DNS flaw discoverer says more permanent fixes will be needed

IT managers should expect more security fixes over the coming months.

The security researcher who recently discovered a heretofore unknown flaw in the Internet's core Domain Name System (DNS) protocol warned IT managers on Thursday to expect more security fixes aimed at mitigating the issue over the coming months.

At a press conference this morning, Dan Kaminsky, a researcher at security firm IOActive Inc., said that the patches recently issued by multiple vendors in response to his bug discovery are at best a stopgap measure aimed at preventing immediate attacks on the DNS infrastructure.

But Kaminsky plans to disclose details of the bug at the upcoming Black Hat security conference, and with more researchers likely to try and exploit it, there is going to be a need for a more permanent fix.

"There is going to be another round of patches coming online as we as a global community figure out how to address this," Kaminsky said. The current set of security updates that were released a few days ago were designed to make it harder for the bug to be exploited, while also ensuring that would-be attackers wouldn't be able to discover what the flaw is by reverse-engineering the patches.

The stopgap patch was appropriate in its time. "We needed to find a way to stop the bleeding while we figured out what to do here. This fix gets us out of the emergency zone," Kaminsky said, speaking with Computerworld after this morning's press conference. "I think there will be discussions after the bug is disclosed for more comprehensive mechanisms for addressing this class of flaw." He added that he was however unable to discuss what exactly the next generation patches would do, until details of the bug were publicly disclosed.

He noted that the patches that have been released appear to be working, since no one has exploited the vulnerability yet despite the unprecedented attention focused on it. However, he said, "there are people who have gotten really, really close," who have been asked not to disclose their research publicly until he reveals the full details at Black Hat.

One vuln to rule them all

News of the DNS protocol flaw, which was discovered earlier this year by Kaminsky, was made public about 10 days ago in a rare synchronized security update from numerous organization including Microsoft, Cisco Systems, and the US Computer Emergency Readiness Team (US-CERT). The flaw has received widespread attention both because of its apparent seriousness and the fact that it affects virtually every single domain name server that resolves IP addresses on the Internet.

DNS servers are responsible for routing all Internet traffic to their correct destinations. The so-called cache poisoning vulnerability that Kaminsky discovered could allow attackers to redirect Web traffic and e-mails to systems under their control, according security researches. The flaw exists at the DNS protocol level and affects numerous products from multiple vendors.

According to Kaminsky, a weakness exists in a transaction identification process that the DNS protocol uses to determine whether responses to DNS queries are legitimate or not. DNS messages include what are supposed to be random identification numbers, but the problem, according to Kaminsky, is that only about 65,000 different values are currently being used as identifiers. And in reality, the process of assigning the identifiers to packets isn't especially random and can be guessed, he said.

An advisory issued by the US-CERT said the flaw could make domain name servers vulnerable to attacks in which forged data is introduced into the systems. Such attacks aren't new in concept, the advisory said, noting that several security researchers in the past have described cache-poisoning vulnerabilities similar to the one discovered by Kaminsky. Such vulnerabilities basically give attackers a way to predictably spoof DNS traffic along with "extremely effective exploitation techniques," the US-CERT advisory said.

The patches issued by the various vendors employ a so-called "port randomization" technique that is designed to make it much harder by many magnitudes for anyone to guess at DNS message IDs so as to be able to spoof the messages.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?