
DNS Patch is hacked!!! It's the end of the Internet!!! Not really, just kidding. Read on.
Well, I'm continuing my "it's not the end of the world" series. We have been seeing a lot of sensational headlines these last few weeks. Let's start a little bit from the beginning. Start by reading the unixwiz.net article that explains how DNS works and what issue the Kaminsky patch solved. I think most of us can skip this part and move on to the current issue.
So, before the patch, you could poison a DNS server using 32,769 packets or about 10 seconds. After the patch, you need between 134,217,728 and 4,294,967,296 packets. That's an order of magnitude more. Nobody said that the patch was a final solution, just that it was good enough for now, until we find a final solution. As Dan Kaminsky said in his latest post, it's about risk management, not risk elimination. Lori MacVittie had an excellent post today to prove this point: "The Unpossible Task of Eliminating Risk".
Now a Russian researcher has managed to poison a patched BIND DNS server by doing just that: throwing more resources at it. It took him about 10 hours and several hundred thousand packets to poison an entry. He proved what we all knew: we patched our systems to turn an easy exploit into a more difficult one. Ten seconds or ten hours is a big difference. There has been research in the past indicating that DNS cache poisoning was possible (pdf). Nothing has changed at all.
If you are being hit by 10 Mbit/s or more of UDP packets and you are not detecting and monitoring this, you have bigger problems coming, assuming that datastream hasn't already DDoS'ed you. So it's not the end of the world, as we have seen claimed in a lot of articles.
Yes, we need to look for a better solution in the long run. Dan Kaminsky has some suggestions here. Until then, patch and monitor.
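As an added example of the kind of monitoring the post calls for (my own code, not from the original post or from BIND), here is a small detector that flags the signature of a Kaminsky-style flood: a burst of answers for one name whose port/TXID pairs are almost all different, which no legitimate server produces. The record layout, thresholds and the traffic in `constructed_sample()` are constructed assumptions, not a real capture.

```python
"""Flag Kaminsky-style guessing floods in inbound DNS responses seen at a resolver."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    ts: float     # arrival time, seconds
    src: str      # claimed source IP (the "authoritative" server being spoofed)
    dport: int    # UDP port on the resolver the answer was sent to
    txid: int     # 16-bit DNS transaction ID carried in the answer
    qname: str    # name in the question section

def detect_guessing_floods(responses, window=5.0, min_count=100, min_distinct_ratio=0.9):
    """Return {qname: burst_size} for names that received, within `window`
    seconds, at least `min_count` answers whose (dport, txid) pairs are almost
    all different. A real server answers a query once; hundreds of differently
    numbered answers for one name in a few seconds are spoofed guesses."""
    by_name = defaultdict(list)
    for r in sorted(responses, key=lambda r: r.ts):
        by_name[r.qname].append(r)
    flagged = {}
    for qname, rs in by_name.items():
        start = 0
        for end in range(len(rs)):
            while rs[end].ts - rs[start].ts > window:   # slide window forward
                start += 1
            chunk = rs[start:end + 1]
            if len(chunk) < min_count:
                continue
            distinct = len({(r.dport, r.txid) for r in chunk})
            if distinct / len(chunk) >= min_distinct_ratio:
                flagged[qname] = max(flagged.get(qname, 0), len(chunk))
    return flagged

def constructed_sample():
    """Constructed traffic (not a real capture): 300 guessed answers for one
    name in 3 seconds, cycling ports and TXIDs, plus one normal answer each
    for 50 other names."""
    flood = [Response(1000.0 + i * 0.01, "198.51.100.7", 53000 + i % 4,
                      0x1000 + i, "www.bank.example") for i in range(300)]
    normal = [Response(1000.0 + i, "192.0.2.10", 40000 + i, 0x2000 + i,
                       f"host{i}.example.net") for i in range(50)]
    return flood + normal

if __name__ == "__main__":
    print(detect_guessing_floods(constructed_sample()))
```

Retransmitted duplicates of one genuine answer share a port/TXID pair, so they fall below the distinct ratio and are not flagged; only the guessing pattern is.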
(Photo under Creative Commons from swiv's Photostream)
Tuesday
DNS Patch hacked. Well, it's not the end of the world as we know it. RLLY!
1 comment:
Nah, the Russian guy had hundreds of thousands of queries, with 40-50K responses per query. In other words, about the security level we planned for.