Showing posts with label DNS. Show all posts

Tuesday, March 25, 2008

Security: NIST Unveils Tool to Foil Attacks via DNS

NIST Unveils Tool to Foil Attacks via DNS
Government Computer News (03/25/08) Campbell, Dan

National Institute of Standards and Technology (NIST) network researchers Scott Rose and Anastase Nakassis have written a paper that introduces a method federal systems administrators can use to protect their systems from attacks launched over the Domain Name System (DNS). Rose and Nakassis say that the DNS security extensions (DNSSEC), which were originally meant to protect DNS zone data, have an unintentional side effect that enables an attack precursor known as "zone enumeration." Although zone enumeration is possible without DNSSEC, the traditional methods of enumerating a zone are often impractical because they rely on time-consuming or processor-intensive brute-force techniques that are often repelled by intrusion detection systems. Rose and Nakassis also note that there are several techniques that allow networks to realize the intended authentication and integrity benefits of DNSSEC while simultaneously "reducing DNS information leakage." Such techniques are important because the need to protect network operations with methods offered by DNSSEC will only increase as DNS becomes more and more important. In addition, the techniques could improve DNSSEC authentication and integrity protection, which would in turn protect DNS zones and stop attempts to compromise data.

Tuesday, December 11, 2007

Security: DNS Attack Could Signal Phishing 2.0

DNS Attack Could Signal Phishing 2.0
Robert McMillan, IDG News Service


Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.

The study, set to be published in February, takes a close look at "open recursive" DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.



The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a "second secret authority" for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9052198

Wednesday, October 17, 2007

Security: Rebinding Attacks Unbound; DNS rebinding vulnerability

Rebinding Attacks Unbound
Security Focus (10/17/07) Biancuzzi, Federico

Stanford University Ph.D. student Adam Barth participated in a study that determined that Web browsers are still vulnerable to DNS rebinding. He says in an interview that rebinding attacks are successful because browsers and plug-ins employ DNS host names to distinguish between different origins, but browsers do not really communicate with the hosts by name--they must first use DNS to align the host name with an IP address and then communicate with the host through its IP address. DNS rebinding can be used to bypass firewalls or to temporarily commandeer a client's IP address to issue spam email or defraud pay-per-click advertisers. Barth says the solution used to fix the classic DNS rebinding vulnerability--DNS pinning--no longer effectively defends against the vulnerability because today's browsers contain many different technologies that allow network access, such as Java and Flash. These technologies support separate pin databases, but are allowed to communicate within the browser. Barth says an effective defense against firewall circumvention is the configuration of DNS resolvers not to bind host names to internal IP addresses, while host name authorization can prevent DNS rebinding vulnerabilities in the longer term. "I'm hopeful the vendors will reach a consensus to fix these issues using host name authorization, but this requires the vendors to cooperate with each other," he notes. Barth says DNSSEC offers no protection against DNS rebinding attacks because it is designed to prevent pharming, not rebinding. Barth and fellow members of the Stanford Web Security Lab are presenting a paper on DNS rebinding at the 2007 ACM Conference on Computer and Communications Security, Oct. 29-Nov. 2, in Alexandria, Va. For more information about the conference, visit http://www.sigsac.org/ccs.html
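The resolver-side defense Barth describes (not binding external host names to internal IP addresses) can be sketched as an answer filter. This is an added example, not code from the article or the Stanford paper; `filter_answers`, `local_zones`, the host names and the addresses are all constructed for illustration.

```python
import ipaddress

# Address ranges an external host name should never resolve to:
# loopback, RFC 1918, link-local, "this network", IPv6 loopback/ULA/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot slip past the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def in_zone(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def filter_answers(qname, records, local_zones=()):
    """Return (kept, dropped). Records are (name, rtype, rdata) tuples.

    Names inside a configured local zone may legitimately map to internal
    addresses; for every other name, internal A/AAAA answers are dropped.
    """
    if any(in_zone(qname, z) for z in local_zones):
        return list(records), []
    kept, dropped = [], []
    for rec in records:
        _, rtype, rdata = rec
        if rtype in ("A", "AAAA") and is_internal(rdata):
            dropped.append(rec)
        else:
            kept.append(rec)
    return kept, dropped

# Constructed sample answers: the first lookup returns a public address, the
# re-query after the short TTL expires "rebinds" the same name to internal hosts.
FIRST = [("untrusted.example.", "A", "203.0.113.10")]
REBOUND = [("untrusted.example.", "A", "192.168.1.1"),
           ("untrusted.example.", "AAAA", "::ffff:10.0.0.5")]
INTRANET = [("wiki.corp.example.", "A", "10.1.2.3")]

if __name__ == "__main__":
    for q, recs in (("untrusted.example.", FIRST), ("untrusted.example.", REBOUND),
                    ("wiki.corp.example.", INTRANET)):
        print(q, filter_answers(q, recs, local_zones=["corp.example"]))
```

Dropped records are worth logging: an external name that suddenly answers with an internal address is itself a rebinding indicator.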

