Technology Review, November/December 2008, Feature Story

at the Heart of the Internet

Dan Kaminsky discovered a fundamental security problem in the Internet and got people to care in time to fix it. It's a dramatic story with a happy ending ... but we were lucky this time.

By Erica Naone
Photograph by John Keatley

Dan Kaminsky, uncharacteristically, was not looking for bugs earlier this year when he happened upon a flaw at the core of the Internet. The security researcher was using his knowledge of Internet infrastructure to come up with a better way to stream videos to users. Kaminsky's expertise is in the Internet's domain name system (DNS), the protocol responsible for matching websites' URLs with the numeric addresses of the servers that host them. The same content can be hosted by multiple servers with several addresses, and Kaminsky thought he had a great trick for directing users to the servers best able to handle their requests at any given moment.

Normally, DNS is reliable but not nimble. When a computer---say, a server that helps direct traffic across Comcast's network---requests the numerical address associated with a given URL, it stores the answer for a period of time known as "time to live," which can be anywhere from seconds to days. This helps to reduce the number of requests the server makes. Kaminsky's idea was to bypass the time to live, allowing the server to get a fresh answer every time it wanted to know a site's address. Consequently, traffic on Comcast's network would be sent to the optimal address at every moment, rather than to whatever address had already been stored. Kaminsky was sure that the strategy could significantly speed up content distribution.

It was only later, after talking casually about the idea with a friend, that Kaminsky realized his "trick" could completely break the security of the domain name system and, therefore, of the Internet itself. The time to live, it turns out, was at the core of DNS security; being able to bypass it allowed for a wide variety of attacks. Kaminsky wrote a little code to make sure the situation was as bad as he thought it was. "Once I saw it work, my stomach dropped," he says. "I thought, 'What the heck am I going to do about this? This affects everything.'"
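Why the time to live is "at the core of DNS security" can be made concrete with a toy model of a caching resolver (example code written for this page, not Kaminsky's or ISC's): a resolver that honours the TTL takes a new upstream answer for a name into its cache only once per TTL, so the number of chances for any upstream reply, genuine or not, to become the cached answer is bounded; a resolver that bypasses the TTL accepts a fresh answer on every lookup. The one-hour TTL, the name and the 198.51.100.10 address are constructed.

```python
"""Toy caching resolver: how the TTL bounds how often a fresh upstream
answer is accepted into the cache (constructed model, not real DNS code)."""
from dataclasses import dataclass, field


@dataclass
class Record:
    address: str
    expires_at: float  # absolute time at which the cached answer expires


@dataclass
class CachingResolver:
    honour_ttl: bool = True
    upstream_queries: int = 0  # how many times upstream was consulted
    cache: dict = field(default_factory=dict)

    def upstream(self, name: str, now: float) -> Record:
        """Stand-in for the authoritative lookup (constructed answer)."""
        self.upstream_queries += 1
        ttl = 3600.0  # one hour; a constructed but typical TTL
        return Record(address="198.51.100.10", expires_at=now + ttl)

    def lookup(self, name: str, now: float) -> str:
        rec = self.cache.get(name)
        if self.honour_ttl and rec is not None and rec.expires_at > now:
            return rec.address  # served from cache; upstream not consulted
        rec = self.upstream(name, now)  # fresh answer accepted into the cache
        self.cache[name] = rec
        return rec.address


def answers_accepted(honour_ttl: bool, lookups: int, period: float) -> int:
    """Count the upstream answers a resolver takes into its cache for one
    name over `lookups` evenly spaced queries spanning `period` seconds."""
    resolver = CachingResolver(honour_ttl=honour_ttl)
    for i in range(lookups):
        resolver.lookup("www.example.com", now=i * period / lookups)
    return resolver.upstream_queries


if __name__ == "__main__":
    # 1000 lookups in one hour: TTL honoured -> 1 answer accepted,
    # TTL bypassed -> 1000 answers accepted.
    print(answers_accepted(True, 1000, 3600.0))
    print(answers_accepted(False, 1000, 3600.0))
```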
Kaminsky's technique could be used to direct Web surfers to any Web page an attacker chose. The most obvious use is to send people to phishing sites (websites designed to trick people into entering banking passwords and other personal information, allowing an attacker to steal their identities) or other fake versions of Web pages. But the danger is even worse: protocols such as those used to deliver e-mail or for secure communications over the Internet ultimately rely on DNS. A creative attacker could use Kaminsky's technique to intercept sensitive e-mail, or to create forged versions of the certificates that ensure secure transactions between users and banking websites. "Every day I find another domino," Kaminsky says. "Another thing falls over if DNS is bad. ... I mean, literally, you look around and see anything that's using a network---anything that's using a network---and it's probably using DNS."
Kaminsky called Paul Vixie, president of the Internet Systems Consortium, a nonprofit corporation that supports several aspects of Internet infrastructure, including the software most commonly used in the domain name system. "Usually, if somebody wants to report a problem, you expect that it's going to take a fair amount of time for them to explain it---maybe a whiteboard, maybe a Word document or two," Vixie says. "In this case, it took 20 seconds for him to explain the problem, and another 20 seconds for him to answer my objections. After that, I said, 'Dan, I am speaking to you over an unsecure cell phone. Please do not ever say to anyone what you just said to me over an unsecure cell phone again.'"
Perhaps most frightening was that because the vulnerability was not located in any particular hardware or software but in the design of the DNS protocol itself, it wasn't clear how to fix it. In secret, Kaminsky and Vixie gathered together some of the top DNS experts in the world: people from the U.S. government and