A recently found flaw in the internet's addressing system is worse than first feared, says the man who found it. Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas.
He said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.
"Every network is at risk," he said. "That's what this flaw has shown."
Earlier stories
DNS Flaw: First Attacks Reported [webmasterworld.com]
We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in. "Yet when it comes to computer safety we forget to look both ways before crossing the internet highway."
It concerns me when I see major hitters like this (Verisign) bickering over whether or not it is a "doom or gloom" scenario. Tell that to the person that falls prey to an attack. Surely doom and gloom for them.
Apparently VeriSign isn't at risk...
But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was "not vulnerable".
Time to go buy a $1,500 SSL...
I'm really surprised that neither of these two topics on the DNS Flaws have gotten any traction. I think people are just oblivious to the facts. They don't care. It's their host's problem, not theirs. I understand that. Some people "may" want to change hosts. :)
I guess we're all waiting for the "BIG BANG"? Not me...
Same thing happened with the previous thread referenced. Do I really stop threads in their tracks like that? I was the last to reply in both of these. Okay, I'll stay away. :(
DNS Flaw: First Attacks Reported
[webmasterworld.com...]
Seems I am vulnerable (showed up yellow, but not red like some other sites I tested).
What does one have to do to fix this?
The DNS Report is still worth the look. You get much more than the above. There are other FAILs and WARNs to be concerned with. The Open DNS Relay is just one of them, the biggest I think.
All you need to do is run it once. If there are no FAILs and no WARNs, congratulations. You've at least got a certain level of security in place. There may be one or two WARNs present, read the details and you'll know if you can bypass it. Same Class C is a common WARN.
It doesn't stop there though. You want to make sure you've got everything locked down these days. < Heh, I'm paranoid.
FAIL
Recursive Queries (Already knew this from the IANA test)
Warn
Different subnets - WARNING: Not all of your nameservers are in different subnets
Different autonomous systems - WARNING: Single point of failure
...the 2 warns have nothing to do with this recursive DNS?
Any ideas on solutions? I got none...which is maybe why so many people are staying mum. What good does it do us to discuss a problem we cannot correct; hell, it's so far above my head I get dizzy trying to figure out the implications, let alone resolutions!
I can't believe I haven't seen a post regarding 11 hackers having charges filed against them by the U.S. Attorney General for stealing credit card information from 40,000,000 accounts...now that's a problem I understand!
Just as I thought I was safe... I was able to disable recursion and get the green bar on the IANA site.
Tutorial for anyone that's as confused as I was: [webhostgear.com...]
There are a lot of best practices that can be followed with DNS... trouble is around half the planet still runs their DNS as open relay sites (just kinda asking for cache poisoning problems).
It comes down to are you (or is your DNS service provider) responsive to implementing best practices and staying on top of DNS and other core infrastructure patches, fixes and updates?
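The "recursive queries" FAIL and the "green bar" in the posts above both come down to one question: does the nameserver answer recursive queries for anyone who asks? The following is an added example (not code from this thread, the linked tutorial, or the DNS Report service) that builds a plain DNS query with the RD bit set, reads the RA bit and RCODE from the response header, and reports whether recursion was offered. It uses only the Python 3 standard library; the server address, the queried name and the response bytes used in the comments are constructed for illustration.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000  # set on responses
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_REFUSED = 5


def build_query(name, qtype=1, txid=None):
    """Return a minimal DNS query (class IN) for `name` with RD set.

    `txid` defaults to a random 16-bit transaction id; callers keep it to
    match the response against the query they sent.
    """
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # id, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(message):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def recursion_offered(response, expected_id):
    """True if the server both advertises RA and did not refuse the query.

    A REFUSED answer means the query was not served for this client even
    when the RA flag happens to be set, so it counts as "not offered".
    """
    h = parse_header(response)
    if h["id"] != expected_id:
        raise ValueError("transaction id mismatch: not the reply to our query")
    return h["qr"] and h["ra"] and h["rcode"] != RCODE_REFUSED


def probe(server, name="example.com", port=53, timeout=3.0):
    """Send one recursive query to `server` over UDP and report the result.

    `server` is assumed to be one of your own authoritative nameservers;
    an authoritative-only server should return False here.
    """
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(512)
    return recursion_offered(data, txid)


if __name__ == "__main__":
    import sys
    # Usage: python dnsrecursion.py 192.0.2.53   (192.0.2.53 is a documentation address)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    try:
        print(target, "offers recursion:", probe(target))
    except (OSError, ValueError) as exc:
        print(target, "no usable reply:", exc)
```

Run it against each of your own nameservers; a result of True on an authoritative server is the same condition the DNS Report flags as an open recursive resolver, and the fix is the one the tutorial describes (disable recursion, or restrict it to your own networks).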
Can you fix the problem? Based on HugeNerd's reporting of Mr. Kaminsky's remarks (presuming that gloomy view is correct), you can minimally mitigate the problem by installing software that at least attempts to address the issue du jour.
Certainly it seems better to do that than leave existing known problematic and flawed software in place.
FWIW, you probably should also be on the lookout for a new round of SQL injection attempts which seem to be on the rise recently (apparently mostly impacting sites running old .js versions who did not patch, fix or upgrade their software).
-Commerce