In the summer of 2008, my Black Hat USA experience was dominated by a single topic, from a single speaker, Dan Kaminsky and his big DNS flaw. On July 8, 2008, Kaminsky made a big splash announcing that he had found a huge flaw in the internet and that he had brought together the world’s IT vendors to help fix the flaw.
The flaw was found in DNS, the system that maps between domain names and IP addresses, and Kaminsky warned that it was at risk from cache poisoning. Such an attack could have potentially enabled attackers to redirect web traffic and disrupt the normal operations of the internet. Kaminsky disclosed the details at Black Hat USA in August 2008.
The room in which Kaminsky presented his flaw in 2008 was packed like no other I had ever seen at Black Hat, with people sitting in every square foot (a clear fire hazard) and everyone waiting with eager anticipation to find out what the vulnerability was all about.
“DNS bugs create a skeleton key across all websites,” Kaminsky said at the time. “A lot of people think that breaking DNS is not a big deal and I think I was called out. I don’t think I was hyping anything.”
Now, eight years later, what was the actual impact of the so-called Kaminsky flaw?
DNSSEC: Key Solution Not Yet in Wide Use
The original risk was that DNS could be attacked to redirect traffic. While some vendors and users have patched DNS, the simple truth is that the vulnerability still remains. One of the key long-term solutions to the Kaminsky Flaw is DNSSEC (Domain Name System Security Extensions), which adds a cryptographic layer to DNS information. While the infrastructure for DNSSEC exists today, which was not the case in 2008, widespread use of DNSSEC is not yet a reality.
DNS luminary Paul Vixie, original author of the BIND DNS server and current CEO of Farsight Security, is somewhat disheartened by what he has seen in the eight years since the Kaminsky flaw was first disclosed. Vixie noted that not everyone actually patched for the vulnerability and there is still an attack surface for the flaw on the internet today.
“On the other hand this attack pointed to DNSSEC,” Vixie said.
In the aftermath of the Kaminsky Flaw disclosure, the root zone of the internet was signed for DNSSEC in July 2010. The dotcom Top Level Domain (TLD) was finally signed for DNSSEC in April 2011.
“Without this (the Kaminsky Flaw), there wouldn’t have been the use case and the drive to enable DNSSEC,” Vixie said.
Although DNSSEC is enabled at the top levels of the internet, it’s not yet widely deployed by individual domain name holders, he added.
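The patches mentioned above worked by making a forged reply much harder to match against an outstanding query: the 2008 fixes added a randomised UDP source port on top of the 16-bit transaction ID, and resolvers also discard "additional" records that fall outside the zone the queried server is responsible for (the bailiwick rule). The toy resolver below is an added example, not code from the article or from any DNS implementation; the record names, addresses and the `Query`/`Response` structures are constructed for illustration, and it models only the matching and bailiwick checks, not DNSSEC signature validation.

```python
"""Toy model of the resolver-side checks that blunt DNS cache poisoning.

Added example (not the article's or any resolver's code). It models the
2008 mitigation (random source port in addition to the 16-bit transaction
ID) and the bailiwick rule (ignore additional records outside the zone of
the server that was queried). All names and addresses are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Query:
    qname: str
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the resolver sent from


@dataclass
class Response:
    qname: str
    txid: int
    dst_port: int
    answers: dict      # name -> IP address
    additional: dict   # name -> IP address ("glue" records)


def new_query(qname: str, randomize_port: bool) -> Query:
    """Create an outstanding query; pre-patch resolvers reused one fixed port."""
    txid = secrets.randbelow(1 << 16)
    port = secrets.randbelow(65536 - 1024) + 1024 if randomize_port else 53
    return Query(qname, txid, port)


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a forged reply would have to hit."""
    return (1 << 16) * ((65536 - 1024) if randomize_port else 1)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (case-insensitive, trailing dot ignored)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def accept_response(q: Query, r: Response, server_zone: str, cache: dict) -> bool:
    """Cache records from `r` only if it matches the outstanding query `q`.

    A reply whose transaction ID, destination port or question name differs
    is dropped outright; records outside `server_zone` are never cached.
    """
    if r.txid != q.txid or r.dst_port != q.src_port:
        return False
    if r.qname.lower() != q.qname.lower():
        return False
    for section in (r.answers, r.additional):
        for name, ip in section.items():
            if in_bailiwick(name, server_zone):
                cache[name] = ip
    return True


def demo() -> dict:
    """Run one legitimate and one mismatched reply through the checks."""
    cache: dict = {}
    q = new_query("www.example.com.", randomize_port=True)
    # Constructed legitimate reply from the example.com. server; it carries
    # one out-of-bailiwick glue record that must not reach the cache.
    good = Response(q.qname, q.txid, q.src_port,
                    answers={"www.example.com.": "192.0.2.10"},
                    additional={"ns.example.com.": "192.0.2.53",
                                "www.example.net.": "198.51.100.9"})
    # Constructed reply with the right port but the wrong transaction ID.
    mismatched = Response(q.qname, (q.txid + 1) % 65536, q.src_port,
                          answers={"www.example.com.": "203.0.113.66"},
                          additional={})
    return {
        "mismatched_accepted": accept_response(q, mismatched, "example.com.", cache),
        "good_accepted": accept_response(q, good, "example.com.", cache),
        "cache": dict(cache),
        "guess_space_fixed_port": guess_space(False),
        "guess_space_random_port": guess_space(True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two `guess_space` figures are the point of the 2008 patch: a fixed port leaves only the 65,536 transaction IDs to match, while port randomisation multiplies that by the roughly 64,000 usable ports. Neither check authenticates the data itself; that is what DNSSEC adds.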
So eight years after Kaminsky first took the Black Hat USA stage, DNS is potentially safer than it was in July 2008, though issues remain. Aside from the potential risk of cache poisoning, DNS reflection is often used in massive Distributed Denial of Service (DDoS) attacks.
Kaminsky is set to deliver the 2016 Black Hat USA keynote on August 3, where he will discuss how DNS isn’t the root cause of a flaw that could cripple the internet, but rather a tool to help secure the internet’s future.
“We need to talk about how infrastructure like DNS — it was there 25 years ago, we can imagine it will be there 25 years from now — acts as foundation for future development in a way that the API of the hour doesn’t,” the abstract for Kaminsky’s talk states.
While the flaw Kaminsky first disclosed in 2008 may still pose a risk today, his bringing it to light has likely left the internet of 2016 more secure and stable.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.