Contributing Writer, [GAS]
US-CERT, the organization absorbed into the United States Department of Homeland Security in 2004, is keeping the Internet secure by coordinating the efforts of industry leaders and keeping those efforts top-secret. Yesterday, the biggest companies on the Internet, including Cisco, Microsoft and Sun Microsystems, came to a decision on security and released patches for the Internet's DNS infrastructure, designed to address a fundamental flaw in DNS. This all occurred after a months-long secret collaboration session that included federal government officials.
Their patches address a flaw in DNS that could have allowed an attacker to impersonate any server on the Internet by poisoning a DNS cache. What’s more, this was relatively easy to do. Luckily, the bad guys hadn’t stumbled across the vulnerability yet.
And perhaps more amazing than the world’s largest Internet companies collaborating with the government under a cone of silence is the level of integrity shown by security specialist Dan Kaminsky. While Kaminsky could have sold the vulnerability to the bad guys for top dollar, he turned the information over to the US-CERT team for free.
Dan Kaminsky’s Web site is here and he has a free DNS-testing tool to check your company’s DNS and Internet-provider vulnerability. A majority of DNS providers are still at risk, but should be working on applying patches. Brian Krebs, from the Washington Post, reports that Cox Communications is still vulnerable. Verizon Fios, which serves my home in Virginia, is safe.
Details of the vulnerability remain murky. One thing I can infer, however, is that part of this issue has to do with the fact that DNS is connectionless and unauthenticated. It operates over UDP, which is designed to be fast, and works just like IP telephony and streaming video technologies. When someone makes a request to look up the IP address of a Web site, like GeeksareSexy.Net, their local DNS server is supposed to translate this name back into an IP address that a Web browser can understand. It does so by shooting a UDP packet back to the requester. The problem may lie with the fact that these DNS servers usually reply with a predictable port, which an attacker can guess, subsequently substituting a response of his own.
On Kaminsky’s Web site, Doxpara.com, he suggests that one of the original designers of DNS was spot on when he had insisted that DNS responses should come from a randomized port. “All those years ago, Dan J. Bernstein was right: Source-port randomization should be standard on every name server in production use,” Kaminsky wrote.
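Source-port randomization can be checked from the receiving end by recording the UDP source port of each query a resolver sends and looking at how predictable the sequence is. The Python example below is added here for illustration; it is not from the original article and is not how Kaminsky's testing tool works. The sample port lists and both thresholds are constructed assumptions.

```python
import statistics

# Constructed samples: UDP source ports of successive queries from one resolver,
# as a test authoritative server (or a packet capture) would record them.
FIXED      = [53, 53, 53, 53, 53, 53, 53, 53]
SEQUENTIAL = [32768, 32769, 32770, 32772, 32773, 32775, 32776, 32777]
NARROW     = [2001, 2040, 2013, 2090, 2055, 2007, 2071, 2033]
RANDOMIZED = [51234, 1893, 40321, 17766, 60412, 28903, 9127, 45550]

# Illustrative thresholds chosen for this example, not taken from any tool.
MAX_STEP = 16         # increments this small count as "counting upward"
MIN_STDEV = 1000.0    # below this, ports cluster in a guessable window


def assess_source_ports(ports):
    """Classify how predictable a resolver's query source ports look."""
    if len(ports) < 5:
        raise ValueError("need at least 5 observed queries")
    distinct = len(set(ports))
    # Port-to-port change, modulo 2**16 so wrap-around still counts as a step.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small_steps = sum(1 for d in deltas if 0 < d <= MAX_STEP)
    stdev = statistics.pstdev(ports)

    if distinct == 1:
        verdict = "fixed"          # every query leaves from the same port
    elif small_steps >= 0.8 * len(deltas):
        verdict = "sequential"     # next port follows from the last one
    elif stdev < MIN_STDEV:
        verdict = "narrow"         # varies, but only inside a small range
    else:
        verdict = "randomized"     # spread across the port space
    return {"verdict": verdict, "distinct": distinct, "stdev": round(stdev, 1)}


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("narrow", NARROW), ("randomized", RANDOMIZED)]:
        print(name, assess_source_ports(sample))
```

A resolver that comes back as anything other than "randomized" on a reasonably large sample is a candidate for patching or for a closer look at any NAT device in front of it that may be rewriting ports.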
Kaminsky also goes on to describe what a huge deal this patch is. It is not simple code replacement. Rather, it is more like upgrading XP to Service Pack 2 or 3.
“To translate the fix strategy into a more familiar domain, imagine large chunks of Windows RPC went from anonymous to authenticated user only, or even all the way to admin only,” Kaminsky wrote. “Or wait, just remember Windows XPSP2. This is a sledgehammer, by design. It cuts off attack surface, without necessarily saying why.”
So how safe is the Internet? While everyone was asleep, what kind of job did our government do to protect the Internet from failure? Kaminsky says things are just fine.
“After an enormous and secret effort, we’ve got fixes for all major platforms, all out on the same day. This has not happened before. Everything is genuinely under control,” Kaminsky said.
“I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.
“It was a good day.”
Happy patching everyone!