Patches meant to fix a flaw in the Internet's Domain Name System (DNS) don't completely protect the Web's traffic cop from attack, a Russian research claimed Friday.
The head of the non-profit that maintains the most commonly used DNS software, however, said there was little to worry about.
In a blog post, Russian researcher Evgeniy Polyakov said he had created an exploit able to insert bogus routing information into systems running the most-up-to-date version of BIND (Berkeley Internet Name Domain), the popular open-source software that runs a majority of the Web's DNS servers.
BIND 9.5.0-P2 was released Aug. 2 as a follow-on to the initial patch issued July 8, the day that researcher Dan Kaminsky announced the DNS flaw and a coordinated patching effort by several vendors, including Internet Systems Consortium (ISC), which maintains BIND; Microsoft; and Cisco Systems.
Both the July 8 and August 2 BIND updates added source port randomization in the name server to reduce the likelihood of "cache poisoning," the term used to describe attacks that attempt to reroute users' requests for legitimate sites to fakes created to dupe them into entering confidential information.
Polyakov claimed that his exploit was able to insert rogue instructions into a DNS server running BIND 9.5.0-P2, although it took a pair of attacking PCs connected to the server via a Gigabit Ethernet (GigE) network connection about 10 hours to pull off the attack.
"Attack took about half of the day, i.e. a bit less than 10 hours," Polyakov said on his blog. "So, if you have a GigE LAN, any Trojaned machine can poison your DNS during one night."
Computerworld was not immediately able to verify Polyakov's claims.
Paul Vixie, the president of ISC, said the threat posed by Polyakov's exploit was small potatoes compared to the ease with which attackers can poison the caches of unpatched DNS servers. "While I think it's bad that anybody who can hammer you at GigE speed for ten hours can poison your cache, it's not a threat to the real world the way 11 seconds at 10-megabit was," Vixie said in a message posted Sunday to a BIND mailing list.
"Any DNS server with a host-based firewall can implement a 100 percent effective mitigation for the Polyakov attack, and it's possible that an upstream/outboard firewall could also be made to do it," Vixie said. "At some point ISC will have to put logic like this into BIND, of course, but protecting against the Polyakov attack is like synflood protection in that it's a rate-limit problem."
According to other entries posted to his blog, Polyakov began working on an exploit for the DNS flaw around July 29.
Although Kaminsky withheld details of the flaw when he first disclosed the bug early last month, other security researchers parsed the vulnerability from the scant information they had. In a presentation at the Black Hat security conference last week where he outlined the flaw and provided more information, Kaminsky noted that others had reproduced the vulnerability within five days, but kept quiet.
On July 21, however, Thomas Dullien, CEO of the German security company Zynamics GmbH, took a stab at the flaw and posted his best guesses about its details and how it might be exploited. Two days later, working attack code able to poison unpatched DNS servers went public.
For his part, ISC's Vixie urged a move toward a more secure routing system for the Internet, a call that some in the most technical communalities of the Internet have voiced for years. "It's long past time for Secure DNS, which is a combination of TSIG+TKEY, SIG(0), and DNSSEC. End to end crypto authentication," said Vixie in a comment he posted on Slashdot.org Saturday.
"In the time it would take for this Russian's attack to work over your 512K DSL line (2.2 years, I heard?) we could completely secure the DNS or at least the parts of DNS whose operators gave a rat's ass about security," Vixie concluded.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Data grids and service-oriented architecture
Business Intelligence and Enterprise Performance Management: Trends for Emerging Businesses
Wireless LANs: Is my enterprise at risk?
IT Service Management Needs and Adoption Trends: An Analysis of a Global Survey of IT Executives
Solve Exchange Mailbox Storage Issues Once and for All
Refresh your AUP: Top tips to ensure your acceptable use policy is fit for purpose
CRM your salespeople will love
Controlling storage costs with Oracle database 11g
Zones provide focussed content from CIO and leading technology partners.- White PaperLearn to tie virtualized computing to virtualized storage, to offer a dynamic set of capabilities within the data centre and create improved performance and system reliability. Discover how best to utilize EMC Celerra in a VMware ESX environment.
- White PaperWhat you don’t know can destroy your business. It’s hard to imagine modern business without the internet but in the last few years it has become fraught with danger. Read on to discover how internet security can give your business a competitive advantage.
- White PaperJoin industry expert Martin Tuip to discover best practice strategy for the archival and removal of .PST files using email archiving. Learn how to ensure long-term email records are there when needed, and reduce the risk to your business and clients.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
TJX Maxx hacker banged up for 30 years 09 January, 2009 11:26:00
Key figure in the infamous TJX Maxx Wi-Fi hack of 2005 has been sentenced to 30-years in prison by a Turkish court.Maksym Yastremskiy, the Ukrainian accused of being a key figure in the infamous TJX Maxx Wi-Fi hack of 2005, has been sentenced to 30-years in prison by a Turkish court. - +
Data breaches rose sharply in 2008, says study 08 January, 2009 08:27:00
More than 35 million data records were breached in 2008, according to the Identity Theft Resource Center.More than 35 million data records were breached in 2008 in the U.S., a figure that underscores continuing difficulties in securing information, according to the Identity Theft Resource Center (ITRC). - +
Rogue SSL certificate exploit puts VeriSign on the spot 07 January, 2009 11:04:00
Wishes "white hat" researchers had notified VeriSign before public demo.Following the success of researchers last week in creating a false SSL certificate based on VeriSign's RapidSSL brand, the company is scrambling to explain how it happened, how it's preventing it from reoccurring, and whether its other SSL certificate-generation services are at risk. - +
With Gaza conflict, cyberattacks come too 05 January, 2009 08:03:00
Pro-Palestinian hackers have defaced thousands of sites following attacks in Gaza.The conflict raging in Gaza between Israel and Palestine has spilled over to the Internet. - +
5 ways to secure your Blackberry 18 December, 2008 12:58:00
What do Tom Cruise and the McCain campaign have in common? They have both been bitten by the loss of a Blackberry. Mobile expert Dan Hoffman gives advice on how to keep your cherished mobile device safe, even if it's out of your handsWhat do Tom Cruise and the McCain campaign have in common? They have both been bitten by the loss of a Blackberry. Mobile expert Dan Hoffman gives advice on how to keep your cherished mobile device safe, even if it's out of your hands.
Research software developer appoints Susan Dart to new Business Development Director role 08 January, 2009 09:08:00
Research software developer appoints Susan Dart to new Business Development Director role 08 January, 2009 09:08:00
Anyware Introduce Two Powerful PCI TV Tuner Cards with S5 Power Up and Windows Media Center Remote 07 January, 2009 17:30:00
Fortinet Cures Mobile Phone “Curse of Silence/CurseSMS” Attack 07 January, 2009 16:30:00
SEAGATE SHIPS DESKTOP HARD DRIVE WITH WORLD’S HIGHEST AREAL DENSITY – 500GB PER DISK 06 January, 2009 15:34:00
|
||
|
||
|
|
||
|
Enterprise Wireless WLAN Security
Learn more about the security challenges to be faced when defining and implementing security mechanisms within diverse wired and wireless network environments. Download this must-read guide to plan your wireless data protection strategy now.
