Dissecting DNS Attack Scenarios

This is the most rational, well thought out and emotionless analysis of the DNS vulnerability I have read (here) – kudos to Peter Tippett and Russ Cooper from Verizon for using the Art of Security (here) and drop kicking the FUD back to where it belongs, a 1950s Roger Corman B-Movie.

Summary:

At the end of the day, there are new attack scenarios that may be attractive for whatever reason, but they are a far cry from the earth-shattering tales being suggested by many in the press today.

None of this discussion is to suggest that a new and simple DNS-related attack should be ignored. Indeed, we recommend that every administrator of DNS systems both in companies and at hosting providers and other service providers should: 1) have ready standby systems both for testing and for at least cold-swappable implementation, 2) that appropriate software upgrades be applied after testing and 4) that other countermeasures both at the DNS level and at other levels suggested by this discussion be deployed. Although patching is important, administrators should certainly use many of the numerous other configurations, authentication, cache sizing, and other countermeasures available both within their DNS systems and elsewhere.

Of course, we have considered a number of other scenarios which we have not published here. None represent dire consequences for the Internet. All have some or many of the same limitations described above. Some are more and some are less onerous, but by and large, do not get much more effective when cache poisoning is involved.

3 thoughts on “Dissecting DNS Attack Scenarios”

  1. Pingback: Amerit Williams: DNS Attack Scrutiny

  2. I am truly amazed by the amount of chaos this vulnerability caused – experts spoke out, hackers played media stars for a while, a conference was practically dedicated to the vulnerability…
    And yet, what it boils down to is again – systematic and planned countermeasures – none of which are spectacular or new.
    To me, the entire chaos is not so much an indicator of the danger that this vulnerability brings, but more to the simple laziness of the network and system admins to have these countermeasures, or the lack of planned defence measures.
    If all these admins were scared by the high media profile of the DNS vulnerability and have taken only firefighting countermeasures, the next vulnerability will find them with their pants down – again

    Bozidar Spirovski
    http://www.shortinfosec.net

  3. @Bozidar

    Right there with you bro, amazing that in 2008 we are in the same place we were in 1998…if IT were firefighting the entire world would be in flames.
