Kaminsky (finally) reveals gaping hole in internet

After a four-week orgy of speculation, recrimination and warnings, Dan Kaminsky's domain-name system vulnerability has finally gone public. And boy, are we glad the net's overlords paid attention. During an 80-minute presentation, Kaminsky for the first time gave a detailed analysis of a bug that threatened to bring chaos to …

COMMENTS

  1. Anonymous Coward
    Dead Vulture

    All your Internet

    are belong to us.

    Hopefully, whatever the DNS bug exploiters replace the current internet with will be just as amusing as this lot has been up to now.

    Kaminsky's girlfriend is spot on with begging him not to break the internet. If only the <stereotypical mom's basement dwelling, ne'er-do-well, hacking bastards of doom> had such sage advice from *proximal* female companionship, perhaps then we could all sleep well at night.

    "Come back to bed for a snuggle sweetie, it's late and I like the internet the way it is just fine." etc.

  2. Alex

    Scruples ?

    >if a less scrupulous person had stumbled on the bug first

    You assume they didn't ???

  3. Matthew Elvey
    Happy

    Thank you, Dan Kaminsky

    I should have emailed him a few days ago. I was close. I was thinking of the stunt DNS server John Levine set up at sp.am, and how it could be used to trigger lots of DNS lookups from a client...

  4. Charles Manning

    Scruples

    Are those like Viagra?

  5. Hardcastle
    Paris Hilton

    Screwples...

    ...Taste the painbow... or at least that would be Paris's thought on it lmao

  6. Tom Maddox
    Gates Halo

    In before the fanboys

    Come on, guys, I'm waiting for it--how will running Linux/OS X/*BSD utterly prevent this vulnerability?

  7. Anonymous Coward
    Boffin

    NAT breaks the fix

    Are there patches for the broken NATs yet?

  8. Chris Toft
    Stop

    @Tom Maddox

    Linux/unix etc (the superior operating systems in general) won't make any difference to this flaw, as at the level of this flaw DNS works in the same way whether the DNS server is Win or *nix.

    Unfortunately the client doing the DNS lookup doesn't help either, as it's a query to a DNS server; just because it was a Linux/unix client, they are still susceptible to this flaw.

    If you were aware of how DNS worked and the differences between a proper OS and Windows then you would never have made such a daft comment in the first place.

    Saying that, I can kinda see your point, as my colleagues in the Unix community do like to throw out the "Wouldn't have happened on Linux" line all the time. Although why wouldn't they - it's normally true :o)

  9. Kenny Millar
    Flame

    @ Tom Maddox

    Hi Tom.

    It won't.

    However, since your average Mac OS X user has already shown signs of superior intelligence, by not buying over-priced, faulty kit from Microsoft, he is less likely to be drawn into the resulting phishing site etc.

    For example, user A, a Windows user, goes to his bank web site, and it looks kinda odd: some mis-spelt words, the occasional missing graphic, and today it's asking him for all his security digits, not just 3 random ones. What the heck, he thinks, this looks like the sort of thing I'm used to.

    User B, on a Mac, goes to his bank site and thinks, hmmmm, something wrong here. Let's shut the browser and try again. Ahh, that's better.

    User A is an idiot - we know that already because he bought Windows.

  10. Anonymous Coward
    Anonymous Coward

    Woohoo - the world didn't end!

    To paraphrase one outsourcing company responsible for a "Fortune 500" company infrastructure...

    "We don't need to worry about it, or patch it, because the provided DNS servers are only accessible from internal clients. Therefore they can't be affected."

    Which scares the sh!t out of me, since it shows a complete lack of understanding of the problem. (Since some of the users at the company use something called the internet, there are ways to attack them via webpages... I'm not going to put the details here since there are so many ways discussed already and most of us are with it enough to think of others.)

    So - if you have to deal with EviDently Stupid outsourcers, please chase them to get it fixed.

    Anonymous for pretty obvious reasons, I would have thought ;)

  11. Pedantic Twat
    Coat

    more pedantry

    "The fuss was justified from the perspective that this is an impactful finding that has the potential to bring down the internet," said Nitesh Dhanjani, a senior manager at Ernst & Young.

    Impactful?! Can't they hire people who can speak properly at these corporations?

    It's the death of the American Language as we know it......

  12. Anonymous Coward
    Anonymous Coward

    It's not really a fix is it?

    I was under the impression that this just makes poorly designed resolvers choose a random UDP port instead of using the same one, so you've got to guess the right port as well as the ID (both 1 in 2^16). In which case it's not a fix, it just means that you've got to throw more queries at the server to get lucky with it. As for those Fortune 500 companies - how has The Register got access to their resolvers? Unless of course they are running recursive lookups unrestricted to the public via their authoritative servers.

  13. Neil Hoskins
    Joke

    Isn't Dan Kaminsky...

    ... the bluegrass singer and musician who plays with Alison Krauss and Union Station? The one whose voice was used for George Clooney in 'O Brother, Where Art Thou'?

  14. Alan W. Rateliff, II
    Paris Hilton

    Patches for broken NATs

    For the security conscious, this will wind up having them put extra money into their vendors' pockets. Think about the number of old, long discontinued routers which still work, but have "broken" NAT implementations which will allow this exploit to work.

    I find this unfortunate. My SMC Barricade 7008ABR is running a firmware which is almost four years old, but rock-solid. The feature which has kept this particular unit in place is the 56k dial-up back-up with a USR v.Everything, which keeps my systems communicating in the event that my broadband connection goes offline.

    Paris, goes down so much you'll always be on 56k. Paris for President (wtf?!)

  15. Anonymous Coward
    Joke

    RE: NAT breaks the fix

    Yes, it's called IPv6

  16. jim
    Joke

    Bring it all down i say!!!

    Maybe then people will learn how to construct a sentence properly again. Perhaps do their own research.

  17. Tim Brown
    Dead Vulture

    Finally?

    Eh? Dan Kaminsky 'finally' released details of the bug on his blog at http://www.doxpara.com/ on the 24th July after the speculators had pretty much guessed it (as I'm sure you reported in El Reg at the time). So please stop going for the sensational (and inaccurate) headlines.

  18. Anonymous Coward
    Anonymous Coward

    Impactful.

    Is actually starting to show up in dictionaries. Coming from a senior manager too, there was a time they were educated.

    Maybe English is their second language?

    I guess that my home router probably exhibits this bug? Running a DNS relay as it does.

    Not my area, so if there is anyone out there who knows DNS: should I be manically searching Linksys' site for a patch?

  19. Ru
    Gates Halo

    Re: In before the fanboys

    >Come on, guys, I'm waiting for it--how will running Linux/OS X/*BSD utterly prevent this vulnerability?

    Okay, you told me :-( I feel like such an idiot now... all those operating systems had the same flaw as the commercial ones. I clearly should have just paid up for a proper non-open-source system with the same vulnerability, er...

    Anyway, at least I'm not running OSX.

    Also, I could very well be wrong on this one, but I imagine that OpenBSD was significantly more resilient to this sort of attack (if not necessarily immune) due to its far better use of randomness throughout the system.

  20. Havin_it
    Alert

    Some Plain Info Required

    I see copious mentions of "NAT" and "baaad" in connection with this, but being a poor troglodyte I'm unclear what this means. Does it mean my couple-of-years-old Netgear MIMO jobbie is about to:

    a) become a security liability?

    b) stop working altogether with Teh New, F|XX0R3D DNS?

    Bit of plain English for us concerned home-users would be much appreciated.

    PS - Kaminsky's DNS Checker worked for me last week, but now it's returning an Address Not Found. Wha' g'wan?

  21. Gavin Berry
    Flame

    Tom Maddox, you're an idiot

    It should read:-

    OSX user, being such a smug bastard, assumes the website must be fine because we all know that OSX is perfect and 100% secure, so nothing can hurt him.

    And don't forget the Windows user who did not pay for it.

    He sees it's iffy and, being smarter than the user who paid for Windows and not so smug or complacent as the Mac user, thinks this is iffy and closes his browser and tries again.

  22. El Regular
    Linux

    Put simply.

    The DNS protocol is how your computer (through its server, your ISP) finds websites.

    When an address is requested, the website address is matched to a special number (called an IP address) which the computers use to communicate with one another. This is the sole purpose of the DNS protocol, to my understanding.

    The DNS protocol has a hole in it, where it can be confused.

    If this is done properly, the DNS server may be misled into allocating a web address to the IP address of a malicious user's system, where they can emulate the website or otherwise provide tainted services.

    The Internet user will have little clue as to any changes, as even a valid 'safe' address may be hijacked by someone able to use this exploit.

    Hope this helps; your personal routers and broadband modems are not at issue here. A lot of DNS servers are patched anyway, but there is still a threat of false websites.

  23. Anonymous Coward
    Anonymous Coward

    @Tom

    "how will running Linux/OS X/*BSD utterly prevent this vulnerability?"

    Well, BIND was vulnerable but has now been patched. BIND is the nameserver most such systems use, so at the time of announcement of the patch all BIND servers were vulnerable.

    However, running djbdns instead of BIND *would* have utterly prevented this vulnerability, since Kaminsky's attack doesn't work on djbdns (at least not with current computing power / bandwidth). So you may still have to fend off a few Bernstein fanboys. They will necessarily be UNIX fanboys of some flavour, but that's not the relevant fandom.

  24. Echowitch
    Alert

    @pedantic twat

    Really??....two mistakes from you in one post. Guess you are being more twat than pedant ;)

    "It's the death of the American Language as we know it......"

    1. There is NO American language. He was speaking English. Possibly American English which is a dialect of English. But there is still no American language

    2. Main Entry: impactful

    Part of Speech: adj

    Definition: having a great impact or effect

    Admittedly "impactful" is from Webster's Dictionary, an American dictionary, rather than the Oxford English Dictionary. But as the individual using the word "impactful" was an American, it's perfectly legitimate for him to use that particular word.

  25. Anonymous Coward
    Anonymous Coward

    Frankly I'm astonished

    that there are so many posts here from people who don't understand how DNS works in the first place! I'm loath to recommend you all go to Wikipedia and look it up, but that might be a good place to start, then have a look at http://www.dns.net/dnsrd/ for more of the juice

  26. Tom Chiverton
    Boffin

    Ernst & Young on the kool aid

    "has the potential to bring down the internet" ?

    Err, no, just DNS and applications on top of it. The actual underlying network ('the internet') will be happily sending TCP/IP packets around as if nothing has happened.

    It's not like that BGP problem a while back that actually could have killed back bone routing...

  27. Greg

    @Tom Maddox

    Running Linux wouldn't help at all. One reason, really. Who in their right mind is going to be running a DNS server on anything other than Linux in the first place? ;-)

  28. TimM

    @ those @Tom Maddox

    Didn't you spot Tom's tongue-in-cheekiness there? lol!

  29. Greg
    Dead Vulture

    @Greg (the Greg who is not me, who is also a Greg)

    "Running Linux wouldn't help at all. One reason, really. Who in their right mind is going to be running a DNS server on anything other than Linux in the first place? ;-)"

    Those of us who aren't allowed to use Linux, because it's "Open Source and therefore HACKERS!!1!!!1 can see the code!!!!"...so Solaris is the approved *nix.

    Yep.

    Ours not to reason why, ours not to make reply...

  30. Brain

    @ AC

    To the AC that asked if it really would make any difference to be guessing the source port too: well yes, it's now gone from 65536 possibilities to about 4 billion possibilities. There is no way you can send 4 billion DNS replies in the short amount of time required to exploit the race condition (up to what, half a second?); this is tens of gigabytes of data...

    However, if you just leave it to the OS to allocate a random source port, then you're still shafted, as most OSes allocate these in increasing numeric order from 1024 upwards. :-)

  31. Duncan
    Happy

    @Tom Maddox

    I wish I had time to give you a more intelligent explanation as to why you are a smug but completely misinformed imbecile with what seems to be a mild case of Asperger's, but I haven't. Needless to say really, but you really outdid yourself here though :D

  32. John Werner
    Happy

    Re: Patches for broken NATs

    Yes and no. It depends what you have and what firmware you are running. I know at least one alternate firmware for the venerable WR54G router has been patched already. I'm not sure about others. (I admit that after reading the article, I decided to check to see if I should upgrade the firmware on my router and found that a new version featuring the patch was out.)

    I am glad I don't have to wait to Linksys to roll a patch for my long discontinued hardware.

    BTW, I run Tomato on my router.

    - John

  33. Brett

    It's not really a fix is it?

    No the only real fix is DNSSEC period.

    Brett

  34. Openminded Cynic
    Joke

    @ Gavin Berry

    You missed the Windows user who paid, doesn't notice the website looks a bit iffy and attempts to enter their details. Internet Explorer is so loaded with spyware and "Special Toolbars" that it crashes, INADVERTENTLY SAVING THE DAY!

    HOORAY INSTABILITY IS NOW A SECURITY FEATURE!

    That is all

  35. Anonymous Coward
    Flame

    @Kenny Millar

    hang on, aren't all those users who don't notice things like that the ones we have been pushing to OSX because they can't just click on an application, while thinking it is going to be naked pictures of a tennis star/world war 3 starting/GWB being stupid (as if he would :p )

  36. The Rock

    @ By TimM

    Yes I did, TimM.... it's a shame no one else did! Muppets. Maybe they need some sunlight?...

  37. Graham
    Linux

    @Tom Maddox

    Mutters, "Give me strength!" to himself.

    Ahem.

    Right.. (long intake breath).

    Linux (et al), being an open source operating system, is ..well open.

    This means the problem with the Linux server on which that DNS service is running (and you can bet your bottom euro it will be on one) will have the fix well scrutinised, be solid and updated frequently with improvements.

    And this will probably be issued and in place hours or (even minutes) after vulnerability is detected.

    You probably had some hacker in the corner of the room sitting crosslegged with a laptop on his legs coding up the patch as the guy was speaking.

    He probably posted it to the BIND bugzilla site before the "...thanks for coming." speech.

    Also, with *nix advanced and mature script facilities (lacking in Windows, and they know it) the massive brained *nix sysops will probably have their own temporary perl (or whatever) script fixes in place before the RedHat network (or whatever) even announce the download is ready.

    I'm being general (or whatever) here, of course.

    I (thankfully) don't have to wait for the behemoth profiteering giant to stall enough for its "partners" to reap in a bit of cash in order to keep up the MVP payments.

    Did you spot the cynicism there?

    It's a trust thing.

    I don't trust business types to do the right thing if it conflicts with profit margins.

    (Inhale again)

    Now I'm off the make sure my house insurance payments are up to date for when the fire-storm starts.

    ...thanks for coming.

  38. Rodrigo Rollan
    Stop

    @ Tom Chiverton

    TCP/IP is not the internet either. If you cannot use any service because all IP addresses are spoofed, then you'll end up having to either guess the real IP addresses of the servers you try to access or just record every IP address you need to access (and forget about load balancing, content distribution, contingency servers and dynamic hosts). Given the amount of available IPs, not to mention those IPs that host several sites/services, the DNS server system is as crucial to the internet as TCP/IP.

    IMHO braking the DNS system you ARE INDEED braking the Internet because it is not functional anymore.

  39. Thomas Schulze

    trademark blue jeans and black shirt and sneakers

    Awesome & wonderfully outlandish! Is he a superhero or something?

    I'm today wearing my trademark blue jeans and t-shirt and sneakers. And I'll sue anyone trying to copy my style. So there!

  40. Anonymous Coward
    Anonymous Coward

    @Rodrigo Rollan : Braking the Internet

    It's BT who brake the internet isn't it?

    As for "braking the DNS system" it's the incorrect results that bothers me, not the speed of it.

  41. Piers
    Happy

    @Tom Maddox

    Don't worry mate, some of us knew you were being ironic...

  42. NT
    Unhappy

    @ JonB

    The English dictionaries know that their purpose is to record and define English 'as it is spoke'. It's not their job to arbitrate what's acceptable English or not; although the braver ones will offer guidance on common usage.

    So if people are starting to use stupid words like 'impactful' - or any of the other ludicrous constructions so beloved of management types - the dictionaries are going to start recording those terms.

    The trouble is that a lot of people don't understand that function of dictionaries, and have the idea that they *are* there to prescribe how the language should be used. If it's in the dictionary, they argue, then it's good English. They're putting the cart before the horse, you might say. They assume that the presence of a word in the dictionary is what causes people to use it, rather than the other way round.

    Meh. It's always happened: people who're trying to make themselves indispensable and important invent arcane language to try to mystify everyone else. It's just they have the Mighty Interweb now, so they can mystify the whole damn planet in a sparkle.

  43. Anonymous Coward
    Anonymous Coward

    @Tom Maddox

    You must be crapping yourself with laughter by now!

  44. Gavin Berry
    Thumb Up

    Damm

    fell for the troll.

    Damm

    Damm

    Damm

  45. Alan W. Rateliff, II
    Paris Hilton

    Re: Patches for broken NATs

    True enough. I've been using DD-WRT for about a month now after I finally got around to playing with it. I wish I had some older WRT54Gs to fiddle with the advanced features.

    I had considered the possibility of an alternative firmware using the UARTs which appear to be present on several wireless routers. I've seen at least one which activates the serial port for use with some type of memory card (SD, I think.)

    I've heard of Tomato and will give it a look-see once I have some more free time. Maybe that would do the trick. I do not believe, however, that I have seen a firmware which addresses some of the features of the Barricade 7008ABR: dial-up backup (56k or ISDN,) parallel print server, and NO wireless.

    Paris, she's heard of Tomato, too, but won't use it because the FDA said it was infected by a bacteria, and that's ewww.

  46. Pedantic Twat
    Stop

    @Echowitch

    I see irony has also died a death.....

  47. Al Jones

    @Patches for broken NATs

    I'm pretty sure that most people don't have to worry about their home NAT routers, because most NAT routers don't act as caching DNS servers; they just forward their DNS queries up the line to your ISP's DNS server, which should have been patched by now.

    The NAT issue arose because some of these "infrastructure grade" DNS servers at major ISPs are themselves behind NAT devices, and it is these NAT devices at the ISP level that will have been flagged as "degrading" the increased degree of randomness in the port allocation.

    I haven't checked whether DD-WRT and other "roll your own" firmware upgrades actually provide a caching DNS server, rather than simply relaying DNS requests to your ISP's server, but it would be somewhat ironic if it turned out that an upgraded Linksys was more vulnerable after the upgrade than when running the stock firmware!
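A worked model of the arithmetic in Brain's reply (comment 30) and of the NAT point in Al Jones's (comment 47), added here as an example; it is not code from the article or from any commenter. It assumes a resolver that accepts a reply only when both the 16-bit transaction ID and the UDP source port match an outstanding query, an attacker off-path who sends distinct blind guesses inside the race window, and assumed figures for the window length, line rate and reply size. The `effective_port_bits` helper and its 16-candidate-port NAT scenario are illustrative assumptions, not measurements of any device.

```python
"""Spoofed-reply race model for Kaminsky-style cache poisoning.

Added example, not code from the article or its comments. Assumptions:
  * the resolver accepts a forged reply only if its transaction ID (16 bits)
    and destination UDP port match an outstanding query;
  * the attacker is off-path and sends distinct blind guesses during the
    window before the genuine reply arrives;
  * window length, line rate and reply size below are assumed numbers.
"""
import math
import random

TXID_BITS = 16            # DNS header transaction ID
PORT_BITS = 16            # UDP source port, when fully randomised
REPLY_BYTES = 100         # assumed size of one forged UDP reply


def search_space(txid_bits=TXID_BITS, port_bits=0):
    """Number of (txid, port) combinations the attacker must guess among."""
    return 2 ** (txid_bits + port_bits)


def race_success_probability(forged_replies, txid_bits=TXID_BITS, port_bits=0):
    """Chance that one race is won when `forged_replies` distinct guesses land
    before the real answer. Distinct guesses never repeat, so the chance is
    simply guesses / space, capped at 1."""
    space = search_space(txid_bits, port_bits)
    return min(forged_replies, space) / space


def forged_replies_in_window(window_seconds, line_rate_mbps, reply_bytes=REPLY_BYTES):
    """How many forged replies fit into the race window at a given line rate."""
    bytes_in_window = line_rate_mbps * 1_000_000 / 8 * window_seconds
    return int(bytes_in_window // reply_bytes)


def expected_races_to_win(p_per_race):
    """Mean number of races until the first win. With Kaminsky's variant each
    race is a fresh query for a random name under the target zone, so the
    attacker runs races back to back instead of waiting for a TTL to expire."""
    return 1 / p_per_race


def effective_port_bits(candidate_ports):
    """Entropy the attacker really faces when the resolver sits behind a NAT
    that hands out translated ports from a sequential counter: an attacker who
    has just observed one translated port (by making the resolver query a name
    he controls) only needs to cover the ports handed out since then."""
    return math.log2(candidate_ports)


def simulate_race(forged_replies, txid_bits=TXID_BITS, port_bits=0, seed=0):
    """Monte Carlo check of one race against race_success_probability."""
    rng = random.Random(seed)
    space = search_space(txid_bits, port_bits)
    outstanding = rng.randrange(space)            # resolver's (txid, port)
    guesses = set(rng.sample(range(space), min(forged_replies, space)))
    return outstanding in guesses


if __name__ == "__main__":
    k = forged_replies_in_window(0.5, 100)        # assumed: 0.5 s window, 100 Mbit/s
    print(f"forged replies per race: {k}")
    scenarios = (("txid only", 0),
                 ("txid + random port", PORT_BITS),
                 ("txid + port behind sequential NAT", effective_port_bits(16)))
    for label, pbits in scenarios:
        p = race_success_probability(k, port_bits=pbits)
        print(f"{label:36s} p={p:.2e}  expected races={expected_races_to_win(p):.1f}")
```

The three scenarios make the commenters' points concrete: with only the transaction ID to guess, one half-second flood at 100 Mbit/s covers almost the whole 2^16 space and the first race nearly always wins; with a truly random source port the same flood wins roughly one race in seventy thousand; and a NAT that reduces the port to a handful of predictable candidates gives most of that entropy straight back, which is why such devices were flagged as degrading the fix.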

  48. J
    Coat

    Eh?

    "If only the <stereotypical mom's basement dwelling, ne'er-do-well, hacking bastards of doom> had such sage advice from *proximal* female companionship"

    Proximal female companionship? Them? Since when?

  49. Brian
    Coat

    "please-don't-break-the-internet-again look."

    They have so many looks! And they all look the same... how are we meant to know which look is which, especially when the look changes its meaning!

    I know *THAT* look.... ok, ok, I'm going... door....

  50. Stuart

    The "nice" people mewling and whining about "impactful"

    Shift happens. Get over it. Since you insist that English is not permitted to evolve, grow or change in any way, I'm going to say that you're all very nice people. (LIU)

  51. Henry Wertz

    @Kenny Millar

    Ironically, given your smugness over this, OS X has it worse -- it's like the only system at all I've heard of that has STILL not patched the DNS client -- the patch they had to "fix" this only patches the BIND server. Linux/BSD/etc... all had vulnerable clients and servers, and patched them within the same day. Even Microsoft patched pretty fast.

  52. david

    openBSD

    Using an OpenBSD DNS and Firewall here. Don't know how they work, but I see that a fixed port number is in use. Haven't noticed that we've received any upgrade disks since this exploit became public. Not my job.

    Our Windows server is fully patched. Should we switch to using that for internal DNS?

  53. Echowitch
    Joke

    @Pedantic Twat

    "I see irony has also died a death....."

    Nah, its alive and well and living at Baker Street Station apparently =)

    http://en.wikipedia.org/wiki/Irony

  54. Martin
    Jobs Horns

    @Tom Maddox

    I salute you for the best bit of goading I've seen in a while.

    Thankyou Sir, you made my day!!

  55. Anonymous Coward
    Coat

    @ Tom Maddox

    <joke>Linux would have saved us as you don't need the internet. Don't you know you can play Tetris in Vim?! :) :) :) </joke>

    Also, El Reg, he fully released this on his blog weeks ago. You guys suck, I'll go find my own news weeks before you.

  56. Anonymous Coward
    Unhappy

    Losing the will to live....

    Anyone else finding the comments section getting more and more like the the pages of crap (un)social networking sites......

    @First bithc@

    u suks*****

    I were here

    u stink******

    f**k* u ******

    Lunix Rks

    Windoze bitch...

    Must be Pub O'Clock....
