AOH :: ISNQ4959.HTM

RE: DNS attack could signal Phishing 2.0




RE: DNS attack could signal Phishing 2.0
RE: DNS attack could signal Phishing 2.0



Forwarded from: Paul Hoffman 

At 12:14 AM -0600 12/17/07, InfoSec News wrote:
> > Please read the comments on this article over at CircleID, where it 
> > is pointed out that the data does not support any difficulties with 
> > open recursive DNS servers, but rather with misconfigured DNS 
> > servers. Both David A. Ulevitch and Brett Watson make the points far 
> > better than I could.
> > 
> > http://www.circleid.com/posts/malicious_open_recursive_dns_servers/ 
> > 
> > The authors of this report would have done themselves a favor, had 
> > they listened to their reviewers
> 
> I agree that it would make sense to point out that while DNSSEC ( 
> http://www.dnssec.net ) will help, upgrading from Bind 4 might also 
> help out a bit..

DNSSEC will not help unless the users' systems are configured to reject 
unsigned responses and responses whose signature will not validate. It 
will take typical users about ten minutes to apply the "just click 
through the security warnings" lesson from SSL to these warnings, 
thereby making DNSSEC useless to everyone except the people who are 
already security conscious. No panacea here.

> Still, it doesn't take many servers to create either DNS Poisoning or 
> massive DDoS's via DNS amplification attacks

You have conflated two completely different DNS problems into one, 
thereby falling for Mice and Men's scare tactics. To fix DNS poisoning 
attacks, we need to get the resolvers running the broken code to update 
their code. *None* of the people running those resolvers want to be 
running bad code; it doesn't serve them at all. They can be identified 
and, with a bit of creativity, contacted by email and phone. A round of 
"shaming the lame" could probalby reduce the number of such servers by 
90%.

In order to reduce the possibility of DNS amplification attacks, you 
need to turn off nearly every open DNS resolver. This is essentially 
impossible because there are plenty of good reasons for DNS 
administrators to want their resolvers to be open. Closing open 
resolvers means that mobile users cannot use their home DNS servers and 
are at the whim of whatever local DNS server they are forced to attach 
to. This can and will change over time as PCs allow users to easily use 
passwords to get their DNS resolution services, but for now (and 
probably at least ten years), they're stuck.

As the original message said, read the comments on the original article 
from people who have actually researched this topic. Knee-jerk reactions 
are common (as we have seen in the debate on this topic in the IETF for 
the past few months) but not helpful in actually getting the DNS to be 
secure in the long run.

--Paul Hoffman, Director
--VPN Consortium


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/ 

Site design & layout copyright © 1986-2014 CodeGods