
Steve
I know your IP address

join:2001-03-10
Tustin, CA

15 recommendations

Steve

An Illustrated Guide to the Kaminsky DNS Vuln

Hello all,

The security world has been abuzz with Dan's finding, and yesterday he gave his talk at Black Hat (no, I didn't go). It's really an extraordinary finding, though I can't help but note how "obvious" it is.

I've been working for weeks on a paper that describes this in great detail, and it's designed for the computer-savvy person who nevertheless may not really know how DNS works: lots of diagrams to make the point and guide an understanding.

Unixwiz.net Tech Tip: An Illustrated Guide to the Kaminsky DNS Vulnerability

My eyes are falling out of my head from all this time in front of Adobe Illustrator, and though it's had a few other eyes go over it, there may still be issues. Please report bugs/typos/errors to me via IM and I'll fix them forthwith.

I hope this is helpful.

Steve

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni

MVM

said by Steve:

it's designed for the computer-savvy person who nevertheless may not really know how DNS works: lots of diagrams to make the point and guide an understanding.
You wrote all that... for me?

As most of your work to date, it is good and informative. Thank you.

Cudni

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

Smokey Bear

Premium Member

said by Cudni:

As most of your work to date, it is good and informative. Thank you.

Please include me in your "thank you Steve"
Smokey Bear

Smokey Bear to Steve

Premium Member

to Steve
said by Steve:

I hope this is helpful.
IMO it IS helpful, that is the reason I blogged your paper: »smokeys.wordpress.com/20 ··· ability/

jabarnut
Light Years Away
Premium Member
join:2005-01-22
Galaxy M31

jabarnut to Steve

Premium Member

to Steve
Thanks Steve...yes it's helpful.
Some great stuff!

therube
join:2004-11-11
Randallstown, MD

therube to Steve

Member

to Steve
Time lapse version, Pretty Pictures.

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert to Steve

Mod

to Steve
Thanks. Excellent description.

I'm wondering how much additional load would be placed on the root servers if a caching server, on receiving a delegation in a response, followed up with a TCP query repeating the same request.
Fredra
Undesirable Alien
join:2000-04-08
Nepean, ON

Fredra to Steve

Member

to Steve
Thanks Steve
Your efforts are appreciated.
Cheers

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

bcastner to Steve

MVM

to Steve
Steve,

Awesome.

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay to Steve

MVM

to Steve
Wow! That's a lot of good work. I haven't fully gotten into it and am far from being computer savvy, but even I hope to gain something from it. Thanks, Steve. You've been an immense help here and elsewhere for years and continue to be so.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to Steve

Premium Member

to Steve
I've learned a lot from you over the time I've been here. Thanks.

I also enjoy your clean and simple web design.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to nwrickert

to nwrickert
said by nwrickert:

I'm wondering how much additional load would be placed on the root servers if a caching server, on receiving a delegation in a response, followed up with a TCP query repeating the same request.
I'm sure you mean a TCP query to the referring server, not the root server: this is meant only to double-check that the referral came from where we thought it did, and the root servers won't know once it descends down past .net or .com or whatever.

One of the things that surprised me when I was writing this paper is that DNS packets also contain options at the end - I had never seen this before, and it smells like there are perhaps avenues for including some kind of extended transaction ID for at least the root and GTLD servers.

Haven't looked into it enough to really know...

Steve

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

I'm sure you mean a TCP query to the referring server, not the root server:
Yes. Sorry if that wasn't clear.

Most domain authoritative servers handle a pretty small query load, so would not notice the effect. But the root servers and ".NET" and ".COM" servers would have to handle a lot of tcp repeat queries.

I browsed through Mark Andrews' 6 minute guide to DNSSEC, and my suspicion is that it won't happen any time soon. But using tcp verification of delegations could be implemented relatively easily, and could substantially reduce the risk.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

1 edit

Steve

said by nwrickert:

But using tcp verification of delegations could be implemented relatively easily, and could substantially reduce the risk.
Let us know when your BIND patches are ready, ok?

Or do you only work in one security cesspool, that being enough?

Steve
daveinpoway
Premium Member
join:2006-07-03
Poway, CA

daveinpoway

Premium Member

Some additional info: »www.nytimes.com/2008/08/ ··· .html?hp

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

said by daveinpoway:

Some additional info: »www.nytimes.com/2008/08/ ··· .html?hp
That article poses the idea that DNSSEC will be a long term solution. But 1 DNS researcher denies that DNSSEC is a solution.

Info on DNSSEC:
»en.wikipedia.org/wiki/DNSSEC
»www.dnssec.net/

Criticisms of DNSSEC:
»cr.yp.to/djbdns/forgery.html
ghost16825
Use security metrics
Premium Member
join:2003-08-26

1 recommendation

ghost16825

Premium Member

said by FFH5:

Criticisms of DNSSEC:
»cr.yp.to/djbdns/forgery.html
The links on this page are a better summary:
»www.matasano.com/log/cas ··· -dnssec/

I'm yet to be convinced implementing DNSSEC is worth the hoops that one must jump through.

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

EUS to Steve

Premium Member

to Steve
Great article, even I can understand it.
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy to Steve

MVM

to Steve
Nice job.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve

I was interviewed about this DNS mess on the Mind Of Root podcast, and even though I don't care for the sound of my own voice, it turns out that I did a tolerably good aural presentation of this DNS issue. For some pictures work best, for others sounds.

»www.mindofroot.com/2008/ ··· ns-mess/

Steve

Millenniumle
join:2007-11-11
Fredonia, NY

Millenniumle to Steve

Member

to Steve
Wouldn't the multiple random subdomain query attack still leave a patched name server vulnerable, even with 134 million random combinations? It might require more than the 10 seconds it's reported to crack a sequential ID, but poisoning .com for a name server like OpenDNS seems a worthy adventure.

It's more math than I can do, but wouldn't it be only a matter of days or weeks before a hit is virtually assured, assuming Mr. bad guy is sending massive queries per second? I suppose it might send up a red flag coming from a single IP, but what if distributed? Perhaps a new mission for zombie networks.
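
The arithmetic asked about above, as an added example that is not part of any post in this thread: it estimates how many random-subdomain races pass, and how many mismatched replies a resolver discards, before a forged reply is likely to be accepted. It assumes the "134 million" figure is 2**27 (16-bit query ID times about 2**11 source ports); the reply rate and race window are constructed values.

```python
import math

# Assumption: the post's "134 million" is 2**27, a 16-bit query ID combined
# with roughly 2**11 randomized source ports on a patched resolver.
PATCHED_SPACE = 2 ** 27
UNPATCHED_SPACE = 2 ** 16  # query ID only, predictable source port


def per_race_success(forged_per_race, space):
    """Chance that one race is lost by the resolver: the forged replies that
    arrive before the genuine answer are distinct guesses out of `space`."""
    return min(1.0, forged_per_race / space)


def races_for(target, forged_per_race, space):
    """Independent races (one per random subdomain) until the cumulative
    probability of a forged reply being accepted reaches `target`."""
    p = per_race_success(forged_per_race, space)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def exposure(target, forged_per_race, race_window_s, space):
    """Return (races, hours, mismatched replies the resolver dropped).
    The last figure is the noise a monitor can alert on long before a hit."""
    races = races_for(target, forged_per_race, space)
    return races, races * race_window_s / 3600.0, races * forged_per_race


if __name__ == "__main__":
    # Constructed scenario: 1000 forged replies land in each 0.1 s window.
    for label, space in (("unpatched", UNPATCHED_SPACE), ("patched", PATCHED_SPACE)):
        for target in (0.5, 0.99):
            races, hours, dropped = exposure(target, 1000, 0.1, space)
            print(f"{label:9s} P={target:.2f} races={races:7d} "
                  f"hours={hours:8.3f} dropped_replies={dropped}")
```

Under these assumed rates the patched resolver discards tens of millions of replies carrying the wrong ID or port before a hit becomes likely, so a counter on mismatched replies serves as the "red flag" regardless of how many source addresses the traffic appears to come from.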

Khaine
join:2003-03-03
Australia

Khaine to Millenniumle

Member

to Millenniumle

Re: An Illustrated Guide to the Kaminsky DNS Vuln

Thanks Steve

That article was most informative, and really easy to understand.