[kwlug disc.] DNS security threat
Bob Jonkman
bjonkman at sobac.com
Tue Aug 26 18:05:09 EDT 2008
And now Dan Kaminsky's voice and the video of the slide presentation are online as well:
http://www.hackaday.com/2008/08/25/dan-kaminskys-dns-black-hat-video/
--Bob.
On 13 Aug 2008 at 17:28, Bob Jonkman wrote:
> Just following up: Dan Kaminsky has posted his PowerPoint slides from
> his Black Hat presentation:
>
> http://www.doxpara.com/DMK_BO2K8.ppt
>
>
> I've posted a text-only version for those who don't do PowerPoint...
>
> http://sobac.com/temp/DMK_BO2K8-textonly.htm
>
>
> I'm hoping that a video of the entire presentation will be available
> at some point...
>
> --Bob.
>
>
> >>> 5 Aug 2008 2:00 Bob Jonkman <kwlug-disc at kwlug.org> >>>
>
> > And that other record can be for the name server itself. In other
> > words, not only can the exploit return a false answer for the
> > request, it can set the name server to a compromised server for all
> > subsequent queries.
> >
> > The patches randomize the request port. This doesn't fix the
> > problem, but makes it more difficult to execute. There's some
> > dependency on the speed of the connected DNS server as well -- the
> > faster the connection, the more bogus requests an attacker can get
> > in. This is one reason why this exploit is feasible today -- the
> > timing with gigabit ethernet makes it possible; the timing with 10
> > Mbps ethernet (or dialup!) made it nearly impossible.
> >
> > Dan Kaminsky presents at Black Hat on Wednesday at 11:15 -0700 (PDT,
> > Las Vegas time; 08:15 -0400 EDT, our time). I can find no live feed
> > for this.
> >
> > http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kaminsky
> >
> > Kaminsky also participated in a panel on 24 July 2008; podcast at:
> >
> > https://www.blackhat.com/html/webinars/blackhat-webcast-2-july-08.mp3
> >
> >
> > (I remember when the Black Hat conference was a back-room activity
> > of DefCon -- when did Black Hat become the predominant conference?)
> >
> > --Bob.
> >
> >
> > On 1 Aug 2008 at 16:39, Rashkae wrote:
> >
> > > For reasons that are a bit beyond my personal understanding, it's
> > > part of the DNS standard that an Authoritative server can include
> > > records for other hosts as part of its reply to a query. The
> > > real flaw is in the protocol itself, and this patch is only a
> > > sloppy band-aid.
> > >
> >
> >
> > -- -- -- --
> > Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
> > SOBAC Microcomputer Services Voice: +1-519-669-0388
> > 6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
> > Software --- Office & Business Automation --- Consulting
> >
> >
> > _______________________________________________
> > KWLUG-Disc mailing list
> > KWLUG-Disc at kwlug.org
> > http://listserv.kwlug.org/mailman/listinfo/kwlug-disc
>
>
> -- -- -- --
> Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
> SOBAC Microcomputer Services Voice: +1-519-669-0388
> 6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
> Software --- Office & Business Automation --- Consulting
-- -- -- --
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Voice: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
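
The quoted 5 Aug message says the patches randomize the request port. The following is an added example, not part of the original thread, of how an administrator could check from captured outbound queries whether a resolver's source ports are actually unpredictable. The function names, thresholds, pool size and sample port lists are assumptions constructed for illustration.

```python
import math
from collections import Counter

def classify_source_ports(ports):
    """Classify UDP source ports seen on a resolver's outbound queries.

    Returns (verdict, entropy_bits). Entropy is the Shannon entropy of the
    sample, so with n observations it can never exceed log2(n).
    """
    if len(ports) < 8:
        raise ValueError("need at least 8 observed queries")
    n = len(ports)
    counts = Counter(ports)
    if len(counts) == 1:
        return "fixed", 0.0          # unpatched: every query leaves from one port
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Small positive steps between consecutive queries mean the next port
    # is predictable even though the ports differ.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if 0 < d <= 16)
    if small / len(deltas) >= 0.9:   # assumed threshold
        return "sequential", entropy
    spread = max(ports) - min(ports)
    if len(counts) / n >= 0.9 and spread >= 4096:  # assumed thresholds
        return "randomized", entropy
    return "weak", entropy

def guess_space_bits(verdict, port_pool=64512):
    """Bits a forged reply must match: the 16-bit DNS transaction ID,
    plus the source port when it is randomized over port_pool ports
    (pool size is an assumption: 65536 minus the first 1024)."""
    return 16 + (math.log2(port_pool) if verdict == "randomized" else 0)

# Constructed sample data, standing in for ports extracted from a capture.
FIXED = [32768] * 12
SEQUENTIAL = list(range(1025, 1037))
RANDOMIZED = [49211, 1893, 33754, 60122, 12007, 27431,
              5518, 41990, 58803, 20164, 36677, 9345]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)]:
        verdict, bits = classify_source_ports(sample)
        print(f"{name:10s} -> {verdict:10s} sample entropy {bits:.2f} bits, "
              f"guess space {guess_space_bits(verdict):.1f} bits")
```

A "fixed" or "sequential" verdict leaves only the 16-bit transaction ID to guess, which is the pre-patch situation the thread describes; "randomized" raises the guess space to roughly 32 bits without changing the protocol.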