[kwlug disc.] DNS security threat
Bob Jonkman
bjonkman at sobac.com
Wed Aug 13 18:28:10 EDT 2008
Just following up: Dan Kaminsky has posted his PowerPoint slides from
his Black Hat presentation:
http://www.doxpara.com/DMK_BO2K8.ppt
I've posted a text-only version for those who don't do PowerPoint...
http://sobac.com/temp/DMK_BO2K8-textonly.htm
I'm hoping that a video of the entire presentation will be available at
some point...
--Bob.
>>> 5 Aug 2008 2:00 Bob Jonkman <kwlug-disc at kwlug.org> >>>
> And that other record can be for the name server itself. In other
> words, not only can the exploit return a false answer for the request,
> it can set the name server to a compromised server for all subsequent
> queries.
>
> The patches randomize the request port. This doesn't fix the problem,
> but makes it more difficult to execute. There's some dependency on
> the speed of the connected DNS server as well -- the faster the
> connection, the more bogus requests an attacker can get in. This is
> one reason why this exploit is feasible today -- the timing with
> gigabit ethernet makes it possible; the timing with 10 Mbps ethernet
> (or dialup!) made it nearly impossible.
>
> Dan Kaminsky presents at Black Hat on Wednesday at 11:15 -0700 (PDT,
> Las Vegas time; 08:15 -0400 EDT, our time). I can find no live feed
> for this.
>
> http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kaminsky
>
> Kaminsky also participated in a panel on 24 July 2008; podcast at:
>
> https://www.blackhat.com/html/webinars/blackhat-webcast-2-july-08.mp3
>
>
> (I remember when the Black Hat conference was a back-room activity of
> DefCon -- when did Black Hat become the predominant conference?)
>
> --Bob.
>
>
> On 1 Aug 2008 at 16:39, Rashkae wrote:
>
> > For reasons that are a bit beyond my personal understanding, it's
> > part of the DNS standard that an Authoritative server can include
> > records for other hosts as part of its reply to a query. The real
> > flaw is in the protocol itself, and this patch is only a sloppy
> > band-aid.
> >
>
>
> -- -- -- --
> Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
> SOBAC Microcomputer Services Voice: +1-519-669-0388
> 6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
> Software --- Office & Business Automation --- Consulting
-- -- -- --
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Voice: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
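
The quoted message above says that randomizing the request port raises the difficulty without fixing the flaw, and that link speed decides how many bogus answers fit in before the real one. The sketch below is an added example, not part of the original post or of any DNS software; it puts rough numbers on both claims for a resolver operator. The 100-byte forged reply, the 50 ms answer window and the 64,000-port pool are assumptions chosen for illustration.

```python
import math

TXID_SPACE = 2 ** 16   # the DNS transaction ID is 16 bits
PORT_POOL = 64_000     # assumed number of source ports a patched resolver draws from

def forged_per_race(link_bps, window_ms, packet_bytes=100):
    """Forged replies that fit on the link before the genuine answer arrives."""
    return link_bps * window_ms // (1000 * packet_bytes * 8)

def race_win_probability(forged, search_space):
    """Chance that one race is lost by the resolver: every forged reply is a distinct guess."""
    return min(1.0, forged / search_space)

def races_for_confidence(p_race, confidence=0.5):
    """Independent races before cumulative spoofing success reaches `confidence`."""
    if p_race <= 0.0:
        return math.inf
    if p_race >= 1.0:
        return 1
    return math.ceil(math.log(1 - confidence) / math.log1p(-p_race))

def compare(window_ms=50):
    """Rows of (link, resolver mode, forged replies per race, p per race, races to 50%)."""
    rows = []
    for label, bps in (("10 Mbps", 10_000_000), ("1 Gbps", 1_000_000_000)):
        n = forged_per_race(bps, window_ms)
        for mode, space in (("fixed port", TXID_SPACE),
                            ("random port", TXID_SPACE * PORT_POOL)):
            p = race_win_probability(n, space)
            rows.append((label, mode, n, p, races_for_confidence(p)))
    return rows

if __name__ == "__main__":
    for label, mode, n, p, races in compare():
        print(f"{label:8} {mode:12} forged/race={n:6} p={p:.2e} races@50%={races}")
```

Under these assumptions port randomization multiplies the work by the size of the port pool but leaves the probability above zero, which is the sense in which the patch "doesn't fix the problem".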