Playing Mega-Millions DNS Style!!!
Last summer Dan Kaminsky got everybody all a-tingle over an ever-so-simple vulnerability in DNS. Mad props to him for figuring it out, of course. But a big kabong in the head for the rest of us for not seeing it earlier. DNS is over 25 years old and is core to the functioning of the Internet. The fact that something so obvious made it so long without getting discovered is a lesson for us all. You can read about the Kaminsky vulnerability here (http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky). Wired magazine, despite being way more liberal than I can usually stomach, does a good job on articles like this. Good back story, etc. Anyway, it’s worth the read.
If you want to know more detail about the vulnerability I suggest you give a serious 20 minutes to Steve Friedl’s description of the Kaminsky DNS vulnerability. Steve does a really good job of breaking things down so I’m not going to repeat what he already said so well. Go check out his schtick. Seriously. Go. Read it.
The current solution to the problem is termed by most to be temporary. It takes the chances of successfully executing the attack from 1 in 65,535 to a much longer 1 in 161 million. I’m calculating this number by multiplying the number of possible source ports (65,535-1,025) by the number of random ports chosen by a patched Microsoft DNS server (2,500). 64,510*2,500=161,275,000. This means that there is a 1 in 161 million chance that someone will be able to poison the cache using Kaminsky’s technique. The real problem is not yet fixed. The solution merely lengthened the odds against someone actually succeeding.
And I almost agree. A 1 in 161 million chance is a big-time long shot. But the odds of winning the Mega Millions Jackpot are 1 in 175 million. That means you have a slightly better chance of winning the Kaminsky DNS poisoning lottery than of retiring after picking all five numbers plus the powerball. What gets me is this: Someone wins the lottery every week or so (sometimes a bit longer). The fact that someone has to win means that people still play. Motivated attackers know this. If they play long enough they still have a chance to win. And play, I suspect, they will. After all, it’s not costing them a buck a pop to do so. And, oh my, what a payday!
While the solution is simple and reasonably effective, it seems to have no capacity to be a long-term solution (which has already been admitted over and over. DNSSEC anyone?). It also seems that we need to limit the number of times someone gets to play. Enter Intrusion Prevention Systems and shunning.
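To put numbers on the "lottery" argument above, here is an added example (mine, not part of the original post) that takes the post's figures (64,510 usable source ports times 2,500 randomized ports) and works out how the per-guess odds turn into a cumulative chance over many guesses, and what a shunning threshold does to that. The guess rate and the shun threshold are constructed assumptions for illustration; the model treats each forged reply as an independent guess.

```python
import math

# Figures from the post: usable source ports and the number of random
# ports a patched Microsoft DNS server chooses from.
SOURCE_PORTS = 65535 - 1025   # 64,510
RANDOM_PORTS = 2500
TXID_SPACE = 65535            # the pre-patch 1-in-65,535 odds


def guess_space(ports=SOURCE_PORTS, random_ports=RANDOM_PORTS):
    """Size of the space a forged reply must hit, as computed in the post."""
    return ports * random_ports


def p_success_after(attempts, space):
    """Chance that at least one of `attempts` independent guesses hits.

    Each guess succeeds with probability 1/space, so the chance that all of
    them miss is (1 - 1/space) ** attempts.
    """
    p = 1.0 / space
    return 1.0 - (1.0 - p) ** attempts


def attempts_for(target_prob, space):
    """Guesses needed before the cumulative chance reaches target_prob."""
    p = 1.0 / space
    return math.ceil(math.log(1.0 - target_prob) / math.log(1.0 - p))


def days_at_rate(attempts, guesses_per_second):
    """Wall-clock days to make `attempts` guesses at an assumed rate."""
    return attempts / guesses_per_second / 86400.0


def max_success_per_source(shun_after, space):
    """Upper bound on one source's success chance if an IPS shuns it after
    `shun_after` unsolicited replies: it never gets more plays than that."""
    return min(1.0, shun_after / space)


if __name__ == "__main__":
    space = guess_space()
    print(f"guess space: {space:,} (post says 161,275,000)")
    for label, s in (("unpatched", TXID_SPACE), ("patched", space)):
        n50 = attempts_for(0.5, s)
        # 10,000 forged replies per second is a constructed figure.
        print(f"{label:9s}: {n50:>14,} guesses for a 50% chance "
              f"({days_at_rate(n50, 10_000):.2f} days at 10k/s)")
    # Constructed shun threshold: cut a source off after 100 bad replies.
    print(f"per-source cap with shun after 100: "
          f"{max_success_per_source(100, space):.2e}")
```

The point the numbers make is the one the post makes in prose: randomizing ports only lengthens the odds, and a patient attacker's cumulative chance keeps climbing with every guess, whereas shunning after a fixed number of unsolicited replies caps the chance per source regardless of how long they play.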
My lasting impression from this little lesson in security is that there is always something lurking under the covers. And it’s often hidden inside things we think we know and understand very well. How cool is this line of work? I love it.
Colin Weaver