After a four-week orgy of speculation, recrimination and warnings, Dan Kaminsky's domain-name system vulnerability has finally gone public. And boy, are we glad the net's overlords paid attention. During an 80-minute presentation, Kaminsky for the first time gave a detailed analysis of a bug that threatened to bring chaos to the …
All your Internet
are belong to us.
Hopefully, whatever the DNS bug exploiters replace the current internet with will be just as amusing as this lot has been up to now.
Kaminsky's girlfriend is spot on with begging him not to break the internet. If only the <stereotypical mom's basement dwelling, ne'er-do-well, hacking bastards of doom> had such sage advice from *proximal* female companionship, perhaps then we could all sleep well at night.
"Come back to bed for a snuggle sweetie, it's late and I like the internet the way it is just fine." etc.
>if a less scrupulous person had stumbled on the bug first
You assume they didn't ???
Thank you, Dan Kaminski
I should've emailed him a few days ago. I was close. I was thinking of the stunt DNS server John Levine set up at sp.am, and how it could be used to trigger lots of DNS lookups from a client...
Are those like Viagra?
...Taste the painbow... or at least that would be Paris's thought on it lmao
In before the fanboys
Come on, guys, I'm waiting for it--how will running Linux/OS X/*BSD utterly prevent this vulnerability?
NAT breaks the fix
Are there patches for the broken NATs yet?
Linux/unix etc (the superior operating systems in general) won't make any difference to this flaw, as at the level of this flaw DNS works in the same way whether the DNS server is Win or *nix.
Unfortunately the client doing the DNS lookup doesn't help either, as it's a query to a DNS server; just because it was a Linux/unix client, they are still susceptible to this flaw.
If you were aware of how DNS worked and the differences between a proper OS and Windows then you would never have made such a daft comment in the first place.
Saying that, I can kinda see your point, as my colleagues in the Unix community do like to throw out the "Wouldn't have happened on Linux" line all the time. Although why wouldn't they - it's normally true :o)
@ Tom Maddox
However, since your average Mac OS X User has already shown signs of superior intelligence, by not buying over-priced, faulty kit from Microsoft, he is less likely to be drawn into the resulting phishing site etc.
For example, user A: a Windows user, goes to his bank web site, and it looks kinda odd, some mis-spelt words, the occasional missing graphic, and today it's asking him for all his security digits, not just 3 random ones. What the heck, he thinks, this looks like the sort of thing I'm used to.
User B: On a Mac, goes to his bank site and thinks, hmmmm, something wrong here. Let's shut the browser and try again. Ahh, that's better.
User A is an idiot - we know that already because he bought Windows.
Woohoo - the world didn't end!
To paraphrase one outsourcing company responsible for a "Fortune 500" company infrastructure...
"We don't need to worry about it, or patch it, because the provided DNS servers are only accessible from internal clients. Therefore they can't be affected."
Which scares the sh!t out of me, since it shows a complete lack of understanding of the problem. (Since some of the users at the company use something called the internet, there are ways to attack them via webpages... I'm not going to put the details here since there are so many ways discussed already and most of us are with it enough to think of others)
So - if you have to deal with EviDently Stupid outsourcers, please chase them to get it fixed.
Anonymous for pretty obvious reasons, I would have thought ;)
"The fuss was justified from the perspective that this is an impactful finding that has the potential to bring down the internet," said Nitesh Dhanjani, a senior manager at Ernst & Young.
Impactful?! Can't they hire people who can speak properly at these corporations?
It's the death of the American Language as we know it......
It's not really a fix is it?
I was under the impression that this just makes poorly designed resolvers choose a random UDP port instead of using the same one, so you've got to guess the right port as well as the ID (Both 1 in 2^16). In which case it's not a fix, it just means that you've got to throw more queries at the server to get lucky with it. As for those Fortune 500 companies - how has The Register got access to their resolvers? Unless of course they are running recursive lookups unrestricted to the public via their authoritative servers.
Isn't Dan Kaminsky...
... the bluegrass singer and musician who plays with Alison Krauss and Union Station? The one whose voice was used for George Clooney in 'O Brother, Where Art Thou'?
Patches for broken NATs
For the security conscious, this will wind up having them put extra money into their vendors' pockets. Think about the number of old, long discontinued routers which still work, but have "broken" NAT implementations which will allow this exploit to work.
I find this unfortunate. My SMC Barricade 7008ABR is running a firmware which is almost four years old, but rock-solid. The feature which has kept this particular unit in place is the 56k dial-up back-up with a USR v.Everything, which keeps my systems communicating in the event that my broadband connection goes offline.
Paris, goes down so much you'll always be on 56k. Paris for President (wtf?!)
RE: NAT breaks the fix
Yes, it's called IPv6
Bring it all down i say!!!
Maybe then people will learn how to construct a sentence properly again. Perhaps do their own research.
Eh? Dan Kaminsky 'finally' released details of the bug on his blog at http://www.doxpara.com/ on the 24th July after the speculators had pretty much guessed it (as I'm sure you reported in the El Reg at the time). So please stop going for the sensational (and inaccurate) headlines.
Is actually starting to show up in dictionaries. Coming from a senior manager too, there was a time they were educated.
Maybe English is their second language?
I guess that my home router probably exhibits this bug? Running a DNS relay as it does.
Not my area, so if there is anyone out there who knows DNS, should I be manically searching Linksys' site for a patch?
Re: In before the fanboys
>Come on, guys, I'm waiting for it--how will running Linux/OS X/*BSD utterly prevent this vulnerability?
Okay, you told me :-( I feel like such an idiot now... all those operating systems had the same flaw as the commercial ones. I clearly should have just paid up for a proper non-open-source system with the same vulnerability, er...
Anyway, at least I'm not running OSX.
Also, I could very well be wrong on this one, but I imagine that OpenBSD was significantly more resilient to this sort of attack (if not necessarily immune) due to its far better use of randomness throughout the system.
Some Plain Info Required
I see copious mentions of "NAT" and "baaad" in connection with this, but being a poor troglodyte I'm unclear what this means. Does it mean my couple-of-years-old Netgear MIMO jobbie is about to:
a) become a security liability?
b) stop working altogether with Teh New, F|XX0R3D DNS?
Bit of plain English for us concerned home-users would be much appreciated.
PS - Kaminsky's DNS Checker worked for me last week, but now it's returning an Address Not Found. Wha' g'wan?
Tom Maddox, you're an idiot
It should read:-
OSX user being such a smug bastard assumes the website must be fine because we all know that OSX is perfect, and 100% secure, so nothing can hurt him.
And don't forget the Windows user who did not pay for it.
He sees it's iffy and, being smarter than the user who paid for Windows and not so smug or complacent as the Mac user, thinks this is iffy and closes his browser and tries again.
The DNS protocol is how your computer (through its server, your ISP) finds websites.
When an address is requested, the Website address is matched to a special number (called an I.P address) which the computers use to communicate with one another. This is the sole purpose of the D.N.S protocol to my understanding.
The D.N.S protocol has a hole in it, where it can be confused.
If this is done properly, the DNS server may be misled into allocating a web address to the I.P address of a malicious user's system, where they can emulate the website or otherwise provide tainted services.
The Internet user will have little clue as to any changes, as even a valid 'safe' address may be hijacked by someone able to use this exploit.
Hope this helps; your personal routers and broadband modems are not at issue here. A lot of D.N.S servers are patched anyway, but there is still a threat of false websites.
"how will running Linux/OS X/*BSD utterly prevent this vulnerability?"
Well, BIND was vulnerable but has now been patched. BIND is the nameserver most such systems use, so at the time of announcement of the patch all BIND servers were vulnerable.
However, running djbdns instead of BIND *would* have utterly prevented this vulnerability, since Kaminsky's attack doesn't work on djbdns (at least not with current computing power / bandwidth). So you may still have to fend off a few Bernstein fanboys. They will necessarily be UNIX fanboys of some flavour, but that's not the relevant fandom.
Really??....two mistakes from you in one post. Guess you are being more twat than pedant ;)
"It's the death of the American Language as we know it......"
1. There is NO American language. He was speaking English. Possibly American English which is a dialect of English. But there is still no American language
2. Main Entry: impactful
Part of Speech: adj
Definition: having a great impact or effect
Admittedly "impactful" is from Webster's Dictionary, an American dictionary, rather than the Oxford English Dictionary. But as the individual using the word "impactful" was an American, it's perfectly legitimate for him to use that particular word.
Frankly I'm astonished
that there are so many posts here from people who don't understand how DNS works in the first place! I'm loath to recommend you all go to Wikipedia and look it up, but that might be a good place to start, then have a look at http://www.dns.net/dnsrd/ for more of the juice
Ernst & Young on the kool aid
"has the potential to bring down the internet" ?
Err, no, just DNS and applications on top of it. The actual underlying network ('the internet') will be happily sending TCP/IP packets around as if nothing has happened.
It's not like that BGP problem a while back that actually could have killed backbone routing...
Running Linux wouldn't help at all. One reason, really. Who in their right mind is going to be running a DNS server on anything other than Linux in the first place? ;-)
@ those @Tom Maddox
Didn't you spot Tom's tongue-in-cheekiness there? lol!
@Greg (the Greg who is not me, who is also a Greg)
"Running Linux wouldn't help at all. One reason, really. Who in their right mind is going to be running a DNS server on anything other than Linux in the first place? ;-)"
Those of us who aren't allowed to use Linux, because it's "Open Source and therefore HACKERS!!1!!!1 can see the code!!!!"...so Solaris is the approved *nix.
Ours not to reason why, ours not to make reply...
To the AC that asked if it really would make any difference to be guessing the source port too: well yes, it's now gone from 65536 possibilities to about 4 billion possibilities. There is no way you can send 4 billion DNS replies in the short amount of time required to exploit the race condition (up to what, half a second?); this is tens of gigabytes of data...
However, if you just leave it to the OS to allocate a random source port, then you're still shafted, as most OSes allocate these in increasing numeric order from 1024 upwards. :-)
I wish I had time to give you a more intelligent explanation as to why you are a smug but completely misinformed imbecile with what seems to be a mild case of Asperger's, but I haven't. Needless to say really, but you really outdid yourself here though :D
Re: Patches for broken NATs
Yes and no. It depends what you have and what firmware you are running. I know at least one alternate firmware for the venerable WR54G router has been patched already. I'm not sure about others. (I admit that after reading the article, I decided to check to see if I should upgrade the firmware on my router and found that a new version featuring the patch was out.)
I am glad I don't have to wait to Linksys to roll a patch for my long discontinued hardware.
BTW, I run Tomato on my router.
It's not really a fix is it?
No, the only real fix is DNSSEC, period.
@ Gavin Berry
You missed the Windows user who paid, doesn't notice the website looks a bit iffy and attempts to enter their details. Internet Explorer is so loaded with spyware and "Special Toolbars" that it crashes, INADVERTENTLY SAVING THE DAY!
HOORAY INSTABILITY IS NOW A SECURITY FEATURE!
That is all
Hang on, aren't all those users who don't notice things like that the ones we have been pushing to OSX because they can't just click on an application while thinking it is going to be naked pictures of a tennis star/world war 3 starting/GWB being stupid (as if he would :p)
@ By TimM
Yes I did, TimM.... it's a shame no one else did! Muppets. Maybe they need some sunlight?...
Mutters, "Give me strength!" to himself.
Right.. (long intake breath).
Linux (et al), being an open source operating system, is ..well open.
This means the problem with the Linux server on which that DNS service is running (and you can bet your bottom euro it will be on one) will have the fix well scrutinised, be solid and updated frequently with improvements.
And this will probably be issued and in place hours or (even minutes) after vulnerability is detected.
You probably had some hacker in the corner of the room sitting cross-legged with a laptop on his legs coding up the patch as the guy was speaking.
He probably posted it to the BIND bugzilla site before the "...thanks for coming." speech.
Also, with *nix advanced and mature script facilities (lacking in Windows, and they know it) the massive brained *nix sysops will probably have their own temporary perl (or whatever) script fixes in place before the RedHat network (or whatever) even announce the download is ready.
I'm being general (or whatever) here, of course.
I (thankfully) don't have to wait for the behemoth profiteering giant to stall enough for its "partners" to reap in a bit of cash in order to keep up the MVP payments.
Did you spot the cynicism there?
It's a trust thing.
I don't trust business types to do the right thing if it conflicts with profit margins.
Now I'm off to make sure my house insurance payments are up to date for when the fire-storm starts.
...thanks for coming.
@ Tom Chiverton
TCP/IP is not the internet either. If you cannot use any service because all IP addresses are spoofed, then you'll end up having to either guess the real IP addresses of the servers you try to access or just record every IP address you need to access (and forget about load balancing, content distribution, contingency servers and dynamic hosts). Given the amount of available IPs, not to mention those IPs that host several sites/services, the DNS server system is as crucial to the internet as TCP/IP.
IMHO braking the DNS system you ARE INDEED braking the Internet because it is not functional anymore.
trademark blue jeans and black shirt and sneakers
Awesome & wonderfully outlandish! Is he a superhero or something?
I'm today wearing my trademark blue jeans and t-shirt and sneakers. And I'll sue anyone trying to copy my style. So there!
@Rodrigo Rollan : Braking the Internet
It's BT who brake the internet isn't it?
As for "braking the DNS system" it's the incorrect results that bothers me, not the speed of it.
Don't worry mate, some of us knew you were being ironic...
The English dictionaries know that their purpose is to record and define English 'as it is spoke'. It's not their job to arbitrate what's acceptable English or not; although the braver ones will offer guidance on common usage.
So if people are starting to use stupid words like 'impactful' - or any of the other ludicrous constructions so beloved of management types - the dictionaries are going to start recording those terms.
The trouble is that a lot of people don't understand that function of dictionaries, and have the idea that they *are* there to prescribe how the language should be used. If it's in the dictionary, they argue, then it's good English. They're putting the cart before the horse, you might say. They assume that the presence of a word in the dictionary is what causes people to use it, rather than the other way round.
Meh. It's always happened: people who're trying to make themselves indispensable and important invent arcane language to try to mystify everyone else. It's just they have the Mighty Interweb now, so they can mystify the whole damn planet in a sparkle.
You must be crapping yourself with laughter by now!
fell for the troll.
Re: Patches for broken NATs
True enough. I've been using DD-WRT for about a month now after I finally got around to playing with it. I wish I had some older WRT54Gs to fiddle with the advanced features.
I had considered the possibility of an alternative firmware using the UARTs which appear to be present on several wireless routers. I've seen at least one which activates the serial port for use with some type of memory card (SD, I think.)
I've heard of Tomato and will give it a look-see once I have some more free time. Maybe that would do the trick. I do not believe, however, that I have seen a firmware which addresses some of the features of the Barricade 7008ABR: dial-up backup (56k or ISDN,) parallel print server, and NO wireless.
Paris, she's heard of Tomato, too, but won't use it because the FDA said it was infected by a bacteria, and that's ewww.
I see irony has also died a death.....
@Patches for broken NATs
I'm pretty sure that most people don't have to worry about their home NAT routers, because most NAT routers don't act as caching DNS servers, they just forward their DNS queries up the line to your ISPs DNS server, which should have been patched by now.
The NAT issue arose because some of these "infrastructure grade" DNS servers at major ISPs are themselves behind NAT devices, and it is these NAT devices at the ISP level that will have been flagged as "degrading" the increased degree of randomness in the port allocation.
I haven't checked whether DD-WRT and other "roll your own" firmware upgrades actually provide a caching DNS server, rather than simply relaying DNS requests to your ISP's server, but it would be somewhat ironic if it turned out that an upgraded Linksys was more vulnerable after the upgrade than when running the stock firmware!
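The two technical threads above (the "1 in 2^16 for the ID, 1 in 2^16 for the port" post, the "65536 possibilities to about 4 billion, unless the OS hands out ports in increasing order" reply, and the note that a NAT in front of a resolver can "degrade" the port randomness again) all come down to one question an operator can actually check: do the source ports of a resolver's outgoing queries look random, fixed, or sequential? The following is an added example written for this page, not code from Kaminsky, BIND or any checker mentioned in the thread. It takes a sample of observed source ports (the four sample lists are constructed, not captured from a real resolver) and reports the pattern and the resulting size of the space a spoofed reply would have to hit; the 16-bit transaction ID is the only other matching field, which is where the 65536 comes from.

```python
"""Audit a recursive resolver's source-port behaviour from a sample of the
ports it used for consecutive outgoing queries (what a port-randomness
checker observes from the authoritative side).  Added example; all sample
port lists below are constructed."""

TXID_BITS = 16  # DNS transaction ID is a 16-bit field: 65536 values


def is_sequential(ports, max_step=16):
    """True when nearly every consecutive query uses a slightly higher port,
    i.e. the OS (or a NAT device in the path) is allocating ports in
    increasing order, so the next port is predictable."""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if not steps:
        return False
    small_positive = sum(1 for s in steps if 0 < s <= max_step)
    return small_positive >= 0.9 * len(steps)


def classify_ports(ports):
    """'fixed' (one port for everything), 'sequential', or 'random'."""
    if len(set(ports)) == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    return "random"


def assess(ports, txid_bits=TXID_BITS):
    """Combine the TXID space with whatever the port actually contributes.
    A fixed or sequential port is predictable and adds nothing; a randomised
    port multiplies the search space by the range of ports in use."""
    pattern = classify_ports(ports)
    span = max(ports) - min(ports) + 1
    port_space = span if pattern == "random" else 1
    search_space = (2 ** txid_bits) * port_space
    return {
        "pattern": pattern,
        "distinct_ports": len(set(ports)),
        "port_space": port_space,
        "search_space": search_space,
        "verdict": "GOOD" if pattern == "random" else "POOR",
    }


# Constructed samples: 20 consecutive outgoing-query source ports each.
FIXED_PORT_RESOLVER = [32768] * 20                  # pre-patch style: one port for all
OS_SEQUENTIAL_RESOLVER = list(range(1024, 1044))    # "left to the OS": counting up from 1024
NAT_REWRITTEN_RESOLVER = list(range(61000, 61020))  # resolver randomised, NAT re-sequenced
RANDOMISED_RESOLVER = [51234, 3391, 62077, 18540, 40921, 7713, 58802, 29118,
                       12984, 45366, 60271, 2210, 35587, 21049, 54698, 9876,
                       47702, 31455, 16063, 63489]  # spread across 2210..63489

if __name__ == "__main__":
    for name, sample in [("fixed port", FIXED_PORT_RESOLVER),
                         ("OS sequential", OS_SEQUENTIAL_RESOLVER),
                         ("NAT-rewritten", NAT_REWRITTEN_RESOLVER),
                         ("randomised", RANDOMISED_RESOLVER)]:
        print(f"{name:14s} {assess(sample)}")
```

The fixed-port and both sequential samples all come out at a search space of 65536, which is the thread's point: a resolver behind a port-rewriting NAT is no better off than an unpatched one even though the resolver itself was fixed. Only the randomised sample reaches the "about 4 billion" figure. A real audit would feed in ports captured at an authoritative server you control while the resolver under test queries it; twenty samples are enough to spot fixed or counting behaviour but not to measure the quality of a random generator.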
"If only the <stereotypical mom's basement dwelling, ne'er-do-well, hacking bastards of doom> had such sage advice from *proximal* female companionship"
Proximal female companionship? Them? Since when?
They have so many looks! And they all look the same... how are we meant to know which look is which, especially when the look changes its meaning!
I know *THAT* look.... ok, ok, I'm going... door....
The "nice" people mewling and whining about "impactful"
Shift happens. Get over it. Since you insist that English is not permitted to evolve, grow or change in any way, I'm going to say that you're all very nice people. (LIU)