DNS Posioning and Spoofing Made Simpler with BIND Vulnerability

The most common type of attack on DNS—the hierarchical distributed naming system which allows names to be attached to IP addresses—is cache poisoning and man-in-the-browser attacks. An attacker can hijack the name resolution process in order to divert internet traffic away from legitimate servers and towards bogus ones by spoofing the domain name of a legitimate website. Unsuspecting users may think they’re surfing to a genuine site, but instead end up on a malicious page designed to harvest information or deliver malware.

In research presented at the USENIX conference this week, Roee Hay of IBM, Jonathan Kalechstein of the Tecnion Computer Science Department and Gabi Nakibly of the National Electronic Warfare Research & Simulation Center laid out the issue. Generally, during a DNS resolution a resolver issues a query for a name which is responded to by a name server (NS). A resolver may be a client or a cache server handling queries on behalf of other clients. DNS resolvers like BIND use unpredictable values with each generated query. Since the corresponding values in the response must match the values sent in the query, it is difficult for a blind attacker, who does not see the query, to forge a valid response and insert a new name.

The new vulnerability allows an attacker to de-randomize the IP address of the name server a BIND resolver queries—reducing the amount of information a blind attacker must guess to successfully poison BIND's cache. At issue is BIND's Smoothed Round Trip Time (SRTT) algorithm.

BIND stores the SRTT of all name servers in a global cache shared by all domain names. This allows an attacker to influence the name server selection for one domain name while issuing queries for another.

“The general lesson from this vulnerability is that a DNS resolver must never keep a global state shared between different domain names (in our case the SRTT values are kept as a global state),” the research reads.

So, a possible mitigation for the attack is to keep the SRTT entries separated by domain names. No word yet on an ultimate fix for this hacker’s boon, but the vulnerability has been acknowledged by ISC (the maintainers of BIND), the researchers noted.

What’s hot on Infosecurity Magazine?