DNS cache poisoning vulnerability details confirmed
Last Updated: 2008-07-25 06:47:28 UTC
by Kyle Haugsness (Version: 2)
A couple of the handlers tuned into the Blackhat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes...
Dan Kaminsky confirmed the details about the vulnerability. I think he was wanting to save the details until Blackhat, but since it got leaked and exploits have shown up in the last 24 hours, there doesn't seem to be much use in delaying any longer. Dan seemed to confirm that the leaked blog entry and the latest Metasploit module have identified the vulnerability correctly.
In Kaminsky's tests, he was able to poison a nameserver cache in about 5-10 seconds. This bug allows the attacker to overwrite entries that are already in the cache.
Nameservers that are authoritative only are not vulnerable. But setting a high TTL for your hosts which you are authoritative won't help vulnerable resolvers from being poisoned. This attack bypasses the TTL protections on vulnerable resolvers.
DNS client libraries (workstations and servers that resolve to upstream nameservers) need to be patched also. The attacks still work against single unpatched hosts - but the priority should be your resolving nameservers.
Home firewall NAT devices are also proving to be vulnerable as many don't seem to randomize the source port.
If I heard correctly, Joao Damas from ISC (Internet Systems Consortium, maintainers of BIND) reports that he has seen attacks already in the wild for this vulnerability.
There is a tool from our friends at Onzra that appears able to detect cache poisoning attacks: http://www.onzra.com/
"CacheAudit is an open source aplication for monitoring the cache of a Recursive DNS server. It allows providers to detect and respond quickly to Cache Poisoning events."
It's still beta so take it with a grain of salt but it's definitely worth a look.