DNS Exploit Means Quick Patches Are Critical
IOActive researcher Dan Kaminsky discovered the bug earlier this month. The attack code was released Wednesday by developers of the Metasploit hacking toolkit, headed by the infamous HD Moore.
By exploiting this vulnerability, an attacker can redirect an ISP's users to a malicious phishing server every time they try to visit a legitimate Web site. The patches released by the various vendors should protect against the threat, but for some organizations applying them will be a rush.
Understanding the Root of the Threat
The threat emerges from two separate issues with the DNS protocol, according to McAfee Avert Labs. DNS primarily uses UDP packets to send questions and receive answers. The client will accept any packet as an answer to its question on three conditions: the packet appears to come from the DNS server; the packet's source and destination ports match the destination and source ports of the question packet; and, most importantly, its transaction ID and question match those of the question.
"An attacker can spoof such an answer packet as long as he can pretend to be the DNS server and also guess the source port and transaction ID (the destination port is usually 53)," said Ravi Balupari, a security researcher at McAfee Avert Labs. "The attacker also needs to make sure his spoofed answer packet reaches the client before the actual answer packet from the legitimate DNS server."
Complicating matters, when a DNS server replies to a question, it can also include additional records in the answer so that future lookups can be served more efficiently. Combining a spoofed answer packet with this additional information is what makes the story interesting, because it makes exploitation considerably easier.
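To make the three acceptance conditions concrete, here is an added example (not code from the article or from McAfee) that builds a minimal DNS query, parses the header and question section, and applies exactly those checks to an incoming UDP packet. The addresses, ports and transaction ID are constructed; the point is that a forged answer is indistinguishable from the real one once the source port and transaction ID are both guessed.

```python
import struct

# Added example: minimal DNS packet builder/parser plus the answer-acceptance
# check described in the article. All addresses and IDs below are constructed.

def build_packet(txid, flags, name, qtype=1):
    """Header (ID, flags, QDCOUNT=1, other counts 0) followed by one IN question."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_id_flags_question(pkt):
    """Return (txid, flags, raw question section) from a DNS packet."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    i = 12
    while pkt[i] != 0:            # walk the length-prefixed labels
        i += pkt[i] + 1
    i += 1 + 4                    # root label, then QTYPE and QCLASS
    return txid, flags, pkt[12:i]

def answer_accepted(pending, reply):
    """pending/reply: dicts with src, sport, dst, dport, data (the UDP view).
    The three conditions from the article: the reply comes from the server the
    question went to, the ports are mirrored, and the transaction ID and
    question match the outstanding question."""
    if reply["src"] != pending["dst"]:
        return False
    if reply["sport"] != pending["dport"] or reply["dport"] != pending["sport"]:
        return False
    q_id, _, q_question = parse_id_flags_question(pending["data"])
    r_id, r_flags, r_question = parse_id_flags_question(reply["data"])
    if not r_flags & 0x8000:      # QR bit must be set on an answer
        return False
    return q_id == r_id and q_question == r_question

# Constructed traffic: a client at 10.0.0.2 asks 192.0.2.53 about www.example.com.
PENDING = {"src": "10.0.0.2", "sport": 40000, "dst": "192.0.2.53", "dport": 53,
           "data": build_packet(0x1234, 0x0100, "www.example.com")}

def forged_reply(guessed_id, guessed_port):
    """A reply claiming to be from the server; it passes the checks above only
    when both the transaction ID and the client's source port were guessed."""
    return {"src": "192.0.2.53", "sport": 53, "dst": "10.0.0.2",
            "dport": guessed_port,
            "data": build_packet(guessed_id, 0x8180, "www.example.com")}
```

Because the checks never inspect the answer records themselves, a resolver that keeps its source port fixed leaves only the 16-bit transaction ID as the unknown, which is why the vendor patches matter.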
In...