A recent report warning users of security holes in major vendors’ networking products should be a wake-up call to companies operating online, industry experts say.
The US Department of Homeland Security’s Computer Emergency Response Team this week published a vulnerability note warning that common implementations of the Internet Domain Name System – which translates between host names and Internet Protocol addresses – let hackers launch cache poisoning attacks. This in turn lets cyber-criminals re-route e-mail messages and Web page requests to servers under their control.
“There have been cache poisoning attacks in the past, but this one is different in the sense that it’s a lot quicker,” said Richard Mockapetris chief scientist at Redwood City, Calif.-based Nominum Inc., which makes DNS hardware. “The old style attack would basically require the attacker to be lucky in the sense that each individual cache poisoning attack had a small chance of success, so if you did it for weeks or months you might be able to pull it off. This will succeed against some software in 10 minutes or less.”
CERT warned of three different vulnerabilities. The first is the transaction ID field of the DNS protocol, which could let an attacker predict an ID after 32,768 guessing attempts. The second is a vulnerability of some DNS implementations in which multiple identical queries for the same resource record will generate multiple outstanding queries for that record. This third is implementations which use the same port to generate queries.
“Some people are saying, ‘These are three known attacks, there’s not a lot of news here,’ but I think there’s a lot of news here,” said Richard Hyatt, chief technology officer at Toronto-based BlueCat Networks Inc. “I think people need to wake up and actually start taking DNS seriously. This is basically an electronic phone book and if that’s broken, how are you ever going to find the right number?”
Hyatt added that having the right intrusion prevention systems and firewalls is a good start to addressing the problem.
“If you let people send 32,000 responses back to your DNS server effectively you’re getting an attack,” he said. “We should not be allowing these types of attacks. A good IDS or good IPS should be picking up these trends and saying, ‘Hey, look, your DNS server is being attacked, people are trying to figure out the ID.’”
The security hole has affected most vendor implementations of DNS, said Jayanth Angl, research analyst at the London, Ont.-based Info-Tech Research Group.
“It’s a pretty widespread issue, given that DNS protocol is an industry standard,” Angl said. “But almost instantly we did see a number of patches and updates from most of the major vendors.”
The CERT warnings list of 84 vendors affected reads like a who’s who of the tech industry and includes Avaya, Cisco, EMC, Foundry, IBM, NetApp, Novell, Nortel and Sun.
Angl said companies that use the Berkely Internet Domain Name (BIND) from Internet Systems Consortium Inc. should ensure they have the most up-to-date version.
Hyatt agreed, warning some companies running old versions of BIND don’t enter the correct settings and are unable to detect attacks on networks.
He added that when his company launched its Adonis appliance, he was advising companies to use BIND version 9.
“Our ISP at the time, who I’m not going to mention, was running BIND 4, which is as vulnerable as hell.”
Hyatt said companies should have their own DNS caching system, instead of relying on their Internet service provider.
“People say, ‘Oh, I’ll use my service provider,’” Hyatt said. “Well if your service provider doesn’t patch your DNS, guess what? You’re probably going to end up getting attacked at some point.”
Now that the vulnerability has been publicized, Mockapetris said any competent hacker could figure out how to mount this attack.
“I would fast-track an upgrade if I thought my corporation was doing financially valuable transactions over the network,” he said. “The result of this could be, counterfeit Web sites could purport to be your bank. When you ask to go to your bank, you’re really going to a hacker site somewhere and they’ll get your user ID and your password, or they can redirect your mail in order to snoop your conversations.”
Nominum said it has already told its customers about the problem and has provided a patch. Microsoft Corp. also announced patch updates to its SQL Server database and Exchange messaging products.
A common problem in companies is figuring out who’s actually in charge of updating the DNS system, Angle said.
“In a lot of organizations, quite frankly, people don’t know who’s managing it and who’s accountable and exactly how the enterprise’s DNS is configured,” he said. “It’s really a case of defining responsibilities, keeping systems up to date. I don’t think it’s necessary to know how it works at the protocol level but you do have do have someone accountable.”
