Monday, December 03, 2007
DNS hacked again with poisoning attack

http://computerworld.co.nz/news.nsf/scrt/C5117F8EF8F89577CC2573A200809036

By Roger A Grimes
San Francisco
3 December, 2007

Amit Klein, of Israeli security company Trusteer, recently released
details on DNS server cache poisoning attacks that affect both BIND
(Berkeley Internet Name Domain) and Windows DNS servers. It goes to show
that every time you think a problem with a well-known protocol or
service has been solved, it may not be.

DNS has been with us since 1983, nearly as long as the internet itself. And
although DNS RFCs have come and gone, DNS is still very similar to its
original specifications. Certainly it has grown in feature set and
complication, but it still has the same underlying security problems it
did when it was invented by Paul Mockapetris. The biggest problem is the
lack of default authentication. Several security mechanisms have been
created for DNS with varying degrees of success (and failure) to solve
the authentication problem, but it is still relatively easy to fake a
DNS packet to either a DNS server or an unwitting client.

Klein's latest find involved two discoveries, both of which allow
important parts of a DNS server packet to be forged with trivial effort.
The first implementation error involves the DNS UDP source port.
Although it should be randomised to prevent forging, it turns out that
the source port never changes for as long as the DNS server is up and
running. The second, and more important, problem is the trivial
predictability of the transaction ID value. Together, the two errors allow
the contents of a DNS server's packets to be predicted and forged.
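A resolver is only protected from off-path forgery if a forged response must match both an unpredictable UDP source port and an unpredictable transaction ID. The following added example (not code from the article, Klein, Trusteer, or any DNS vendor) checks a set of observed outgoing queries for exactly the two weaknesses described above: a source port that never changes and a transaction ID that counts up by one. It parses the 12-byte DNS header from RFC 1035 to read the transaction ID, and the two captures it analyses are constructed inline, one mimicking the weak behaviour and one mimicking a hardened resolver; the function names and the 80 percent "sequential" threshold are assumptions of this example.

```python
import math
import random
import struct
from typing import Dict, List, Tuple

# RFC 1035 section 4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query_header(txid: int) -> bytes:
    """Build the 12-byte header of a standard recursive query (RD=1)."""
    return DNS_HEADER.pack(txid & 0xFFFF, 0x0100, 1, 0, 0, 0)


def parse_txid(packet: bytes) -> int:
    """Extract the transaction ID that a response must echo to be accepted."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


Observation = Tuple[int, bytes]  # (UDP source port, DNS packet)


def weak_capture(n: int = 50) -> List[Observation]:
    """Constructed sample: fixed source port and a TXID that counts up by one,
    the two weaknesses the article attributes to the affected servers."""
    return [(32768, build_query_header(1000 + i)) for i in range(n)]


def hardened_capture(n: int = 50, seed: int = 7) -> List[Observation]:
    """Constructed sample: a fresh random ephemeral port and random TXID per query."""
    rng = random.Random(seed)  # seeded only so the sample is reproducible
    return [(rng.randint(1024, 65535), build_query_header(rng.getrandbits(16)))
            for _ in range(n)]


def sequential_fraction(ids: List[int]) -> float:
    """Share of consecutive TXIDs that differ by exactly +1 (mod 2^16)."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if (b - a) % 0x10000 == 1)
    return steps / (len(ids) - 1)


def assess(capture: List[Observation]) -> Dict[str, object]:
    """Flag a fixed source port and predictable TXIDs in an observed capture."""
    ports = [p for p, _ in capture]
    ids = [parse_txid(pkt) for _, pkt in capture]
    distinct_ports = len(set(ports))
    distinct_ids = len(set(ids))
    seq = sequential_fraction(ids)
    predictable = seq > 0.8  # assumed threshold for "counts up by one"
    # Crude estimate of the bits an off-path forger must guess per response:
    # log2 of the observed port spread, plus the observed ID spread unless the
    # IDs are sequential (then the next ID is known and contributes nothing).
    port_bits = math.log2(distinct_ports)
    id_bits = 0.0 if predictable else math.log2(distinct_ids)
    return {
        "fixed_source_port": distinct_ports == 1,
        "predictable_txid": predictable,
        "sequential_fraction": seq,
        "distinct_ports": distinct_ports,
        "distinct_ids": distinct_ids,
        "guess_bits_estimate": port_bits + id_bits,
    }


if __name__ == "__main__":
    for name, cap in (("weak", weak_capture()), ("hardened", hardened_capture())):
        print(name, assess(cap))
```

The "guess bits" figure is a lower bound taken from the sample: fifty queries can show at most fifty distinct ports, so a healthy resolver scores well below the theoretical 32 bits here, while the weak capture collapses to zero because both values are known in advance. On a real resolver, run the same analysis over a packet capture of its outbound queries; a result of `fixed_source_port` or `predictable_txid` being true is the condition to fix (source port randomisation and random transaction IDs), not something the remaining checks can compensate for.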

The most secure version of DNS is considered djbdns, named after its author, Dr Dan J Bernstein, one of the most prominent voices for security over functionality in computer software. Although djbdns (also known as tinydns for one of its daemons) is not nearly as functional as Windows DNS or BIND, it is run by some of the world's largest companies. Dr Bernstein claims that more than 1.8 million .com addresses use djbdns. And though Dr Bernstein has been offering a US$500 (NZ$657) reward to anyone who can find an error in its 7,000 instructions, there has yet to be a successful claim. Unfortunately, djbdns is built only for Unix and could not be used efficiently to support an Active Directory domain.
