
Fortify Your Internet Security Settings Now

The Web became a substantially more dangerous place this week, thanks largely to the publication of instructions that show cyber criminals how to exploit a pervasive, critical flaw in the Internet infrastructure.

While Internet service providers and corporations can mitigate the danger by updating the software that powers vulnerable components of their networks, data released yesterday indicates that only about half of the world's online population is currently protected by these updates.

At issue is a basic design flaw in the domain name system. DNS is the communications standard that acts as a kind of telephone book for the Internet, translating human-friendly Web site names like example.com into numeric addresses that are easier for networking equipment to handle and route.

When people type a Web site name into their Internet browser, the process of resolving that name to an Internet address is generally handled by DNS servers managed by Internet service providers and corporations.

But according to research released this month, most of those DNS servers are vulnerable to a security flaw that allows miscreants to silently alter the virtual road maps that those systems rely on to route traffic. As a result, a cyber criminal could trivially rewrite those records so that when customers of a vulnerable ISP or network provider try to visit a particular Web site, they are instead taken to a counterfeit site created by the bad guys.

For example, if exploited, this flaw can easily help scammers steal personal information, such as social security numbers or bank accounts, by tricking people into entering sensitive data at fake bank and e-commerce sites.

Dan Kaminsky, the security researcher who discovered the flaw, worked in secrecy for nearly six months with a handful of other researchers to devise a fix for the flaw. On July 8, in a rare coordinated effort, dozens of software vendors -- including Microsoft -- shipped security patches to help customers and network providers protect themselves.

On Wednesday, computer code demonstrating exactly how to exploit the flaw was posted online. The code also was summarily folded into Metasploit, a tool that makes exploiting the vulnerability a point and click operation within the reach of even the most novice of hackers.

In a conference call with reporters on Thursday, Kaminsky said that data from a diagnostic tool he placed on his Web site to let visitors see if their ISP had patched the problem showed a large number of providers had indeed fixed it on their end, but that many still have not addressed the issue. Kaminsky said that on July 8, when the patches were first released, roughly 86 percent of the people who used the test tool were coming from unsecured networks. As of Thursday, he said, about 52 percent of visitors were in the same boat.

Lest anyone think this vulnerability is mere hype, consider the warnings from Kaminsky and others who say the flaw is attracting plenty of attention from cyber criminals.

"This attack is being weaponized out in the field," Kaminsky said.

Joao Damas, senior programming manager at the Internet Systems Consortium, the organization that maintains BIND -- the open-source DNS server software that powers a massive share of the DNS servers worldwide -- said he has seen evidence of attackers trying to exploit the flaw.

"I have seen already code that is geared at exploiting this out in the wild, and I'm not even looking for it," Damas said.

My advice to readers is to visit the testing tool on Kaminsky's site. If the response is that your ISP is vulnerable, please post a note in the comments section saying so. If your ISP has not yet addressed this important flaw, please also consider protecting yourself using one of the following methods.

--Set up your system so that it uses the DNS resolvers provided by OpenDNS, an entity that provides a free service which routes all of your Web site queries through DNS servers that are not only patched against this flaw, but which can help you better spot phishing Web sites and prevent people on your network from visiting otherwise objectionable Web sites.

--Reconfigure your DNS settings to use servers that are known to be patched against this flaw. A few of those servers include 4.2.2.1 and 4.2.2.2. To do this in Windows, click Start, Control Panel, Network Connections, and double-click on the connection name that says it's already connected. From there, scroll down to the Internet Protocol setting, and click Properties. If it is not already checked, change the radio button to "Use the following DNS server addresses," and then type in 4.2.2.1 and 4.2.2.2 in the settings below. Click "OK" to finalize the settings. Note that you will only be permitted to make these changes if you are logged in to Windows using an administrator account.

While the patch Microsoft shipped earlier this month to address this problem on Windows machines addresses a facet of the vulnerability that is much more difficult for the bad guys to exploit, Windows users should still follow these steps. Many Windows users no doubt delayed installing this update or uninstalled it, following news that it prevented users of ZoneAlarm firewall products from being able to get online. ZoneAlarm has since pushed out an update that fixes this compatibility glitch.

One final note: While some people may question the sanity of making these changes given the fluid nature of ISPs working overtime to address this flaw, I would strongly urge readers to err on the side of caution. For one thing, online scam artists have shown themselves to be increasingly eager to adopt the latest methods for scamming people online. Secondly, the stopgap solutions mentioned here are fairly simple fixes, remedies that -- even if left in place indefinitely -- will not adversely affect the online experience of most Internet users.

By Brian Krebs  |  July 25, 2008; 10:00 AM ET
Categories:  Latest Warnings  

Comments

4.2.2.1 (and its neighbors) is NOT fully patched against this flaw.

Those IPs represent a large cluster of DNS servers, of which, only some are patched. Many fail the tests.

Posted by: Random Guy | July 25, 2008 10:16 AM | Report abuse

Here's my result. What does this mean?
Your name server, at XXXXX, may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 42.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds.

Posted by: Verizon FIOS internet | July 25, 2008 10:51 AM | Report abuse

From the client perspective, just don't use Windows. Easy...

Get a Mac, use Ubuntu or any other flavor.

Posted by: Unix-User | July 25, 2008 11:02 AM | Report abuse

Your name server, at XXXXXXXXX, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: YYYYYY

Posted by: VZAccess | July 25, 2008 11:03 AM | Report abuse

My RoadRunner connection says it is vulnerable. The above instructions for how to change the DNS seems to be for XP. Is there instruction for Vista?

Posted by: Rick K | July 25, 2008 11:09 AM | Report abuse

I get an "error trying to establish a database connection" when trying to go to Kaminsky's site. This perhaps means that too many people are trying to access it?

Posted by: Gary | July 25, 2008 11:09 AM | Report abuse

I went to the highlighted web site in your story to check my DNS (the testing tool) and it said my provider (CHARTER) was poisoned, but even worse it stated that this information had been LEAKED which was beyond THEIR control. I suggest you take that site out of your story. Unbelievable, I probably caused more of a problem by following YOUR advice

Posted by: Kathleen | July 25, 2008 11:11 AM | Report abuse

Got essentially the same result as VerizonFIOSInternet:

"Your name server, at [XXXX] may be safe, but the NAT/Firewall in front of it appears to be interfering with its port selection policy. The difference between largest port and smallest port was only 51.

Please talk to your firewall or gateway vendor -- all are working on patches, mitigations, and workarounds."

I changed my DNS prefs a few weeks ago to the Verizon default servers so if VerizonFios has the same preference it makes sense we'd have similar results.

Question for Brian - I changed my prefs from the servers favored by our net admin friend because I was t-shooting a persistent problem reaching a reputable security/tech site. The DNS change made no diff, a firewall update eventually solved it. In the course of researching DNS options, I read varying opinions on how useful/good OpenDNS really is. What's your opinion?

Posted by: VZ DSL user | July 25, 2008 11:38 AM | Report abuse

you were shy, to the night you drove me wild!

Posted by: travis | July 25, 2008 11:49 AM | Report abuse

Your name server, at XXXX, appears vulnerable to DNS Cache Poisoning.

Posted by: Anonymous | July 25, 2008 11:58 AM | Report abuse

@VZ- Depends on what you want it for. It claims to speed up your web searches, but I haven't noticed that. But if you're looking for a good way to block others in your home from seeing certain types of content or pages, it's a great service.

Posted by: Bk | July 25, 2008 12:08 PM | Report abuse

"I went to the highlighted web site in your story to check my DNS (the testing tool) and it said my provider (CHARTER) was poisoned, but even worse it stated that this information had been LEAKED which was beyond THEIR control. I suggest you take that site out of your story. Unbelievable, I probably caused more of a problem by following YOUR advice"

Kathleen if you look at that website again, it states, "Due to events outside our control, details of the vulnerability have been leaked. Please consider using a safe DNS server, such as OpenDNS. Note: Comcast users should not worry."

The vulnerability was not in reference to your use of the site rather the overall DNS vulnerability discussed in this news article. That website is merely stating that all people who use the internet are potential targets of this inherent flaw in the DNS.

Posted by: b | July 25, 2008 12:09 PM | Report abuse

Your name server at xxxxxx appears vulnerable to dns cache poisoning.

Posted by: hudvalley | July 25, 2008 12:10 PM | Report abuse

Thank you for your help. I am on hold with Charter. They say that they knew of this and applied the patch.

Posted by: Kathleen | July 25, 2008 12:23 PM | Report abuse

This is not a Windows problem "Unix-User", this is a system-wide DNS issue. If you're running Ubuntu as you suggest and you're using your ISP's DNS servers and they have not patched, then you're just as open to being hijacked as anyone else.

The problem still exists for those of you that patch your own systems, as your ISP may not be. Those of you with notebooks that drift from hotspot to hotspot are probably at even greater risk.

OpenDNS is an option but the truth is this should have been addressed years ago when it was found and it was years ago, not just recently.

Posted by: MS Small Biz Specialist | July 25, 2008 12:35 PM | Report abuse

I am going to switch to DNS but I do not understand how this may affect my receiving email, my work programs etc. Could you please explain a little about this? Thanks again.

Posted by: Kathleen | July 25, 2008 12:38 PM | Report abuse

Kathleen -- Switching DNS servers should have no effect on your sending mail or using other programs. But don't take my word for it. Try it and see for yourself. Remember, there's nothing irrevocable about changing DNS servers. You can always change them back or to another DNS server.

Posted by: Anonymous | July 25, 2008 12:50 PM | Report abuse

"Your name server, at xxx.xxx.xxx.xx, appears to be safe, but make sure the ports listed below aren't following an obvious pattern."

Huh? We use SBC Yahoo DSL.

Posted by: Anonymous | July 25, 2008 1:13 PM | Report abuse

For people who were asking about the "please talk to your firewall or router vendor"..

Well, if you are using a secure dns server but are behind a NAT gateway (a dsl router or whatever else that gives you a 10. or 192.168. type IP and translates it on the outside to the "public" IP address your ISP gives you), then you're still vulnerable, till you update the router or whatever else you use for NAT.

Look on the linksys or other router vendor you use's website for the latest update, apply that and see if it gets fixed.

Posted by: Suresh Ramasubramanian | July 25, 2008 1:39 PM | Report abuse

My ISP Bellsouth (aka ATT) has not yet patched their DNS servers. I've put a call into their tech support and am awaiting response..

*****

Your name server, at x.x.x.x, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: 32768

Posted by: rick_in Atlanta | July 25, 2008 2:01 PM | Report abuse

I use Open DNS, the service recommended by Brian. Below is the result I see after employing Dan Kaminsky's testing tool:

Your name server, at WWW.XX.YY.ZZ, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.
Requests seen for 1aeccc0fb543.toorrr.com:
WWW.XX.YY.ZZ:14733 TXID=44282
WWW.XX.YY.ZZ:24189 TXID=46854
WWW.XX.YY.ZZ:42390 TXID=54132
WWW.XX.YY.ZZ:48734 TXID=39493
WWW.XX.YY.ZZ:12915 TXID=22960

Just how am I to make certain that these ports are «not following an obvious pattern» ? Obvious to whom ?...

Henri

Posted by: M Henri Day | July 25, 2008 3:04 PM | Report abuse

Your name server, at xxx.xxx.xxx.xx, appears to be safe, but make sure the ports listed below aren't following an obvious pattern.

Like the other users, I have the same question, what do i do now? (AT&T DSL)

Posted by: rita | July 25, 2008 3:27 PM | Report abuse

I got the same response as M Henri Day with my ISP which I am sure is a different one.

How does a basic user check five ports at one's ISP??

Posted by: Bartolo | July 25, 2008 3:28 PM | Report abuse
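Henri's port listing above and Bartolo's question are what the following script addresses. It is an added example, not the doxpara checker's own code: it parses the checker's "address:port TXID=n" lines and flags a fixed port, a counting sequence, or a narrow spread (the 1024-port threshold for "narrow" is an assumption), and estimates how many bits of guessing work the source ports add for a forger.

```python
import math
import re

# Lines in the format printed by Kaminsky's checker, as quoted in M Henri Day's
# comment above (the resolver address is masked as WWW.XX.YY.ZZ there).
HENRI_OUTPUT = """\
WWW.XX.YY.ZZ:14733 TXID=44282
WWW.XX.YY.ZZ:24189 TXID=46854
WWW.XX.YY.ZZ:42390 TXID=54132
WWW.XX.YY.ZZ:48734 TXID=39493
WWW.XX.YY.ZZ:12915 TXID=22960
"""

# Constructed sample: a resolver that never changes its source port, like the
# "All requests came from the following source port: 32768" results above.
FIXED_OUTPUT = "\n".join(f"x.x.x.x:32768 TXID={t}" for t in (1001, 52001, 7775, 40123, 619))

# Constructed sample: ports that only move inside a 42-port window (the "NAT/Firewall" result).
NARROW_OUTPUT = "\n".join(f"x.x.x.x:{p} TXID={t}" for p, t in
                          ((53001, 2000), (53043, 5000), (53010, 9000), (53022, 100), (53031, 777)))

# Constructed sample: an obvious counting pattern (:1001, :1002, :1003 ...).
SEQUENTIAL_OUTPUT = "\n".join(f"x.x.x.x:{p} TXID={t}" for p, t in
                              ((1001, 4000), (1002, 4001), (1003, 4002), (1004, 4003)))

LINE_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d{1,5})\s+TXID=(?P<txid>\d{1,5})\s*$")


def parse_output(text):
    """Return a list of (source_port, txid) pairs from checker output lines; other lines are ignored."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            samples.append((int(m.group("port")), int(m.group("txid"))))
    return samples


def _is_arithmetic(values):
    """True when every step between consecutive values is the same non-zero amount."""
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 not in steps


def assess_ports(samples, narrow_threshold=1024):
    """Classify the source-port behaviour seen in the samples.

    Returns the spread (largest minus smallest port), a verdict of "fixed",
    "sequential", "narrow" or "random-looking", and log2(spread + 1) as an
    upper bound on the bits the ports add to a forger's guessing work: a fixed
    port adds 0 bits, a fully random 16-bit port roughly 16.
    """
    ports = [p for p, _ in samples]
    if not ports:
        raise ValueError("no checker lines found")
    spread = max(ports) - min(ports)
    if spread == 0:
        verdict = "fixed"
    elif _is_arithmetic(ports):
        verdict = "sequential"
    elif spread < narrow_threshold:
        verdict = "narrow"
    else:
        verdict = "random-looking"
    return {"count": len(ports), "spread": spread, "verdict": verdict,
            "port_bits": round(math.log2(spread + 1), 1)}


if __name__ == "__main__":
    for name, text in (("Henri", HENRI_OUTPUT), ("fixed", FIXED_OUTPUT),
                       ("narrow", NARROW_OUTPUT), ("sequential", SEQUENTIAL_OUTPUT)):
        print(name, assess_ports(parse_output(text)))
```

Five samples cannot prove randomness, only rule out the obvious failures the checker warns about; a "random-looking" verdict on Henri's lines (spread 35819, about 15 bits) is the expected result for a patched resolver.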

Forgot to mention that I get different name servers every time I click the testing button on the website and all of them have similar replies to Henri's.

Posted by: rita | July 25, 2008 3:33 PM | Report abuse

Yep - Apple are releasing a patch sometime in the next few years so Mac users should be OK. Besides - Macs don't normally use DNS anyway - they're Macs!!1!

Posted by: Rick | July 25, 2008 5:07 PM | Report abuse

If it says "Your name server, at xxx.xxx.xxx.xx, appears to be safe, but make sure the ports listed below aren't following an obvious pattern." then you are probably safe. (This is what the tester prints when the DNS server passes the test.)

If the test result mentions a small difference in the port numbers and a possible NAT problem, but you're actually using your ISP's DNS servers, it could be a quirk involving Nominum caching name servers (CNS or Vantio):

http://www.dslreports.com/forum/r20839639-DNS-Comcast-and-the-DNS-Server-flaw-issue

(Scroll down to Dan Kaminsky's post on that page.)

In Kaminsky's own words:

---begin quote---
This is Dan Kaminsky, the original finder of the bug.

ComCast is using Nominum, the company that employs the inventor of DNS. Nominum has some extra protections that slow my attack down by a couple hundred times. (I called BS on Nominum and they were only too happy to give me a server to try to break. I eventually did, but not in 10 seconds like everyone else but DJB/power.)

A couple hundred times harder to attack corresponds to ~8 bits of entropy, which is how short they are right now. They're investigating now if they can get a couple of bits more in, just for added security. But I do think Nominum, and ComCast by extension, need some credit for working to develop more intensive protections against this attack -- even if it's much less convenient for those of us building test tools.

I am a little amused at the comments re: strong arming. It's not every day that Comcast and I are on the same side of the fence (ahem, net neutrality). This is however a much graver threat, and frankly more ISP's need to follow Comcast's lead here (now there are words I never thought I'd write!).
---end quote---

Note that Comcast isn't the only large ISP that uses Nominum.

Anyway, if your DNS server is running a patched Nominum server, then it's going to show some (but not much) source port randomization (so it will test pretty poorly), but it is nonetheless secured against this vulnerability. (Judging from Nominum's security advisory, I think an unpatched Nominum server would show zero source port randomization.)

Posted by: Barry K. Nathan | July 25, 2008 6:34 PM | Report abuse

The Road Runner (Timewarner cable) seems to be poisoned (as per the test) - this is at my home. I checked at my work this morning, and they had fixed it.

Anybody else on Road Runner have any comments? Should we just stop using any banking or https:// till it is fixed???

Thanks.

Posted by: Arun in San Diego | July 25, 2008 10:16 PM | Report abuse

The Road Runner DNS server I hit in Alabama appears to have now been patched. It wasn't a couple of days ago.

Posted by: kilgore | July 25, 2008 10:52 PM | Report abuse

Anybody know what needs to be done to remedy this with a MAC?

Posted by: Cheree Shenk | July 26, 2008 5:21 AM | Report abuse

BellSouth's servers are showing vulnerable as of 26 July 2008, 1800 EDT

Posted by: Frustrated in Atlanta | July 26, 2008 6:06 PM | Report abuse

My internet provider is att.net. My DNS server which showmyip says is owned by SBC Global Services fails the test. It has failed it ever since the diagnostic tool was made available.

Posted by: Ohio ATT.net user | July 26, 2008 9:44 PM | Report abuse

Using the online test at doxpara, Time Warner's RoadRunner franchise in Hawaii (Oceanic cable) is shown as vulnerable. When I called RoadRunner's national help line to ask about this, the technician I spoke to knew nothing about this issue.

I have switched to OpenDNS and it seems to be working fine.

Posted by: sc | July 27, 2008 9:16 PM | Report abuse

The problem is that DNS cache poisoning just keeps getting easier. In the latest round, the UDP port number has been borrowed as an additional source of entropy to make forgery of responses more difficult--but not impossible. This doesn't always work because of other features, such as NAT, and because, fundamentally, randomization of port numbers is not an effective security measure. This is just a stopgap, and as connection speeds continue to improve, another 15 or 16 bits of entropy isn't going to stand in the way; even now, I suspect someone with a reasonably sized botnet could poison the cache of pretty much any recursive nameserver of his choosing.

Meanwhile, network administrators are being advised to disable recursion for non-local clients. This is good advice, but again, it ultimately doesn't solve any problem. If you're running a mail server, someone can connect to it and do MAIL FROM: commands to force the mail server to look up names. If you have users with browsers, someone can point them at a site that uses Javascript to set locations on IMG tags to force lookups. In other words, disabling recursion on the nameserver may block direct attacks based on DNS request volume, but there are plenty of other ways to cause DNS lookups besides asking the nameserver directly.

The insecurity of DNS has been recognized for years, but instead of actually solving the problem, people keep pushing half-measures (e.g. source port randomization) that hinge on increasingly brittle assumptions. This latest episode may well be the last available stopgap before people have to bite the bullet and implement a long-overdue infrastructure change.

The infrastructure change exists. It's called DNSSEC, and it's a set of extensions to DNS that make it possible to tell with certainty whether a DNS record is valid. This *solves* the DNS cache poisoning problem, and at the same time enables a variety of additional security measures, such as SSL everywhere and opportunistic encryption with IPsec. Technically, there's nothing stopping DNSSEC from being deployed other than the lack of initiative from top-level DNS managers. But there is a market force opposed to DNSSEC--the certificate signing business, which will eventually become largely obsolete after DNSSEC is widely deployed.

It's true that enabling DNSSEC adds some complexity to DNS operations, but it's really not a big deal. Concerns about enumeration of zone data have been addressed in NSEC3. Concerns that DNSSEC doesn't solve the last mile problem until clients are retrofitted are downright silly in the face of DNS cache poisoning, since the last mile isn't even an issue with these attacks.

What remains is to either sign the root zone or settle on a lookaside strategy for certain TLDs, and for registrars and TLD operators to implement the mechanism for domain owners to publish their zone signing keys. This should have been done years ago. I hope that, a few years from now, we won't *still* be saying that.

I find it keenly disappointing that this article doesn't see fit to mention DNSSEC at all. The big CAs, who make their money directly from the fundamental insecurity of traditional DNS, don't want you to know about it, but there is a real solution, and talking about it is in the public's interest.

Posted by: antibozo | July 28, 2008 3:30 AM | Report abuse

My ISP is AAPT in Australia, and it is, apparently, vulnerable. Also, as some other people have mentioned, these instructions are not specific enough, in my opinion, either to the operating system specified or internet connection set up. Do I change IPv6 or IPv4 or both?

Posted by: Justin Gass | July 28, 2008 11:58 PM | Report abuse

Okay, that was a dumb question. IPv4 is the only protocol that works...

Posted by: Justin Gass | July 29, 2008 12:09 AM | Report abuse

My DNS server from att.net/SBC Global Services still is shown as vulnerable by the DoxPara DNS Checker.

Posted by: Ohio ATT.net user | July 29, 2008 9:52 PM | Report abuse

It now appears Bellsouth (AT&T) has patched their DNS...

Your name server, at x.x.x.x, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).

Posted by: rick_in_atlanta | July 30, 2008 8:47 AM | Report abuse

rick_in_atlanta> It now appears Bellsouth (AT&T) has patched their DNS...

But what port sequence was listed below the message you quoted?

Posted by: antibozo | July 30, 2008 11:12 AM | Report abuse

Kaminsky's testing tool shows I do not appear to be protected. However, TWC Road Runner has told me they have updated their servers to address this issue. I hope that is the case.

Posted by: Tim from San Diego | July 30, 2008 4:39 PM | Report abuse

My ISP, Newroads Telecom (Arkansas and Oklahoma), apparently hasn't patched yet. We've been using OpenDNS for several months, but I switched back to Newroads' servers long enough to check.

Posted by: jjjdavidson | July 31, 2008 12:38 PM | Report abuse

Hmmm. Looks like your upgrades wiped out the prior comments. Or - was THAT the upgrade?

Just to let you know, Oceanic Time-Warner appears to have fixed this vulnerability, as indicated by Kaminsky's website, sometime between last weekend and today (8/6/08).

Posted by: sc | August 6, 2008 7:14 PM | Report abuse

Suresh Ramasubramanian posted an incorrect explanation of the "the NAT/Firewall in front of it appears to be interfering with its port selection policy" message that Dan Kaminsky's DNS checker at www.doxpara.com gives out.

The doxpara checker looks at the randomness of the original ports coming from the DNS nameserver and is not affected by your home router/NAT. If it says the range between the largest port and the smallest port is small, then your DNS **nameserver** could still be vulnerable, not your home router/NAT. Talk to your ISP.

Posted by: Anonymous | August 7, 2008 2:11 AM | Report abuse


© 2010 The Washington Post Company