
Re: [WEB SECURITY] Major DNS Vulnerabilities



I have no real insider information, but even without that, the problem is kind of obvious. You've got a single source port and a small number of query IDs, making it reasonably easy to spoof a response. Add a decent tool to attack this problem (maybe that's the part that is going to be released at Blackhat?), a bunch of motivated users for such a tool (Phishing/Pharming?) and you've got a big problem.

The overall issue has been discussed for a while (for example see this paper http://www.sans.org/reading_room/whitepapers/dns/1567.php). 

If you would like to implement DNSSEC (the real solution to this problem), try "DNSSEC Look Aside Validation" (https://secure.isc.org/index.pl?/ops/dlv/) as an interim solution.

To bring this back to web-application security: The only real defense from a web application standpoint is HTTPS (and using "real" certificates). Remember that HTTPS is not just about encryption, but it's also about authentication.

Final note about the DNS patch: It will hurt performance of your DNS server. It's yet one more random number the server has to come up with for each query.
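To put numbers on the point made above about a single source port and few query IDs, here is an added Python model that is not part of the original post or of any DNS implementation. It assumes a 16-bit transaction ID, models the source port as contributing either 0 extra bits (fixed port) or up to 16 extra bits (randomized port; real resolvers exclude some port ranges, so they get slightly less), and assumes the attacker can trigger independent queries for the target zone and send a burst of distinct forged replies at each one. The counts of forged replies and queries are constructed inputs.

```python
"""Spoofing odds with and without source-port randomisation (added example).

A forged reply is accepted only if it carries the 16-bit transaction ID of
the outstanding query and arrives on the UDP port the resolver sent from.
With a fixed source port the attacker must guess only the TXID; with a
randomised port both must match.  The attacker triggers many independent
queries and floods each with a burst of distinct forged replies.
"""
import math
import random

TXID_BITS = 16  # fixed by the DNS wire format


def space_size(port_bits: int) -> int:
    """Number of (txid, port) combinations the attacker must cover."""
    return 2 ** (TXID_BITS + port_bits)


def p_hit_per_query(forged_per_query: int, port_bits: int) -> float:
    """Chance one query window is poisoned by `forged_per_query` distinct guesses.

    Guesses are assumed distinct (the attacker enumerates and never repeats),
    so the chance is forged/space, capped at 1.
    """
    return min(1.0, forged_per_query / space_size(port_bits))


def p_success(forged_per_query: int, queries: int, port_bits: int) -> float:
    """P(at least one of `queries` independent attempts poisons the cache)."""
    p = p_hit_per_query(forged_per_query, port_bits)
    return 1.0 - (1.0 - p) ** queries


def queries_for_confidence(forged_per_query: int, port_bits: int,
                           confidence: float = 0.5) -> int:
    """Smallest number of attempts giving at least `confidence` overall success."""
    p = p_hit_per_query(forged_per_query, port_bits)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def simulate(forged_per_query: int, queries: int, port_bits: int,
             trials: int = 2000, seed: int = 1) -> float:
    """Monte-Carlo check of p_success.

    Each attempt: the resolver draws a random (txid, port) and the attacker
    covers a contiguous block of `forged_per_query` values starting at a
    random offset (equivalent to any set of distinct guesses).  Returns the
    fraction of trials in which some attempt succeeded.
    """
    rng = random.Random(seed)
    n = space_size(port_bits)
    wins = 0
    for _ in range(trials):
        for _attempt in range(queries):
            real = rng.randrange(n)
            start = rng.randrange(n)
            if (real - start) % n < forged_per_query:
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    # Constructed scenario: 100 forged replies per query window (comment
    # line, not measured data), 500 triggered queries.
    for bits in (0, 16):
        label = "fixed port" if bits == 0 else "random port (16 bits)"
        print(f"{label:22s} P(success, 500 queries) = "
              f"{p_success(100, 500, bits):.3%}, "
              f"queries for 50%: {queries_for_confidence(100, bits):,}")
```

With a fixed source port, 100 forged replies per window reach a coin-flip chance of poisoning after a few hundred triggered queries; adding 16 bits of port entropy multiplies that number by roughly 65,000, which is the whole effect of the patch being discussed. The simulation is only there to confirm the closed-form figure.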




----- Original Message -----
From: "Michael S. Menefee" <mmenefee@xxxxxxxxxxxxxxx>
To: robert@xxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx
Sent: Wednesday, July 9, 2008 12:19:34 AM GMT -05:00 US/Canada Eastern
Subject: RE: [WEB SECURITY] Major DNS Vulnerabilities 

Robert,

Kindly disregard my last post. Apparently the idea is for Kaminsky to
announce more about the details at black hat in august. Although I can
understand the approach, it's frustrating as a security professional to
simply accept that "you need to patch this" or even worse: "customer you
need to patch this" without more details...blackhat's next month and
this story is news today...not sure I *agree* with the approach,
although I can *understand* it, but why wait for the hype of blackhat to
make the details known? I for one need more plausible justification to
recommend most things--this included.

Anyways, thanks again for the headsup, although this story quickly
exploded damn near everywhere all at once :)


--
Michael S. Menefee, CISSP (#43728)
Principal Consultant
Secure Solve, Inc.
Phone: (919) 439-3598
Fax: (919) 287-2570
mmenefee@xxxxxxxxxxxxxxx
www.securesolve.com

-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx] 
Sent: Tuesday, July 08, 2008 4:37 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Major DNS Vulnerabilities 


Looks as though it's time to patch again. This time against 81 different
products.

http://it.slashdot.org/article.pl?sid=08/07/08/195225
http://securosis.com/publications/CERT%20Advisory.doc
http://securosis.com/publications/DNS-Executive-Overview.pdf

Regards,
- Robert
http://www.webappsec.org/



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


