
Discussion of Major flaw in DNS

A lecture on this summer's hottest vulnerability.

A presentation by ParIT Member Mark Jenkins.
Monday, August 11, 2008
6:30pm - 8:30pm
University of Manitoba (Fort Garry Campus)
E2-461 EITC (Engineering and Information Technology Complex)

The largest multi-vendor patch in computer history was released on July 8, 2008, to fix a serious flaw in the domain name system (DNS) that leads to cache poisoning. This was discovered by Dan Kaminsky. He realized that a spoofed DNS response with a correct transaction ID could be easily generated by inducing resolvers to query a large number of fake subdomains of a target domain. This is made easier by the so-called "birthday paradox", and the small number of bits (16) in the transaction ID. The spoofed response can also contain additional resource records related to the target domain, and most name server implementations will accept these. I will review the internet protocol (IP) and internet routing to explain why spoofed responses are possible, explain and demonstrate the attack (on an offline, simulated system), briefly review the relevant mathematics and probability theory of the birthday paradox, discuss the fix released by vendors, and discuss the effectiveness of alternative mitigations that limit the level of trust given to additional resource records.
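
The arithmetic behind the abstract's remarks on the 16-bit transaction ID and the birthday paradox, as an added Python example that is not part of the talk or its materials. The model (distinct random identifiers, independent races), the function names, and the 16 extra bits for a randomized UDP source port, the approach the July 2008 patches took, are assumptions.

```python
import math

TXID_BITS = 16  # size of the DNS transaction ID, as stated in the abstract
PORT_BITS = 16  # assumption: upper bound on entropy from a random UDP source port


def race_success(forged: int, outstanding: int = 1, bits: int = TXID_BITS) -> float:
    """P(some forged reply matches an in-flight query) in one race.

    Assumed model: `outstanding` queries with distinct random identifiers,
    `forged` replies with distinct guesses, all arriving before the real answer.
    """
    space = 2 ** bits
    if forged + outstanding > space:
        return 1.0  # pigeonhole: at least one guess must collide
    # P(no match) = prod over i < outstanding of (1 - forged / (space - i))
    log_miss = sum(math.log1p(-forged / (space - i)) for i in range(outstanding))
    return -math.expm1(log_miss)


def campaign_success(races: int, forged: int, outstanding: int = 1,
                     bits: int = TXID_BITS) -> float:
    """P(at least one of `races` independent races is won)."""
    p = race_success(forged, outstanding, bits)
    if p >= 1.0:
        return 1.0
    return -math.expm1(races * math.log1p(-p))


def races_for(target: float, forged: int, outstanding: int = 1,
              bits: int = TXID_BITS) -> int:
    """Smallest number of races that reaches `target` overall probability."""
    p = race_success(forged, outstanding, bits)
    if p >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-p))


if __name__ == "__main__":
    # Constructed parameters: 100 forged replies per race.
    for label, bits in (("TXID only", TXID_BITS), ("TXID + port", TXID_BITS + PORT_BITS)):
        print(f"{label:12} one race: {race_success(100, bits=bits):.2e}  "
              f"races for 50%: {races_for(0.5, 100, bits=bits):,}")
    # Birthday effect: many in-flight queries raise the odds of any single match.
    print(f"birthday, 200 in flight vs 200 forged: {race_success(200, 200):.3f}")
```

Each fake subdomain forces a fresh race, so the per-race odds compound; widening the identifier space is what pushes the required number of races out of practical reach.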

Open Document Presentation file
PDF file
Presentation source files