From the “I told you so” files:
A month ago Dan Kaminsky revealed to the world that there was a serious flaw in DNS, and nearly every DNS vendor had patches available right away. The patches never claimed to eliminate the flaw. What they do is randomize the source port of the resolver's outgoing queries, so that an attacker has to guess the port as well as the 16-bit transaction ID; that makes cache poisoning far harder, not impossible.
So I was a little surprised today to get an email from MessageLabs claiming that DNS is still vulnerable. This is what they sent me:
MessageLabs has today revealed that an intricate flaw in the underlying design of the Internet's DNS (domain name system) protocol is still vulnerable several weeks after patches were made available. MessageLabs recorded a 52 percent increase in suspicious DNS traffic between July and August, indicating that the online underworld is poised to launch targeted attacks in the coming weeks.
This is kinda funny. Of course there was an increase in DNS traffic: everyone on earth was probing their own resolvers to see whether they were vulnerable. No one has ever claimed that the patches provide 100 percent protection, and no one has ever claimed that 100 percent of all DNS servers have been patched either.
The most basic of all hacking attacks is to look for servers that haven’t been patched for flaws (whatever those flaws might be) and attack them. With the DNS flaw, there is even a Metasploit module so it’s really a trivial matter to exploit.
*UPDATED* Websense is reporting that the ISP China Netcom has actually been hit by the same cache-poisoning exploit. In that case it looks like the attack is based on typo domains (e.g. gogle.cn). Bottom line: every DNS admin should make sure their servers are patched and, more importantly, have some kind of IDS/IDP monitoring and rules in place to watch for suspicious activity.
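What "looking to see if your resolver is vulnerable" and "IDS rules for suspicious DNS activity" can look like in practice, as an added example that is not part of the original post or of any vendor's tooling. It runs two checks over a traffic log: whether the resolver's outbound source ports and transaction IDs are predictable (the pre-patch condition), and whether any name is receiving a burst of responses with many different TXIDs (an attacker spraying forged answers). The log layout, the thresholds and every sample value are constructed for this example; adapt parse_log() to whatever your capture or query log actually emits.

```python
"""Two checks over resolver traffic for the 2008 DNS cache-poisoning flaw.

Added example, not code from the original post.  The log format, the
field layout and every value below are constructed for this example;
adapt parse_log() to whatever your capture or query log actually emits.
"""
import math
from collections import defaultdict

# Constructed log layout, one DNS packet per line:
#   <timestamp> <Q|R> <resolver_source_port> <txid> <qname>
# "Q" is a query the resolver sent out, "R" is a response it received.

# An unpatched resolver: every query leaves from port 53 with a counter TXID.
UNPATCHED_QUERIES = "\n".join(
    f"{100 + i / 100:.2f} Q 53 {41000 + i} host{i}.example.com." for i in range(8))

# A patched resolver: ports and TXIDs both look random (values invented).
PATCHED_QUERIES = "\n".join(
    f"{200 + i / 100:.2f} Q {port} {txid} host{i}.example.com."
    for i, (port, txid) in enumerate([(51217, 9123), (30014, 60211), (45890, 17),
                                      (22031, 33940), (61234, 4821), (10044, 52007),
                                      (58777, 28310), (39021, 12999)]))

# 40 responses for one name inside 0.4 s, each with a different TXID: an
# attacker spraying forged answers while guessing the 16-bit transaction ID.
POISON_BURST = "\n".join(
    f"{300 + i / 100:.2f} R 53 {7000 + 13 * i} aa123.example.org." for i in range(40))

# Ordinary responses: one per second, nothing to flag.
NORMAL_RESPONSES = "\n".join(
    f"{400 + i:.2f} R 53 {9000 + i} www.example.net." for i in range(5))

SAMPLE_LOG = "\n".join([UNPATCHED_QUERIES, POISON_BURST, NORMAL_RESPONSES])


def parse_log(text):
    """Return (timestamp, direction, port, txid, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, port, txid, qname = line.split()
        records.append((float(ts), direction, int(port), int(txid), qname))
    return records


def source_port_entropy(records):
    """Shannon entropy, in bits, of the resolver's outbound source ports.

    A fixed port (the pre-patch behaviour) scores 0.  A patched resolver
    picks from tens of thousands of ports, so for a small sample the score
    approaches log2(number of queries)."""
    ports = [p for _, d, p, _, _ in records if d == "Q"]
    if not ports:
        return 0.0
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def txids_look_sequential(records):
    """True when outbound TXIDs increase by exactly 1 each time, i.e. an
    attacker only has to guess the source port."""
    txids = [t for _, d, _, t, _ in records if d == "Q"]
    if len(txids) < 3:
        return False
    return all(b - a == 1 for a, b in zip(txids, txids[1:]))


def response_bursts(records, window=1.0, threshold=20):
    """Flag qnames that receive at least `threshold` responses carrying
    distinct TXIDs within `window` seconds.  Legitimate traffic gives one
    response per query; a poisoning attempt floods many guesses at once.
    Returns {qname: distinct_txids_in_worst_window}."""
    by_name = defaultdict(list)
    for ts, d, _, txid, qname in records:
        if d == "R":
            by_name[qname].append((ts, txid))
    flagged = {}
    for qname, events in by_name.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {tx for t, tx in events[i:] if t - t0 <= window}
            if len(ids) >= threshold:
                flagged[qname] = max(flagged.get(qname, 0), len(ids))
    return flagged


if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED_QUERIES), ("patched", PATCHED_QUERIES)):
        recs = parse_log(log)
        print(f"{label}: port entropy {source_port_entropy(recs):.2f} bits, "
              f"sequential TXIDs: {txids_look_sequential(recs)}")
    print("bursts:", response_bursts(parse_log(SAMPLE_LOG)))
```

On real traffic, run the port check against the resolver's own outbound queries (the thing the patch changed), and tune the burst threshold to your query rate; a busy resolver legitimately sees several responses per second for popular names, but never dozens of distinct TXIDs for one name in under a second.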