Learn How a Virtual Networking Approach Can Strengthen the Security of Federal Networks REGISTER >
LAS VEGAS -- The recent Domain Name System (define) caching flaw that had security experts scrambling to protect the Web wasn't just hype. The Internet as we know it was at risk, according to a security researcher Dan Kaminsky.
During a discussion on front of a packed hall at the Black Hat conference today, Kaminsky detailed flaws in the system that translates domain names into IP addresses, which he's been trying to hide for the last thirty days.
In a 70-minute session with over 50 slides, Kaminsky explained in excruciating detail the flaw in DNS and the myriad ways it could have been exploited to destroy the Internet as we know it.
"We've had a remarkable amount of uptake," Kaminksy said. "Fortune 500 firms are doing way better than I thought with 70 percent tested and patched."
Kaminsky first warned of the DNS caching flaw on July 8th. At the time, he noted that he intended to provide full disclosure of the flaw at the Black Hat conference this week.
Kaminsky's disclosure was part of a coordinated effort that involved dozens of vendors and the US-CERT. The idea was to give DNS users time to patch their systems before making full details of the flaw available.
But his plans to keep the bug under wraps were thwarted; by July 24th, the flaw had already been weopanized out in the wild. That's when security experts got concerned. The flaw could have been widely exploited.
"Almost everything on the Internet depends on DNS returning the right number for the right request," Kaminsky said.
Each DNS request is supposed to carry with it a random number transaction ID. But it turns out that the random number is only one out of 65,000 -- much more than was needed. This is what vendors have patched.
After all, Kaminsky continued, "if everything depends on receiving the right number for the right names, wouldn't a bad guy want his number returned instead?"
Plus, the Time to Live (TTL) timing on DNS, which limits the length of time a DNS entry is valid, doesn't necessarily impact the ability to maliciously corrupt DNS.
The bottom line: TThere are a ton of different routes to doom on this."