Massive DNS security problem endangers the internet

US-CERT and other security experts have warned of a critical design problem affecting all DNS implementations. The Domain Name Service is responsible for converting readable names like www.heise-online.co.uk into the IP addresses that computers can handle, such as 193.99.144.85. DNS is thus the internet equivalent to a phonebook and without it, nothing works. Anyone who takes control of it can control the internet.

In order to avoid repeating name resolution for every network connection, many systems store the results in a cache for a certain length of time. If an attacker succeeded in slipping false addresses into such a cache, he could divert any network connections to systems under his control. That would open up the possibility of enormous phishing campaigns and the large-scale theft of passwords, credit-card data, and even access data for online banking.

The fundamental problem with the DNS is that the responses to queries can, in principle, be faked. For that reason, current systems use a randomly selected 16-bit transaction ID for each query. If the answer also contains this ID, it is taken to come from the correct server, and the prospect of an attacker guessing it is negligibly small. Amit Klein, however, has already shown several times how implementation errors, say in the random-number generator used, can be exploited to enable DNS cache poisoning.
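To make the transaction-ID check concrete, here is an added example (not code from the article or from any DNS vendor) of the resolver-side acceptance test it describes: a reply is only matched to an outstanding query when it carries the same 16-bit ID and echoes the question, and the helper at the end gives the per-attempt odds of a blind guess for a given ID width. The message builders are simplified and hypothetical; only the header and question section are modelled.

```python
import secrets
import struct
from typing import Optional

def build_query(qname: str, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query for an A record; the transaction ID is random unless given."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)          # 16-bit ID, as the article describes
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "qdcount": qd, "ancount": an}

def _question_end(msg: bytes) -> int:
    # name ends at the first zero-length label, followed by QTYPE and QCLASS
    return msg.index(b"\x00", 12) + 5

def build_response(query: bytes, txid: Optional[int] = None) -> bytes:
    """Constructed reply: QR=1, question echoed; txid defaults to the query's own."""
    if txid is None:
        txid = parse_header(query)["txid"]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + query[12:_question_end(query)]

def response_matches(query: bytes, response: bytes) -> bool:
    """Accept only a reply whose transaction ID and question match the pending query."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return False
    return response[12:_question_end(response)] == query[12:_question_end(query)]

def guess_probability(id_bits: int = 16, attempts: int = 1) -> float:
    """Chance that `attempts` blind guesses hit the right ID before the real reply lands."""
    return min(1.0, attempts / (1 << id_bits))
```

With a single guess per query the chance is 1/65536; the article's point is that an attacker who can provoke many queries and guesses raises that figure without any flaw in the random-number generator.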

Vulnerability notes from US-CERT say the security expert Dan Kaminsky has now discovered a general method for reducing the odds sufficiently for cache poisoning to be carried out effectively. The method is evidently not based on a defective implementation, but on a cunning attack scenario that markedly increases the attacker's chances. Kaminsky doesn't want to reveal the details until the Black Hat conference in August. Almost all noteworthy vendors are affected, including ISC (whose BIND is the most widely used server), Cisco and Microsoft.
