The Kaminsky Hack: DNS Exploits in the Wild

DNS is the cornerstone of the Internet: It turns a domain name into an IP address that the routers can use to connect a browser to a web site. For this reason, it’s the subject of many attacks. If you convince someone that your server, rather than the real one, is the site they wanted, you can get up to all kinds of mischief. You can make them think you’re their bank, solicit their private information, monitor what they do, or even feed them Trojans.

Of course, DNS has protections. Each DNS request has a query ID (QID) associated with it that uniquely identifies the request. Anyone can send a response to a DNS request, but if you don’t have the right query ID, your response is ignored. Essentially, it’s a race. To hijack someone, you need to send the wrong IP address, with the right query ID, before the correct address gets there. Until now, this model has protected online surfers reasonably well because the chance of a guessed QID arriving before the legitimate one shows up is vanishingly small.
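To make the query ID check concrete, here is an added example (not code from the article or from Kaminsky) of the resolver-side logic: a minimal DNS message builder and parser, a table of outstanding queries keyed by QID, and an acceptance function that discards any answer whose QID or question does not match what was asked. The hostname, IP addresses and IDs are constructed for the demo, and the name decoder assumes no compression pointers, which holds for the messages built here.

```python
import struct
import secrets


def encode_name(name):
    """Encode a dotted hostname as DNS labels: length byte + label, ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode labels starting at offset. Assumes no compression pointers (true for
    the constructed messages in this example)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qid, name, qtype=1):
    """Constructed query: 12-byte header (RD set) + one question (type A, class IN)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(qid, name, ip, qtype=1):
    """Constructed response: header with QR set, the echoed question, one A record."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack(">HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_message(data):
    """Pull out the fields the acceptance check needs: ID, QR bit, question name/type."""
    qid, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    name, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack(">HH", data[off:off + 4])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "qname": name.lower(), "qtype": qtype}


def accept_response(pending, data):
    """Resolver-side gate: accept only a response (QR=1) whose ID is an outstanding
    query and whose question matches the one that query asked. Anything else is
    dropped, which is what makes a wrong-ID answer harmless."""
    msg = parse_message(data)
    if not msg["is_response"]:
        return False
    expected = pending.get(msg["id"])
    if expected is None:
        return False
    return expected == (msg["qname"], msg["qtype"])


def guess_success_probability(id_bits=16):
    """Chance that one randomly chosen ID equals the one outstanding query's ID."""
    return 1 / (1 << id_bits)


def demo():
    """Issue one query, then test a genuine answer and one with a mismatched ID."""
    qid = secrets.randbelow(1 << 16)          # real resolvers pick IDs unpredictably
    pending = {qid: ("www.example.com", 1)}   # outstanding query table
    genuine = build_response(qid, "www.example.com", "192.0.2.10")
    wrong_id = build_response((qid + 1) & 0xFFFF, "www.example.com", "198.51.100.7")
    return accept_response(pending, genuine), accept_response(pending, wrong_id)


if __name__ == "__main__":
    print(demo())  # (True, False)
    print(guess_success_probability())
```

The table lookup is the whole defense the paragraph describes: with a 16-bit ID there are 65,536 possibilities, so a single guessed answer matches with probability 1/65536, and it must also arrive before the legitimate one. Real resolvers additionally check that the answer came from the address and port the query was sent to; that is outside this example.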

But there may be a way around this, and Dan Kaminsky says he’s figured it out — but he’s not telling how just yet.

Releasing a hack is Big Drama. Some folks — like Kaminsky — prefer to contact the authorities and vendors, giving them time to patch their servers before publication. Kaminsky announced that he wouldn’t reveal the details of the exploit until Black Hat, but on July 9 he said anyone who figured it out could get on stage with him. Shortly afterward, he announced that the major players had patched their systems.

There are others who believe that vulnerabilities should be outed as soon as possible: Assuming the bad guys already know is a prudent course of action. Kaminsky’s announcement seems to have prompted speculation, leading to the disclosure of what some believe is the hack he was planning to announce, which Halvar Flake figured out. A description of the exploit first showed up on pasteboards — sites that publish snippets of programming. Initially, it was being deleted by system administrators. But you can’t put the genie back in the bottle, so now it’s out in the open.

Some skeptics question the impact of the vulnerability, and some say it’s an old hack that’s been around for years. But we view many more strangers’ pages these days, particularly on social sites that are increasingly plagued with friend spam, so online behavior may have changed enough for this old dog to learn new tricks.

Kaminsky hasn’t confirmed that Flake identified the same vulnerability. But perhaps as a result of the speculation, Kaminsky’s latest blog entry says simply, “Patch. Today. Now.”

Whatever the case, it’s a good day to have a smart network administrator patching your servers.