Dan Kaminsky Disqualified from Most Overhyped Bug Pwnie

I can be pretty skeptical and cynical at times (part of what drives my interest in security) and I am especially skeptical of massively hyped vulnerabilities. If anything, I tend to underhype what I do and let others hype it for me if they think that it warrants more attention.

With all of the hype around Dan Kaminsky’s DNS vulnerability, I naturally doubted that all of the hype was warranted.  I was flattered, however, when Rich Mogull called and invited me onto a conference call with Dan Kaminsky and the other Doubting Thomas (Ptacek, that is).  Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined.  Yes, I am being light on the specifics here because I was sworn to secrecy and if I were to break it, Dan would cause my nameservers to rickroll me until the end of time.

In summary, when the full details of Dan’s attack come out, you will most likely be impressed.  I definitely was.

12 Responses to “Dan Kaminsky Disqualified from Most Overhyped Bug Pwnie”

  1. SecurityBob Says:

    Let’s make the world believe that http://www.google.com is 127.0.0.1:

    Step 1:

    - Create a malicious DNS zone (malicious.com)

    - Spread links to http://www.malicious.com all over the internet (spam, etc…)

    Step 2:

    - Victim clicks on the link to http://www.malicious.com

    - Victim’s DNS resolver (ns.victim.com) talks to ns.malicious.com

    - ns.malicious.com answers by saying that “www.malicious.com” really is an alias for “www.google.com”

    => At this point, I, as an attacker, know that ns.victim.com is going to ask ns.google.com what the IP of “www.google.com” is

    => ns.victim.com is using either a fixed or a non-random UDP source port for its queries

    => So I can flood ns.victim.com (posing as ns.google.com) with tons of fake DNS answers claiming that http://www.google.com is 127.0.0.1. All I have to figure out at this point is the XID that will be used, and given that it’s a 16-bit integer, it’s not the most complex thing in the world.

    => ns.malicious.com now believes that http://www.google.com is 127.0.0.1
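    The walkthrough above hinges on two values the resolver picks for each outbound query: the UDP source port and the 16-bit transaction ID. A resolver operator can check both from a sample of its own queries. The following is an editor's added example, not code from the post or from SecurityBob; it reads a constructed "port=... id=0x..." log format (an assumption for this example, not any real server's log syntax), counts distinct source ports and looks for counter-style transaction IDs, and reports whether a spoofer would face roughly 2^16 or roughly 2^32 guesses. The thresholds are also assumptions chosen for illustration.

```python
"""Sanity check for the two values a blind DNS spoofer has to guess.

Added example (not from the post or its commenters).  It takes a sample of
a resolver's outbound queries, in a constructed "port=... id=0x..." log
format, and reports whether the UDP source port and transaction ID (XID)
show enough variation.  A fixed port leaves only the 16-bit XID to guess;
random port plus random XID gives roughly 2^32 possibilities.
"""
import random
import re
from collections import Counter

# Constructed log line format for this example, e.g. "port=53 id=0x1a2b".
LINE_RE = re.compile(r"port=(\d+)\s+id=0x([0-9a-fA-F]{1,4})")


def parse_query_log(lines):
    """Return a list of (source_port, txid) from constructed log lines."""
    queries = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            queries.append((int(m.group(1)), int(m.group(2), 16)))
    return queries


def sequential_fraction(values):
    """Fraction of consecutive XIDs that differ by exactly +1 (mod 2^16).

    A value near 1.0 means the XID is a plain counter and is predictable.
    """
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)


def assess_resolver(queries, min_port_ratio=0.5, max_seq_fraction=0.5):
    """Judge source-port and XID variation over a sample of outbound queries.

    Thresholds are assumptions for this example, not from any standard.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct_ports = len(set(ports))
    port_ratio = distinct_ports / len(queries)
    seq = sequential_fraction(txids)
    findings = []
    if port_ratio < min_port_ratio:
        top_port, _ = Counter(ports).most_common(1)[0]
        findings.append(f"source port not randomized (most common: {top_port})")
    if seq > max_seq_fraction:
        findings.append("transaction IDs are sequential")
    return {
        "queries": len(queries),
        "distinct_ports": distinct_ports,
        "port_ratio": round(port_ratio, 3),
        "sequential_txid_fraction": round(seq, 3),
        "findings": findings,
        "verdict": "weak" if findings else "ok",
    }


def constructed_sample(randomize_ports, seed=7, n=200):
    """Build constructed log lines for two resolver behaviours.

    randomize_ports=False: fixed port 53 and a counter XID (the weakness the
    comment relies on).  randomize_ports=True: random ephemeral port and
    random XID per query.
    """
    rng = random.Random(seed)
    lines = []
    xid = 0x1000
    for _ in range(n):
        if randomize_ports:
            port, xid = rng.randrange(49152, 65536), rng.randrange(65536)
        else:
            port, xid = 53, (xid + 1) % 65536
        lines.append(f"port={port} id=0x{xid:04x}")
    return lines


if __name__ == "__main__":
    for label, lines in (("unpatched", constructed_sample(False)),
                         ("patched", constructed_sample(True))):
        print(label, assess_resolver(parse_query_log(lines)))
```

Run it as a script to see both verdicts side by side; on a real resolver you would feed `parse_query_log` a few hundred of its own outbound queries (after adapting the regex to that server's actual log format) and expect the distinct-port count to track the sample size.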

  2. Consensus? : DoxPara Research Says:

    [...] It went well. [...]

  3. Lynn Taylor Says:

    As someone who was not part of the discussion in the DNS community, but still has to maintain (i.e. write code) for a DNS server, I’d still like to know what I’m coding against.

    I understand (and respect) what Dan has done, but it was hard to find the details of the patch among all of the discussion.

    I hope I’ve interpreted it correctly.

    … and I hope I got it right.

  4. Ma petite parcelle d'Internet... Says:

    DNS, DNS, DNS……

    Germaine, get out the double-barrelled shotgun, the rice, the cans of cassoulet, the bottles of water and the sandbags, the global Internet is sinking. Straight down. Titanic style. Yes, dear readers, DNS has just taken a twelve-gauge hit. Another one…….

  5. Dan Kaminsky Says:

    Tell me about the name server you’re coding against, and contact me privately.

  6. JohnJones Says:

    Thanks, I know randomness is hard (-;

    regards

    John Jones
    http://www.johnjones.me.uk

  7. Lynn Taylor Says:

    Dan,

    I’ve posted two comments at DoxPara.com; those comments are marked “awaiting moderation” — and the E-Mail address is valid.

    I promise to take the minimum amount of time.

    Thanks — Lynn

  8. Lynn Taylor Says:

    Dan: thanks for your help.

  9. Network Security Podcast » Blog Archive » Network Security Podcast, Episode 112 Says:

    [...] Dan Kaminsky disqualified from the most overhyped bug Pwnie Dino Dai Zovi [...]

  10. The Mysterious DNS Exploit | Perimeter Grid Says:

    [...] even worse.  All of the skeptics of his discovery who have been let in on the secret have come around to his side, and all the DNS vendors issued a design-change patch.  Among other things, this patch [...]

  11. Zero Day mobile edition Says:

    [...] Thomas Ptacek (right), principal of Matasano Security, was the first to call BS on the secrecy.   Kaminsky immediately arranged a private conference call to spill the beans.   Dino Dai Zovi, another researcher with hacker cred, was included.   After the call, both Ptacek and Dai Zovi confirmed this was something super-serious that required immediate attention. [...]

  12. Dan Kaminsky Discovers … 5 Stages of Disclosure Grief | securosis.com Says:

    [...] ‘Dan Kaminsky Disqualified from Most Overhyped Bug Pwnie’ and ‘This is absolutely one of the most exceptional research projects I’ve seen. Dan’s [...]
