IOActive's Kaminsky Warns: DNS Danger Still Exists

IOActive security researcher Dan Kaminsky offered his much-anticipated speech on the DNS vulnerability at the Black Hat conference on Wednesday. His message: Patching your systems is urgent because the risk of cache poisoning is great.

Kaminsky discovered the bug in early July. The attack code was released several weeks later by developers of the Metasploit hacking toolkit, headed by the infamous HD Moore.

By exploiting this vulnerability, an attacker can redirect an ISP's users to a malicious phishing server every time they try to visit a legitimate Web site. The patches released by the various vendors should protect against the threat. Security vendors continue to rush to market with DNS vulnerability patches, checks, protection and other tools. But not everyone is protected yet.

Kaminsky's Convincing Speech

The threat emerges from two different issues with the DNS protocol. DNS primarily uses UDP packets to send questions and receive answers.

The client will accept any packet as an answer to its question on three conditions: the packet comes from the DNS server's IP address, the source and destination ports match the destination and source ports of the question packet and, most importantly, the transaction ID and question match its question. Spoofing an answer packet that satisfies those conditions, combined with the additional information, makes exploitation easier.
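To make the acceptance conditions above concrete from the defender's side, here is an added example (not code from the article, Kaminsky, or any resolver project) that models a resolver's answer-matching check and compares how many spoofed guesses an off-path forger would need on average with and without source-port randomization. The `DnsQuery` and `DnsAnswer` types, the sample values, and the assumption that a patched resolver draws its source port from the whole unprivileged range (1024-65535) are constructed for illustration; real resolvers parse these fields from UDP headers and the DNS wire format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    """What the resolver remembers about an outstanding question (constructed model)."""
    server_ip: str   # authoritative/upstream server the question was sent to
    src_port: int    # resolver's own UDP source port
    dst_port: int    # normally 53
    txid: int        # 16-bit transaction ID
    qname: str
    qtype: str


@dataclass(frozen=True)
class DnsAnswer:
    """Fields a resolver sees on an incoming UDP packet that claims to be an answer."""
    src_ip: str
    src_port: int
    dst_port: int
    txid: int
    qname: str
    qtype: str


def answer_matches(query: DnsQuery, answer: DnsAnswer) -> bool:
    """The three conditions from the text: right server, mirrored ports, and
    matching transaction ID plus question section. All of them must hold."""
    return (
        answer.src_ip == query.server_ip
        and answer.src_port == query.dst_port       # came from port 53
        and answer.dst_port == query.src_port       # aimed at our source port
        and answer.txid == query.txid
        and answer.qname.lower().rstrip(".") == query.qname.lower().rstrip(".")
        and answer.qtype == query.qtype
    )


def guess_space(randomize_source_port: bool) -> int:
    """Number of (txid, port) combinations a blind forger must cover.
    Without port randomization only the 16-bit txid is unknown; with it the
    resolver's source port (assumed here to be drawn from 1024-65535) adds a
    second unknown, multiplying the search space."""
    txid_space = 1 << 16
    port_space = (65536 - 1024) if randomize_source_port else 1
    return txid_space * port_space


def expected_guesses(randomize_source_port: bool) -> float:
    """Average number of forged packets before one matches, if the forger
    tries combinations uniformly at random: half the space."""
    return guess_space(randomize_source_port) / 2


if __name__ == "__main__":
    # Constructed sample: the resolver asked 192.0.2.53 about www.example.com.
    q = DnsQuery("192.0.2.53", 40231, 53, 0x1A2B, "www.example.com", "A")
    genuine = DnsAnswer("192.0.2.53", 53, 40231, 0x1A2B, "www.example.com.", "A")
    wrong_txid = DnsAnswer("192.0.2.53", 53, 40231, 0x1A2C, "www.example.com.", "A")
    wrong_port = DnsAnswer("192.0.2.53", 53, 40232, 0x1A2B, "www.example.com.", "A")
    print("genuine accepted:", answer_matches(q, genuine))
    print("wrong txid accepted:", answer_matches(q, wrong_txid))
    print("wrong port accepted:", answer_matches(q, wrong_port))
    print("unpatched search space:", guess_space(False))
    print("patched search space:", guess_space(True))
```

The point of the comparison is what the patches change: before them, a resolver that always queried from a fixed source port left only the 16-bit transaction ID to guess, so the check in `answer_matches` is decided by a single unknown; after them, the port becomes a second independent unknown and the search space grows by roughly four orders of magnitude. That is a mitigation, not a fix, which is why the text points to DNSSEC for the long term.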

Applying the DNS patches is the best solution, according to Wolfgang Kandek, CTO of patching vendor Qualys. The patches, he said, will buy the Internet enough time to restart the dialog for a stable, long-term solution, where DNSSEC (Domain Name System Security Extensions) comes into play.

"Using OpenDNS or other DNS services is a good immediate workaround, as it lowers one's exposure instantly, but does not fix it completely," Kandek said. "Dan's presentation convinced all of its attendants of the reality of the problem and showed the ease and breadth of exploitation possibilities. Personally, I think it is...