failed the "Check my DNS" test (see button to the right) on the website of researcher Dan Kaminsky, who discovered the bug. Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren't vulnerable.
Subscribers of ISPs that are still vulnerable ought to hardwire an alternate DNS server into their operating system. We're partial to OpenDNS. They've been vulnerability free since at least July 8, when Kaminsky announced the bug.
Other ISPs that were reported vulnerable include: Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel. Virgin Media, and Demon Internet were reported as potentially being vulnerable.
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
| reply to SUMware Re: Exploit code for Kaminsky DNS Bug Goes Wild
said by SUMware: ...consider using OpenDNS.
Do you have the DNS IP address that I can put into my router? -- I spent most of my money on Women and Beer, and the rest I just wasted ! |
  Rogue Wolf Came To Bury Caesar, Not To Praise Him
join:2003-08-12 Saratoga Springs, NY
| said by SipSizzurp: Do you have the DNS IP address that I can put into my router?
There are two: 208.67.222.222 and 208.67.220.220. The site will have a guide on how to change your router's settings to do this, if necessary. -- Four gods wait on a windowsill, Where once eight gods did war and will. And if the gods themselves may die, What does that say for you and I? |
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI | Thanks ! I know several commercial customers that use Road Runner. These will be handy. -- I spent most of my money on Women and Beer, and the rest I just wasted ! |
  Sparrow The sparrow has landed. Premium join:2002-12-03 Varna
| reply to SUMware said by SUMware: said by NetWatchMan: Please...take the time to understand the implications of this issue...they are profound and represent the most serious and widespread security issue to impact the Internet to date: I would also encourage everyone who can to please take some time to educate others you know about this issue who might be less technically inclined. Thank you for the added emphasis. I've already emailed my contacts, explaining this situation. If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS.
SUMware and NetWatchMan, thank you very much for the link to OpenDNS and emphasizing the seriousness of this latest exploit.
I will also encourage anyone having not "great" reports at either of the sites listed below to do the same. I have sent numerous e-mails out explaining the configuration is easy enough for the not-so computer savvy and explained they should write down their current router settings in case OpenDNS does not work or they err in configuration.
said by SUMware: To test if your ISP's nameservers are vulnerable to this type of attack visit: »https://www.dns-oarc.net/oarc/services/dnsentropy - and - »www.doxpara.com/ (click the button that says "check my DNS")
I reset my router to OpenDNS and I went from 3 "Poor"s to 3 "Great"s and currently "safe." My provider is Verizon.
Excellent info in this thread. |
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
| reply to SUMware said by SUMware: If ISP servers test vulnerable, a currently viable mitigation is to consider using OpenDNS.
Another current alternative, if one does not want to jump through the hoops to set up an account at OpenDNS to get "vanilla" DNS without the filtering and redirecting, is to use the Level3 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, and 4.2.2.6 servers. They also currently pass the www.doxpara.com and www.dns-oarc.net tests.
I currently point to my local Win 2k server first, with fallbacks to Level3, then OpenDNS (yes I use OpenDNS, but it was a PITA to set up with a load balancing router). -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
| reply to FiOS Dan said by FiOS Dan: Am I correct in thinking that this will create a major vulnerability for road warriors and their laptops?
If the road warrior manually uses a patched company DNS server or a known safe public DNS server such as Level3 or OpenDNS, it should not be a problem.
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
 SUMware Premium join:2002-05-21
edit: July 25th, @01:08AM
| reply to NetFixer said by NetFixer: if one does not want to jump through the hoops to set up an account at OpenDNS
It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account.
OpenDNS states that creating an account is optional. |
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
edit: July 25th, @01:43AM
| said by SUMware: said by NetFixer: if one does not want to jump through the hoops to set up an account at OpenDNS It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account. OpenDNS states that creating an account is optional.
Unnecessary and/or optional for you perhaps, but I require unfiltered unmodified DNS, and the only way to get that from OpenDNS is to create an account and register your IP addresses. If you do not open an account and register your IP addresses, OpenDNS has no way of knowing who you are to be able to apply your desired settings, and you will get their default filtering and redirection.
This filtering and redirection by my definition is actually poisoned DNS, which is what we are trying to avoid. The difference between the OpenDNS poisoning and poisoning by a malicious third party is intent, and of course the public declaration by OpenDNS that the DNS replies may indeed be modified unless you open an account and set up your own requirements to override their default settings.
Don't misunderstand my post here. OpenDNS is a great service, and many people can benefit from their filtering and redirection, but that same filtering and redirection can wreak havoc if you really need accurate, unfiltered, and unredirected DNS results. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
  Rogue Wolf Came To Bury Caesar, Not To Praise Him
join:2003-08-12 Saratoga Springs, NY
edit: July 25th, @01:24AM
| reply to SUMware said by SUMware: said by NetFixer: if one does not want to jump through the hoops to set up an account at OpenDNS It is completely unnecessary to open an account at OpenDNS. I have never had one. Just use their IP addys and follow their instructions without opening an account. OpenDNS states that creating an account is optional.
I think what NetFixer is getting at is that to get "clean" DNS service (no redirects, etc) you have to sign up for an account. Which is alright with me. I don't have any programs or procedures that require that.
EDIT: Darn you, stop being so fast!  -- Four gods wait on a windowsill, Where once eight gods did war and will. And if the gods themselves may die, What does that say for you and I? |
 Libra Premium join:2003-08-06 USA
| reply to SUMware Re: Exploit Code for Kaminsky DNS Bug Goes Wild
[Attachment: Warning re making a change]
I need some help here. I have the Westell 2200 modem for Verizon and saw that Crystal Sky put open dns into her router. I looked at the OpenDns page for the Westell modem, but it's different than mine.
I went to the VC Configuration page. Here's a screenshot of the PPPoE configuration.
I have 0.0.0.0. for the both of the DNS servers! Why do I have 0.0.0.0.? Can I put in the OpenDns numbers here? I don't want to lose my internet if this would be wrong. Also, if I can put the numbers in, would it require any other information since the IP Address and Gateway are also 0.0.0.0. - I have no idea what I would have to put there.
Also, when I clicked on the "help" area, I got a warning I'm also attaching.
I'd appreciate any help with this. Thank you.
Sincerely, Libra |
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
| reply to Rogue Wolf Re: Exploit code for Kaminsky DNS Bug Goes Wild
said by Rogue Wolf: EDIT: Darn you, stop being so fast!
If that comment is targeted to me, thank you. With my tired old body and stiff arthritic joints (including my fingers), I don't hear something like that very often. It is usually more like "hurry up, what is taking you so long".  -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
  Traxless Premium join:2005-02-16 USA
·Cbeyond
·AT&T Southwest
| reply to SUMware Re: Exploit Code for Kaminsky DNS Bug Goes Wild
Last night, my AT&T DNS (DFW, Texas) did not pass the test at »https://www.dns-oarc.net/oarc/services/dnsentropy. Early this morning, the same DNS addresses passed with a great rating. Something changed during the last 6 hours! |
  NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
edit: July 25th, @01:38AM
| reply to Libra said by Libra: I need some help here. I have the Westell 2200 modem for Verizon... and saw that Crystal Sky put open dns into her router. I looked at the OpenDns page for the Westell modem, but it's different than mine. I went to the VC Configuration page. Here's a screenshot of the PPPoE configuration. I have 0.0.0.0. for the both of the DNS servers! Why do I have 0.0.0.0.? Can I put in the OpenDns numbers here? I don't want to lose my internet if this would be wrong. Also, if I can put the numbers in, would it require any other information since the IP Address and Gateway are also 0.0.0.0. - I have no idea what I would have to put there. Also, when I clicked on the "help" area, I got a warning I'm also attaching. I'd appreciate any help with this. Thank you. Sincerely, Libra
Try putting the desired DNS server values in the place indicated for the DNS servers, and leave the IP Address and Gateway settings as 0.0.0.0. The 0.0.0.0 setting is used as a placeholder for the ISP's DHCP/Authentication server to put in their assigned values. If you change the DNS values and it does not work, then simply log back into your DSL router and put the 0.0.0.0 values back. You can then go into the TCP/IP properties page for the individual PCs and change the DNS Server values from automatic to the desired values. See my post here: »Re: Exploit code for Kaminsky DNS Bug Goes Wild to see how this is done. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
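The per-PC fallback NetFixer describes (switching a Windows machine's DNS from "obtain automatically" to fixed addresses) can also be done from a command prompt instead of the TCP/IP properties dialog. The commands below are an added example, not NetFixer's post or anything from the OpenDNS guide; they assume the adapter is named "Local Area Connection" (list adapters with `netsh interface ip show config` if yours differs), use the two OpenDNS addresses quoted earlier in this thread, and must run from an Administrator prompt.

```powershell
# Added example (not from the thread). Assumes adapter "Local Area Connection".

# Record what DHCP assigned before changing anything, so it can be restored
netsh interface ip show dns

# Replace the DHCP-assigned list with a static primary resolver...
netsh interface ip set dns name="Local Area Connection" source=static addr=208.67.222.222
# ...and add the secondary as the second entry
netsh interface ip add dns name="Local Area Connection" addr=208.67.220.220 index=2

# Discard answers cached from the old (possibly unpatched) resolver
ipconfig /flushdns

# Verify: the "Server:" line of the reply should now show 208.67.222.222
nslookup www.example.com

# To undo, hand DNS back to DHCP:
# netsh interface ip set dns name="Local Area Connection" source=dhcp
```

Flushing the cache matters: the risk from a poisoned upstream resolver is a bad record already stored locally, and changing the server alone does not evict it.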
 SUMware Premium join:2002-05-21
| reply to NetFixer Re: Exploit code for Kaminsky DNS Bug Goes Wild
said by NetFixer: I require unfiltered unmodified DNS, and the only way to get that from OpenDNS is to create an account and register your IP addresses. If you do not open an account and register your IP addresses, OpenDNS has no way of knowing who you are to be able to apply your desired settings, and you will get their default filtering and redirection.
Understand. I do not have the same requirements as you. Having no account, and OpenDNS' defaults, works fine for me. |