13>0
Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.
Leave a Reply to Dave Cancel reply
Major Projects
Phreebird: Zero Configuration DNSSEC
Interpolique: Easy Cross Language Injection Defense For The Web
DanKam: Augmented Reality for Color Blindness
Security Talks
2014
Yet Another Dan Kaminsky Talk: Hard Drive Operating Systems, Storage XOR Execution, Secure Random By Default, Cryptomnemonics, Ending Use After Free in Browsers, Fast Spoofed DDoS Tracing, NSA Crypto Fallout
Slides
2012
Black Ops: Practical System-Wide Timing Attack Defense, Real World Entropy Generation For Devices, Safe String Interpolation, Image Loads For Censorship Detection, Certificate Extraction w/ Flash Sockets, Stateless TCP Sockets
Slides
2011
Black Ops of TCP/IP 2011: Bitcoin Cloud Deanon/Data Embedding, External Interface UPNP, TCP SEQ# Attacks Revisted, Generic Password to Asymmetric Key Generation, Net Neutrality Validation
Slides
2010
Introducing The Domain Key Infrastructure:
Zero Configuration DNSSEC Serving, End-To-End Client Integration w/ UI Via OpenSSL and Secure Proxies, Federated OpenSSH, DNS over HTTP/X.509, Self-Securing URLs, Secure Scalable Email (Finally!)
Slides
Code (Phreebird Suite)
Black Hat USA Slides
Interpolique:
Where's The Safety in Type Safety?, Preventing Injection Attacks (XSS/SQL) With String Safety, Why Ease Of Use Matters, Automatic Query Parameterization, How LISP Was Right About Dynamic Scope, Dynamic DOM Manipulation For Secure Integration of Untrusted HTML
Slides Audio
Code
Realism in Web Defense:
Why Security Fails, What's Wrong With Session Management On The Web, The Failure Of Referrer Checking, Interpreter Suicide, Towards a Real Session Context, Treelocking, The Beginnings of Interpolique
Slides
2009
Staring Into The Abyss:
Middleware Fingerprinting, Firewall Rule Bypass, Internal Address Disclosure, Same Origin Attacks Against Proxied Hosts, TCP NAT2NAT via Active FTP And TCP Spoofing
Slides Paper
Black Ops Of PKI:
Structural Weaknesses of X.509, Architectural Advantages of DNSSEC, ASN.1 Confusion, Null Terminator Attacks Against Certificates
Slides Video
Financial Cryptography Paper
2008
It's The End Of The Cache As We Know It:
DNS Server+Client Cache Poisoning, Issues with SSL, Breaking “Forgot My Password” Systems, Attacking Autoupdaters and Unhardened Parsers, Rerouting Internal Traffic
Black Hat Slides
BH Fed Slides (Adds Drupal, DNSSEC)
Video Audio
"Illustrated Guide To The Kaminsky Bug"
Sarah on DNS
Ad Injection Gone Wild:
Subdomain NXDOMAIN injection for Universal Cross Site Scripting
Slides
2007
Design Reviewing The Web:
DNS Rebinding, VPN to the Browser, Provider Hostility Detection, Audio CAPTCHA Analysis
Slides Video
2006
Pattern Recognition:
Net Neutrality Violation Detection, Large Scale SSL Scanning, Securing Online Banking, Cryptomnemonics, Context Free Grammar Fuzzing, Security Dotplots
Slides
Weaponizing Noam Chomsky, or Hacking with Pattern Languages:
The Nymic Domain, XML Trees For Automatically Extracted Grammar, Syntax Highlighting for Compression Depth, Live Discovered Grammar Rendering, "CFG9000" Context Free Grammar Fuzzer, Dotplots for Format Identification and Fuzzer Guidance, Tilt Shift Dotplots, Visual Bindiff
Slides Video Code
2005:
Black Ops of TCP/IP 2005.5:
Worldwide DNS Scans, Temporal IDS Evasion, the Sony Rootkit, MD5 Conflation of Web Pages
Slides Video
2004:
MD5 To Be Considered Harmful Someday:
Applied Attacks Against Simple Collisions Via Malicious Appendage, Executable Confusion, Auditor Bypass, Bit Commitment Shirking, HMAC Implications, Collision Steganography, P2P Attacks Against Kazaa Hash
Slides Paper
Code (Confoo)
Code (Stripwire)
Black Ops of DNS:
Tunneling Audio, Video, and SSH over DNS
Slides Audio
Code (OzymanDNS 0.1)
Code (OzymanDNS 0.1 for Windows)
2003:
Stack Black Ops:
Generic ActiveX, SQL for Large Network Scans, Bandwidth Brokering, SSL for IDS’s
Slides Audio
Code (Paketto Keiretsu 2.00pre5)
2002:
Black Ops of TCP/IP:
High Speed Scanning, Parasitic Traceroute, TCP NAT2NAT
Slides Audio 1 Audio 2
Code (Paketto Keiretsu 1.01)
2001:
Gateway Cryptography:
SSH Dynamic Forwarding, Securing Meet-In-The-Middle, PPTP over SSH
Slides Audio
SSH Cheat Sheet
Dan Kaminsky's Blog 
Thanks Dan! Keep up the good work.
Is it fair to say the sudden urgency is in response to Halver Flake?
No probably it’s related to the screwup by matasano
What’s with the secrecy? The bad guys in all likelihood already knew about this! It does not take a genius to know this if you read the relevant code, especially after an advisory is out!
Does your subject line mean thirteen *days* is better than zero?
Clever!
The cat has been out of the bag the entire time.
Just because you don’t observe the cat does not mitigate its existence.
The cat both exists inside and outside of the bag.
The bag is your mind.
Update the bag, Dan. -Tony Azzolino’s ghost.
do NOT blindly start using OpenDNS until you understand all the consequences
They don’t return NXDOMAIN for non-existant domains.
At least there wasn’t any code to go with the explanation.
Also, I want to thank you SCO for providing such useful information about whether this vulnerability affects their BIND implementation.
I’ve got to second Andrew Dalgleish: Do not use OpenDNS if you don’t know what you’re doing. There won’t be NXDOMAIN returns breaking spam filters and other applications on your server and it will show advertising to your unsuspecting users.
*Do* fix your nameservers. Upgrade, disable recursion etc.
Is it just me, or is the checker broken? I keep getting a message that /printme.html is not found on the site. That seems to be a 404… Something hacked or mislaid?
Thanks lieutenant Dan!
.. sorry, could not resist, its my nature, I can’t help it.
I was thinking of some way to `responsibly’ report this, I came up with jack shit.
Anyway, thanks again.
You can enable NXDOMAIN returns on OpenDNS, just register your IP/subnet and disable typo correction. Why are so many people believing otherwise without checking? For what it is worth I opened an incident the day the word spread with my provider about their DNS not being patched and nothing changed so OpenDNS here I come.
For my little spot of cyberspace I do the following:
1. I run a local dns server that randomizes source ports whose network facing NAT does not derandomize source ports.
2. My local server resolves through the root servers. The queries are sent to a random root.
3. I limit my dns server to strictly use TCP queries and not to use UDP for queries.
Hopefully, this works for me and that this or something else works for you.
mm
this attack been in the wild for like 10 years 🙂
I mean, who didn’t notice, our little blahblah.microsoft.com iamandidiot.microsoft.com etc poisons? guess what the attack was. here you go.
but to the real solution: dnssec!
The entire idea that the cat was ever in a bag here is just a total farce. 13 days??? Halvar was more correct when he hypothesized N=4 and N=N/4 for the motivated.
The idea that somehow the “open” researcher has the monopoly on this stuff is quite near-sighted.
If Dan really cared about the security of DNS he would have never announced this.
OpenDNS will be the only DNS who will be used? Then we can have a nice statistic regarding the domains we are visiting?
So alot of people will know what we like and so on …. ?
This is the solving issue to a big flaw in DNS implementation : use OpenDNS ?
You mean….do what you were supposed to do in the first place? 🙂
Hmmm… advertising to my users that type a bad address vs. undetectable phishing attacks. Yeah, I think I’ll deal with OpenDNS until our ISP pulls their head out of their ass.
Rudd-O says “if you read the relevant code, you know how to exploit it.”
The patch makes DNS more secure in a general way.
To exploit an insecure server, you have to hit a window in time when it is vulnerable. In normal operation, that isn’t very predictable.
… but what if someone finds a way to create more windows of vulnerability?
As much as I want the precise details, I’m grateful for the secrecy. We needed time to develop a patch for our (non-BIND, non-Microsoft) DNS server and deploy it.
Thanks to Dan, we had the time to do that, and get it deployed, before some of the details leaked.
ZoneEdit seems to have been affected by the exploit. All of my DNS hosted with them (which is thankfully little these days as I run my own, patched, DNS) is now pointing elsewhere. Good motivation to move everything to my own systems.
很好很强大
等待黑客攻击工具的出现
by the way,I’m the friends who is come from china.
Mr. Kaminsky,
If you and other bright individuals really want to help, you should whip up a utility for users to poke their ISPs for the vulnerability. We have seen similar utilities to test for P2P throttling recently.
I’m with a small town ISP and from past experience with other issues, I just know they haven’t patched this. Subscribers are the ultimate victim and target of these fraudsters, how about helping us help ourselves?
DNS Checker
When will it be checking my website by IP address instead of by my internet connection, since the two of them are not even by the same company…
What about RFC2827 again as things like spoofing protection, uRPF, FW-extensions, tracking UDP-state, HIPS looking at floods from single SRC IP would all help to address attacks on ISPs and Enterprises. Essentially one must spoof the authoratative NS SRC IP for this to work right?
Sure you have to initiate the lookup via iframes/image tags/SPAM or compromised hosts to start the race in the first place, but with some form of ‘state’ and good filtering this shouldn’t be *such* an issue. Network configs can buy time to addess patching…. TIME is still the issue, both the start time and the response time…
Maybe I am missing something. Maybe not.
FWIW, I suspect this flaw was discovered and being exploited some time ago. I recall seeing something similar to the “cat out of the bag” pattern in a DNS server cache.
From Spain: thanks Don!
How has this been open since the early 90’s. Are there teams of scientists, web developers, and even hackers who pour through Web infrastructure? I was a software code writer in the early 90’s but didn’t think anyone would pay for such services. D’oh! But seriously, what else is out there waiting for exploitation?
I think that the text of the checker needs to be changed. It currently says: “All requests came from the following source port: 19446
Do not be concerned at this time. IT administrators have only recently been apprised of this issue, and should have some time to safely evaluate and deploy a fix.” The warning should probably be a little more insistent 😦
Thank you for your research. We are really appreciate it.
“I keep getting a message that /printme.html is not found on the site. That seems to be a 404…” This typically happens on hosts that have IPv6 enabled in their web browser and you’re running a web server on your own computer. I think the problem is that one of the test site CNAMEs resolves to ::1, which is the IPv6 localhost.
Covad has yet to fix this on their DNS servers (at least the ones they assigned to us), despite a phone call and email to their abuse team. 😦
OpenDNS not only doesn’t return NXDOMAIN, but a lookup of http://www.google.com returns a CNAME google.navigation.opendns.com. I expected their no-NXDOMAIN stuff, but I don’t expect them to hijack Google.
As a workaround, it is recommended to set DNS
servers to forward only. Can someone explain why
that helps? Cannot responses from the forwarder be
spoofed same as normal query responses? Is it that
“glue RRs” from forwarders are discarded; or that
source ports of forwarded requests are better
randomized than normal queries; or that forwarding
is done with TCP not UDP?
The “published attack” has ns.victim.com spoofed.
That does not affect a server set to forward only.
Could the attacker spoof login.victim.com
directly, and would not that affect a forward only
server equally?
Tested from an iPhone… NS – 209.183.35.23 Vunerable
@Dave
:Tested from an iPhone… NS – 209.183.35.23 Vunerable
You are not really testing the iPhone, the “DNS server you use” belongs to your phone company. (Your iPhone asks the phone company’s systems for DNS information, and they talk to the computer doing the test.)
FYI The ip address 209.183.35.23 belongs to Cingular.
I prefer the test at DNS-ORAC to Dan’s; it lists the names it finds for the IP server that talks to it. (I.e. it would mention Cingular on the results page.) It also draws pretty graphs of how secure it thinks you are:
https://www.dns-oarc.net/
ttfn
Non-recursing nameservers discard glue RRs. Or at least they should, anyway! (If the recursive bit is set in the query – asking the queried nameserver to do recursion – then it would make sense not to even include glue in the response, but of course a spoofed response could, so we need to ignore/discard glue, not just assume it’s not there.)
@Paul Szabo
:Cannot responses from the forwarder be
spoofed same as normal query responses?
Your forwarding DNS server is talking to recursing DNS server, probably at your ISP.
An attacker wanting to commit fraud is motivated to get lots of visitors to their auction/shopping/… site/proxy – so that they can gather lots credit card & social security numbers. So the ISP systems are the obvious target.
Presuming the ISP has fixed their systems the attackers are left with targeting those users who run their own vulnerable recursing DNS servers.
The recursing bit is important, as it means the DNS system is talking to servers outside the ISP. The ISP can probably not distinguish between valid & falsified responses from those servers.
A forwarding DNS only talks to the ISP’s server. It is very hard for an attacker to target this, because ISP normally throws away data at the border from external networks claiming to come from an address inside. So faked responses are unlikely to reach you.
Forwarding to OpenDNS is less secure, as fake replies can pretend to come from the OpenDNS server. However the attacker cannot normally be sure of the details of your DNS system such as, recently used port number(s), recent identification numbers, or even which IP address to send to. So the attack is much harder than before.
ttfn
Thanks Dan,
now the TIGER is out of the bag…
METASPLOIT published 12 hours ago the source code for the exploit…
http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/baliwicked_host.rb?rev=5579
I will attend to DAKAMI webcast tonight and I will be there in Vegas to hear about this;
Yes 13>,0 but I am very disappointed that patching was not done on many servers because of summer time, and “we do not believe it” arrogant behaviour of some IT people.
Now the exploit is available since few hours… In France we experienced last night the first consequence as the french railway on line and intranet ticketing system collapsed for half a day.
I’m very happy of this because finally they will all hear the word “PATCH”
A grat supporter of you DAKAMI,
Mauro “lenetwizz”
I’m confused about the DNS Checker.
It always reports about a DNS server at 208.69.32.13 (toorrr.com), which I don’t use. In fact, changing my DNS settings or switching ISPs has no efect.
According to whois, toorrr.com belongs to Dan Kaminsky.
What am I missing here?
Oh, I see the IP is from OpenDNS. More confusion. Anyway, the test at dns-oarc.net works much better.
Thanks Dan, Keep up the good work.
Dan, I put a question out there and was wondering your take on it.
http://mice.org/blog/dns-poisoning-and-mal-ads/
Thanks for the great work on all this too!
Debbie Mahler
MICE Training & Education
We use managed DNS service provide. Are we, as an organization, vulnerable?
@Pacman: If your DNS service provider is vulnerable so are you. Try the tool at https://www.dns-oarc.net/oarc/services/dnsentropy from a computer which uses your DNS service provider to check for the vulnerability.
Wait, how can you trust these DNS validator? I mean, if your DNS has been poisoned, what better target than these validators? You could be redirected to a mock-up page that says everything is A-OK.
can you explain what, if any, problems would be if my ports aren’t following an obvious pattern
Could you please explain how to determine whether one’s ports are following an obvious pattern, and what remedial action to take? Thanks!
@Niles Gibbs: The one I’ve linked to uses TLS. Your browser warns you if there’s a self signed or invalid certificate. But you naturally have to trust the test itself…
https://www.dns-oarc.net/oarc/services/dnsentropy
@chris: If your ports aren’t following an obvious pattern, everything’s all right. If they *do* follow a predictable pattern something is wrong.
Gee, this is scary. Especially because my DNS results are rather inconclusive.
Thanks
WHEN I TRY TO DOWNLOAD OPENDNS UPDATER I GET A MESSAGE THAT THE PUBLISHER CAN NOT BE VERIFIED AND I SHOULC NO TRUN SOFTWARE?
Thanks, Dan – and NPR.
DNS Checker: no apparent problem but ports could be construed as obvious patter.
Much Thanks.
No, sorry there not. 🙂
Thanks, Dan–to you and to NPR.
Thanks, Dan and NPR for running the story.
I hate rogers.
OK, OpenDns.
I heard your radio interview on NPR, got excited, went to OpenDNS and downloaded/installed it. Two days later I read in the knowledge base that HughesNet people CANNOT use OpenDNS. All that for nothing. I just wanted this put into your Blog so people would know…
Your name server, at XXXXXXXXXX, appears vulnerable to DNS Cache Poisoning.
All requests came from the following source port: XXXX
This rogers canada
This exploit has been out how long, and most isps haven’t updated, including my own. Thankgod for opendns. Wowway sucks.
Thank you for your work and sharing it.
I am concerned about this DNS checker, I have patched my servers but it still says I am vulnerable. Is anyone else seeing this?
Thk U, nice ap.
According to this website (http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html), the DNS flaw is inadequate. What is your reaction? Is it really feasable? Are we in even more danger now that this new exploit exists?
thanks mate 8)
It’s a myth that OpenDNS provides a solid DNS service. In fact, they spy at you and track your Internet activity; and sell the data collected. Also, if you use remote desktop sevice to connect to a remote server, you’ll get disconnected frequently because of the OpenDNS redirect/relay system. So, you better use your ISP, a real DNS service such as the one provided by Level3, or you set up your own DNS server.