DNS

Well my friends the end is near, no more internet porn, no free downloading of pirated movies or music, and for me personally the most devastating will be the loss of LOLCatz. Recent highly public vulnerabilities against the core routing infrastructure of the Internet, such as the DNS or BGP vulnerabilities, highlight what some already knew – we have built an industry on an inherently weak foundation and these are clearly the first signs of the apocalypse.

The eventual end was prophesied in the 16th century by Nostradamus in his 15th quatrain

At the great battle of Armageddon
Shall join the crusade through packets attached among the Internets
The pertanious army of God against the army of the evil Serpent
The Dragon shall be loosened on October third in the year two-thousand and twelve

And written in the book of Revelations 9:13-17

13 And the sixth security researcher disclosed, and we heard a voice from the four horns of defcon, twitter, blogs, and the media which is before the Internets

14 Saying to the sixth security researcher which had disclosed irresponsibly, Loose the four exploits which had been bound in the great vulnerability disclosure debate

15 And the four exploits were loosed, which were prepared for an hour, and a day, and a month, and a year, for to slay the whole of the Internets

16 And the number of the army of the exploiters were twenty six hundred: and I heard the number of them

17 And thus I saw the exploits in the vision, and them that executed them, having code of buffer overflows, and of impersonation, and redirection: and the heads of the exploiters were green as the land; and out of their mouths issued forth demon tongues that spat an indistinguishable language of number and letters – urtehsuk!

It is far more likely that nothing will happen and by 2012 we will deploy converged technologies that allow one to bank online, listen to Britney’s daughters new album “Freaknut”, write their blog, program their HVAC, and toast a bagel from their wirst watch, of course some 15 year old Chinese kid with acne, an anti-social disposition and advanced computer skills will now be able to burn toast from across the world.

This is the most rational, well thought out and emotionless analysis of the DNS vulnerability I have read (here) – kudos to Peter Tippet and Russ Cooper from Verizon for using the Art of Security (here) and drop kicking the FUD back to where it belongs, a 1950’s Roger Corman B-Movie.

Summary:

At the end of the day, there are new attack scenarios that may be attractive for whatever reason, but they are a far cry from the earth-shattering tales being suggested by many in the press today.

None of this discussion is to suggest that a new and simple DNS-related attack should be ignored. Indeed, we recommend that every administrator of DNS systems both in companies and at hosting providers and other service providers should: 1) have ready standby systems both for testing and for at least cold-swappable implementation, 2) that appropriate software upgrades be applied after testing and 4) that other countermeasures both at the DNS level and at other levels suggested by this discussion be deployed. Although patching is important, administrators should certainly use many of the numerous other configurations, authentication, cache sizing, and other countermeasures available both within their DNS systems and elsewhere.

Of course, we have considered a number of other scenarios which we have not published here. None represent dire consequences for the Internet. All have some or many of the same limitations described above. Some are more and some are less onerous, but by and large, do not get much more effective when cache poisoning is involved.