DNS flaw discoverer says more permanent fixes will be needed

IT managers should expect more security fixes over the coming months.

The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.

At a press conference this morning, Dan Kaminsky, a researcher at security firm IOActive Inc., said that the patches recently issued by multiple vendors in response to his bug discovery are at best a stopgap measure aimed at preventing immediate attacks on the DNS infrastructure.

But Kaminsky plans to disclose details of the bug at the upcoming Black Hat security conference, and with more researchers likely to try and exploit it, there is going to be a need for a more permanent fix.

"There is going to be another round of patches coming online as we as a global community figure out how to address this," Kaminsky said. The current set of security updates that were released a few days ago were designed to make it harder for the bug to be exploited, while also ensuring that would-be attackers wouldn't be able to discover what the flaw is by reverse-engineering the patches.

The stopgap patch was appropriate in its time. "We needed to find a way to stop the bleeding while we figured out what to do here. This fix gets us out of the emergency zone," Kaminsky said, speaking with Computerworld after this morning's press conference. "I think there will be discussions after the bug is disclosed for more comprehensive mechanisms for addressing this class of flaw." He added that he was however unable to discuss what exactly the next generation patches would do, until details of the bug were publicly disclosed.

He noted that the patches that have been released appear to be working, since no one has exploited the vulnerability yet despite the unprecedented attention focused on it. However, he said, "there are people who have gotten really, really close," who have been asked not to disclose their research publicly until he reveals the full details at Black Hat.

One vuln to rule them all

News of the DNS protocol flaw, which was discovered earlier this year by Kaminsky, was made public about 10 days ago in a rare synchronized security update from numerous organization including Microsoft, Cisco Systems, and the US Computer Emergency Readiness Team (US-CERT). The flaw has received widespread attention both because of its apparent seriousness and the fact that it affects virtually every single domain name server that resolves IP addresses on the Internet.

DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researches. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.

According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.

An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.

The patches issued by the various vendors employ a so-called "port randomization" technique that is designed to make it much harder by many magnitudes for anyone to guess at DNS message IDs so as to be able to spoof the messages.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?