Kaminsky (finally) provides DNS flaw details

In his first public comments since his Domain Name System (DNS) cache poisoning flaw was made public, Dan Kaminsky said in a conference call on Thursday he doesn't want to parse who said what when. He just wants everyone to understand that they must patch their systems now.

Speaking during the second pre-Black Hat security conference Webinar, Kaminsky, who's director of penetration testing for IOActive, provided the most information to date about the DNS flaw he found earlier this year but only disclosed in public on July 8. DNS is what translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component to the Internet. His announcement coincided with a massive, multivendor patch release. But he withheld details, hoping that most people would get their systems patched before the bad guys got a hold of it.

Kaminsky said the word is getting out about the patches, but there are still many systems that are vulnerable. From the period of July 8 through July 13, 86 percent of the people testing their system on his Web site were vulnerable. Today it's 52 percent. "Not perfect; not even good enough," he said. But "I'll take 52 any day of week and twice on Sunday."

He started off by saying that he was trying to find a way to do content distribution using DNS when realized the problem. "How much trouble are we in? A lot."

Of the public discussion from individuals within the security community, Kaminsky said Halvar Flake's speculation was the closest. For those who said they knew of flaws in DNS before today, Kaminsky said "you didn't know this one."

Kaminsky described the flaw he's been working on as containing three flaws; two have been known, but one was not. Security researchers always thought it was hard to poison DNS records. He said to think of the process as a race, with a good guy and bad guy each trying to get a secret number transaction ID. "You can get there first," he said, "but you can't cross finish line unless you have the secret number." The good guy will always have it, but the bad guy has a 1 in 65,000 chance of getting it because the transaction ID is based in part on the port number used.

One bug with DNS is that the bad guy can start the race anytime he wants. If he doesn't know the transaction number, he can always guess. Another fundamental flaw is that there will be multiple bad guys trying to guess the transaction number. The flaw Kaminsky found that builds on the first two is that not only can multiple bad guys participate in a single race, but there can also be multiple races. The example he gave was www.blackhat.com. A bad guy shouldn't just try to guess the transaction ID for that address, but also for 1.blackhat.com, 2.blackhat.com, etc.

Everyone thought, he said, if "one sets a long time to live (TTL), say, for one year, that would work." But Kaminsky found that going to look up 1.blackhat.com, 2.blackhat.com, etc, he can find the name server and then guess the transaction ID. Kaminsky said the process of getting a response is about 10 seconds.

"Patch is the way to go; it shuts down the attack vector," said Jerry Dixon, former director of National Cyber Security Division of DHS. This was echoed by Rich Mogul of Securosis, and by Joao Damas, a senior program manager at the Internet Systems Consortium.

Kaminsky said the current patch has made exploits thousands of times harder--one in several hundred million, "not infinity." The bug is core to the design; it's fundamental to the design."

What have we learned? "We learned what needs to be done to fix the Net in the future. I await the security community's judgment on what we've done."

As for the long-term "Where do we go from here?" Kaminsky said there's going to be an awesome debate about that.

On August 6, Kaminsky will present "End of Cache as we know it" at Black Hat in Las Vegas.