As part of my standard presentation about DNS security, I describe the threat of cache poisoning: If a bad guy is able to inject bogus resource records into your name server’s cache, he can redirect you to a visually identical replica of the web site you think you’re going to. You enter your credentials, your account information, your credit card information, into the bogus site, and the bad guy uses your personal information to drain your account or charge your card. Or the bad guy redirects your email through his mail server, either modifying your messages slightly or simply recording them. These are among the most insidious threats to Internet infrastructure because they’re so difficult to detect. The potential damage is massive and after the poisoned records time out of the name server’s cache, there’s no evidence of the attack—except for the credit card charges or outgoing wire transfers.
I then go on to describe what I consider the three major cache poisoning “attacks” over the past twenty years: the Kashpureff attack, the Klein vulnerability, and the Kaminsky vulnerability. These attacks used flaws in the implementation of popular name servers and weaknesses in the design of DNS to induce a name server to accept bogus records. Of course I also describe how we addressed each of them.
The problem is that, of these three, two weren’t really attacks. Amit Klein’s discovery of the weakness of BIND’s pseudo-random number generator was addressed by grafting in a better one. Dan Kaminsky’s eponymous vulnerability was addressed—at least for the time being—by introducing query port randomization. The Internet community was incredibly fortunate that these two serious vulnerabilities were caught and reported by white hats. Even Eugene Kashpureff, who actually carried out his namesake attack, did it as a protest, not for direct personal gain. It could have been much worse.
But that leaves people like me without a spectacular object lesson to point to, one in which sweet, silver-haired grandmothers are relieved of their life’s savings. But no more.
As the saying goes, “Be careful what you wish for; you might get it.”
A tweet from Dan York of the Internet Society tipped me off to a recent blog entry from CERT/CC describing likely cases of cache poisoning that repeatedly rerouted email addressed to “the biggest free webmail providers” over the past year.
CERT/CC isn’t sure of the mechanism used to poison the name servers’ caches, so they’re trying to enlist the help of the Internet community. In fact, that’s why they’re finally publicizing the case. But now we’re facing the probability that email sent to or from “the biggest free webmail providers” over the last year was intercepted, possibly modified without our knowledge, or just unceremoniously canned (which might be the least-bad option).
Now can we please get on to the business of deploying DNSSEC?