DNS flaw is so big it puts every network at risk

A recently found flaw in the internet's addressing system is worse than first feared, Dan Kaminsky said when speaking publicly about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.

"Every network is at risk," he said. "That's what this flaw has shown."

DNS is the internet's address book: it translates the website names people prefer into numeric addresses, so www.neowin.net gets translated to its real address of 209.124.63.212.

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website. In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.

Using the flaw, hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.

29 Comments

"Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website."

still even if that's true i don't think it would hurt me much since say it was a website you ordered stuff from... without the 'ssl' lock being there which it's pretty safe to assume it won't be since it ain't the legit site.. then i don't see how it could hurt me all that much unless i'm missing something?

(ThaCrip said @ #10)
"Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website."

still even if that's true i don't think it would hurt me much since say it was a website you ordered stuff from... without the 'ssl' lock being there which it's pretty safe to assume it won't be since it ain't the legit site.. then i don't see how it could hurt me all that much unless i'm missing something?

Depends on what site you're browsing. Not every site uses a form of encryption, even though most should. Sites like MySpace and Facebook would probably be the first target for phishers.

(Laser_iCE said @ #10.1)

Depends on what site you're browsing. Not every site uses a form of encryption, even though most should. Sites like MySpace and Facebook would probably be the first target for phishers.

i see your point... but i'm mainly referring to more serious stuff like getting your credit card info stolen etc... cause i myself never order from a site without SSL enabled. so if that's not there i would detect that something is up.

stuff like myspace etc would not be too serious if people's username/passwords got stolen unless people just wanted to harm their data on their accounts etc right?

(ThaCrip said @ #10.2)

i see your point... but i'm mainly referring to more serious stuff like getting your credit card info stolen etc... cause i myself never order from a site without SSL enabled. so if that's not there i would detect that something is up.

stuff like myspace etc would not be too serious if people's username/passwords got stolen unless people just wanted to harm their data on their accounts etc right?

Well that and the fact that once their accounts are compromised, so are their profiles which would allow the hacker to insert malicious code and anybody who visited the profile would run the malicious code. Also, if done convincingly enough (or some people are simply that stupid/trusting), they message the person's friends to a download for something that might be appealing (mp3 download, ringtone, etc.) which then could be anything, a worm, a trojan/backdoor, etc. They're generally after the stupid ones because there's more of them. Once the user is infected, they are at the hacker's will and the DNS flaw becomes pretty pointless.

This is old news. The vulnerability was made public on the 8th of July. Microsoft, Cisco and other various vendors had been collaborating for MONTHS to get patches prepared, and most ISPs patched within the first week.
OpenDNS supposedly never was vulnerable because they had designed their systems better in the first place or something.

(warwagon said @ #8.1)
Yes, It's Awesome Use it!

for the low low price of "FREE!!"

208.67.222.222
208.67.220.220

add those DNS numbers and you're golden

there is no need, Comcast isn't vulnerable.

(VRam said @ #7)
Has OpenDNS been patched against this vulnerability?

It certainly has. That's what I use for our home network.

(g0wg said @ #7.3)
how isn't it vulnerable? (out of mere curiosity)

Like very few DNS servers did was to do source port randomizing of 16-bit of which a range of 1024-65535 UDP ports would be open at a time for a response back for a lookup. This and the 16-bit Query ID means the attacker has a 1 in over 4 billion chance to successfully take over a DNS address compared to 1 in 65536 (if on a fixed UDP port).

Listen to the Latest Security now

http://media.grc.com/sn/sn-155.mp3


At the end after he talks about how DNS works he talks about how the flaw works. It's really scary stuff.

Long story short, if an ISP hadn't patched this flaw, then a hacker in a matter of minutes could change the DNS record for paypal.com on the ISP's DNS server.

So now every one of the ISP's customers that go to paypal.com will be going to a phishing site. It can also give the record a long TTL so it won't expire for a while.

I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.

(warwagon said @ #6)
Listen to the Latest Security now

http://media.grc.com/sn/sn-155.mp3


At the end after he talks about how DNS works he talks about how the flaw works. It's really scary stuff.

Long story short, if an ISP hadn't patched this flaw, then a hacker in a matter of minutes could change the DNS record for paypal.com on the ISP's DNS server.

So now every one of the ISP's customers that go to paypal.com will be going to a phishing site. It can also give the record a long TTL so it won't expire for a while.

I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.

I was listening to that on the way home from work the other day, I had no idea DNS was so... trusting...

(warwagon said @ #6)
I recommend to stay safe, to use OpenDNS. www.OpenDNS.com which isn't affected.

Eggs & single baskets come to mind.

(Joe USer said @ #6.2)

Eggs & single baskets come to mind.


How does that make sense? How do you suggest using multiple DNS providers?

(Kirkburn said @ #6.3)

How does that make sense? How do you suggest using multiple DNS providers?

You don't understand? You put all your eggs into one basket and it's easier to steal them all at once. So, if everybody uses OpenDNS, wouldn't it be easier to "hack" them all at once with the next best exploit? Don't tell me it's perfectly secure because there's no such thing :)

However, you don't need to go that far in using another DNS server if your ISP's DNS server is fine. Just check whether or not you can be affected at www.doxpara.com, if you are then yes, use another DNS server that isn't compromised otherwise stick with your ISP's, it's the fastest for you.
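An added example, not part of the original thread or any commenter's code: it works through the query-ID and source-port arithmetic from the comment on port randomization, and classifies a resolver by the UDP source ports seen on its outgoing queries. The sample port lists, the function names and the `min_spread` threshold are constructed for illustration.

```python
QUERY_ID_SPACE = 2 ** 16           # the DNS query ID is a 16-bit field
PORT_POOL = range(1024, 65536)     # pool quoted in the thread: UDP ports 1024-65535

def guess_space(port_count):
    """Number of (source port, query ID) pairs a forged reply would have to match."""
    return port_count * QUERY_ID_SPACE

def assess_ports(ports, min_spread=4096):
    """Classify the source ports observed on a resolver's outgoing queries.

    ports: source ports in the order the queries were seen.
    min_spread: assumed cut-off for this example, not a standard value.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    distinct = len(set(ports))
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    spread = max(ports) - min(ports)
    if distinct == 1:
        verdict, pool = "fixed", 1
    elif all(0 < d <= 8 for d in deltas):
        # Ports that only step upward are predictable, so they add no real entropy.
        verdict, pool = "sequential", 1
    elif spread < min_spread:
        verdict, pool = "narrow", spread + 1
    else:
        # spread + 1 is a lower bound on the pool from a small sample.
        verdict, pool = "randomized", spread + 1
    return {"verdict": verdict, "distinct": distinct,
            "observed_pool": pool, "guess_space": guess_space(pool)}

# Constructed samples (not captured from any real resolver).
FIXED_SAMPLE = [53, 53, 53, 53, 53, 53, 53, 53]
SEQUENTIAL_SAMPLE = [32768, 32769, 32770, 32771, 32772]
RANDOM_SAMPLE = [40213, 1187, 58820, 23011, 61402, 9954, 33377, 50121]

if __name__ == "__main__":
    print("full pool guess space:", guess_space(len(PORT_POOL)))
    for name, sample in [("fixed", FIXED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("random", RANDOM_SAMPLE)]:
        print(name, assess_ports(sample))
```

A resolver that reports `fixed` or `sequential` leaves only the 16-bit query ID to guess, which is the unpatched condition the thread describes.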

That's what they want you to think. In the mean time, please make sure to log in and out of all your financial accounts frequently, and on every PC that's on a different network than the last one you just used.

OMG, the interwebs is going to get hax0red! Internet meltdown in 3...2...*click* Love it how people blow this crap out of proportion.

(ir0nw0lf said @ #3)
OMG, the interwebs is going to get hax0red! Internet meltdown in 3...2...*click* Love it how people blow this crap out of proportion.

Haha, well considering the exploit is now out in the wild since the Black Hat conference, the internet does have the potential to get hax0red. The only option? Disconnect your **** and run!