For those of you that may run DNS servers... http://www.us-cert.gov/cas/techalerts/TA08-190B.html
7/9/2008 12:15:18 AM
[old]this has been around for a while...
7/9/2008 1:46:44 AM
looks pretty new to me http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
7/9/2008 8:01:52 AM
I was talking about cache poisoning; it's been around since the pyramids were built
7/9/2008 8:03:17 AM
evan: what's impressive here is the extremely coordinated response to attack it across all platforms at the same time. But yeah, I was using cache poisoning a decade ago to spoof my hostname on IRC servers.
7/9/2008 8:11:23 AM
I've been reading up on this... basically Dan Kaminsky has "found" some new method of poisoning DNS cache and has not released the details to the public. He was able to get Cisco, Microsoft, ISC and others involved to do patches to mitigate the issue. The details are supposed to be released at a talk he is doing in early August.
7/9/2008 8:14:28 AM
<3 people that find shit wrong and the vendors work with them to fix it before they release it.
7/9/2008 9:42:33 AM
Having known Dan personally for some years, and having been contacted by DHS back in mid-May about this, I can share some of the details. What I can spell out presently is that Dan has found a way to take a single UDP packet and rewrite A records in any DNS server that accepts UDP requests due to weaknesses in entropy and the 16-bit nonce. The original notice was supposed to have been released on June 10th, but Microsoft (one of Dan's current employers), out of all the vendors, missed the patch deadline so it was pushed off until yesterday. If you're not familiar with Dan's work, I think he still has his website up at http://www.doxpara.com, but he is not planning to release the proto-code until BlackHat. The running joke about Dan is that he was dropped on his head as a kid and just sees things VERY differently from everyone. It was explained to me along the same lines as "seeing the arrow in the FedEx truck". [Edited on July 9, 2008 at 10:16 AM. Reason : ]
7/9/2008 10:14:31 AM
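The post above says the weakness is in "entropy and the 16-bit nonce". The Python below is an added illustration for this thread, not Kaminsky's code and not any vendor's patch: it works out, from the defender's side, how little a 16-bit transaction ID buys against blind forged replies, how much a randomized source port (assumed here to contribute roughly 16 more bits) changes that, and what the resolver-side acceptance check looks like when both fields must match. The entropy figures and the sample query are constructed assumptions.

```python
"""Why a 16-bit transaction ID alone is weak, and what adding source-port
entropy changes for a resolver.  Added illustration for the thread above;
it is not Kaminsky's code nor any vendor's patch.  The entropy figures and
the sample query below are constructed assumptions."""
import secrets
from dataclasses import dataclass

TXID_BITS = 16   # the 16-bit nonce the post refers to
PORT_BITS = 16   # assumption: roughly 16 bits from a randomized source port


def blind_guess_probability(entropy_bits: int, attempts: int) -> float:
    """Probability that `attempts` independent uniform guesses at a nonce of
    `entropy_bits` bits include at least one hit: 1 - (1 - 1/2^b)^k."""
    if entropy_bits < 1 or attempts < 0:
        raise ValueError("entropy_bits must be >= 1 and attempts >= 0")
    return 1.0 - (1.0 - 1.0 / (2 ** entropy_bits)) ** attempts


def compare_entropy(attempts: int) -> dict:
    """Hit probabilities for the ID-only case and the ID+port case, so the
    effect of port randomization can be read side by side."""
    return {
        "txid_only": blind_guess_probability(TXID_BITS, attempts),
        "txid_and_port": blind_guess_probability(TXID_BITS + PORT_BITS, attempts),
    }


@dataclass(frozen=True)
class Outstanding:
    """A query the resolver has sent and is still waiting on (constructed)."""
    txid: int
    port: int
    qname: str


def new_outstanding(qname: str) -> Outstanding:
    """Draw both the transaction ID and the source port from the OS CSPRNG.
    Sequential or predictable values in either field would collapse the
    entropy that compare_entropy() counts on.  Ephemeral ports 1024-65535."""
    txid = secrets.randbelow(2 ** TXID_BITS)
    port = 1024 + secrets.randbelow(65536 - 1024)
    return Outstanding(txid, port, qname)


def accepts(pending: Outstanding, txid: int, port: int, qname: str,
            check_port: bool = True) -> bool:
    """Resolver-side acceptance check for a reply: the transaction ID and the
    question name must match the outstanding query; with check_port the reply
    must also have arrived on the socket whose source port was randomized."""
    if txid != pending.txid or qname.lower() != pending.qname.lower():
        return False
    return (not check_port) or port == pending.port


if __name__ == "__main__":
    for k in (1, 1_000, 65_536):
        p = compare_entropy(k)
        print(f"{k:>6} guesses: txid only {p['txid_only']:.4f}, "
              f"txid+port {p['txid_and_port']:.2e}")
    q = new_outstanding("www.example.com.")
    print(accepts(q, q.txid, q.port, "WWW.example.com."))
```

Running it shows that 65,536 blind guesses against a 16-bit ID alone give roughly a 63% chance of one hit, while the same number of guesses against ID plus port stays around one in 65,000; the check in `accepts()` is what turns that extra entropy into an actual rejection, and `new_outstanding()` is there to make the point that the entropy only exists if both values come from a proper random source.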
7/9/2008 10:31:11 AM
3 years old: http://www.theregister.co.uk/2008/07/09/dns_bug_student_discovery/
7/9/2008 6:00:11 PM
^ Maybe, maybe not. I listened to an interview with Dan Kaminsky and he says that the exploit is not that obvious, and that the patching is only a way to circumvent the problem without revealing what the exploit is. If the "new" exploit was really this old exploit, then I'm surprised he was able to get all of these companies on board with releasing patches quickly.
7/9/2008 7:13:42 PM
so how much does someone get paid for finding shit like this and saving the internetz
7/9/2008 8:39:04 PM
Dan doesn't get paid anything for his own research. He does it for the love of research, seriously. The vulnerability is not that obvious and it's not the one being mentioned as "old" in here. Beyond patching, the implementation of DNSSEC is the only way to truly fix it. It's not as if the patch was extremely quick. Maybe by comparison, but the process was nearly 4 months in the works.
7/9/2008 8:55:12 PM
^ having your name in hundreds if not thousands of articles as being the one to uncover this new exploit certainly is worth more than someone paying you for the time it took you though. I'm sure he does consulting and this will make his name a lot more valuable.
7/9/2008 10:30:11 PM
Without a doubt! IOActive, DoxPara and Microsoft are only 3 of his gigs. He's one smart cookie.
7/10/2008 1:33:07 PM