Proof of concept code for new DNS cache poisoning attacks publicly available

Number: AL08-001
Date: 21 July 2008

Purpose

The purpose of this alert is to raise awareness that proof of concept code that can facilitate DNS cache poisoning attacks has been publicly disclosed.

Assessment

CCIRC issued advisory "AV08-056 Multiple vendor DNS implementations vulnerable to cache poisoning" on July 8 to warn system administrators about deficiencies in the DNS protocol and common DNS implementations.

Recent research into these and other related vulnerabilities, which produced extremely effective exploitation methods for achieving cache poisoning, has been publicly disclosed. Although it is difficult to predict when this information will be exploited, CCIRC expects that attack tools will become available soon.

DNS software makers have implemented source port randomization in their DNS software to reduce the effectiveness of the exploitation method.

Suggested action

Although the following recommendations should be considered for caching name servers, they are not sufficient to mitigate the attack:

  • Only allow queries from known IP addresses;
  • Apply anti-spoofing filters at the network perimeter;
  • Do not provide authoritative name service on a caching name server.

CCIRC highly recommends that system administrators test and apply fixes to their caching "name servers" and operating systems at the earliest opportunity. This should be considered as a high priority.

Network administrators should verify that Network Address Translation (NAT) devices do not interfere with the patch. There are known issues with NAT which may nullify the source port randomization of the DNS patch.
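
The following is an added example, not part of the CCIRC alert or any vendor's tooling: one way to carry out the NAT check above is to capture the patched resolver's outbound queries on the external side of the NAT device (for instance with tcpdump -n) and inspect the source ports that actually leave the network. The function names, thresholds, addresses and port lists are assumptions constructed for illustration.

```python
import re
import statistics

# Matches tcpdump -n output for a UDP query to port 53, e.g.
# "12:00:00.000000 IP 203.0.113.5.1024 > 198.51.100.53.53: 4000+ A? example.com. (29)"
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def source_ports(lines, resolver_ip):
    """Return the source ports of queries sent from resolver_ip, in capture order."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports

def classify(ports, min_samples=20):
    """Return 'insufficient', 'fixed', 'sequential', 'narrow' or 'randomized'."""
    if len(ports) < min_samples:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"            # every query leaves from the same port
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for d in deltas if d <= 16)   # step threshold is an assumption
    if small / len(deltas) > 0.8:
        return "sequential"       # typical of a NAT allocating ports in order
    if statistics.pstdev(ports) < 1000:         # spread threshold is an assumption
        return "narrow"           # ports vary, but only within a small range
    return "randomized"

def sample_capture(ip, ports):
    """Build constructed tcpdump-style lines (documentation addresses, not real traffic)."""
    return [f"12:00:{i:02d}.000000 IP {ip}.{p} > 198.51.100.53.53: {4000 + i}+ A? example.com. (29)"
            for i, p in enumerate(ports)]

# Constructed port sequences: a patched resolver seen directly, and the same
# resolver behind a NAT device that rewrites source ports in order.
DIRECT_PORTS = [51234, 10877, 33410, 60211, 2048, 45990, 17765, 29003,
                64001, 8123, 38456, 12999, 55870, 21044, 47311, 5950,
                61782, 26617, 40105, 14320, 58009, 31876, 9641, 49528]
NATTED_PORTS = [1024 + i for i in range(24)]

if __name__ == "__main__":
    for label, ports in (("direct", DIRECT_PORTS), ("behind NAT", NATTED_PORTS)):
        capture = sample_capture("203.0.113.5", ports)
        print(label, classify(source_ports(capture, "203.0.113.5")))
```

Any result other than "randomized" on the external side of the NAT device indicates that the resolver's port randomization is not reaching the Internet, even if the name server itself is patched.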

For more information, please refer to:

CCIRC Advisory AV08-056
www.ps-sp.gc.ca/prg/em/ccirc/2008/av08-056-eng.aspx

ISC Bind advisory
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

Microsoft advisory MS08-037 Vulnerabilities in DNS Could Allow Spoofing (953230)
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

US-CERT/CERT-CC Vulnerability note
http://www.kb.cert.org/vuls/id/800113

CERT/CC Securing DNS servers
http://www.cert.org/archive/pdf/dns.pdf

Note to Readers

Public Safety Canada (PS) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyze threats and to issue alerts, advisories, and other information products.

The Government Operations Centre (GOC) provides strategic level coordination and direction on behalf of the Government of Canada, in response to emerging or occurring events in the national interest, including threats to and incidents involving Canadian critical infrastructure. The GOC receives, shares, and coordinates information with other federal departments, as well as provincial/territorial and international partners.

For general information on critical infrastructure protection and emergency preparedness, please contact PS's Public Affairs division at:

Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications@ps.gc.ca