First, a post went up on Matasano and promptly disappeared, and now Kaminsky has posted on Doxpara:

Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.

From what I can tell, it’s out of the bag. I haven’t done any testing to make sure, but what I’ve read makes sense. If you’re not entirely sure about your DNS, set yourself up on OpenDNS now.

Edit: Ah, to heck with it, looks like everyone knows where to find it now anyway. Here ya go, on Halvar Flake’s blog.

Edit Edit: Actually that’s not quite right, I think, but Matasano was, and I think you can figure it out from there.

Edit Edit Edit: Well, seeing as you can find out from comments on a Slashdot post, and other blogs, here’s the juicy part of the Matasano post:

Let’s try again to convince Bob that WWW.VICTIM.COM is

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was It also contained Additional RRs pointing WWW.VICTIM.COM to Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.

Patch patch patch (then play with it in your test environment).
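As a defensive illustration added here (not code from the original post or from the Matasano article), the script below scans a constructed resolver query log for the pattern the quoted text describes: one client receiving a burst of NXDOMAIN answers for many distinct names under the same zone within a few seconds. The log format, the field order, and the window/threshold values are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log: "<unix_ts> <client> <qname> <qtype> <rcode>".
# The format is an assumption for this example, not any resolver's real log.
SAMPLE_LOG = """\
1215700001 10.0.0.5 AAAAA.VICTIM.COM A NXDOMAIN
1215700001 10.0.0.5 AAAAB.VICTIM.COM A NXDOMAIN
1215700002 10.0.0.5 AAAAC.VICTIM.COM A NXDOMAIN
1215700002 10.0.0.5 AAAAD.VICTIM.COM A NXDOMAIN
1215700003 10.0.0.5 AAAAE.VICTIM.COM A NXDOMAIN
1215700003 10.0.0.5 AAAAF.VICTIM.COM A NXDOMAIN
1215700005 10.0.0.7 WWW.VICTIM.COM A NOERROR
1215700006 10.0.0.9 MAIL.EXAMPLE.ORG MX NOERROR
1215700007 10.0.0.9 WWW.EXAMPLE.ORG A NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Parse one log line into (ts, client, qname, qtype, rcode) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, rcode = m.groups()
    return int(ts), client, qname.lower().rstrip("."), qtype, rcode

def parent_zone(qname):
    """'aaaaa.victim.com' -> 'victim.com' (crude: drop the leftmost label)."""
    labels = qname.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else qname

def find_nxdomain_bursts(log_text, window=10, threshold=5):
    """Return {(client, zone): n} for clients that got >= threshold NXDOMAIN
    answers for distinct names under one zone within `window` seconds."""
    events = defaultdict(list)  # (client, zone) -> [(ts, qname), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4] == "NXDOMAIN":
            ts, client, qname = rec[0], rec[1], rec[2]
            events[(client, parent_zone(qname))].append((ts, qname))
    alerts = {}
    for key, items in events.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide a window over sorted events
            names = {n for t, n in items[i:] if t - t0 <= window}
            if len(names) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(names))
                break
    return alerts
```

On the constructed sample only client 10.0.0.5 is flagged for victim.com; the lone NXDOMAIN for example.org stays below the threshold.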

  8 Responses to “DNS cat is likely out of the bag”

  1. [...] don’t know the details yet, but according to McGrew Security, someone at Matasano let out the details of the DNS vulnerability earlier today. And Dan Kaminsky [...]

  2. It got published by mistake. But it’s already cached in Google Reader and God knows how many other bots & readers that tune to their RSS feed.

    Matasano has published a public apology:

  3. Very interesting!

    My only question: how do we know that OpenDNS is safe?

    Seems like if you can exploit OpenDNS, you have hit a huge number of computers.

  4. Hi William!

    OpenDNS implements source port randomization, which adds another (roughly) 16 bits of entropy to what an attacker would have to guess to get this working, basically making the attack infeasible.

    This is also what the patches that are available for various DNS servers do.

  5. Gotcha! Thanks!!

  6. [...] internet network traffic on a massive scale; details about this flaw can be found at McGrew Security, and you can also refer to Dan Kaminsky’s personal blog or to Common Vulnerability and [...]


© 2012 McGrew Security