Faster Attacks Break DNS Patches in Under 10 Hours

The Internet remains vulnerable to exploits of a critical security flaw in the Domain Name System, a Russian programmer demonstrated last week. Writing on his blog on Friday, Evgeniy Polyakov posted that he had succeeded in getting patched DNS software to return an incorrect location in less than 10 hours.

His work shows that DNS patches, which had appeared to solve the immediate problem, are insufficient.

At the Black Hat security conference in Las Vegas last week, Dan Kaminsky, director of penetration testing for IOActive, detailed a vulnerability that makes the DNS vulnerable to cache-poisoning attacks, in which a DNS is tricked into rerouting traffic to a malicious Web site. Once users have been taken to the malicious site, a criminal could load their computers with a range of malware.

The vulnerability has actually been around for years, but Kaminsky developed a quicker, more efficient and more reliable means to implement the attack. Patches were developed and everyone running a DNS server was urged to implement the them. But with Polyakov's discovery, are the patches now useless?

The patches deployed as a result of Kaminsky's findings "have always been intended to deliver risk reduction, not entire risk elimination," Andrew Storms, director of security operations for nCircle Network Security, said in an e-mail.

According to Polyakov, "the attack vector is not new, but simply a repeat of Dan's work to a much higher degree of speed," Storms said. The technique basically "add(s) mathematical difficulty of a brute-force attempt, essentially making the attack take so long that it would be unreasonable to be successful."