Description: Dan Kaminsky found a fatal flaw in the fundamental way DNS works. Dan has saved the actual details of the attack for Blackhat 2008, but has been actively working with vendors to bring out a patch before that. This led to people speculating and debating about the exact nature of the bug in blogs and security forums. Finally, the community seems to have zeroed in on the actual bug. In short, this is how the bug works:
1. The whole hack relies on somehow guessing the right transaction ID in the DNS reply packets and thereby injecting a malicious entry into the cache of a DNS server
2. A hacker starts making requests for 1.google.com, 2.google.com .... x.google.com
3. The DNS server in turn queries the name server, say ns.google.com, for each of these subdomains
4. The hacker now sends spoofed replies, purporting to come from ns.google.com, to the DNS server with a chosen transaction ID
5. The transaction ID field is only 16 bits long and thus has only 65,000 possibilities
6. By generating a large number of requests for (1..2..x).google.com and sending spoofed replies on behalf of ns.google.com for each of them, the probability of guessing the right transaction ID increases
7. This happens sooner than expected because of the birthday paradox
8. The interesting part is that when this happens the DNS server caches not just the IP address of m.google.com (for which the transaction ID matched) but also any other hostname for which ns.google.com is authoritative - even ns.google.com itself
9. Thus the hacker can piggyback an IP address of his own choice for ns.google.com simply by having sent the right packet for m.google.com
10. Once this is done, all DNS requests from the server for anything.google.com go to the newly set IP address, and any attack on top of this can be easily built.
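To see why the patch matters so much, here is an added example (my code, not from the post or from Dan's talk) that estimates how many poisoned-query attempts a blind spoofer needs when the resolver's only unpredictable field is the 16-bit transaction ID, versus the transaction ID plus a randomised UDP source port, which is what the vendor patches added. The model (every outstanding query gives the attacker `replies` distinct guesses before the genuine answer lands, each query an independent trial) and the `replies`/`queries` parameters are my assumptions.

```python
# Added example, not code from the original post or from Dan Kaminsky:
# estimates how quickly a blind spoofing attack of the kind described
# above succeeds, as a function of how many bits of the reply the
# attacker has to guess. Model (my assumption): for every outstanding
# query the attacker gets `replies` spoofed packets, each with a distinct
# guess, to the resolver before the genuine answer from ns.google.com lands.
import math

TXID_BITS = 16          # the 16-bit transaction ID the post talks about
SRC_PORT_BITS = 16      # randomised UDP source port added by the 2008 patches


def per_query_success(entropy_bits: int, replies: int) -> float:
    """Probability that one of `replies` distinct guesses matches a single
    outstanding query whose identifier carries `entropy_bits` of entropy."""
    space = 2 ** entropy_bits
    return min(replies, space) / space


def expected_queries(entropy_bits: int, replies: int) -> float:
    """Expected number of distinct queries (1.google.com, 2.google.com, ...)
    the attacker must trigger before the first one is poisoned."""
    p = per_query_success(entropy_bits, replies)
    return math.inf if p == 0.0 else 1.0 / p


def success_within(entropy_bits: int, replies: int, queries: int) -> float:
    """Probability of at least one successful poisoning in `queries` attempts,
    treating each attempt as an independent trial (geometric model)."""
    p = per_query_success(entropy_bits, replies)
    return 1.0 - (1.0 - p) ** queries


def compare(replies: int, queries: int) -> dict:
    """Side-by-side numbers for a resolver that randomises only the TXID versus
    one that also randomises its source port (what the patch changed)."""
    return {
        name: {
            "p_per_query": per_query_success(bits, replies),
            "expected_queries": expected_queries(bits, replies),
            "p_within_budget": success_within(bits, replies, queries),
        }
        for name, bits in (("txid_only", TXID_BITS),
                           ("txid_plus_port", TXID_BITS + SRC_PORT_BITS))
    }


if __name__ == "__main__":
    # 100 spoofed replies per query, attacker budget of 10,000 queries
    for name, stats in compare(replies=100, queries=10_000).items():
        print(f"{name:15s} p/query={stats['p_per_query']:.2e} "
              f"E[queries]={stats['expected_queries']:.3g} "
              f"P(success in 10k)={stats['p_within_budget']:.3f}")
```

With 100 guesses per query, the TXID-only resolver is expected to fall after roughly 655 queries, while adding a random source port multiplies that by about 65,536, which is why patching (and checking that your resolver really does randomise ports, e.g. with a port-randomisation test service) was so urgent.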
I will be posting a detailed presentation by tomorrow but for now here is a little video of Dan describing the urgency and the importance of patching, even without disclosing what the attack actually is ;-) Enjoy!
Tags: fun
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.