By Joris Evers
Posted on ZDNet News: Aug 3, 2005 11:00:00 AM

Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.

In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning.

"That is almost 10 percent of the scanned DNS servers," Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. "If you are not auditing your DNS servers, please start," he said.

The motivation for a potential attack is money, according to the SANS Internet Storm Center, which tracks network threats. Attackers typically get paid for each spyware or adware program they manage to get installed on a person's PC.

How does DNS get poisoned?

There are a few steps to go through before a DNS server starts redirecting Web surfers to bogus sites.

Most people's PCs access a DNS server at an Internet service provider or within a company to map text-based Internet addresses to actual IP addresses. One DNS server can be used by thousands of Internet users.

For performance reasons, DNS servers cache the returned data, so that it takes less time to respond to the next request. When a DNS cache is poisoned, it affects all future lookups of the affected domain, for everyone who uses that particular DNS server.

To poison a DNS server:
• First, the target machine has to be tricked into querying a malicious DNS server set up by the attacker. This can be done, for example, by sending an e-mail message to a nonexistent user at the target ISP. Another way is to send an e-mail with an externally hosted image to an actual user.

• The target DNS server will then query the attacker's DNS server. In the DNS reply, the scammer includes extra data that will poison the victim's DNS cache. The extra information can be a malicious URL or even an entire domain space, such as .com.

• If the target DNS server is not configured properly, it will accept the new numerical IP listing and delete the proper entry.

• Once this has occurred, any queries sent to the DNS server for the affected URLs will be redirected to the replacement IP addresses set by the attacker. If a domain space is poisoned, all queries ending in that domain will be redirected.

Source: SANS Internet Storm Center, CNET News.com
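The sidebar above describes a reply whose extra records poison the cache; the standard defence is a "bailiwick" check, which discards any record the answering server is not entitled to speak for. The following is an added example written for this page (not code from the article, SANS, or any real resolver) that models that check in simplified form; the zone, record names and addresses are constructed.

```python
# Added example: a simplified bailiwick filter of the kind resolvers apply so
# that "extra data" in a reply cannot overwrite cached entries for other domains.
# All names, zones and addresses below are constructed for illustration.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it.

    Comparison is case-insensitive and label-aligned, so "notexample.com"
    is NOT under "example.com". The root zone ("") contains every name.
    """
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    if z == "":
        return True
    return n == z or n.endswith("." + z)


def filter_response(server_zone: str, response: dict) -> dict:
    """Keep only records inside the zone the answering server is authoritative for.

    `response` maps a section name ("answer", "authority", "additional") to a
    list of (owner, rtype, rdata) tuples, mirroring the sections of a DNS reply.
    Out-of-bailiwick records are returned under "dropped" instead of being cached.
    """
    kept, dropped = {}, []
    for section, records in response.items():
        kept[section] = []
        for rec in records:
            owner = rec[0]
            if in_bailiwick(owner, server_zone):
                kept[section].append(rec)
            else:
                dropped.append((section, rec))
    return {"kept": kept, "dropped": dropped}


# Constructed scenario: the victim resolver was lured into asking the attacker's
# server (authoritative for attacker.example) for "mail.attacker.example. A".
SERVER_ZONE = "attacker.example."
SAMPLE_RESPONSE = {
    "answer": [("mail.attacker.example.", "A", "198.51.100.7")],
    "authority": [("com.", "NS", "ns.attacker.example.")],      # claims all of .com
    "additional": [
        ("ns.attacker.example.", "A", "198.51.100.1"),           # legitimate glue
        ("www.bank.example.", "A", "203.0.113.5"),               # forged address
    ],
}


def check_sample() -> dict:
    """Run the filter over the constructed reply; the forged records are dropped."""
    return filter_response(SERVER_ZONE, SAMPLE_RESPONSE)
```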

Information lifted from victims, such as social security numbers and credit card data, can also be sold. Additionally, malicious software could be installed on a PC to hijack it and use it to relay spam.

The DNS servers in question are run by companies and Internet service providers to translate text-based Internet addresses into numeric IP addresses. The cache on each machine is used as a local store of data for Web addresses.

In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said.

As each DNS server can be in use by thousands of different computers looking up Internet addresses, the problem could affect millions of Web users, exposing them to a higher risk of phishing attack, identity theft and other cyberthreats.

The poisoned caches act like "forged street signs that you put up to get people to go in the wrong direction," said DNS inventor Paul Mockapetris, chairman and chief scientist at secure DNS provider Nominum. "There have been other vulnerabilities (in DNS) over the years, but this is the one that is out there now and one for which there is no fix. You should upgrade."

There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against.

BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said.

DNS cache poisoning is not new. In March, the attack method was used to redirect people who wanted to visit popular Web sites such as CNN.com and MSN.com to malicious sites that installed spyware, according to SANS.

"If my ISP was running BIND 8 in a forwarder configuration, I would claim that they were not protecting me the way they should be," Mockapetris said. "Running that configuration would be Internet malpractice."

The new threat--pharming
Kaminsky scanned the DNS servers in mid-July and has not yet identified which particular organizations have the potentially vulnerable DNS installations. However, he plans to start sending e-mails to the administrators of those systems, he said in an interview.

"I have a couple hundred thousand e-mails to send," he said. "This is the not-fun part of security. But we can't limit ourselves to the fun stuff. We have to protect our infrastructure."

The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming.

Poisoning a DNS cache isn't hard, said Petur Petursson, CEO of Icelandic DNS consultancy and software company Men & Mice. "It is very well doable, and it has been done recently," he said.

Awareness around DNS issues in general has grown in the past couple of years, Petursson said. Four years ago, Microsoft suffered a large Web site outage as a result of poor DNS configuration. The incident cast a spotlight on the Domain Name System as a potential problem.

"It is surprising that you still find tens of thousands or hundreds of thousands vulnerable servers out there," Petursson said.

Kaminsky's research should be a wake-up call for anyone managing a DNS server, particularly broadband Internet providers, Mockapetris said. Kaminsky said he doesn't intend to use his research to target vulnerable organizations. However, other, less well-intentioned people could run scans of their own and find attack targets, he cautioned.

"This technology is known to a certain set of the hacker community, and I suspect that knowledge will only get more widespread," Mockapetris said.
