More than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 6, 2008

4 Min Read

At the Black Hat conference in Las Vegas on Wednesday, attendees occupied every available seat and most of the floor space to hear security researcher Dan Kaminsky finally explain the Domain Name System (DNS) vulnerability that has been the talk of the Internet security community since early July.

"There are a lot of people out there," Kaminsky began as he scanned the audience. "Holy cr**!"

On Tuesday, July 8, Kaminsky and more than 80 technology vendors launched an unprecedented campaign to fix a flaw in widely distributed DNS software that could allow a form of attack called DNS cache poisoning.

The attack could be used to send Internet users to malicious sites or hijack e-mail.

To characterize the seriousness of the flaw, Kaminsky quoted security researcher Brad Hill's assessment: "Remember how pissed you were when you found out that the NSA had rooms where they could read everything? That's every kid right now."

As Kaminsky explained during his presentation, DNS is basically the Internet's version of 411. So being able to alter the associations between domain names and IP addresses allows malicious attackers to control where online information gets routed.

"Everything breaks when DNS breaks," said Kaminsky.

Following his July 8 announcement, Kaminsky said that he planned to reveal details about the vulnerability at the Black Hat conference on Wednesday, Aug. 6, and he encouraged security researchers to refrain from speculating about the withheld details, to give those with vulnerable systems time to patch.

But on Monday, July 21, security researcher Halvar Flake posted his guess about how the DNS vulnerability worked on his blog. Then a security researcher at Matasano Security corrected some of the details in his own blog post. That prompted US CERT to warn that technical details about the DNS vulnerability had been released and to urge Internet users to patch vulnerable systems immediately.

Upon learning about the disclosure, Kaminsky in a blog post responded, "Patch. Today. Now. Yes, stay late."

What wasn't revealed until today was that another security researcher, Pieter de Boer, found the bug only 51 hours after Kaminsky's initial announcement. As it turns out, there are at least 15 known ways to run this attack and, Kaminsky suggested, perhaps 20 more undiscovered ways. So Kaminsky's effort to keep the flaw secret to buy time, derided by some, now looks even wiser.

The security community's commitment to fix the DNS bug appears to be working. On July 8 and 9, 85% of the unique name servers submitting to a self-test on Kaminsky's blog were vulnerable. As of July 25, that number had dropped to just over 50%.

During his presentation, Kaminsky revealed that 70% of the Fortune 500 have patched, 15% have tried to patch but had issues with NAT (Network Address Translation), and 15% haven't done anything.

"We did kinda good here," said Kaminsky.

At a news conference after his presentation, Kaminsky said the response went far beyond what he had expected. Nonetheless, there's still work to do.

Cybe criminals, meanwhile, have started exploiting the DNS vulnerability. Late last month, according to security researcher HD Moore, an AT&T Internet Services DNS cache server was altered to replace the cached entry for with a Web page that served advertisements using an iframe. Though the server has since been fixed and the attack wasn't particularly malicious, it's clear that concern about Kaminsky's DNS flaw is warranted.

At the news conference, Kaminsky said that there have probably been far more such incidents. But he said that those affected tend not to want to say anything.

"We need to stop assuming the network is as friendly as it is," said Kaminsky. "...Every network is a hostile network."

Kaminsky said if there was one thing he could ask for, it would be securing e-mail. "E-mail has the highest sensitive-information-to-total-lack-of-encryption ratio to anything else that we use," said Kaminsky. "If there's one change that I ask for, can we start looking into securing e-mail between companies? ... We are just addicted to sending sensitive information across the Internet insecurely."

The slides from Kaminsky's presentation, which explain the technical aspects of the DNS attack, are now available on his Web site,

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights