Weekly Edition
Return to the Security page
| |||||||||||||
Details of the DNS flaw revealedDan Kaminsky spoke to a packed house at Black Hat on 6 August to outline the fundamental flaw he found in the Domain Name System (DNS). Contrary to his hopes, though, the flaw was discovered and publicized before his presentation. The vulnerability is interesting in its own right, but the implications of what can be done with it are staggering. In addition, the "fix" has well understood shortcomings that can still potentially be exploited to poison DNS caches. We reported on the vulnerability in early July, including Kaminsky's request that security folks not publicly speculate about the flaw. As one might guess, that request was largely ignored. When security researcher Halvar Flake published his speculation, another researcher, who was known to have the details of the flaw, publicly confirmed it, but just as quickly removed the confirmation. While it sounds a bit like a security community soap opera, it was fairly clearly caused by the attempt to contain the vulnerability information. An important part of DNS is the ability to delegate to another nameserver. When looking up example.net, first one of the root nameservers is consulted; it does not know the answer so it delegates to one of the nameservers that handles .net addresses. The delegation response includes the names of the servers being delegated to, but also helpfully includes the IP address of those servers as well. It is this helpful addition, which is meant to reduce DNS traffic, that can be exploited. The key to DNS cache poisoning is that the first good answer wins. If an attacker can send a packet with all of the proper information, but with his own IP address substituted for the correct one, and that packet reaches the querying server first, the attacker wins. In order for that to happen, the attacker needs to arrange or know that the victim will be making a particular query as well as be able to create a response that will be considered "good". Each DNS query has a 16-bit transaction ID; early implementations just had an incrementing counter, but since that time random transaction IDs have been used. In order for a DNS response to be accepted, it must have the same transaction ID as the request. Just over a year ago, we wrote about a cache poisoning vulnerability in BIND that was caused by a predictable random number generator. When an attacker can narrow down the possible values for transaction IDs, it reduces the number of responses they must generate commensurately. Absent any method to predict transaction IDs, an attacker must send 32K responses on average before the correct response arrives—which is difficult, at best, to do. If the attacker can cause the victim to make multiple requests, though, they can increase their chances. Because DNS servers cache the results of their queries, repeated requests for the same host information will not generate additional lookups. Kaminsky observed that if you make the victim request information about multiple, probably non-existent names in a domain, it will have to make a request to the nameserver responsible for that domain multiple times. If the victim queries for foo1.example.net, foo2.example.net, etc., it will use a different, random transaction ID for each request. The attacker can flood the victim with packets purporting to delegate the request to another server, ns.example.net say, but include an IP address under its control as the IP for that server. The net result is that if one of the attacker's responses gets accepted, because it finally guessed the right transaction ID, the victim's nameserver cache has been poisoned. The attacker can control all lookups in the entire example.net domain because it has substituted its own server as the nameserver for that domain. Because of the birthday paradox, the attacker does not need to generate anywhere near 32K responses to have a high probability of having one with a correct transaction ID. In his testing, Kaminsky found that he could poison a cache like this in less than 10 seconds. This technique works all the way up the hierarchy of DNS servers, potentially allowing top-level-domain or root nameservers to be poisoned. It is clearly a very serious flaw that can be exploited in a huge number of ways. Kaminsky's Black Hat slides [Powerpoint format, but viewable in OpenOffice], detail many different implications and are well worth a read. Also, for an excellent description of how DNS works as well as more details on the flaw Kaminsky found, see Steve Friedl's illustrated guide. The "fix" that was rolled out in a coordinated fashion by many different vendors is to randomize the source UDP port for each query. This is a technique that was implemented years ago in Daniel Bernstein's djbdns and has been recommended by various cache poisoning researchers (notably Amit Klein) for some time. By doing this, an attacker must also guess the proper UDP port to send the response to, which can provide up to an additional 16 bits of randomness to the query. In the best case, where all possible UDP source ports are used, that increases the number of possible responses from 64K to over 4 billion. That seems like it would take the attack out of the realm of possibility, but that clearly isn't the case. Kaminsky and the vendors all knew that adding source port randomization only made it harder—not impossible. Linux kernel hacker Evgeniy Polyakov has done some experiments with the patched version of BIND on a gigabit ethernet LAN, finding that he could poison a cache in under ten hours. As he points out: "So, if you have a GigE lan, any trojaned machine can poison your DNS during one night." Other solutions are actively being sought, but it is a difficult problem because backward compatibility with countless DNS installations needs to be maintained. As always when a DNS problem is publicized, DNSSEC is touted as the solution. There are numerous technical and political problems that have stood in the way of DNSSEC adoption; those seem unlikely to just disappear. This DNS flaw is serious, but there are plenty of serious internet security issues as Kaminsky points out in his blog:
Even if we go from 32 bits of entropy to 128 bits — even if we deploy
DNSSec — we're still going to deliver email insecurely. We're still
going to have an almost entirely unauthenticated web. We're still going to
ignore SSL certificate errors, and we're still going to have application
after application that can't autoupdate securely.
That, at the end of the day, is a far larger problem than this particular DNS issue. While there may be bigger problems in our internet infrastructure, there are few things that are as pervasive as DNS. Kaminsky points out a number of non-obvious places where it is used—and could be abused—such as mailer lookups of HELO strings to try and decide whether to accept email or web servers doing reverse lookups for logfile messages. It is a little surprising that something so integral had such an obvious, in retrospect, flaw in its design that went undetected for around 25 years. It makes one wonder what else is lurking out there. (Log in to post comments)
Details of the DNS flaw revealed Posted Aug 13, 2008 17:45 UTC (Wed) by kh (subscriber, #19413) [Link] The other problem with DNSSEC is that it does not get you anything today - a first correct answer sent as a plain DNS response will still cause the DNS server to ignore subsequent responses. It seems like there should be some way to block responses from a client after a given number of incorrect UDP port injection attempts - at least then an attacker would have to distribute his attack across many different attacking computers instead of sending millions of unsolicited responses from a single computer.
Details of the DNS flaw revealed Posted Aug 13, 2008 18:29 UTC (Wed) by njs (guest, #40338) [Link] That doesn't help, because there's no way to securely work out the sender of a UDP packet. The attacker just has to forge the source address on their UDP packets -- and if they forge it to be the *real* DNS server, then they might even trick you into blacklisting the real server.
Details of the DNS flaw revealed Posted Aug 13, 2008 19:02 UTC (Wed) by drag (subscriber, #31333) [Link] The only thing that I could see working is to 'establish a tree of trust' going from 'trunk' root dns servers to 'branches' to the 'leaves'. Each DNS server would have to register with the ones it communicates with and uses something like TLS or PGP signing to communicate with one another so that the identify of the sender is confirmed by the signature data contained in a packet (once you get a signature then you wouldn't have to sign each packet, just as long as the data can be compiled and have it's final checksum confirmed then that's fine). Then when a person requests a DNS address the message will have to transverse up the tree to the nearest DNS system (or 'common link') in the chain of trust and then back down (this would probably require a separate routing protocol, or tying into existing protocols, for finding these paths). The DNS server would have to establish it's identity with it's neighbors when it's first brought up, and that's were the next window of vulnerability will be. That's a lot of overhead, though.
Details of the DNS flaw revealed Posted Aug 13, 2008 19:34 UTC (Wed) by rfunk (subscriber, #4054) [Link] That sounds a lot like my understanding of what DNSSEC is, or wants to be. But it doesn't work if you don't have that whole chain of trust going all the way to the root.
Details of the DNS flaw revealed Posted Aug 13, 2008 21:29 UTC (Wed) by hmh (subscriber, #3838) [Link] Read up on DNSSEC and look-aside validation. ISC and friends have worked around the politic crap about signing the root. It is some other pesky details that are causing issues for DNSSEC deployment. And server/network performance IS one of them.
Details of the DNS flaw revealed Posted Aug 15, 2008 12:00 UTC (Fri) by tialaramex (subscriber, #21167) [Link] The manual steps in DNSSEC deployment mean that even if by some miracle tomorrow the root servers offered a signed zone and began accepting requests to sign KSKs from the TLDs, it would be years before the majority of public domains were secured, so the increase in resources required would be gradual, rather than overnight. The root server operators seem to have made it plain that for /them/ at least the performance is not a problem. Several ccTLDs have deployed as islands, so they obviously don't think performance is a problem. There is the enumeration problem, but again that doesn't affect the root because its contents are public. Some ccTLDs have said that they don't believe this is a problem for them either, because local regulations mean the list of domains and registrants is public anyway. And even for some of the domains where enumeration isn't acceptable, there are solutions to deploy today if the will existed, and better solutions on the horizon.
Details of the DNS flaw revealed Posted Aug 13, 2008 21:14 UTC (Wed) by tialaramex (subscriber, #21167) [Link] DNSSEC does get you something today because an answer is not "correct" if it is unsigned, or the signature is invalid, and you were expecting a signed response. If your resolver can determine a chain of trust from an anchor (ideally the root servers, but today it might be the Swedish ccTLD registry) down the DNS hierarchy to the requested address, then it can (and if configured to do so) will authenticate the response. At the anchor you use a locally configured key to verify the signed information about the next level, and if that information contains a public key, you can use that to verify the next lot of signed information, and so on until you've reached the point in the hierarchy you were interested in, or you don't get a key and fall back to unauthenticated DNS. If you install the Swedish TLD's DNSSEC public key and configure your resolver and/or recursive server to use it, then you will have working DNSSEC today, for however many 2LDs there are in their registry which have decided to use DNSSEC, and for any of their 3LDs and so on as appropriate. Once you have set this up, any queries for these addresses will either give you the authentic answer, or fail in some way (e.g. because the owner forgot to update their key and doesn't have a system which handles it automatically), spoofing becomes impossible.
Details of the DNS flaw revealed Posted Aug 13, 2008 21:21 UTC (Wed) by kh (subscriber, #19413) [Link] No, even if you do all of those things, (at least with ISC BIND), you are still vulnerable to an unsigned spoofed response that gets there before the signed response (which would then be ignored.)
Details of the DNS flaw revealed Posted Aug 14, 2008 12:15 UTC (Thu) by lysse (guest, #3190) [Link] > No, even if you do all of those things, (at least with ISC BIND) Well...
Details of the DNS flaw revealed Posted Aug 14, 2008 22:00 UTC (Thu) by tialaramex (subscriber, #21167) [Link] I don't understand your scenario. Can you flesh it out a bit? It seems to me that I would expect SERVFAIL in this type of scenario (spoofing is successful, the answer should be signed, but the spoofed answer isn't signed). What happens exactly, there's ISC BIND running somewhere, as a recursive server for the client resolver ? What if anything in your scenario is actually configured as DNSSEC secured and has a good trust anchor? What is it requesting? What does it receive? Or maybe you have a link to a bug report which explains all this? There are extensive test zones available, so you don't need to rely on hypotheticals, every combination people could think of exists (in these test zones, and no doubt soon on the public Internet due to ordinary incompetence). If your scenario requires a CNAME which is unsigned but which points to a signed A record from the same zone, there's a test for that. How about a correctly signed CNAME, plus an A record signed with an expired key and a TXT record which is correctly signed but by a key which is not yet valid (DNSSEC pre-issues keys)? We can do that. Nothing needs to be spoofed, because the test zones contain everything a spoofer might want to send (and plenty of things no-one ever has any reason to send but which might conceivably exist anyway)
Details of the DNS flaw revealed Posted Aug 13, 2008 18:16 UTC (Wed) by smoogen (subscriber, #97) [Link] Could someone explain why djbdns is not vulnerable to this attack (or I have been told the entire scenario). What does djbdns do so that "The key to DNS cache poisoning is that the first good answer wins."
Details of the DNS flaw revealed Posted Aug 13, 2008 18:25 UTC (Wed) by jake (editor, #205) [Link] djbdns has always had source port randomization which is the technique used to alleviate the current problem. Few other DNS implementations used source port randomization, but those that did were also not vulnerable to this attack. Or perhaps not *as* vulnerable is a better way to put it. After the big patch last month, all of the major DNS implementations have roughly the same level of vulnerability to this attack. jake
Details of the DNS flaw revealed Posted Aug 13, 2008 18:31 UTC (Wed) by njs (guest, #40338) [Link] djbdns doesn't do anything magic, and the first good answer still wins; it's just that the patch everyone else had to apply -- to enable source port randomization, which makes it harder for an attacker to provide a "good answer" -- was already built-in to djbdns. Now that everyone's had to patch, djbdns is just as resistant (or not, see the end of the article) as everyone else.
Some stupid ideas Posted Aug 13, 2008 18:53 UTC (Wed) by rvfh (subscriber, #31018) [Link] An improvement would be to not accept the first answer, and wait a bit to make sure only one matching answer is received. If more than one, try again! Also, if the bad guy is sending loads of wrong answers, this seems easy-ish to guess that we are under attack. Although I don't know what to do with that information...
Some stupid ideas Posted Aug 13, 2008 19:13 UTC (Wed) by drag (subscriber, #31333) [Link] > Although I don't know what to do with that information... Block him with firewall rules, would be my guess, or build it into the DNS server to deny them. Similar to setting up rules to block people that attempt to brute force a ssh password or whatnot. Of course that would lead to interested DOS possiblities. Like having some goofy webpage or emailing somebody with a html email that have images that link to thousands of non-existent servers with fake dns names.
Some stupid ideas Posted Aug 13, 2008 20:46 UTC (Wed) by darwish07 (subscriber, #49520) [Link] The packets does not have to be with the same IP source address and UDP port. This is UDP, The attacker source IP address can be changed when every new packet is sent without affecting the end result.
Some stupid ideas Posted Aug 14, 2008 6:02 UTC (Thu) by rvfh (subscriber, #31018) [Link] Yeah, the last thing we want is to turn a defensive measure into a DoS vulnerability :-)
DNS hacking: Blacklisting source IP address Posted Aug 15, 2008 20:42 UTC (Fri) by giraffedata (subscriber, #1954) [Link] This is UDP, The attacker source IP address can be changed when every new packet is sent without affecting the end result. The source IP address is not UDP; it's basic IP. The attacker can't simply choose the source IP address because whoever routes his IP packet into the Internet will not accept it if its source IP address is someone else's (and the attacker isn't trusted as a router for that someone). You have to pull off a pretty high level hack of the Internet before you can spoof a source IP address.
DNS hacking: Blacklisting source IP address Posted Aug 16, 2008 8:21 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link] actually, there are large chunks of the Internet that do not check the source IP when routing the packets. and once you get a hop or so from the source (real or forged) this is nessasary becouse the routers could be dealing with packets from just about anywhere. in theory every company/personal router and every ISP border router (both to the customers and to other ISPs) has such filters. in practice relativly few of them do. this is even true of the major international peering points. every year or so you hear of a country that got knocked off the Internet due to mistakes that someone makes with BGP routing configuration. these useually get detected and fixed within a short time and so don't make the news, but every once in a while the outage lasts long enough to get attention. I've been at the recieving end of enough forged attacks to know that it's definantly possible. although I'll admit that with botnets getting as large as they are, forged packets are not used as much as they used to be.
DNS hacking: Blacklisting source IP address Posted Aug 23, 2008 12:06 UTC (Sat) by darwish07 (subscriber, #49520) [Link]
Yes, I agree. but what I meant is that UDP puts less restrictions on the sender IP address.
IP forging can happen more easily with UDP since no handshake or any kind of replies are needed. Only the forged packet is enough.
Some stupid ideas Posted Aug 13, 2008 23:46 UTC (Wed) by njs (guest, #40338) [Link] You don't even have to wait -- you know something funny is going on from the very first bogus packet you receive (since the attacker has to send thousands of bogus packets before one of them will chance to be valid). That still doesn't tell you what to do, though. Besides page the sysadmin, I mean, which isn't going to be very effective on a consumer router. I guess one of the pieces of information you can extract from the bogus packet is what cache entry the attacker is trying to poison, and then treat that entry more carefully -- e.g., you could put a flag on that entry, and when you receive an apparently valid value, if the flag is set then you clear the flag but *don't* cache the value you received; this would mean that an attacker had to spoof you on two transactions in a row without sending any bogus packets in between in order to successfully poison your cache. You can tune how many bogus packets are required to set the flag and how many valid responses are required to clear the flag to trade-off between safety and joe-job potential, but really if someone is flooding you with thousands of UDP packets then running even dozens of extra queries is not going to be your performance bottleneck.
Some stupid ideas Posted Aug 14, 2008 10:08 UTC (Thu) by NAR (subscriber, #1313) [Link] I think this is a good idea. RFC 1035 states that "TTL is a 32 bit signed integer that specifies the time interval that the resource record may be cached", so this actually would not break the DNS specification.
Some stupid ideas Posted Aug 14, 2008 10:51 UTC (Thu) by rvfh (subscriber, #31018) [Link] In this case, one could ask for each value (or only the ones under attack) twice: - ask value, return to requester with short TTL (a few seconds) - wait a bit - ask value again, if matches use given TTL (or limit it to a few hours) Anyway, it seems the solution is in the repetition, to decrease the probability of success of the attack.
Details of the DNS flaw revealed Posted Aug 21, 2008 8:13 UTC (Thu) by forthy (guest, #1525) [Link] We need to accept that the whole TCP/IP frame was designed for a cooperative environment, not a hostile one. Forging IP source addresses is already something a secure network should not allow, and in fact it should be not difficult to implement IP filters in routers that drop all forged IP sources (i.e. those that can't come from that segment). The lack of authentication everywhere is another problem. All the security stuff like signed mails, DNSSEC, etc. is worthless if unsigned data is still accepted as good. IMHO, the internet protocols need to be redesigned from scratch. But then, there will be serious transition problems - IPv6 already causes those, even though much of the protocols are unchanged, and thus also their problems are not fixed. For the transition period, we'll need protocol translators. However, these translators are causing security problems, as well, because the problems in the old protocols aren't fixable. The good thing is that you can phase out the old protocols over time, and put pressure on sensitive services to migrate first (the last IPv4 devices in such a network will probably be the printers on the LAN, because they don't cause much security problems).
Details of the DNS flaw revealed Posted Aug 21, 2008 23:23 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link] the concept of what IP addresses "can't come from that segment" falls apart when you get into the core of the Internet where dynamic routing (via BGP) is used. the dynamic routing is designed so that it can send anyone's traffic anywhere if that's the best way for it to get there.
Details of the DNS flaw revealed Posted Aug 22, 2008 9:07 UTC (Fri) by paulj (subscriber, #341) [Link] That's a deficiency in BGP though, or at least a mark of it being designed in days when the internet was a smaller place. It's something which people are trying to address in various ways.
The birthday paradox doesn't apply Posted Aug 21, 2008 14:43 UTC (Thu) by mejd (subscriber, #42290) [Link] What is true is that each sub-domain can be attacked independently, and each must fail for the overall attack to fail. On an unpatched server an n-pronged attack will fail with probability (65535/65536)**n --- n still has to be very large. The birthday paradox refers to collisions of transaction ids amongst whole groups of requests and answers where any answer could apply to any request.
|
|||||||||||||