By Dan Goodin in San Francisco
21st July 2008
Two weeks ago, when security researcher Dan Kaminsky announced a
devastating flaw in the internet's address lookup system, he took the
unusual step of admonishing his peers not to publicly speculate on the
specifics. The concern, he said, was that online discussions about how
the vulnerability worked could teach black hat hackers how to exploit it
before overlords of the domain name system had a chance to fix it.
That hasn't stopped researcher Halvar Flake from posting a hypothesis
 that several researchers say is highly plausible. It describes a
simple method for tampering with DNS name servers that get queried when
a user tries to visit a specific website. As a result, attackers would
redirect someone trying to visit a site such as bankofamerica.com to an
impostor site that steals their credentials.
The recipe calls for the attacker to flood a DNS server with multiple
requests for domain names, for instance www.ulam00001.com,
www.ulam00002.com and so on. Since the name server hasn't seen these
requests before, it queries a root server for the name server that
handles lookups for domains ending in .com. The attacker then uses the
information to send fraudulent lookup information to the DNS server and
make it appear as if it came from the authoritative .com name server.
With enough requests, eventually one of the spoofed requests will match
and the IP address for a requested domain will be falsified.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com