Technology Review, November/December 2008, Feature Story (www.technologyreview.com)
when he's prompted for an e-mail address, he supplies one that points to a domain he controls. He begins to log on to the social network but claims to have forgotten his password. When the system tries to send a new password, it does a DNS lookup that leads to the attacker's domain. But the attacker's server claims that the requested address is invalid.

At this point, the attacker could refer the requester to the google.com name servers and race to supply a forged response. But then he would get only one shot at cracking the transaction ID. So instead, he refers the requester to the nonexistent domains 1.google.com, then 2.google.com, then 3.google.com, and so on, sending a flood of phony responses for each. Each time, the requesting server will consult Google's name servers rather than its cache, since it won't have stored addresses for any of the phony names. The attack completely bypasses the limits set by the time to live. One of the attacker's forgeries is bound to get through. Then it's a simple matter to direct anything the requesting server intends for Google to the attacker's own servers, since the attacker appears to have authority for names ending in google.com. Kaminsky says he was able to pull off test attacks in as little as 10 seconds.
IN THE DARK
On July 8, Kaminsky held the promised press conference, announcing the release of the patch and asking other researchers not to speculate on the flaw. The hardware and software vendors had settled on a patch that forces an attacker to guess a longer transaction ID. Kaminsky says that before the patch, the attacker had to make tens of thousands of attempts to successfully poison a cache. After the patch, it would have to make billions.

News of the flaw appeared in the New York Times, on the BBC's website, and in nearly every technical publication. Systems administrators scrambled to get the patch worked into their systems before they could be attacked. But because Kaminsky failed to provide details of the flaw, some members of the security community were skeptical. Thomas Ptacek, a researcher at Matasano Security, posted on Twitter: "Saying it here first: doubting there's really any meat to this DNS security announcement."

Dino Dai Zovi, a security researcher best known for finding ways to deliver malware to a fully patched MacBook Pro, says, "I was definitely skeptical of the nature of the vulnerability, especially because of the amount of hype and attention versus the low amount of details. Whenever I see something like that, I instantly put on my skeptic hat, because it looks a lot like someone with a vested interest rather than someone trying to get something fixed." Dai Zovi and others noted that the timing was perfect to promote Kaminsky's Black Hat appearance, and they bristled at the request to refrain from speculation.

The lack of information was particularly controversial because system administrators are often responsible for evaluating patches
A CACHE POISONING ATTACK
Cache poisoning causes a requesting server to store false information about the numerical address associated with a website. A basic version of the attack---without some of the more sophisticated techniques Kaminsky employs---is outlined below.

1. To begin, the attacker lures the victim's server into contacting a domain the attacker controls. The attacker could, say, claim to have forgotten a password, prompting the victim to respond by e-mail.

2. The victim performs a DNS lookup to find out where to send the e-mail. But the attacker's name server refers the victim to another server, such as that of example.com. Since the attacker knows that the victim will now start a DNS lookup for that server, he or she has an opportunity to attempt to poison its cache.

3. The attacker tries to supply a false response before the legitimate server can supply the real one. If the attacker guesses the right ID number, the victim accepts the false reply, which poisons the cache.
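The stream of queries for numbered, never-before-seen names under one domain, described in the feature text and again in the sidebar above, is the part of this attack a resolver operator can see in their own query logs. The Python below is an added example, not from the article or from Kaminsky's work; it runs a simple detection check over a constructed log sample (the log format, client addresses, threshold and window are all assumptions):

```python
import re
from collections import defaultdict

# Constructed sample resolver query log (format and addresses are assumptions,
# not real logs): "<epoch> client=<ip> q=<name> type=<rrtype>".
SAMPLE_LOG = """\
1215500000 client=203.0.113.7 q=www.google.com type=A
1215500001 client=203.0.113.7 q=1.google.com type=A
1215500001 client=203.0.113.7 q=2.google.com type=A
1215500001 client=203.0.113.7 q=3.google.com type=A
1215500002 client=203.0.113.7 q=4.google.com type=A
1215500002 client=203.0.113.7 q=5.google.com type=A
1215500002 client=203.0.113.7 q=6.google.com type=A
1215500003 client=198.51.100.9 q=mail.example.com type=A
1215500003 client=198.51.100.9 q=www.example.com type=A
"""
LINE_RE = re.compile(r"^(\d+) client=(\S+) q=(\S+) type=(\S+)$")
# Leftmost label is a bare number or a long random-looking string, and the
# parent is a two-label domain (a simplification: deeper names are ignored).
UNCACHEABLE_RE = re.compile(r"^(\d+|[a-z0-9]{8,})\.([^.]+\.[^.]+)$")

def parse_line(line):
    """Parse one log line into (epoch, client, qname, qtype), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return int(ts), client, qname.lower().rstrip("."), qtype

def flag_poisoning_candidates(log_text, threshold=5, window=10):
    """Sorted (client, parent) pairs where one client asked for >= threshold
    distinct numeric/random labels under one parent within `window` seconds."""
    seen = defaultdict(list)  # (client, parent) -> [(epoch, label), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        m = UNCACHEABLE_RE.match(qname)
        if m:
            seen[(client, m.group(2))].append((ts, m.group(1)))
    flagged = set()
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            labels = {lbl for ts, lbl in events[i:] if ts - start <= window}
            if len(labels) >= threshold:
                flagged.add(key)
                break
    return sorted(flagged)
```

Each forced cache miss is a fresh chance for a forgery to win the race, so a burst of such names from one client is worth an alert even before any poisoned answer is observed; legitimate CDN or anti-spam lookups can produce similar patterns, so the threshold needs tuning per resolver.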
[Figure: cartoon of the exchange between the victim's server and a name server; only fragments of the speech-bubble captions survived extraction ("I lost my ...", "How should I ...", "... is over here!!!").]