Now that the details of the attack have been leaked (yesterday), I can say that stub resolvers are not the focus of this attack.

The potential attack is a fully automated, drive-by attack using brute force methods to crack the transaction ID field (a 16-bit random number). In around 5 seconds (varies by bandwidth), any vulnerable resolving name server can have its cache poisoned. There is no real time window limit on the attack - if you have less bandwidth, the attack will take longer (maybe 30 seconds) but it will still succeed.
To trigger the attack, an unsuspecting user simply visits a hacked web page (for example, any Facebook page, or recently, the website of the University of California at Irvine). This loads a very small JavaScript into the user's browser, which then sets about conducting the attack. It needs the help of a special outside DNS server, but this is not at all difficult to set up. The targeted resolving name server - the resolver used by the web browser - will see roughly 10 MB of extraneous traffic.

The result is a pharming attack, in which the criminals stage a man-in-the-middle attack on an online banking site, or any other website they choose, in order to steal usernames, passwords, etc. It can even be used against email delivery. From the pharming attack, the attackers can potentially start emptying bank accounts, stealing identities, etc.

If you operate your own DNS caching resolver, and if it is based on BIND, CNS, Microsoft DNS, or the Cisco DNS resolver, it is your responsibility to make sure your server is secure. However, if you use someone else's resolver, and they don't fix it, you are at risk. For example, my home ISP, Comcast, doesn't seem to think they have to do anything. My father's ISP, AT&T, is still vulnerable as well.

** Test **

Visit this web page: https://www.dns-oarc.net/oarc/services/dnsentropy

Click on the Test My DNS button and wait for the test to complete - it may take a minute or two. If the results are anything less than "Good" on the source port randomization test, you need to fix something.

** Quick Fix **

Go to http://www.opendns.com/, click on the Get Started button, and follow instructions. Their resolvers use very good source port randomization.

** Long Term Fix **

The only long term fix is DNSSEC. Source port randomization buys us a few years at best - the effective cypher length is doubled from 16 bits to 32. Do you feel secure knowing your Internet experience is protected from a pharming attack by even a 32 bit cypher?
I didn't think so. DNSSEC increases the cypher length to an arbitrary length. The implementation now in use commonly uses 1024 bits or more.

Chris Buxton
Professional Services
Men & Mice
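As an added example (not part of Chris Buxton's post and not the OARC service's code), here is a small Python check in the spirit of the OARC entropy test: it rates a sample of the source ports a resolver used for its outbound queries and shows how source port entropy and transaction ID entropy add up to roughly the "32 bits" the post mentions. The entropy heuristic, the rating cut-offs, and the sample data are this example's own assumptions.

```python
import math
import random
import statistics


def entropy_bits(values):
    """Heuristic bits of unpredictability in a list of 16-bit values.

    A constant sequence (fixed source port, the pre-patch resolver
    behaviour) or a constant-step sequence (simple counter) is fully
    predictable and scores 0. Otherwise use log2 of the population
    standard deviation, which is about 14.2 bits for uniformly random
    16-bit values, capped at 16. This is an assumed heuristic, not the
    exact formula the OARC test uses.
    """
    if len(values) < 2:
        return 0.0
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(steps) == 1:  # step 0 = fixed port, any other step = counter
        return 0.0
    sd = statistics.pstdev(values)
    return 0.0 if sd <= 1 else min(16.0, math.log2(sd))


def rate(bits):
    """Map an entropy estimate to a rating; cut-offs are this example's own."""
    if bits < 8:
        return "Poor"
    if bits < 13:
        return "Fair"
    return "Good"


def effective_search_bits(ports, txids):
    """Attacker work factor: port bits and TXID bits add, which is why random
    source ports roughly double the 16-bit transaction ID to ~32 bits."""
    return entropy_bits(ports) + entropy_bits(txids)


def sample_data(n=300, seed=2008):
    """Constructed sample: ports/TXIDs a patched resolver might emit."""
    rng = random.Random(seed)
    ports = [rng.randint(1024, 65535) for _ in range(n)]
    txids = [rng.randint(0, 65535) for _ in range(n)]
    return ports, txids


if __name__ == "__main__":
    ports, txids = sample_data()
    for name, p in (("fixed", [53] * 300), ("sequential", list(range(1024, 1324))),
                    ("random", ports)):
        b = entropy_bits(p)
        print(f"{name:10s} ports: {b:5.1f} bits -> {rate(b)}; "
              f"total with random TXID: {effective_search_bits(p, txids):5.1f} bits")
```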