Author: Robert Lemos
A domain-name system (DNS) researcher proposed on Wednesday that the addition of a single character to the popular BIND name server software could severely limit cache poisoning attacks, such as those described by researcher Dan Kaminsky.
By changing a ‘<’ to ‘<=’ in a trust check in the Berkeley Internet Name Domain (BIND) server software, the patch would prevent a previously unknown server from poisoning the cache, unless the time to live (TTL) — a limit on the age of a name server entry — had expired. The suggestion, made by computer scientist Gabriel Somlo, would make exploitation of name server caches more difficult.
However, the “one-character patch” also has some serious side effects, Dan Kaminsky, director of penetration testing for IOActive, said in an e-mail interview with SecurityFocus. Some major hosts have no TTLs or very low TTLs and, for those servers, you gain very little, he said. Other hosts have very high TTLs, he added.
“If we can’t override them — can’t override high TTLs — those sites go down for a very long time,” Kaminsky said. “You don’t get to fix DNS by breaking it. People will just not deploy your patch.”
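A simplified model of the comparison at issue, added here as an illustration and not taken from BIND's source: the struct, the integer trust scale and the function names are assumptions. It shows why the one-character change refuses an equally trusted replacement until the TTL runs out, which is also the side effect Kaminsky describes for records with high TTLs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified cache entry; not BIND's data structure. */
struct cache_entry {
    int  trust;      /* assumed scale: higher means a more credible source */
    long expires_at; /* absolute time (seconds) at which the TTL runs out */
};

/* Rule before the change, as the article describes it: an unexpired entry
 * is kept only when the incoming data is strictly less trusted ('<'). */
bool keep_cached_original(const struct cache_entry *e, int new_trust, long now)
{
    return now < e->expires_at && new_trust < e->trust;
}

/* Proposed rule: '<=' also keeps the entry against equally trusted data. */
bool keep_cached_patched(const struct cache_entry *e, int new_trust, long now)
{
    return now < e->expires_at && new_trust <= e->trust;
}

/* Seconds for which an equally trusted update is refused under the
 * patched rule: the remaining TTL, or 0 once the entry has expired. */
long seconds_update_blocked(const struct cache_entry *e, long now)
{
    return now < e->expires_at ? e->expires_at - now : 0;
}

int main(void)
{
    /* Constructed sample values: one long-lived and one short-lived record. */
    struct cache_entry high_ttl = { 3, 86400 };
    struct cache_entry low_ttl  = { 3, 30 };
    long now = 0;

    printf("equal trust, original rule keeps cache: %d\n",
           keep_cached_original(&high_ttl, 3, now));
    printf("equal trust, patched rule keeps cache:  %d\n",
           keep_cached_patched(&high_ttl, 3, now));
    printf("high-TTL record frozen for %ld s, low-TTL record for %ld s\n",
           seconds_update_blocked(&high_ttl, now),
           seconds_update_blocked(&low_ttl, now));
    return 0;
}
```

In this model the protection and the outage window are the same number: the remaining TTL of the cached record.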
In July, an alliance of software makers and infrastructure providers revealed the existence of a major flaw — found by Kaminsky — in the domain-name system (DNS). The flaw could allow an attacker to redirect victims from trusted Web sites, such as those of banks, to fake sites. One researcher’s theorizing on the nature of the flaw led to most of the details of the issue leaking out less than two weeks later. Last week, the White House sent out a memo to the chief information officers at major agencies, mandating that they move to a complex security solution, known as DNS Security (DNSSEC), by December 2009.
Somlo’s “one-character patch” has received some attention — most notably from an uncritical Slashdot post. Yet, the computer scientist had merely proposed the change on a mailing list for BIND users, asking for feedback. Somlo could not immediately be contacted by SecurityFocus.
“I never claimed my one-character patch would fix all bugs in bind (sic) — I don’t have that kind of power,” Somlo joked on the mailing list.
2 September 2008