A large number of Domain Name System servers, a critical part of the Internet’s infrastructure, are vulnerable to attacks that could lead to widespread fraud, according to networking security expert Dan Kaminsky.
A scan conducted by Kaminsky has found that hundreds of thousands of DNS servers could be vulnerable to a type of attack that routes Internet traffic to malicious Web sites. The attack technique, known as DNS cache poisoning, came to public attention in April when attackers used it to redirect traffic from a large number of financial, entertainment, travel, health and software sites to attackers’ servers in order to install malicious code.
Despite the danger, large numbers of servers are still configured in a way that allows the attack to take place, according to Kaminsky. In a scan of about 2.5 million DNS servers, he found that about a tenth could be vulnerable.
DNS servers host a distributed database that allows the translation of domain names (e.g. name.com) to IP addresses. They also route e-mail by listing each domain’s mail exchange server. In a cache poisoning attack, a DNS server is compromised so that a legitimate domain name resolves to the attacker’s IP address, which can present the user with anything the attacker chooses.
Such techniques have been around for years, but the April incident demonstrated that they are not just theoretical. Nevertheless, many DNS servers have been left in the same vulnerable configurations that were exploited. DNS servers are run by all manner of organizations, including corporations and Internet service providers.
At least 230,000 of the servers scanned are configured to forward DNS requests to BIND8 DNS servers, according to Kaminsky. This was one of the vulnerabilities exploited in April, according to security organization the SANS Institute. Of those, 13,000 are Windows name servers forwarding to BIND8, making them exceptionally high-risk, Kaminsky said. Another 53,000 at least are very likely to be vulnerable, he added.
Kaminsky said he has only been able to scan a fraction of the existing name servers so far, which he estimated at nine million.