DNS patch limitations already displayed
By John Lister
Security researcher Dan Kaminsky likely averted a major disaster by developing a fix to the DNS flaw. But a Russian physicist has already demonstrated that the fix is merely a safety measure rather than a complete solution.
To recap the flaw (with apologies to regular readers): the DNS process translates website addresses (such as www.blorge.com) into the IP address (a number) that identifies the computer physically storing the website’s contents. The flaw is that a key stage of the process issues numbers in sequential rather than random order, making it considerably easier for hackers to figure out ways to pose as a legitimate link in the chain.
Most of the attention has been on hackers using this for DNS cache poisoning: that is, they find internet carriers which store copies of DNS information for popular pages (to speed up access for customers), then replace the DNS details to reroute to their own bogus copies of those pages, complete with malicious code. However, Kaminsky revealed this week that the flaw could be exploited in a wide variety of network processes, including e-mail servers and even the main system used for secure websites.
The recently issued patch, developed by Kaminsky with the combined assistance of many parts of the IT industry, both randomised the numbers concerned and increased the range of possible numbers that could be used.
While this obviously made it much harder for hackers to guess the right number (without the patch, it could take as little as a second), it wasn’t clear how feasible such attacks were against a patched system. However, Evgeniy Polyakov says he managed to pull off a cache poisoning in ten hours using just two standard desktop computers. Security experts who’ve spoken to the New York Times say the claim appears to be credible.
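The two measures described above (random rather than sequential numbers, and a wider range to draw them from) are both things an operator can check for on their own resolver. The following script is an added example, not code from the original article or from Kaminsky's patch: it assumes you have captured (transaction ID, UDP source port) pairs from your own resolver's outgoing queries, for instance from a packet capture, and the two sample sets inside it are constructed for illustration. It flags the pre-patch pattern (IDs counting up, one fixed port) and shows, in bits, how much larger the space a blind forger must hit becomes once the source port is also drawn at random.

```python
"""Heuristic check of a resolver's outgoing-query randomisation.

Added example, not code from the original article. It assumes you have
captured (transaction ID, UDP source port) pairs from your OWN resolver's
outgoing queries, e.g. from a packet capture; the two sample sets below are
constructed for illustration.
"""
from math import log2
import random

TXID_SPACE = 1 << 16             # DNS transaction IDs are 16-bit
EPHEMERAL_PORTS = 65536 - 49152  # ports 49152..65535, a typical source-port pool


def sequential_fraction(txids):
    """Fraction of consecutive samples whose ID increases by exactly one
    (modulo 2^16). Near 1.0 means the resolver hands out IDs in order."""
    if len(txids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % TXID_SPACE == 1)
    return steps / (len(txids) - 1)


def assess(samples, min_samples=8):
    """Classify a list of (txid, src_port) pairs.

    Returns a dict with the raw indicators and a verdict of 'predictable'
    (sequential IDs and/or a single fixed source port, as before the patch)
    or 'randomised' (neither pattern visible). Fewer than min_samples pairs
    gives 'insufficient'."""
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    result = {
        "samples": len(samples),
        "sequential_txid": sequential_fraction(txids) > 0.5,
        "distinct_txids": len(set(txids)),
        "distinct_ports": len(set(ports)),
    }
    if len(samples) < min_samples:
        result["verdict"] = "insufficient"
    elif result["sequential_txid"] or result["distinct_ports"] <= 2:
        result["verdict"] = "predictable"
    else:
        result["verdict"] = "randomised"
    return result


def guess_space_bits(port_pool=1):
    """Size, in bits, of the space a blind forger must hit: 16 bits of
    transaction ID times however many source ports are in use. A fixed port
    leaves 16 bits; drawing from the ~16k ephemeral ports adds 14 more."""
    return log2(TXID_SPACE * port_pool)


# Constructed sample 1: unpatched behaviour, IDs count up, port never changes.
UNPATCHED = [(1000 + i, 53) for i in range(32)]

# Constructed sample 2: patched behaviour, seeded PRNG so the example is
# reproducible; real data would come from your own capture.
_rng = random.Random(2008)
PATCHED = [(_rng.randrange(TXID_SPACE), _rng.randrange(49152, 65536))
           for _ in range(32)]

if __name__ == "__main__":
    for name, data in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess(data))
    print("bits to guess, fixed port:  ", guess_space_bits(1))
    print("bits to guess, random port: ", guess_space_bits(EPHEMERAL_PORTS))
```

The check is deliberately coarse: a few dozen samples are enough to spot a counter or a fixed port, but they cannot prove a generator is cryptographically strong, and a resolver behind a NAT device that rewrites source ports back to a single value will look "predictable" here even though the resolver itself is patched, which is exactly the case worth knowing about.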
The real problem is that DNS was never designed for an era when internet users needed 100% secure connections. The flaw is never going to be fully fixable, and every time a new patch makes it harder for hackers to exploit the problem, increased processing power among hackers’ equipment will eventually catch up.
One answer could be Domain Name System Security Extensions (DNSSEC), an add-on to DNS which requires DNS data to carry a digital signature proving it comes from the legitimate source. The problem is that it would be a major hassle to get everyone necessary on board to apply this system worldwide. There are also some concerns that DNSSEC would make DNS data so publicly visible that it raises legal privacy issues in some countries.