Las Vegas (NV) – The Internet relies on trust, but what if all that trust comes tumbling down? That’s exactly the problem noted security researcher Dan Kaminsky described today in his Black Hat talk about DNS cache poisoning. Several months ago, Kaminsky discovered a vulnerability in the DNS protoctol that allowed bogus name information to be sent to other servers and desktop computers – in essence hackers could redirect web surfers, chat clients and even email servers to machines of their choosing. Specific details about the vulnerability and the ways to exploit it have been kept secret until today …
Kaminsky is the director of penetration testing for IOActive and specializes in playing around with DNS. He says he found the vulnerability by accident while he was poking around for other “toys”. To fully understand the bug, let’s go into a brief introduction into how DNS or domain name service works. Network gurus can probably skip the next few paragraphs.
Almost every Internet service you use, from email to web browsing uses DNS convert the easily remembered names like www.google.com, www.youtube.com and others into IP address like 123.456.789.123. This conversion is needed because people can remember names easier. Also companies can change names while keeping all their services pointed to the same numerical IP address.
Behind the scenes, DNS servers make this magic happen by holding a database of DNS records which are lists of names with corresponding IP addresses – think of it as a big list of example.com = 123.456.789.123, example2.com = XXX.XXX.XXX.XXX, etc. Client computers ask for an IP address by sending a DNS request to the server and the server will reply back with the answer. Of course servers can only hold so much information, and will hand off the request to a more authoritative server, if it doesn’t know the answer. The requests can be further bounced up the chain until they reach the ultimate or root domain name servers for the Internet. If these guys don’t know the answer, then the name to IP address mapping doesn’t exist.
Now imagine yourself as a 411 operator who has to find telephone numbers when asked about a certain place - let’s say Outback Steak House in Torrance, California (our favorite place in the world). On the first call, you’d probably type it into your computer and wait for the answer, but let’s say the place is really popular and you get tons of calls every day for the place. Eventually, a smart operator would write the number on a Sticky-Note and post it on the monitor for quick retrieval. Then when a person calls, you simply read the number on the note, rather than taking the time to type it into the computer. Well this is exactly what DNS servers do in form of cache.
Kaminksy’s DNS bug, as some people are calling it, exploits this cache by sending malicious requests and once a sufficient number of requests have been sent, the hacker can start rewriting the entries. It’s important to distinguish that the actual records of the DNS server is not corrupted by this bug, rather it’s the entries in the cache itself.
Kaminsky sat down with us afterwards to give us all the gory details that would make the average man’s head explode, but hey that’s why you come to TG Daily isn’t it. His attack forces your local domain name server (which is probably your Internet router) to basically perform all the work. The bad guy forces the DNS server to purposely miss the cache by asking for the IP address of crazy domain names like 1.foo.com, 2.foo.com, 3.foo.com. Your local domain name server won’t know the details so it then asks other servers to obtain the answer.
As requests and replies flow out and back to your local server, the attacker then unleashes a torrent of specially crafted packets to the victim domain name server. These packets try to guess the transaction ID of the DNS reply which is a number that ranges from 1 to 65536. The attacker also has to forward the packet to the correct port which in most cases is the default DNS port 53.
The attack is basically a race of a the hacker stream of DNS replies versus the real reply coming from the real DNS server. Once the victim DNS server receives a reply with a valid transaction ID, the attacker can substitute any IP address for the domain name. “The hacker’s packet blows away the response from the real server,” Kaminsky told TG Daily.
Kaminsky was kind enough to draw out the attack for us. The client computer is on the left and the first node to the right is your local domain name server.
Ok, so I’m sure some of you see two big problems with this. First, how the heck do you guess the correct transaction ID out of more than 65000 numbers and how do you get the local domain name server to issue the query that starts the whole ball rolling? Kaminsky says most DNS servers simply increment their transaction ids which makes guessing them fairly trivial. Also some implementations of DNS are run on a buggy random number generator that produces predictable patterns of numbers. As far as getting the domain name server to issue the query, Kaminsky told use there are at least eight ways that he knows of and probably tons more that he doesn’t. “Sometimes you can just ask and the server will issue a query, but it’s amazingly easy to get a DNS server to look something up,” he said.
So what does a hacker gain from attacking DNS servers? According to Kaminsky, owning the .COM dns space would get you pretty much anything you wanted. Everything from intercepting emails to taking over spam filters could be accomplished. He even outlined grabbing passwords to webmail and other services by exploiting the “Forgot Your Password” feature used by many vendors. But perhaps the biggest risk was to SSL security because certificate vendors could be duped into giving certs to bogus companies.
SSL certificate authorities issue the certificates by identifying the applicant through email. The vendor looks up the domain’s address in WHOIS and then sends an email to the mail address contained in the record. But if you were able to poison the DNS to redirect Microsoft’s DNS entry, then you could conceivably gain a Microsoft or another large company’s certificate.
Kaminsky found the bug approximately five months ago and initially worked solely with vendors to patch the bug because he feared any leak would invite malicious hackers into taking over the Internet. “I spent the last few months terrified that companies would have their emails stolen because of a bug I found,” he told us.
Kaminsky was lambasted by some security researchers because hackers, by their very nature, are quite the peer oriented group. Those critics were eventually silenced after Kaminsky had a conference call with the doubters.
In a press conference after the talk, Kaminsky told reporters that vendors have been “fantastic” in responding and patching the bug. Microsoft even hosted a summit on March 31st where Kaminsky and fellow researchers flew to Redmond Washington in a marathon session to hammer out a fix – something that took thousands of man hours and “thousands of pizzas”.
That patch, dubbed the “sledgehammer fix” by Kaminsky, randomized the transaction IDs and upped the range to more than a 100,000,000 possibilities. Hopefully a competent IT administrator would notice hundreds of millions of malicious packets hitting their DNS servers, Kaminsky said.
On July 8th, most of the major vendors like Microsoft, Sun, Cisco and Red Hat had patched their servers and Kaminksy has stayed in constant contact with major web companies like MySpace, Craigslist and eBay, all in the hopes of educating IT administrators of the problem. “I’ve been on the phone a lot, a whole lot,” he said, adding that he doesn’t want to look at his mobile phone bill for the last month.
But Kaminsky warns that the danger isn’t completely over and that the next bug may not come with as much warning and the hacker finding it may not be as considerate. “They probably won’t be as friendly as me,” he said.