Steve (join: 2001-03-10, Tustin, CA):

An Illustrated Guide to the Kaminsky DNS Vuln

Hello all,

The security world has been abuzz with Dan's finding, and yesterday he gave his talk at Black Hat (no, I didn't go). It's really an extraordinary finding, though I can't help but note how "obvious" it is.

I've been working for weeks on a paper that describes this in great detail, and it's designed for the computer-savvy person who nevertheless may not really know how DNS works: lots of diagrams to make the point and guide an understanding.

Unixwiz.net Tech Tip: An Illustrated Guide to the Kaminsky DNS Vulnerability

My eyes are falling out of my head from all this time in front of Adobe Illustrator, and though it's had a few other eyes go over it, there may still be issues. Please report bugs/typos/errors to me via IM and I'll fix it forthwith.

I hope this is helpful.

Steve

Cudni (MVM, join: 2003-12-20, Someshire), 2008-Aug-8 4:05 am:

said by Steve:
    it's designed for the computer-savvy person who nevertheless may not really know how DNS works: lots of diagrams to make the point and guide an understanding.

You wrote all that... for me?

As most of your work to date, it is good and informative. Thank you.

Cudni

Smokey Bear (Premium Member, join: 2008-03-15, Annie's Pub):

said by Cudni:
    As most of your work to date, it is good and informative. Thank you.

Please include me in your "thank you Steve".

Smokey Bear, to Steve:

said by Steve:
    I hope this is helpful.

IMO it IS helpful; that is the reason I blogged your paper: » smokeys.wordpress.com/20 ··· ability/

jabarnut (Premium Member, join: 2005-01-22, Galaxy M31), to Steve:

Thanks Steve... yes, it's helpful. Some great stuff!

therube (join: 2004-11-11, Randallstown, MD), to Steve:

Time lapse version, Pretty Pictures.

nwrickert, to Steve:

Thanks. Excellent description.

I'm wondering how much additional load would be placed on the root servers if a caching server, on receiving a delegation in a response, followed up with a TCP query repeating the same request.

Fredra (join: 2000-04-08, Nepean, ON), to Steve:

Thanks Steve. Your efforts are appreciated. Cheers.

bcastner (MVM, join: 2002-09-25, Chevy Chase, MD), to Steve:

Steve,

Awesome.

to Steve:

Wow! That's a lot of good work. I haven't fully gotten into it and am far from being computer savvy, but even I hope to gain something from it. Thanks, Steve. You've been an immense help here and elsewhere for years and continue to be so.

sivran (Premium Member, join: 2003-09-15, Irving, TX), to Steve:

I've learned a lot from you over the time I've been here. Thanks.

I also enjoy your clean and simple web design.

Steve (join: 2001-03-10, Tustin, CA), to nwrickert:

said by nwrickert:
    I'm wondering how much additional load would be placed on the root servers if a caching server, on receiving a delegation in a response, followed up with a TCP query repeating the same request.

I'm sure you mean a TCP query to the referring server, not the root server: this is meant only to double-check that the referral came from where we thought it did, and the root servers won't know once it descends down past .net or .com or whatever.

One of the things that surprised me when I was writing this paper is that DNS packets also contain options at the end. I had never seen this before, and it smells like there are perhaps avenues for including some kind of extended transaction ID for at least the root and GTLD servers. Haven't looked into it enough to really know...

Steve

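The "options at the end" Steve mentions are the EDNS0 OPT pseudo-record (RFC 2671), carried in the additional section with its fields overloaded into the CLASS and TTL slots. The parser below is an added example, not code from Steve's paper or from this thread: it builds one constructed DNS response (a single A record for example.com plus an OPT record) and walks the header, question and resource records, decoding the OPT fields so the 16-bit transaction ID and the EDNS fields can be seen side by side. The sample bytes, the function names and the 192.0.2.1 address are all constructed for the example.

```python
"""Minimal DNS message parser that also decodes the EDNS0 OPT pseudo-record
found in the additional section. Added example; sample packet is constructed."""
import struct


def build_sample_response() -> bytes:
    """Constructed sample: answer to 'example.com A' with one A record and an
    EDNS0 OPT record advertising a 4096-byte UDP payload with the DO bit set."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # ID, flags, QD, AN, NS, AR
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                    # compression pointer to offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)           # A, IN, TTL 300, RDLENGTH 4
              + bytes([192, 0, 2, 1]))                       # TEST-NET-1 address (constructed)
    opt = (b"\x00"                                           # root name, as OPT requires
           + struct.pack("!HH", 41, 4096)                    # TYPE OPT, CLASS = UDP payload size
           + struct.pack("!I", 0x00008000)                   # ext-rcode 0, version 0, DO flag
           + struct.pack("!H", 0))                           # RDLENGTH 0 (no options)
    return header + question + answer + opt


def read_name(msg: bytes, off: int):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                            # two-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                                # name ends after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) or ".", end


def parse_rr(msg: bytes, off: int):
    """Parse one resource record; decode A rdata and EDNS0 OPT fields."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    off += rdlen
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
    if rtype == 1 and rdlen == 4:
        rr["address"] = ".".join(str(b) for b in rdata)
    if rtype == 41:  # OPT: CLASS carries payload size, TTL carries rcode/version/flags
        rr["edns"] = {
            "udp_payload_size": rclass,
            "ext_rcode": ttl >> 24,
            "version": (ttl >> 16) & 0xFF,
            "do": bool(ttl & 0x8000),
        }
    return rr, off


def parse_message(msg: bytes) -> dict:
    """Parse a whole DNS message into header fields, questions and sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"id": ident, "flags": flags, "questions": questions, **sections}


if __name__ == "__main__":
    parsed = parse_message(build_sample_response())
    print("transaction id: 0x%04x" % parsed["id"])
    print("answer:", parsed["answer"][0]["address"])
    print("edns:", parsed["additional"][0]["edns"])
```

The point of laying the two out together is that the transaction ID is still only the 16-bit header field; the OPT record adds capability signalling (payload size, DNSSEC OK bit) but no extra per-query entropy by itself, which is why Steve's "haven't looked into it enough" is the right caveat.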
nwrickert:

said by Steve:
    I'm sure you mean a TCP query to the referring server, not the root server:

Yes. Sorry if that wasn't clear.

Most domain authoritative servers handle a pretty small query load, so would not notice the effect. But the root servers and ".NET" and ".COM" servers would have to handle a lot of TCP repeat queries.

I browsed through Mark Andrews' 6-minute guide to DNSSEC, and my suspicion is that it won't happen any time soon. But using TCP verification of delegations could be implemented relatively easily, and could substantially reduce the risk.

Steve (join: 2001-03-10, Tustin, CA), 1 edit:

said by nwrickert:
    But using TCP verification of delegations could be implemented relatively easily, and could substantially reduce the risk.

Let us know when your BIND patches are ready, OK? Or do you only work in one security cesspool, that being enough?

Steve

FFH5 (Premium Member, join: 2002-03-03, Tavistock NJ), 2008-Aug-9 7:30 am:

That article poses the idea that DNSSEC will be a long-term solution. But one DNS researcher denies that DNSSEC is a solution.

Info on DNSSEC:
» en.wikipedia.org/wiki/DNSSEC
» www.dnssec.net/

Criticisms of DNSSEC:
» cr.yp.to/djbdns/forgery.html

ghost16825 (Premium Member, join: 2003-08-26):

The links on this page are a better summary: » www.matasano.com/log/cas ··· -dnssec/

I'm yet to be convinced implementing DNSSEC is worth the hoops that one must jump through.

EUS (Premium Member, join: 2002-09-10, canada), 2008-Aug-9 1:37 pm, to Steve:

Great article, even I can understand it.

TheWiseGuy (MVM, join: 2002-07-04, East Stroudsburg, PA), to Steve:

Nice job.

Steve (join: 2001-03-10, Tustin, CA), 2008-Aug-25 12:53 am:

I was interviewed about this DNS mess on the Mind Of Root podcast, and even though I don't care for the sound of my own voice, it turns out that I did a tolerably good aural presentation of this DNS issue. For some, pictures work best; for others, sounds.

» www.mindofroot.com/2008/ ··· ns-mess/

Steve

to Steve:

Wouldn't the multiple random subdomain query attack still leave a patched name server vulnerable, even with 134 million random combinations? It might require more than the 10 seconds it's reported to crack a sequential ID, but poisoning .com for a name server like OpenDNS seems a worthy adventure.

It's more math than I can do, but wouldn't it be only a matter of days or weeks before a hit is virtually assured, assuming Mr. bad guy is sending massive queries per second? I suppose it might send up a red flag coming from a single IP, but what if distributed? Perhaps a new mission for zombie networks.

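The "red flag" the poster mentions is something a resolver operator can actually look for: the technique Steve's paper describes needs the resolver to issue a stream of lookups for many distinct, never-before-seen labels under one zone, driven by one client, in a short window. The script below is an added example, not from Steve's paper or anyone in this thread. It runs that check over a handful of constructed, BIND-style query-log lines (the log format, the client addresses, the ten-second window and the threshold of twenty distinct labels are all assumptions for the example) and returns one alert per client/zone pair that crosses the threshold, which is the kind of signal a single-IP source would trip on a resolver such as the one the poster describes.

```python
"""Flag clients that query many distinct labels under one zone in a short window.
Added example with constructed log lines; the format mimics BIND's query log."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed BIND-like line: "08-Aug-2008 12:00:00.000 client 192.0.2.10#5353: query: x.example.com IN A + (198.51.100.1)"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line: str):
    """Return (timestamp, client, lowercase qname) or None for unrecognised lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["client"], m["qname"].lower().rstrip(".")


def zone_of(qname: str, depth: int = 2) -> str:
    """Crude zone cut: the last `depth` labels (a public-suffix list would be better)."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname


def find_query_bursts(lines, window_seconds: int = 10, threshold: int = 20):
    """Return alerts for (client, zone) pairs with >= threshold distinct labels
    queried inside any sliding window of window_seconds."""
    state = defaultdict(deque)      # (client, zone) -> deque of (ts, label)
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        zone = zone_of(qname)
        label = qname[: -len(zone) - 1] if qname != zone else ""
        if not label:
            continue                # a query for the zone apex itself is not a subdomain
        key = (client, zone)
        window = state[key]
        window.append((ts, label))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()        # drop observations that fell out of the window
        distinct = {lbl for _, lbl in window}
        if len(distinct) >= threshold and key not in alerted:
            alerts.append({"client": client, "zone": zone,
                           "distinct_labels": len(distinct), "at": ts})
            alerted.add(key)        # one alert per pair; real tooling would re-arm
    return alerts


def sample_log_lines():
    """Constructed log lines: one client hammering example.com with 25 random-looking
    labels in about five seconds, and one client doing ordinary lookups."""
    base = datetime(2008, 8, 8, 12, 0, 0)
    fmt = lambda t: t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
    lines = []
    for i in range(25):
        ts = base + timedelta(milliseconds=200 * i)
        label = hashlib.sha256(str(i).encode()).hexdigest()[:8]   # deterministic "random" label
        lines.append(f"{fmt(ts)} client 192.0.2.10#5353: query: {label}.example.com IN A + (198.51.100.1)")
    for i, name in enumerate(["www.example.net", "mail.example.net", "www.example.net"]):
        ts = base + timedelta(seconds=i)
        lines.append(f"{fmt(ts)} client 192.0.2.20#40123: query: {name} IN A + (198.51.100.1)")
    return lines


if __name__ == "__main__":
    for alert in find_query_bursts(sample_log_lines()):
        print(f"{alert['at']} {alert['client']} -> {alert['zone']}: "
              f"{alert['distinct_labels']} distinct labels in window")
```

A distributed source spreads the same activity across many client addresses, so the per-client count alone will not catch it; the same window logic keyed on the zone only (all clients together) is the natural second view, at the cost of more noise from busy zones.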
Khaine (join: 2003-03-03, Australia), to Millenniumle:

Re: An Illustrated Guide to the Kaminsky DNS Vuln

Thanks Steve. That article was most informative, and really easy to understand.