It’s been more than six months since Dan Kaminsky detailed the problems he had found lurking in the DNS system, and the coordinated patching effort that followed his discovery was nothing short of extraordinary. A huge percentage of the vulnerable servers were patched before the details of the flaw came out, thanks to behind-the-scenes work by Kaminsky, Microsoft, CERT and others.
But, despite the success, Kaminsky said there are still serious dangers lurking in the DNS system, and that even the small percentage of vulnerable servers represents a serious threat. During a talk at the Black Hat DC conference in February, Kaminsky said that about one to three percent of DNS servers have had a confirmed cache-poisoning event.
“There’s been an increasing amount of attacks in January. That’s not good,” he said. “The bad guys can attack more caches than we can defend.”
Kaminsky said that he also has seen evidence of effective DNS-based attacks against mail servers and other parts of the infrastructure. He detailed several types of attacks that are possible as a result of the weaknesses in the DNS system, as well as in other parts of the security infrastructure, including SSL.
“SSL is a disaster zone, with half the servers out there not even identifying themselves,” he said. “You start a session and all you did was create encryption to some guy you don’t know. But none of this should matter. None of these important systems should be vulnerable.”