Detailed Report on the DNS Spoofing Attack (CVE-2008-1447) Exploit

Added on  2019/09/20

Contents
Executive Summary
Technical Description
Exploitation Description
Attack Vector
Exploitation Scenario
Mitigation
Remediation
References
Executive Summary
This paper describes the DNS vulnerability tracked as CVE-2008-1447, more commonly
known as the DNS spoofing or DNS cache poisoning attack. It was discovered by Dan
Kaminsky and allows an attacker to poison recursive name servers: the servers that
receive queries from clients and forward them to the authoritative name server for the
requested domain. The attack combines a long-known technique, guessing the transaction
ID of an in-flight query and answering it with a forged reply, with two refinements that
make it practical: the attacker triggers queries for random, non-existent names so that
every query is a fresh race rather than one blocked by a cached answer, and the forged
reply carries a name server (NS) record and glue that point the recursive server at an
authoritative server of the attacker's choice [2]. The paper describes the vulnerability
in detail, walks through an exploitation scenario in which the attack is carried out, then
covers mitigation, meaning the steps a user or administrator can take to reduce the threat
or its impact, and finally remediation of the vulnerability.
Technical Description
Exploitation Description
This vulnerability lies in the DNS protocol itself and is not specific to any particular
implementation. A resolver matches each incoming response to a query it previously sent
using the 16-bit transaction ID (Query ID) field in the DNS header, together with the UDP
port the query was sent from and the question section. Because the ID is only 16 bits
long there are just 65,536 possible values, and on a resolver that sends every query from
the same UDP port the ID is the only value an attacker has to guess. A forged response
that arrives before the genuine one and carries the right ID is accepted and cached. The
attacker can therefore poison the cache so that it no longer points at the genuine
authoritative server but at a server of the attacker's choosing, and every client that
asks that resolver for the affected domain is redirected to the attacker's host. For
instance, an attacker who hijacks www.google.com on a vulnerable resolver can send users
to a server that serves malware, or, more subtly, can stand up a look-alike site and
capture usernames, passwords and financial details, depending on the website hijacked.
Poisoning a domain's MX records lets the attacker receive its mail; chat traffic and any
other service whose client relies on name resolution can be intercepted in the same way,
and combined with other attacks the damage can be made worse still.
Attack Vector
As mentioned above, the attacker targets recursive servers, the name servers that accept
queries from clients and forward them to an authoritative name server. The attack is a
novel way of poisoning the recursive server's cache so that the server still accepts
client queries but no longer forwards them to the genuine authoritative server; instead
they go to a server of the attacker's choice. The weakness is that the Query ID the
recursive server uses to match replies is only 16 bits long, which makes it feasible for
the attacker to guess it and poison the cache [1].
Exploitation Scenario
1. The attacker needs to learn the UDP port from which the recursive server sends its
queries, because that is the destination port the forged replies must be sent to.
2. This is easily found with a third-party DNS test service, or by observing the
resolver's outgoing queries; on an unpatched server the port stays fixed for the
lifetime of the process.
3. Once the port is known, the attacker sends the server a large number of DNS queries,
each asking for a different random host name under the target domain.
4. None of these names is in the cache, so the server is forced to send a new query to
the domain's authoritative name server for every one of them.
5. The attacker follows each query with a flood of forged replies to the known port,
each carrying a guessed TXID. Since the ID is a 16-bit number, a single guess succeeds
with probability 1/65,536 and the forged reply must also beat the genuine one, so the
odds per query are low on a slow connection. A lost race costs nothing, however, because
the next random name starts a fresh race, and with a fast connection against a
vulnerable server the attack succeeds in roughly 10 seconds [3].
6. The forged reply that wins does not merely answer the random name: its authority and
additional sections name a server controlled by the attacker as the authoritative name
server for the whole domain. From then on, every time an end user asks the poisoned
resolver for any name in that domain, the resolver fetches the answer from the
attacker's DNS server.
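To make steps 1 to 6 concrete, the following Python is an added example written for this page; it is not code from the original report or from any of the cited advisories. It models a simplified resolver and attacker. The ephemeral port range 1024 to 65535, the fixed port 53 for the unpatched case, the zone example.com and the attacker address 203.0.113.5 are assumptions chosen for illustration. It also goes one step beyond the scenario by running the same race against a resolver that randomises its source port, which is what the patches discussed under Mitigation do.

```python
"""Toy model of the race in steps 1-6 above.

Added example, not code from the original report. It assumes a simplified
resolver that accepts the first reply whose destination port, transaction ID
and question match an outstanding query, and that caches NS and glue records
from a reply only when they fall inside the zone being queried (bailiwick).
"""
import random

ID_SPACE = 1 << 16                   # 16-bit transaction ID: 65,536 values
PORT_LOW, PORT_HIGH = 1024, 65535    # assumed ephemeral range once ports are randomised
PORT_SPACE = PORT_HIGH - PORT_LOW + 1
FIXED_PORT = 53                      # assumed fixed source port of an unpatched resolver


def hit_probability(forged_per_query, port_randomised):
    """Chance that one query is poisoned when the attacker fires
    `forged_per_query` independent guesses at it (guesses drawn with replacement)."""
    space = ID_SPACE * (PORT_SPACE if port_randomised else 1)
    return 1.0 - (1.0 - 1.0 / space) ** forged_per_query


def expected_queries(forged_per_query, port_randomised):
    """Expected number of random-name queries until the first race is won."""
    return 1.0 / hit_probability(forged_per_query, port_randomised)


class ToyResolver:
    def __init__(self, rng, port_randomised):
        self.rng = rng
        self.port_randomised = port_randomised
        self.cache = {}              # (name, rrtype) -> rdata

    def send_query(self, qname):
        """Choose the TXID and UDP source port for an outgoing query."""
        port = self.rng.randint(PORT_LOW, PORT_HIGH) if self.port_randomised else FIXED_PORT
        return {"qname": qname, "txid": self.rng.randrange(ID_SPACE), "port": port}

    def receive(self, pending, reply):
        """Accept a reply only if port, TXID and question all match the pending query."""
        if (reply["port"], reply["txid"], reply["qname"]) != (
                pending["port"], pending["txid"], pending["qname"]):
            return False
        self.cache[(reply["qname"], "A")] = reply["answer"]
        zone = reply["qname"].split(".", 1)[1]
        # Bailiwick rule: extra records are cached only when they sit at or under
        # the queried zone. The attacker's NS/glue for the zone itself passes.
        for name, rrtype, rdata in reply["extra"]:
            if name == zone or name.endswith("." + zone):
                self.cache[(name, rrtype)] = rdata
        return True


def simulate_attack(seed, port_randomised, forged_per_query, max_queries,
                    zone="example.com", attacker_ip="203.0.113.5"):
    """Run races until the zone's NS record is poisoned or max_queries elapse.

    Returns (queries_needed_or_None, resolver_cache)."""
    resolver = ToyResolver(random.Random(seed), port_randomised)
    attacker = random.Random(seed + 1)
    for i in range(1, max_queries + 1):
        # Step 3: a fresh random name means a fresh race; nothing cached blocks it.
        qname = f"{attacker.getrandbits(32):08x}.{zone}"
        pending = resolver.send_query(qname)
        for _ in range(forged_per_query):
            # Step 5: forged reply to the known (or guessed) port with a guessed TXID.
            port = attacker.randint(PORT_LOW, PORT_HIGH) if port_randomised else FIXED_PORT
            forged = {
                "qname": qname, "txid": attacker.getrandbits(16), "port": port,
                "answer": attacker_ip,
                # Step 6: the payload that matters is NS + glue for the whole zone.
                "extra": [(zone, "NS", "ns1." + zone), ("ns1." + zone, "A", attacker_ip)],
            }
            if resolver.receive(pending, forged):
                return i, resolver.cache
        # The genuine reply (NXDOMAIN for the random name) now closes this race.
    return None, resolver.cache


if __name__ == "__main__":
    print("expected queries, fixed port, 100 guesses each: %.0f" % expected_queries(100, False))
    print("expected queries, random port, 100 guesses each: %.0f" % expected_queries(100, True))
    n, cache = simulate_attack(1, False, 100, 20000)
    print("fixed port: poisoned after", n, "queries; NS now", cache[("example.com", "NS")])
    n, _ = simulate_attack(1, True, 100, 200)
    print("random port: poisoned after", n, "queries (None = not within budget)")
```

With 100 forged replies per query the fixed-port resolver is poisoned after a few hundred random-name queries on average, while the port-randomising one needs tens of millions; afterwards the cache holds the attacker's NS and glue for the whole zone, which is exactly the outcome of step 6.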
Mitigation
a) As a website owner or server administrator running BIND (or any other caching resolver):
a. Apply the vendor's security patches for the caching resolver. The fix randomises
the UDP source port of outgoing queries, so an attacker has to guess the port as
well as the 16-bit ID.
b. Check the firewall and NAT in front of the resolver: outbound queries must keep
their randomised source ports rather than being rewritten to a fixed port or a
small range, which would undo the patch, and recursion should be restricted to the
clients that need it.
c. Serve websites, mail and other services over TLS (SSL) with valid certificates,
whether on Windows Server or elsewhere. This limits what an attacker gains from
redirecting users, since the attacker's server cannot present a valid certificate
for the hijacked name; it does not, however, stop the resolver's cache from being
poisoned.
d. Monitor for NXDOMAIN responses from valid authoritative sources. The attack
generates a burst of queries for random, non-existent names, so a sudden increase
in such replies, particularly under a single domain, suggests the resolver is
being attacked [4].
b) As an end-user
a. Make sure the address shown in the browser is the one intended.
b. Check that the site is served over HTTPS with a certificate issued by a trusted
authority. A poisoned resolver sends the browser to the attacker's address while
the domain name still looks correct, so a certificate warning is often the only
visible symptom.
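The following Python is an added detection sketch for item (d) above; it is not code from the original report or from any vendor. The attacker's flood of queries for random names (step 3 of the scenario) is answered by the genuine authoritative server with NXDOMAIN, so a burst of NXDOMAIN replies for many distinct names under one zone is the footprint to look for. The one-line-per-response log format it parses is constructed for the example, and the rule that a zone is the last two labels of a name is a simplifying assumption.

```python
"""Detection sketch for mitigation item (d) above.

Added example, not code from the original report. The log format here is
constructed for the example (one response per line); adapt `parse_line` to
what your resolver really logs.
"""
import random
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) rcode (?P<rcode>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def registrable_zone(qname):
    """Assumed two-label zones (example.com); use a public-suffix list in practice."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_nxdomain_bursts(lines, window_seconds=10, threshold=50):
    """Return {zone: peak} for zones where at least `threshold` distinct names got
    NXDOMAIN within any `window_seconds` window."""
    per_zone = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec["rcode"] == "NXDOMAIN":
            per_zone[registrable_zone(rec["qname"])].append((rec["ts"], rec["qname"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for zone, events in per_zone.items():
        events.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, qname in events:
            in_window[qname] += 1
            # Slide the left edge forward until everything counted is within the window.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[zone] = peak
    return alerts


def constructed_sample():
    """Constructed log: a minute of normal traffic plus a 5-second attack burst."""
    rng = random.Random(7)
    base = datetime(2019, 9, 20, 10, 0, 0)
    lines = []
    for i in range(8):       # a handful of genuine typos, scattered over the minute
        ts = base + timedelta(seconds=rng.randint(0, 59))
        lines.append(f"{ts.isoformat()} client 192.0.2.{10 + i} query typo{i}.example.net A rcode NXDOMAIN")
    for i in range(40):      # ordinary successful lookups
        ts = base + timedelta(seconds=rng.randint(0, 59))
        lines.append(f"{ts.isoformat()} client 192.0.2.{50 + i % 5} query www.example.org A rcode NOERROR")
    for _ in range(300):     # the attack: random labels under the target zone
        ts = base + timedelta(seconds=20, milliseconds=rng.randint(0, 5000))
        lines.append(f"{ts.isoformat()} client 198.51.100.7 query {rng.getrandbits(32):08x}.example.com A rcode NXDOMAIN")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for zone, peak in find_nxdomain_bursts(constructed_sample()).items():
        print(f"possible poisoning attempt against {zone}: {peak} distinct NXDOMAIN names in 10s")
```

Counting distinct names rather than raw NXDOMAIN replies is deliberate: a single misconfigured client retrying one bad name all day produces many NXDOMAINs but only one name, while the attack produces a new name for every race.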
Remediation
a. The lasting solution is to deploy DNSSEC [5]: zone data is signed, so a validating
resolver rejects a forged answer regardless of whether the attacker guessed the ID
and port.
b. Enable DNSSEC validation on the recursive resolver; signing a zone alone does not
protect clients whose resolver does not validate.
c. Install the security patches from the respective vendors so that the resolver
randomises its source ports and the vulnerability is fully addressed.
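An added example of what the mitigation and remediation items look like in a BIND 9 configuration, written for this page rather than taken from the report or from ISC documentation. The directory, the client ranges and the port range are placeholders, and the DNSSEC line assumes BIND 9.8 or later.

```conf
// Added example (not from the original report): BIND 9 "options" blocks, with
// the setting that makes the race easy shown next to the corrected form.

// WEAK: one fixed outgoing port. The attacker learns it once (scenario step 1)
// and from then on only the 16-bit TXID is left to guess.
options {
    directory "/var/named";            // placeholder
    recursion yes;
    query-source address * port 53;    // pins every outgoing query to port 53
};

// CORRECTED: no fixed port, recursion limited to your own clients, and DNSSEC
// validation so a forged answer is rejected even if port and TXID are guessed.
options {
    directory "/var/named";            // placeholder
    recursion yes;
    allow-recursion { 192.0.2.0/24; 2001:db8::/32; };   // placeholder client ranges
    // No "query-source ... port" clause: a patched BIND picks a random source
    // port for each query. The range can be stated explicitly if needed:
    use-v4-udp-ports { range 1024 65535; };
    dnssec-validation auto;            // BIND 9.8+: validate with the built-in root trust anchor
};
```

After changing the configuration, confirm from the outside that the resolver's queries really do leave on varying ports; a NAT device in the path that rewrites them to a fixed port silently reintroduces the weak state.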
References
[1] D. Kaminsky, "Dan Kaminsky's 2008 DNS Vulnerability," 2008.
[2] Nominum, "Software Security Advisory NOM-20080708," 2008.
[3] "Common Vulnerability Scoring System v3.0," 2014.
[4] "K8938: BIND DNS cache poisoning vulnerability," 2016.
[5] "CVE-2008-1447: DNS Cache Poisoning Issue ("Kaminsky bug")," Internet Systems Consortium Knowledge Base, Kb.isc.org, 2018. [Online]. Available: https://kb.isc.org/article/AA-00924/0/CVE-2008-1447%3A-DNS-Cache-Poisoning-Issue-Kaminsky-bug.html. [Accessed: 22 Apr 2018].