DNS Vulnerability Found by a GSEC Student Three Years Ago!
Kudos to Ian Green! In January 2005 he submitted a paper for his GSEC certification that lays out in wonderful detail the very same vulnerability that is the subject of today's patching frenzy. Here is what Ian told us in an email today:
The DNS Spoofing vulnerability was discovered and reported to SANS during research for GSEC in January 2005. http://www.sans.org/reading_room/whitepapers/dns/1567.php
Extract:
By observing these values of DNS queries over a period of time, the following patterns were noted:
- The DNS transaction ID always begins at 1 and is incremented by 1 for each subsequent DNS query; and
- The UDP source port of the query (which becomes the UDP destination port of the response) remains static for the entirety of a session (from startup to shutdown).
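The two patterns Ian Green recorded (a counting transaction ID and a fixed source port) are exactly what a defender can check for in their own resolvers' outbound traffic. The following is an added example, not code from the diary or from the GSEC paper: it parses the transaction ID out of a raw DNS query, then scores a window of observed (transaction ID, UDP source port) pairs for the two weaknesses. The sample pairs and the raw query bytes are constructed; the `assess` function, its thresholds and the "effective bits" estimate are this example's own choices.

```python
"""Check observed DNS queries for predictable transaction IDs and static source ports.

Added example; the sample data below is constructed, not captured from a real resolver.
"""
import math
import random
import struct


def parse_query(payload: bytes):
    """Return (transaction_id, question_name) from a raw DNS query payload.

    Only the 12-byte header and the first question name are parsed; that is
    all a TXID-predictability check needs.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, _flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # a plain query name carries no compression pointers
            raise ValueError("unexpected label pointer in question name")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    return txid, ".".join(labels)


def txid_predictability(txids):
    """Fraction of queries whose TXID is exactly the previous TXID + 1 (mod 2^16)."""
    if len(txids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(txids, txids[1:]) if (a + 1) & 0xFFFF == b)
    return hits / (len(txids) - 1)


def assess(samples, seq_threshold=0.9):
    """Score a window of (txid, udp_source_port) pairs observed from one resolver.

    'effective_bits' is a rough lower bound on the guessing space an off-path
    attacker faces, derived only from what was observed: 16 bits for a TXID
    that is not counting, log2(distinct ports) for the port, 0 for either when
    the pattern from the paper is present.
    """
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    predictability = txid_predictability(txids)
    distinct_ports = len(set(ports))
    findings = []
    if predictability >= seq_threshold:
        findings.append("sequential transaction ID")
    if distinct_ports == 1:
        findings.append("static UDP source port")
    txid_bits = 0 if predictability >= seq_threshold else 16
    port_bits = 0 if distinct_ports == 1 else math.log2(distinct_ports)
    return {
        "txid_predictability": predictability,
        "distinct_ports": distinct_ports,
        "effective_bits": round(txid_bits + port_bits, 1),
        "findings": findings,
    }


# Constructed sample 1: the behaviour described in the paper. TXID counts
# 1, 2, 3, ... and the source port never changes for the whole session.
WEAK_RESOLVER = [(i, 32768) for i in range(1, 21)]

# Constructed sample 2: a resolver that randomises both fields. A fixed seed
# keeps the sample reproducible; it is not a claim about any real product.
_rng = random.Random(2008)
GOOD_RESOLVER = [(_rng.randrange(0, 65536), _rng.randrange(1024, 65536)) for _ in range(20)]

# Constructed raw query: TXID 0x1234, standard query, one question for example.com A/IN.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
)

if __name__ == "__main__":
    print("parsed query:", parse_query(SAMPLE_QUERY))
    print("weak resolver:", assess(WEAK_RESOLVER))
    print("good resolver:", assess(GOOD_RESOLVER))
```

Feed `assess` the pairs recorded at an egress capture point, per resolver, over a short window; a 'sequential transaction ID' or 'static UDP source port' finding on a production resolver is the signal that the 2008 patches (or a vendor-specific port-randomisation setting) have not taken effect there.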
Like they say, "what is old is new, what is new is old".
Marcus H. Sachs
Director, SANS Internet Storm Center
Comments
Tyler Reguly
Jul 9th 2008
1 decade ago
"It is not feasible to think that the world's DNS vendors would have patched and announced in unison for no reason."
By day's end, Kaminsky had even turned his most vocal critic, Matasano's Ptacek, who issued a retraction on this blog after Kaminsky explained the details of his research over the telephone. "He has the goods," Ptacek said afterward. While the attack builds on previous DNS research, it makes cache poisoning attacks extremely easy to pull off. "He's pretty much taken it to point and click to an extent that we didn't see coming."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108518&source=rss_topic82
Sherman Hand
Jul 10th 2008
1 decade ago