Halvar Flake, CEO of SABRE Security GmbH, who criticized Dan Kaminsky’s DNS server flaw as overblown, has caused a stir among security researchers for possibly exposing the details in a blog post.
Flake hypothesized on his blog about how an attacker could conduct DNS cache poisoning by overloading the server with requests until a legitimate answer is received. The goal is to get a DNS cache poisoning packet to match the transaction ID, according to Flake’s post. The technique also involves redirecting the name server to an IP address set up by the attacker, and the use of Bailiwick checking to dupe the server that the queried domain is legit.
Security researcher Thomas Ptacek and the team at Matasano Security, LLC responded quickly to the post with a post of their own, but quickly pulled it down, calling the post an error in judgment. Ptacek was one of two researchers briefed by Kaminsky on the details of the flaw. In the original post, Matasano said the attack could occur in less than 10 seconds, according to a researcher who had the post cached in his RSS feed reader.
“We confirmed the severity of the problem then and, by inadvertently verifying another researcher’s results today, reconfirm it today,” Ptacek said. “This is a serious problem, it merits immediate attention, and the extra attention it’s receiving today may increase the threat. The Internet needs to patch this problem ASAP.”
Kaminsky said he was trying to keep details of the flaw private to give companies and the government time to patch the domain name servers (DNS). In a Twitter post late Monday night, Kaminsky confirmed that the researchers figured out the details.
“DNS bug is public. You need to patch, or switch to opendns, RIGHT NOW,” Kaminsky said.
In a similar message on his DoxPara Research blog, Kaminsky warned IT pros to deploy the patches immediately.
“Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.”