Tony Finch - Kaminsky's DNS hack

dotat[info]fanf wrote
on 23rd July 2008 at 19:20
Previous Entry Add to Memories Tell a Friend Next Entry

Kaminsky's DNS hack

[info]beezari posted a copy of the leaked Matasano explanation of Kaminsky's new DNS attack. I believe the explanation isn't quite right. In his interview in the WIRED Threat Level blog Kaminsky mentions that the attack relies on CNAMEs. This means that it does not depend on glue nor on additional section processing, which is what Matasano described. I believe the real explanation is...

$ md5 <~/doc/kaminsky
ef96f2d9e973a36e825793ddeff48ae5
(Leave a comment)
From:[info]gerald_duck
Date:2008-07-23 20:46 (UTC)
(Link)
The problem, as I've noted before, is that nobody's going to take a copy of that md5sum and you can easily edit your posting later. :-p

(The other problem is that md5 is no longer strong enough for this kind of thing.)
(Reply) (Thread)
From:[info]robhu
Date:2008-07-23 21:14 (UTC)
(Link)
Also, a blackhat probably poisoned your DNS server so you're not really viewing [info]fanf's LJ ;-)
(Reply) (Parent) (Thread)
From:[info]simont
Date:2008-07-24 10:20 (UTC)
(Link)
ef96f2d9e973a36e825793ddeff48ae5

[info]fanf might be able to edit his LJ post, but he can't edit my comment. And if you reply to this comment, then I won't be able to edit it either (just in case you're worried we might be colluding).
(Reply) (Parent) (Thread)
From:[info]gerald_duck
Date:2008-07-24 10:27 (UTC)
(Link)
Well, LJ annotates comments that get edited anyway.

On the other hand, if he deleted the comments, who would miss them? More useful to me is that I've now been e-mailed a copy of your reply to my comment. (-8
(Reply) (Parent) (Thread)
From:[info]gareth_rees
Date:2008-07-23 21:27 (UTC)
(Link)
I tried rate-limiting my e-mail based on this MD5 but it didn't slow down any virus attacks. Am I doing it wrong?
(Reply) (Thread)
From:[info]fanf
Date:2008-07-24 12:10 (UTC)
(Link)
This comment is still giving me grins.
(Reply) (Parent) (Thread)
From:[info]pm215
Date:2008-07-23 21:51 (UTC)
(Link)
Somebody just pointed me at this exploit code: it doesn't seem to involve CNAMES.

http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/baliwicked_host.rb
(Reply) (Thread)
From:[info]gerald_duck
Date:2008-07-24 09:55 (UTC)
(Link)
A problem we now face — and the current security through obscurity can only exacerbate it — is that everyone and their dog is trying to work out what Kaminsky's hack is.

I wonder how many other problems are going to be spotted…
(Reply) (Parent) (Thread)
From:[info]fanf
Date:2008-07-24 11:44 (UTC)
(Link)
That's based on the Matasano description. See also http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

Note that in the example they are attacking a name that doesn't exist in the public DNS and which isn't in the cache before they run the attack. I believe Kaminsky's exploit is more powerful than this.
(Reply) (Parent) (Thread)
From:[info]mas90
Date:2008-07-23 23:59 (UTC)
(Link)
If I were to tweak the Matasano explanation to be more interesting, I'd say in the last-but-one paragraph that Mallory doesn't reply "CXOPQ.VICTIM.COM A 6.6.6.0", she instead replies "CXOPQ.VICTIM.COM CNAME WWW.VICTIM.COM.", with an additional RR "WWW.VICTIM.COM A 6.6.6.0".

If I understand correctly, that is definitely in-bailiwick since the additional RR is for the answer to the original query (it's equivalent to the normal use of additional RRs for NS glue) and will successfully poison Alice's cache for WWW.VICTIM.COM.

I don't expect you can confirm nor deny that this is what Kaminsky is getting at if you're in possession of the canonical explanation however :-P
(Reply) (Thread)
From:[info]fanf
Date:2008-07-24 10:24 (UTC)
(Link)
I don't have the canonical explanation. All I have in addition to the above links is a post by Florian Weimer on the namedroppers list which also mentions CNAME. (Florian has known the details for months.)

Your description of the attack agrees with mine. The interesting bit is why CNAME is necessary, and additional RRs aren't enough.
(Reply) (Parent) (Thread)
From:[info]nonameyet
Date:2008-07-24 10:03 (UTC)
(Link)
Hmm. From time to time I wonder whether SMTP and its implementations are up to the demands put on them by today's internet, but what I read about this makes me think that DNS and specifically BIND are really struggling to keep up.

In this day and age caching answers to questions you didn't ask does some patently stupid.
(Reply) (Thread)
From:[info]fanf
Date:2008-07-24 10:27 (UTC)
(Link)
You have to cache unasked-for records in some situations, glue being the most obvious answer. You could immediately look up the authoritative NS RR set using the glue in order to make the glue unnecessary. However if you extend this to other additional data then you defeat various useful optimisations. DNSSEC is the answer :-)
(Reply) (Parent) (Thread)
From:[info]nonameyet
Date:2008-07-24 13:32 (UTC)
(Link)
> However if you extend this to other additional data then you defeat
> various useful optimisations.

If these optimisations necessarily break security they must be dropped, however useful. If "useful" means that the internet will melt without them then we need a new system and to retire DNS.

> DNSSEC is the answer :-)
I take the smiley to mean that I shouldn't go ahead and use DNSSEC on my machines (at least not yet).
(Reply) (Parent) (Thread)
From:[info]fanf
Date:2008-07-24 13:37 (UTC)
(Link)
No, the smiley just means that DNSSEC has only a tiny amount of deployment and won't be very useful until the root zone is signed.
(Reply) (Parent) (Thread)
(Leave a comment)
Powered by LiveJournal.com