The following information was sent by Ryan Connolly of Team Cymru regarding a major vulnerability that affects recursive DNS servers and can dramatically increase the potential danger of a cache poisoning attack. Operators are advised to act immediately to apply the relevant patches in order to mitigate this vulnerability.

Although DNS cache poisoning is not a new attack, Dan Kaminsky recently found a much faster way to carry it out, drastically reducing the number of "guesses" an adversary must make when trying to poison a DNS server's cache. In the past, an attacker had to guess the DNS transaction ID in order to carry out a DNS cache poisoning attack, which meant picking the ID out of approximately 2^15 possible values in a correct implementation. Using a "birthday attack," a technique that has also been around for some time, this may be feasible. Kaminsky, however, found a way to reduce the number of "guesses" to a very small number, making the vulnerability a serious issue.

The patches released by major network device vendors increase the number of "guesses" an attacker would have to run through to conduct a DNS cache poisoning attack by randomizing the source port used to make DNS requests. Now an attacker must correctly guess not only the transaction ID associated with the DNS request but also the source port. In total, this returns the number of "guesses" necessary by an attacker back to roughly 2^16.
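One way for an operator to confirm from query logs that a patched resolver's outgoing queries really do use randomized source ports (an added example, not part of the original advisory; the log format, addresses and both thresholds are constructed assumptions):

```python
import re
import statistics
from collections import defaultdict

# Constructed sample: queries seen at an authoritative server, one per line,
# as "resolver_ip#source_port qname". Addresses and ports are invented.
SAMPLE_LOG = """\
192.0.2.10#32768 a.example.net
192.0.2.20#1025 a.example.net
192.0.2.30#51234 a.example.net
192.0.2.10#32768 b.example.net
192.0.2.20#1026 b.example.net
192.0.2.30#1290 b.example.net
192.0.2.10#32768 c.example.net
192.0.2.20#1027 c.example.net
192.0.2.30#40211 c.example.net
192.0.2.10#32768 d.example.net
192.0.2.20#1029 d.example.net
192.0.2.30#17654 d.example.net
"""
LINE_RE = re.compile(r"^(\S+)#(\d+)\s")

def ports_by_resolver(log_text):
    """Group observed source ports by resolver address, in arrival order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    return dict(seen)

def classify(ports, min_stdev=3000, max_step=16):
    """Label port behaviour; both thresholds are assumed values, tune per site."""
    if len(ports) < 2:
        return "insufficient data"
    if len(set(ports)) == 1:
        return "fixed"        # unpatched: only the transaction ID varies
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= max_step for s in steps):
        return "sequential"   # predictable, adds almost nothing to guess
    return "randomized" if statistics.pstdev(ports) >= min_stdev else "narrow"

def audit(log_text):
    return {ip: classify(p) for ip, p in ports_by_resolver(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

Feed it queries captured on the far side of any NAT device, since port-rewriting NAT can undo the randomization the resolver applies.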

This is a potentially very serious issue because of its scope and because of the end effect: if an attacker is successful, the attacker could redirect all traffic destined for a certain internet server to a server controlled by the attacker, transparently to an end user.

For a comprehensive analysis and for more methods of reducing exposure to this vulnerability, please see the following: http://www.kb.cert.org/vuls/id/800113

Source port randomization is a practical solution that makes executing DNS cache poisoning attacks more difficult given the new vulnerability, but it does not completely solve the underlying problem, which lies in the DNS specification. The wide scope of this vulnerability highlights the need to address the underlying issue by applying DNSSEC, which provides a robust method of preventing various methods of DNS cache poisoning.

For more information on DNS cache poisoning, please see: http://en.wikipedia.org/wiki/DNS_cache_poisoning

