Network Attacks Via DNS
147 comments
TCP or UDP (Score:3, Interesting)
by rf0 (159958) <rghf@jvds.com>
on Sunday August 01, @07:57AM (#9857143)
(http://www.jvps.com/)
I have to wonder what protocol they used as DNS does allow for both UDP and TCP (TCP when the message is over 512 bytes IIRC)
Rus
Re:TCP or UDP (Score:5, Informative)
by Anonymous Coward
on Sunday August 01, @08:01AM (#9857157)
An interesting property of DNS is that there are servers all over the net which will happily relay your message. Even if your only connection to the net is through application level proxies, you probably have a local DNS resolver. That's all you need. No packet has to traverse the firewall directly.

They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.
Re:TCP or UDP (Score:5, Interesting)
by digitalhermit (113459)
on Sunday August 01, @08:51AM (#9857254)
(http://www.digitalhermit.com/)
> They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.

Yup, and that's not the half of it. With the extensions being duct-taped onto the existing spec it makes it easier and easier to do this. I've seen some hacks to allow all sorts of arbitrary information to live on the servers, some relayed automatically because of the extensions, some used to modify how mail servers respond, some even for routing. It's nothing new (remember transferring data via ICMP ECHO?) but it's on a new level now.
KL
Old news (Score:5, Informative)
by fred87 (720738) <mail@nOSPAM.fredemmott.co.uk>
on Sunday August 01, @07:58AM (#9857149)
(http://www.fredemmott.co.uk/)
Nessus has been pointing this out as a security hole in its scan results for at least 3 months now...
This is supposed to be 'news'? (Score:5, Informative)
by fw3 (523647) *
on Sunday August 01, @08:01AM (#9857155)
(http://slashdot.org/ | Last Journal: Sunday December 21, @01:10PM)
Layering services over DNS has been a discussed topic in books and seminars for at least a decade already.
Repeated (Score:2)
by lachlan76 (770870) <lachlan76@hotmaiGINSBERGl.com minus poet>
on Sunday August 01, @08:02AM (#9857158)
This story seems quite similar to a previous one about using DNS for communications, from LayerOne. Incredibly stupid to use for mainstream communications, but perfect for hackers, with low data requirements, anyway.
So does this mean (Score:4, Funny)
by foidulus (743482) *
on Sunday August 01, @08:03AM (#9857160)
That I should change my bookmark to http://66.35.250.150 now?
In other news... (Score:3, Funny)
by Zorilla (791636)
on Sunday August 01, @08:04AM (#9857162)
...Microsoft plans to release a security update to Windows XP which will secure the DNS hack. For all future internet usage, please enter in http://216.239.57.99. It's not a bug, it's a feature.
90% of the internet is vulnerable ... (Score:4, Interesting)
by after (669640)
on Sunday August 01, @08:04AM (#9857163)
(http://nan2d.com/ | Last Journal: Thursday October 16, @11:51PM)
to something called DNS poisoning. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.

BIND9... don't get your hopes up. The BIND company sells patches for their software. Meaning that if you don't pay them money then you're going to be running an erroneous DNS server.

Still, most people use BIND for two reasons: 1) no one wants to learn the crusty details of DNS and 2) Linux comes with BIND as its default name library.

Alternatives like djbdns [cr.yp.to] should be used.
Re:90% of the internet is vulnerable ... (Score:4, Informative)
by shepd (155729) <slashdot DOT org AT gmail DOT com>
on Sunday August 01, @08:29AM (#9857202)
(http://beamon.ca/ | Last Journal: Tuesday July 20, @09:44AM)
> unfortunately, djbdns is not open-source.

Incorrect, it is open source.
It isn't GPL.
There's a big difference.

> Until a true open source alternative to BIND appears, we're stuck with it.

By "true alternative" do you mean it has to be GPLable?

Get real. djbdns' source is 100% available for you to look at and patch to your heart's content. If you find an error, send a fix to DJB and he'll add it after review. He'll even give you $500 [cr.yp.to] as a reward for your hard work. Find me a GPL program that makes an offer like that.

Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process.

For the disbelievers, here's [cr.yp.to] the source code. Here's [cr.yp.to] Bernstein's statement about the freedom of his software. Feel free to print it out and sign it if you're insane on the idea he can revoke your license.
Re:90% of the internet is vulnerable ... (Score:4, Insightful)
by johnnyb (4816) <johnnyb@eskimo.com>
on Sunday August 01, @09:03AM (#9857278)
(http://www.bartlettpublishing.com/)
"Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process"

Can you make binaries of your new program and distribute them? If not, I can't see how you call this open-source. It cuts off all of the distributors from carrying patched versions that work with their own distribution, instead of whatever way that djb wants.
Irrelevant^2 (Score:5, Insightful)
by warrax_666 (144623)
on Sunday August 01, @08:39AM (#9857221)
The $500 security guarantee is utterly irrelevant. (Btw: Who gets to judge what is a security problem? That's right, DJB himself. If that doesn't tell you something, then you're not the sharpest tool in the shed).

The $500 corresponds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "guarantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.

> BIND is open source, but that doesn't make it safe and secure. It's probably more insecure just because of that.

BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.

So they are both equally "insecure" from that perspective.
helpful (Score:5, Funny)
by Scythr0x0rs (801943) *
on Sunday August 01, @08:12AM (#9857177)
Some good people could break into the nameservers of a large ISP such as AOL and send out spoofed NS records for update.windowsupdate.com or whatever it is and deploy Linux to all Windows users.
Warning: this update may require a reboot.
This is why.... (Score:3, Insightful)
by Cylix (55374)
on Sunday August 01, @08:25AM (#9857196)
(http://www.bastardism.com/cylix | Last Journal: Thursday March 07, @12:05PM)
I've set control lists for DNS for a long, long time.

After the IP over DNS tunnel came out... it was actually a bit necessary. Our staff would do anything to get out of doing work...
Suspicious? (Score:3, Insightful)
by timgoh0 (781057)
on Sunday August 01, @08:37AM (#9857218)
Wouldn't large amounts of DNS traffic look suspicious? Especially if they originated from one machine.
Cheating Wireless networks (Score:5, Insightful)
by technothrasher (689062)
on Sunday August 01, @08:40AM (#9857225)
I've noticed in the past that many of the public wireless networks that want you to pay to use allow DNS traffic to flow even before you've paid. I've often thought that you could use that to build a tunnel and not have to pay for service. Mind you, I've never done it because it would be kind of rotten, but it did cross my mind.
Reason why (Score:1)
by Teppich (769850)
on Sunday August 01, @09:01AM (#9857274)
(Last Journal: Monday August 02, @04:31PM)
My standard iptables rules only allow some ISPs' DNS servers.
Misleading Title (Score:1, Informative)
by Anonymous Coward
on Sunday August 01, @09:06AM (#9857285)
The title of the post is misleading. DNS can't be actually used to attack a network, only to slip sensitive data by firewalls.
Harmless? (Score:5, Insightful)
by jjeffrey (558890) <james@jgj.org.uk>
on Sunday August 01, @09:12AM (#9857294)
(http://jgj.org.uk/)
I don't think that networks allow DNS because it is harmless, but because it is necessary; that's an important distinction.
So? (Score:1)
by jbb999 (758019)
on Sunday August 01, @09:13AM (#9857297)
If you can send data in any form you can tunnel anything you like over it. Why is this news?
Well known that DNS is iffy, surely? (Score:1, Redundant)
by mwillems (266506)
on Sunday August 01, @09:32AM (#9857379)
(http://www.mvw.net/)
Surely we all know that "DNS" comes at the top of the list of the Internet's vulnerabilities? Tunneling data; many bugs in DNS software over the years; vulnerability to DoS: surely we all know this already - why is this news?

DNS was an afterthought - but it seems to me a very necessary one, and one we will have to continue to live with.
That's why you use proxies! (Score:5, Informative)
by wowbagger (69688)
on Sunday August 01, @09:38AM (#9857396)
(http://slashdot.org/~wowbagger/journal/ | Last Journal: Friday April 30, @10:12AM)
That is why any GOOD sysadmin will set up the system so that there is a single DNS server for the plant, and that server and that server alone is allowed to send and receive DNS packets to the greater Internet - all other machines are to use the local DNS server.

Not only does this GREATLY reduce the amount of DNS traffic a shop produces (by caching all requests locally), it helps prevent this sort of foolishness by requiring all packets to be well-formed DNS packets - else the server drops them.

Then, you can block any client that makes more than a few requests a second.

Yes, it is easier to set up a firewall to be very porous to outbound traffic, but it is more secure to deny all direct access, and force clients to run through proxies for the various services.
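One way to act on the "block any client that makes more than a few requests a second" rule above (and on the earlier question in this thread of whether large volumes of DNS traffic from one machine would look suspicious), written as an added example for this page rather than code from any poster: a small analyzer for the local resolver's query log that flags a client by peak queries per second, by the length and entropy of the leftmost label, and by the share of TXT/NULL queries. The log line format, the 10.0.0.x clients and the thresholds are all constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query-log lines (timestamp, client, qtype, qname); invented
# for this example. 10.0.0.5 behaves like a tunnel endpoint, 10.0.0.7 like a workstation.
SAMPLE_LOG = """\
2004-08-01T09:38:00 10.0.0.7 A www.example.test
2004-08-01T09:38:00 10.0.0.5 TXT k7qz2mxv9bpd4hsw.tun.example.test
2004-08-01T09:38:00 10.0.0.5 TXT a1b2c3d4e5f6g7h8.tun.example.test
2004-08-01T09:38:00 10.0.0.5 TXT zy9xw8vu7ts6rq5p.tun.example.test
2004-08-01T09:38:00 10.0.0.5 TXT m3n4o5p6q7r8s9t0.tun.example.test
2004-08-01T09:38:01 10.0.0.7 A mail.example.test
2004-08-01T09:38:01 10.0.0.5 TXT b2c3d4e5f6g7h8j9.tun.example.test
2004-08-01T09:38:02 10.0.0.7 MX example.test
2004-08-01T09:38:02 10.0.0.5 TXT r4s5t6u7v8w9x0y1.tun.example.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
PAYLOAD_QTYPES = {"TXT", "NULL"}   # record types that carry bulk data cheaply

def shannon_entropy(s):
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def profile_clients(log_text):
    """Per-client counters: queries per second, leftmost labels, payload-type hits."""
    stats = defaultdict(lambda: {"per_second": defaultdict(int), "labels": [],
                                 "payload": 0, "queries": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than abort
        ts, client, qtype, qname = m.groups()
        st = stats[client]
        st["queries"] += 1
        st["per_second"][ts] += 1
        st["labels"].append(qname.split(".")[0])   # tunnels pack data into this label
        if qtype.upper() in PAYLOAD_QTYPES:
            st["payload"] += 1
    return stats

def suspicious_clients(log_text, max_qps=3, min_entropy=3.0, min_label_len=12, max_payload_frac=0.5):
    """Return {client: [reasons]} for clients whose DNS use looks like a tunnel or flood."""
    flagged = {}
    for client, st in profile_clients(log_text).items():
        reasons = []
        peak = max(st["per_second"].values())
        if peak > max_qps:
            reasons.append(f"{peak} queries in one second (limit {max_qps})")
        mean_len = sum(len(l) for l in st["labels"]) / len(st["labels"])
        mean_ent = sum(shannon_entropy(l) for l in st["labels"]) / len(st["labels"])
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            reasons.append(f"label entropy {mean_ent:.2f} bits at mean length {mean_len:.0f}")
        frac = st["payload"] / st["queries"]
        if frac > max_payload_frac:
            reasons.append(f"{frac:.0%} of queries are TXT/NULL")
        if reasons:
            flagged[client] = reasons
    return flagged
```

Thresholds need tuning per site: a busy mail gateway legitimately issues bursts of MX and PTR lookups, so start with the entropy and qtype signals and use the rate limit to catch floods.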
Covert communication over DNS tunnels (Score:2, Insightful)
by Timbo (75953)
on Sunday August 01, @09:41AM (#9857402)
There was an old Slashdot story [slashdot.org] eons ago about people using DNS tunnels to abuse the free dial up lines used for setting up a dial up ISP account. Covert comms over DNS is nothing new, but oddly it doesn't seem to have ever caught on.
Firewall 1 lets through DNS by default ? (Score:2)
by rainer_d (115765)
on Sunday August 01, @10:29AM (#9857582)
(http://www.i-duffner.de/)
Hi,
I've read somewhere that there are some "implicit" rules in the Firewall 1 default configuration that let DNS through anyway. Is that true? I have the eval CD here, but haven't had the time and the resources to test it.
cheers, Rainer
Duh... (Score:5, Funny)
by blixel (158224)
on Sunday August 01, @10:34AM (#9857607)
(http://www.blixel.com/)
> That flaw in most firms' network security leaves a vulnerability that can be used by hackers to sneak intellectual property outside a company, communicate with a compromised server inside the company,

In other security news alerts, there was a major hole discovered in SSH. It turns out if a hacker installs a rogue SSH daemon on the server, he can do nefarious things with it.
Re:Duh... (Score:4, Informative)
by Effugas (2378)
on Sunday August 01, @05:36PM (#9859558)
(http://www.doxpara.com/)
Most trojans need to poll the outside world periodically, to determine whether they have a new set of operations to execute. With this approach, no polling is necessary -- there's an open pipe _into_ the organization, and the trojan can remain perfectly silent.
--Dan
"without DNS" = LDAP (Score:4, Interesting)
by Anonymous Coward
on Sunday August 01, @10:56AM (#9857709)
Note that LDAP is fully capable of doing host name resolution; there's even an RFC for it (AFAIK the one that specifies how to store POSIX user info also specifies how to store host names). And in fact, DNS can be used for user details via Hesiod.

Both LDAP and DNS are hierarchical federated database systems. Personally, I find current LDAP implementations to be more manageable, better designed, and generally nicer (can set very fine grained permissions) than current DNS implementations. A name system based on LDAP rather than DNS would be fully feasible and IMHO as or more globally scalable.

But we must distinguish between DNS-the-protocol and DNS-the-implementations - it would be possible to have the same piece of software answer both DNS and LDAP queries from the same database. Hey, hello Microsoft Active Directory! But MAD is nasty for other reasons - so where are the Open Source projects to provide a slapd plugin for DNS protocol lookup to openldap databases? It should actually be pretty simple, maybe it's so simple no-one is interested in hacking on it....
How about this: OpenVPN over UDP port 53, i.e. DNS (Score:5, Interesting)
by anti-NAT (709310)
on Sunday August 01, @11:02AM (#9857747)
(http://www.nosense.org/)
Thought of this almost two years ago. Run OpenVPN [sourceforge.net] over UDP port 53. I figure a fair number of firewalls may not analyse UDP DNS traffic to see if it actually is UDP DNS traffic. Haven't had a chance to try it out though.

Thinking big picture, you realise that once opportunistic IPsec becomes available, and with IPv6 it will be, any device in the network trying to interpret traffic, such as firewalls and proxy servers, will become just about useless.
nstx (Score:2)
by cosmol (143886)
on Sunday August 01, @11:26AM (#9857834)
I saw this story through google news and I thought, "better check slashdot." Got an article from 2000.
http://slashdot.org/article.pl?sid=00/09/10/2230242&tid=95 [slashdot.org]
and the current version of nstx: http://nstx.dereference.de/nstx/nstx-1.1-beta5.tgz [dereference.de]
Quick Summary: What's New (Score:4, Informative)
by Effugas (2378)
on Sunday August 01, @05:16PM (#9859470)
(http://www.doxpara.com/)
OK, let me repeat.

Throwing arbitrary data in DNS -- NOT a big deal.

Even doing network tunneling over DNS -- ALSO not that big a deal; NSTX has been doing this for a while.

DNS radio is new. By segmenting audio into small chunks, we actually get universal caching of the streaming signal -- a functionality we've never really had before. Generally, audio broadcast over the Internet falls apart after a few thousand users. Based on this ring-buffer-into-BIND architecture, combined with the utterly minimal bandwidth load of Speex, we should be able to host audio for a much greater number of listeners.

The entire suite of incoming attacks to firewalls are also new. DNS trusts the hierarchy to tell it the next hop to its target name; since I can acquire second level domains in the hierarchy for minimal cost, it's trivial for me to insert arbitrary destinations along the DNS route path. In technical terms, whenever a recursing resolver comes to my name server to resolve a name, rather than providing an answer, I can redirect that request to another, supposedly authoritative server. That server can be at any address -- even one I cannot IP route to -- but if the resolver communicating with me can route to that address (say 10.0.1.11) my communication will reach that host. If there's an SSH over DNS daemon running on 10.0.1.11, I've now achieved incoming connectivity to the network of my choice, completely bypassing firewalls and a trojan's need to poll.

Recursion on dual-hosted interfaces is not even necessary. There are large numbers of applications that, upon receiving untrusted traffic, execute DNS name lookups. Most commonly, they are reverse PTR lookups, but occasionally there are other types (MX from mail servers, most notably) that can be easily induced. When they are induced, the hierarchy is followed. When the hierarchy is followed, the attacks previously discussed start working. In practice, this means an IDS triggers the DNS server to start proxying traffic between an external attacker host and an internal trojaned machine. Nasty.

There's some other stuff -- check out the slides and the code -- but long story short, there's some new stuff out :-)
--Dan
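The redirection described in the post above works because the recursing resolver follows whatever next-hop address a referral hands it, including one inside the resolver's own private network. A resolver-side check that refuses to follow glue into private or operator-protected address ranges is one mitigation; the block below is an added example written for this thread, not code from the post's author or from any real resolver, and the zone names, addresses and referral layout are constructed.

```python
import ipaddress

# Address ranges an Internet-facing recursive resolver must never be steered
# into by an outside authority: "this" network, RFC 1918, loopback, link-local,
# and their IPv6 counterparts. The post's 10.0.1.11 sits inside 10.0.0.0/8.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def protected_range(addr, extra_nets=()):
    """Return the protected network containing addr, or None if it may be contacted.
    extra_nets lets an operator add the public prefixes of their own site."""
    ip = ipaddress.ip_address(addr)
    for net in PROTECTED_NETS + [ipaddress.ip_network(n) for n in extra_nets]:
        if ip.version == net.version and ip in net:
            return net
    return None

def vet_referral(zone, nameservers, glue, extra_nets=()):
    """Decide what a resolver may do with a referral for `zone`.

    nameservers: the NS names the upstream server delegated the zone to.
    glue: {ns_name: [addresses]} from the referral's additional section.
    Glue pointing into a protected range is dropped, as is glue for a name that
    is not in the NS set. NS names without glue go to a separate lookup, whose
    answers must pass protected_range() before they are used.
    """
    usable, dropped, resolve_separately = {}, [], []
    for ns in nameservers:
        addrs = glue.get(ns, [])
        if not addrs:
            resolve_separately.append(ns)
            continue
        for addr in addrs:
            net = protected_range(addr, extra_nets)
            if net is None:
                usable.setdefault(ns, []).append(addr)
            else:
                dropped.append((ns, addr, f"inside protected range {net}"))
    for ns, addrs in glue.items():
        if ns not in nameservers:
            dropped.extend((ns, a, "glue for a name outside the NS set") for a in addrs)
    action = "follow" if usable or resolve_separately else "servfail"
    return {"zone": zone, "usable": usable, "dropped": dropped,
            "resolve_separately": resolve_separately, "action": action}

# Constructed referral: ns1 has a public documentation-range address, ns2 is the
# post's internal host, ns3 comes without glue, and "rogue" is glue for a name
# the referral never delegated to.
SAMPLE_NS = ["ns1.example.test.", "ns2.example.test.", "ns3.example.test."]
SAMPLE_GLUE = {
    "ns1.example.test.": ["203.0.113.10"],
    "ns2.example.test.": ["10.0.1.11"],
    "rogue.example.test.": ["198.51.100.7"],
}

def demo():
    """Vet the constructed referral; returns the decision dict."""
    return vet_referral("example.test.", SAMPLE_NS, SAMPLE_GLUE)
```

The same protected_range() test has to be applied to every address a resolver learns later for a delegated NS name, not only to glue, or the check is bypassed by leaving the glue out.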
Advertisements and Spam (Score:2)
by HermanAB (661181)
on Sunday August 01, @05:27PM (#9859523)
are more of a problem than covert channels. Every cell phone is a covert channel out of a business. Since DNS can't be used to deliver advertisements, I don't see a business threat here. It may be a concern to a military installation though.