
Fatal DNS Attack Discovered


Dan Kaminsky has found a fatal flaw in the fundamental way DNS works. Dan has saved the actual details of the attack for Black Hat 2008, but has been actively working with vendors to get a patch out before then. This led to people speculating and debating about the exact nature of the bug on blogs and security forums. Finally, the community seems to have zeroed in on the actual bug. In short, this is how the bug works:
1. The whole hack relies on somehow being able to guess the right transaction ID in the DNS reply packets and thereby inject a malicious entry into the cache of a DNS server.
2. A hacker starts making requests for 1.google.com, 2.google.com, ... x.google.com.
3. The DNS server in turn queries the name server, say ns.google.com, for each of these subdomains.
4. The hacker now sends spoofed replies, appearing to come from ns.google.com, to the DNS server with a chosen transaction ID.
5. The transaction ID field is only 16 bits long, so it has only 65,000 possibilities.
6. By generating a large number of requests for (1..2..x).google.com and sending spoofed replies on behalf of ns.google.com for each, the probability of guessing the right transaction ID increases.
7. This happens sooner than expected because of the birthday paradox.
8. The interesting part is that when a match happens, the DNS server caches not just the IP address of m.google.com (the name for which the transaction ID matched) but also any other hostname for which ns.google.com is authoritative, even ns.google.com itself.
9. Thus the hacker can piggyback an IP address of his own choice for ns.google.com simply by having sent the right packet for m.google.com.
10. Once this is done, all DNS requests from the server for anything.google.com go to the newly set IP address, and any attack on top of this can easily be built.
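Steps 4 to 7 can be put into numbers. The model below is an added example, not code from this post or from Dan Kaminsky, and the function names are my own. It assumes that every forged reply is an independent uniform guess over an identifier space of `entropy_bits` bits, and that a reply is accepted if it matches any one of `outstanding` queries the resolver has in flight for the same name (the effect step 7 refers to). The 32-bit comparison reflects the UDP source-port randomization that the vendor patches added on top of the 16-bit transaction ID, which the post does not describe; it shows why that patch buys roughly a 65,000-fold increase in the number of forged packets the attacker needs.

```python
"""Model of the transaction-ID guessing step in the Kaminsky DNS attack.

Added example, not code from the SecurityTube post. Assumptions: every forged
reply is an independent uniform guess over an identifier space of
`entropy_bits` bits, and a reply is accepted if it matches any one of
`outstanding` in-flight queries (the step-7 'birthday' effect when a resolver
has several identical queries outstanding at once).
"""
from math import ceil, log, log1p

TXID_BITS = 16        # DNS transaction ID is a 16-bit field (RFC 1035)
SRC_PORT_BITS = 16    # assumption: ~16 extra bits from UDP source-port randomization


def match_probability(spoofed_replies: int, entropy_bits: int, outstanding: int = 1) -> float:
    """Probability that at least one of `spoofed_replies` forged answers is
    accepted. Each reply succeeds with probability outstanding / 2**bits."""
    space = 2 ** entropy_bits
    per_reply = min(outstanding, space) / space
    return 1.0 - (1.0 - per_reply) ** spoofed_replies


def replies_for_confidence(confidence: float, entropy_bits: int, outstanding: int = 1) -> int:
    """Smallest number of forged replies giving at least `confidence`
    probability of one accepted reply (inverse of match_probability)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    space = 2 ** entropy_bits
    per_reply = min(outstanding, space) / space
    if per_reply >= 1.0:
        return 1
    # log1p keeps precision when per_reply is tiny (e.g. 2**-32)
    return ceil(log(1.0 - confidence) / log1p(-per_reply))


def hardening_factor(extra_bits: int, confidence: float = 0.5) -> float:
    """How many times more forged replies the extra entropy costs the attacker
    at a fixed success probability (the benefit of source-port randomization)."""
    before = replies_for_confidence(confidence, TXID_BITS)
    after = replies_for_confidence(confidence, TXID_BITS + extra_bits)
    return after / before


if __name__ == "__main__":
    cases = ((TXID_BITS, "16-bit TXID only"),
             (TXID_BITS + SRC_PORT_BITS, "TXID + random source port"))
    for bits, label in cases:
        print(f"{label}:")
        for k in (1, 1_000, 65_536):
            print(f"  {k:>7} forged replies -> P(match) = {match_probability(k, bits):.6f}")
        print(f"  replies for 50% success: {replies_for_confidence(0.5, bits):,}")
    print("TXID only, 8 identical queries outstanding, replies for 50%:",
          f"{replies_for_confidence(0.5, TXID_BITS, outstanding=8):,}")
    print(f"hardening factor of {SRC_PORT_BITS} extra bits: {hardening_factor(SRC_PORT_BITS):,.0f}x")
```

With a bare 16-bit transaction ID, about 45,000 forged replies give a coin-flip chance of a match, and the count drops further when the resolver keeps several identical queries in flight, which is what step 7 describes; with random source ports the same confidence costs roughly 65,000 times as many packets, which is what made the 2008 patch effective even though the additional-record caching in step 8 was unchanged.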

I will be posting a detailed presentation by tomorrow, but for now here is a short video of Dan describing the urgency and importance of patching, even without disclosing what the attack actually is ;-) Enjoy!

Author
Vivek-Ramachandran

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at the world-renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 News, BBC Online, Network World and other news agencies. In 2006, Vivek was announced as one of the winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement award at Cisco Systems for his work on the 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security-Freak.Net and SecurityTube.Net and is the founder of an online startup (currently in stealth mode). Vivek holds a Bachelor's degree in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati. You can contact him at vivek[at]securitytube.net

 
©2007 Freak Labs