Technology Review, November/December 2008, Feature Story
high-level engineers from the major manufacturers of DNS software
and hardware---companies that include Cisco and Microsoft.
They arranged a meeting in March at Microsoft's campus in
Redmond, WA. The arrangements were so secretive and rushed,
Kaminsky says, that "there were people on jets to Microsoft who
didn't even know what the bug was."
Once in Redmond, the group tried to determine the extent of
the flaw and sort out a possible fix. They settled on a stopgap
measure that fixed most problems, would be relatively easy to deploy,
and would mask the exact nature of the flaw. Because attackers
commonly identify security holes by reverse-engineering patches
intended to fix them, the group decided that all its members had
to release the patch simultaneously (the release date would turn
out to be July 8). Kaminsky also asked security researchers not to
publicly speculate on the details of the flaw for 30 days after the
release of the patch, in an attempt to give companies enough time
to secure their servers.
On August 6, at the Black Hat conference, the annual gathering
of the world's Internet security experts, Kaminsky would publicly
reveal what the flaw was and how it could be exploited.
ASKING FOR TROUBLE
Kaminsky has not really discovered a new attack. Instead, he has
found an ingenious way to breathe life into a very old one. Indeed,
the basic flaw targeted by his attack predates the Internet itself.
The foundation of DNS was laid in 1983 by Paul Mockapetris,
then at the University of Southern California, in the days of
ARPAnet, the U.S. Defense Department research project that linked
computers at a small number of universities and research
institutions and ultimately led to the Internet. The system is designed
to work like a telephone company's 411 service: given a name, it
looks up the numbers that will lead to the bearer of that name. DNS
became necessary as ARPAnet grew beyond an individual's ability
to keep track of the numerical addresses in the network.
Mockapetris, who is now chairman and chief scientist of
Nominum, a provider of infrastructure software based in Redwood, CA,
designed DNS as a hierarchy. When someone types the URL for a
Web page into a browser or clicks on a hyperlink, a request goes to
a name server maintained by the user's Internet service provider
(ISP). The ISP's server stores the numerical addresses of URLs it
handles frequently---at least, until their time to live expires. But if it
can't find an address, it queries one of the 13 DNS root servers, which
directs the request to a name server responsible for one of the
top-level domains, such as .com or .edu. That server forwards the request
to a server specific to a single domain name, such as google.com or
mit.edu. The forwarding continues through servers with ever more
specific responsibilities---mail.google.com, or libraries.mit.edu---
until the request reaches a server that can either give the numerical
address requested or respond that no such address exists.
As the Internet matured, it became clear that DNS was not
secure enough. The process of passing a request from one server
to the next gives attackers many opportunities to intervene with
false responses, and the system had no safeguards to ensure that
the name server answering a request was trustworthy. As early as
1989, Mockapetris says, there were instances of "cache poisoning,"
in which a name server was tricked into storing false information
about the numerical address associated with a website.
In the 1990s, the poisoner's job was relatively easy. The
lower-level name servers are generally maintained by private entities:
Amazon, for instance, controls the addresses supplied by the
amazon.com name server. If a low-level name server can't find
a requested address, it will either refer the requester to another
name server or tell the requester the page doesn't exist. But in the
'90s, the low-level server could also furnish the requester with the
top-level server's address. To poison a cache, an attacker simply
had to falsify that information. If an attacker tricked, say, an ISP's
name server into storing the wrong address for the .com server, it
could hijack most of the traffic traveling over the ISP's network.
Mockapetris says several features were subsequently added to
DNS to protect the system. Requesting servers stopped accepting
higher-level numerical addresses from lower-level name
servers. But attackers found a way around that restriction. As before,
they would refer a requester back to, say, the .com server. But
now the requester had to look up the .com server's address on its
own. It would request the address, and the attacker would race to
respond with a forged reply before the real reply arrived. Ad hoc
security measures were added to protect against this strategy, too.
Now, each request to a DNS server carries a randomly generated
transaction ID, one of 65,000 possible numbers, which the reply
must contain as well. An attacker racing to beat a legitimate reply
would also have to guess the correct transaction ID.
Unfortunately, a computer can generate so many false replies so quickly
that if it has enough chances, it's bound to find the correct ID.
So the time to live, originally meant to keep name servers from
being overburdened by too many requests, became yet another
stopgap security feature. Because the requesting server will store
an answer for some period of time, the attacker gets only a few
chances to attempt a forgery. Most of the time, when the server
needs a .com address, it consults its cache rather than checking
with the .com server.
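A small resolver model of the three defenses just described, added here as an illustration (it is not code from the article or from any real name server): it keeps a random transaction ID for each outstanding query and discards any reply that does not carry it, refuses address records for names the answering server is not responsible for, and serves repeat lookups from cache until the time to live expires. The names, addresses, zone and TTL values are constructed.

```python
"""Toy model of a caching DNS resolver with the article's three stopgaps.
Illustration only; not the article's code or a real resolver's logic."""
from dataclasses import dataclass, field
import secrets

ID_SPACE = 65536  # 16-bit transaction ID, roughly the "65,000 numbers"


@dataclass
class Reply:
    txid: int            # transaction ID echoed back by the responder
    qname: str           # name that was asked about
    answer: str          # address claimed for qname
    responder_zone: str  # zone the answering server is responsible for
    extra: dict = field(default_factory=dict)  # additional name -> address


class Resolver:
    def __init__(self):
        self.cache = {}    # name -> (address, expiry time)
        self.pending = {}  # qname -> transaction ID we are waiting for
        self.now = 0       # constructed clock, seconds

    def lookup(self, qname):
        """Return a cached address, or None after sending a fresh query."""
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now:
            return hit[0]  # answered from cache: no query, no race window
        self.pending[qname] = secrets.randbelow(ID_SPACE)
        return None

    @staticmethod
    def in_zone(name, zone):
        """True if the responder is responsible for this name."""
        return name == zone or name.endswith("." + zone)

    def accept(self, reply, ttl=3600):
        """Validate a reply; cache only records the responder may supply."""
        expected = self.pending.get(reply.qname)
        if expected is None or reply.txid != expected:
            return False  # unsolicited, or wrong transaction ID: drop it
        del self.pending[reply.qname]
        records = dict(reply.extra)
        records[reply.qname] = reply.answer
        for name, addr in records.items():
            # A lower-level server may not hand us higher-level addresses.
            if self.in_zone(name, reply.responder_zone):
                self.cache[name] = (addr, self.now + ttl)
        return True
```

A forged reply carrying a stale or guessed ID is dropped, an in-zone answer is cached, and an out-of-zone "extra" record for `com` is ignored even in an otherwise valid reply.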
Kaminsky found a way to bypass these ad hoc security features---
most important, the time to live. That made the system just as
vulnerable as it was when cache poisoning was first discovered. Using
Kaminsky's technique, an attacker gets a nearly infinite number
of chances to supply a forgery.
Say an attacker wants to hijack all the e-mail that a
social-networking site like Facebook or MySpace sends to Gmail
accounts. He signs up for an account with the social network, and