DNS cache poisoning vulnerability details confirmed

DNS cache poisoning vulnerability details confirmed
A couple of the handlers tuned into the Blackhat "webinar" today. The topic was Kaminsky's DNS vulnerability. Here are some quick notes... Dan Kaminsky confirmed the details about the vulnerability. I think he was wanting to save the details until Blackhat, but since it got leaked and exploits have shown up in the last 24 hours, there doesn't seem to be much use in delaying any longer. Dan seemed to confirm that the leaked blog entry and the latest Metasploit module have identified the vulnerability correctly. In Kaminsky's tests, he was able to poison a nameserver cache in about 5-10 seconds. This bug allows the attacker to overwrite entries that are already in the cache. Nameservers that are authoritative only are not vulnerable. But setting a high TTL for your hosts which you are authoritative won't help vulnerable resolvers from being poisoned. This attack bypasses the TTL protections on vulnerable resolvers. DNS client libraries (workstations and servers that resolve to upstream nameservers) need to be patched also. The attacks still work against single unpatched hosts - but the priority should be your resolving nameservers. Home firewall NAT devices are also proving to be vulnerable as many don't seem to randomize the source port. If I heard correctly, Joao Damas from ISC (Internet Systems Consortium, maintainers of BIND) reports that he has seen attacks already in the wild for this vulnerability.	Kyle 112 Posts Jul 24th 2008
Thread locked Subscribe	Jul 24th 2008 1 decade ago