41 Comments
- pbryan, on 07/26/2008, -2/+43It seems that even if a security vulnerability is kept under wraps for months to coordinate fixing it, the weak point winds up being adoption. What motivates system administrators to take action? Exploits in the wild? Actual attacks of their infrastructure? The answer turns out to be a lot simpler: donuts.
- loper, on 07/27/2008, -2/+34opendns is secure..
- LadiesMan0217, on 07/26/2008, -0/+32I believe the solution is simple. Run the exploits against all servers and redirect all traffic to goatse. This will scare enough business folks to push their sysadmins to do their jobs. If that doesn't do it, then everyone should run the script on their servers and send everyone to kittenwars.com.
Even if you don't want to patch your name servers for whatever reason, you can mitigate this by using iptables to randomize the source port. It has the ability to randomize the source port for any application.
- Wingdom, on 07/27/2008, -1/+24To check if you're vulnerable go to http://www.doxpara.com/ and run the little test on the right side of the page. Just click the Check My DNS button, it's that easy.
This is pretty effed up though that they haven't fixed it, they have known about it for months, and the patch has been out for weeks.
- outhouseinput, on 07/27/2008, -1/+13My ISP DNS was causing me connectivity issues. I switched over to opendns and everything works much better. 208.67.222.222 and 208.67.220.220 ftw.
- schulz89, on 07/27/2008, -1/+9I moved a few months ago to opendns for speed, I'm glad they keep it secure... most dns from internet providers here in Brazil are vulnerable
- inactive, on 07/27/2008, -1/+7I think Digg is responsible for system administrators' lack of motivation to take action.
/Oh, right, the security patch. I'll be right on it, after a few more Digg threads.
- exabytes16, on 07/27/2008, -0/+5The guy who discovered it was working with ISPs and such to develop a patch for this vulnerability. Problem is, the black hats know what that vulnerability is. That leaves us here: there's a fix that needs to be pushed out to all kinds of DNS servers.
I guess it's a case of "Loose lips sink ships."
- inactive, on 07/27/2008, -1/+5open dns for all!
- ch4os1337, on 07/27/2008, -2/+6So... They let out what the problem was in detail before the fix was ready?.....
- unexplainedmilk, on 07/27/2008, -3/+7OpenDNS has nothing to do with corporate DNS servers used for company domains (i.e. name servers) and/or Active Directory installations.
- m4csrgh3yk3v, on 07/27/2008, -7/+10This is why digg is starting to suck.
It was in the wild 4 days ago. http://www.caughq.org/exploits/CAU-EX-2008-0002.tx ...
digg users submitted it and yet get no traction:
http://digg.com/search?s=dns+flaw&submit=Search&se ...
welcome to the 4 days ago news site: digg.com
- paulmer2003, on 07/27/2008, -4/+7Uh, the full details of this exploit were on full-disclosure (and on many security forums) like, a week ago. Buried.
- iatebabies, on 07/27/2008, -0/+3http://www.milw0rm.org/exploits/6130
- zadadka, on 07/27/2008, -3/+5If some of you muppets saying "old news" bothered to RTFA, the first line says: "About two weeks ago we covered....".
- MrViklund, on 07/27/2008, -0/+2How can you be so stupid to "accidentally" post something Online???
- LiberalsSuckAss, on 07/27/2008, -0/+2I wouldn't call Digg a "4 days ago news site" at all.
Anytime Barack Obama farts, Digg immediately posts about how wonderful it smelled.
- N01SE, on 07/27/2008, -1/+3Nothing is totally secure.
- dood, on 07/27/2008, -0/+1Kinda. The fix isn't really 100%. Those loose lips raised awareness of the nature of the problem.
It's impractical to exploit a patched server, of course, given the randomness involved, but an essentially similar method could work. I think it's important for everyone who runs name servers to understand why the exploit worked in the first place, so they can see why it could come up again in the future.
- DyceFreak, on 07/27/2008, -1/+2From the description:
"A new hack designed to exploit a weakness in the DNS protocol is out"
"A patch for the issue was released almost two weeks ago"
these Digg topic makers are retarded politicians I think...
automatic updates anyone?
- inactive, on 07/28/2008, -0/+1DyceFreak, is your ISP running its production DNS server on your Windows workstation?
- Hamsterpotpies, on 07/27/2008, -0/+1Verizon's EVDO DNS is still able to be bugged. Just a heads up.
- NedSlider, on 07/27/2008, -1/+2"these Digg topic makers are retarded politicians I think...
automatic updates anyone?"
Duh - most DNS servers run on Linux. Most sys admins will NEVER deploy an update on a production server without first testing the effects in a controlled environment. In large organisations it can often take months to get management to authorise the deployment of a patch. This helps explain a little of the reasoning WHY some ISPs have been slow to deploy but they do need to pull their collective fingers out on this one. The main issue arises from those still running older BIND 8 implementations who will need to upgrade to BIND 9 rather than simply applying a patch.
Automatic updates are for users who don't understand what is running on their computers.
- sysop073, on 07/28/2008, -0/+1It came out by mistake about a week ago, a blog post was published before it was supposed to be
- MrViklund, on 07/27/2008, -0/+1Yup.
But when on Digg, you are not entitled to your own opinion. People will digg you down if you do not agree with them. You will see.
- grawity, on 07/27/2008, -0/+1"Firefox can't find the server at 2607c508baac.doxdns1.com"
does that mean I'm secure?
- sysop073, on 07/28/2008, -0/+1It was a miscommunication, the person who posted it thought the news had already broken
- geocar, on 07/27/2008, -0/+1Two weeks?
Try eight years!
DJBDNS has never been vulnerable to this attack, and people have talked about port randomization way back into the 1990s.
Furthermore, DNS spoofing isn't new; what's new is using the AUTHORITY section instead of the ADDITIONAL section. Simply ignoring answers out of bailiwick (as djbdns does) solves that problem.
- bdickason, on 07/27/2008, -0/+1I got a random page takeover (dell ad shown in upper left corner with blank screen) today from Youtube and have been seeing it on other sites. It comes from m1.m2dn.net and if I look in the browser history it shows something like wyciwyg://21/youtube.com/etcetc. I googled and it looked like an old bug but could these be related or am I just an idiot? :
(mac ffox 3.0.1 btw)
- cobr@, on 07/27/2008, -0/+1look above or 208.67.222.222 208.67.220.220
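As an added example (not code from the thread or from djbdns), this implements the out-of-bailiwick check geocar mentions above: a resolver that asked a server for one zone only caches AUTHORITY/ADDITIONAL records whose owner names fall inside that zone. The zone names, record values and the `RR` helper are constructed for illustration.

```python
# Added example: bailiwick filtering of DNS response records, the defence
# geocar's comment credits to djbdns. Names, addresses and the RR type here
# are constructed for illustration, not taken from any real response.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "ns1.example.com."
    rtype: str  # "A", "NS", ...
    rdata: str


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a subdomain of it (label-wise, so
    'notexample.com' is NOT inside 'example.com')."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, authority: list[RR], additional: list[RR]):
    """Keep only records a resolver may cache from a server serving `zone`.
    Returns (kept, dropped) so the caller can log what was rejected."""
    kept, dropped = [], []
    for rr in authority + additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a response from a server queried for example.com.
# The NS record and its glue are in bailiwick; the A record for a name in
# an unrelated zone is exactly what a resolver must refuse to cache.
SAMPLE_AUTHORITY = [RR("example.com.", "NS", "ns1.example.com.")]
SAMPLE_ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.10"),
    RR("www.bank.example.", "A", "198.51.100.99"),
]

if __name__ == "__main__":
    kept, dropped = filter_response("example.com.", SAMPLE_AUTHORITY, SAMPLE_ADDITIONAL)
    for rr in dropped:
        print(f"dropped out-of-bailiwick record: {rr}")
```

Note that this check alone does not cover a forged NS record for the very zone being queried; it is the complement to source-port randomization, not a replacement for it.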
- N01SE, on 07/27/2008, -1/+1All unmoderated sites eventually become ***** over time, it's a reflection of the typical internet user, not the sites themselves.
- Xyc0, on 07/27/2008, -8/+8Replace hackers with crackers, and you are all set. Get your terms straight.
- DyceFreak, on 07/27/2008, -1/+1no... automatic updates are for people who want what they would call, A secure windows... see its a feature, which automatically installs security fixes for situations like these. Using a method of deployment called a hotfix.
-Sys Admin 101
the security of the web relies on its system administrators, and if system administrators are like you NedSlider, then we are all in big trouble.
any competent system administrator would have already tested this little-changing patch in a sandbox, and had it deployed in either a day, or two days... unless they are lazy, like what you describe.
- JoeHumphrey, on 07/29/2008, -0/+0There's no absolutely secure network, but we have some ways to monitor our network effectively. I wanna recommend to everyone here that Capsa, which is used to monitor and analyze the whole network, is a very good software in this aspect. Just try it on http://www.etherlook.com/?promid=label
- antimatt3r, on 07/28/2008, -0/+0The people at Matasano Chargen are very smart people, but you're right, this is probably one of the dumbest things I've seen a computer security company do.
I wondered if this was a possible publicity stunt to get attention but they realized after doing this that their reputation would be tarnished forever and tried to pull it.
- N01SE, on 07/27/2008, -0/+0What, are you giving it to us? What's the IP?
- N01SE, on 07/27/2008, -1/+0The vulnerability is that it's possible to change the lookup to something other than what is stated in the DNS. That is really not a serious vulnerability for most clients, it would only be embarrassing if it happened to a frequently visited site, but very easy to fix.
- MrViklund, on 07/27/2008, -5/+2OSX is.
- N01SE, on 07/27/2008, -3/+0Hackers target Windows for a reason (it is the most widely used operating system), there is no reason to hack OSX or Linux, who cares.
- DanPlainview, on 07/27/2008, -12/+7Dugg for skull and crossbones.
- DanPlainview, on 07/27/2008, -7/+1OK. Who's the ***** that ***** up my 5 digg streak? Huh? It's a skull and mother ***** crossbones. You sir, are joyless.