Stories with Tag DNSSEC

• An illustrated guide to the Kaminsky DNS vulnerability (2008)

  permalink

  Posted: 2025-02-25 10:54:37

  Verbose tl;dr

  The Kaminsky DNS vulnerability exploited a weakness in DNS resolvers' handling of NXDOMAIN responses (indicating a nonexistent domain). Attackers could forge responses for nonexistent subdomains, poisoning the resolver's cache with a malicious IP address. The small size of the DNS response ID field (16 bits) and predictable transaction IDs made it relatively easy for attackers to guess the correct ID, allowing the forged response to be accepted. This enabled them to redirect traffic intended for legitimate websites to malicious servers, facilitating phishing and other attacks. The vulnerability was mitigated by increasing the entropy of transaction IDs, making them harder to predict and forged responses less likely to be accepted.

  Dan Kaminsky's 2008 DNS vulnerability exploited a critical weakness in the DNS protocol, specifically its susceptibility to cache poisoning. This comprehensive guide illustrates the mechanics of this attack and its severity. The fundamental issue stems from the limited number of ports used for DNS queries (port 53 UDP) and the predictable, incremental nature of transaction IDs. When a client requests a domain name resolution, the DNS resolver queries an authoritative nameserver for the correct IP address. This query includes a transaction ID, which the resolver uses to match the response from the nameserver to the original request.

  Kaminsky discovered that an attacker could exploit this system by flooding a DNS resolver with spoofed responses to the client's original query, each with a different, guessed transaction ID. Due to the limited range of these IDs (16 bits, allowing for 65,536 possibilities) and the speed at which responses could be generated, an attacker had a reasonable chance of guessing the correct ID before the legitimate response arrived.

  The attack is further facilitated by the open nature of UDP and the lack of authentication in standard DNS. This allows the attacker to send spoofed responses from any source address, masquerading as the authoritative nameserver. If a spoofed response with the correct transaction ID arrives first, the resolver caches this false information, effectively poisoning the cache. Subsequent requests for the same domain name will then resolve to the attacker's malicious IP address, potentially redirecting users to phishing sites or other malicious servers.

  The guide meticulously details the steps involved, starting with the client's initial query and the resolver's subsequent query to the authoritative nameserver. It then illustrates the attacker's strategy of sending multiple spoofed responses with varying transaction IDs and forged information pointing to a malicious server. The critical moment occurs when one of these spoofed responses matches the original transaction ID, leading the resolver to accept the forged data as legitimate. The illustration clearly shows the poisoned cache entry, highlighting the potential for widespread impact as other clients querying the same resolver are also directed to the malicious server.

  The gravity of this vulnerability stemmed from its potential for large-scale attacks targeting any DNS resolver. This could have allowed attackers to redirect vast swathes of internet traffic to malicious destinations, severely compromising online security and trust. The illustrated guide effectively conveys the technical intricacies of the attack, emphasizing the vulnerability's simplicity and potentially devastating consequences, which prompted a swift and widespread patching effort across the internet infrastructure. The guide concludes by highlighting the importance of patching DNS servers and implementing security measures to mitigate the risk of similar vulnerabilities in the future.

  • dns
  • Kaminsky
  • Vulnerability
  • DNS Cache Poisoning
  • Security
  • networking
  • Illustrated Guide
  • 2008
  • Dan Kaminsky
  • DNSSEC

  Summary of Comments ( 2 )
  https://news.ycombinator.com/item?id=43170343

  Verbose tl;dr

  The Hacker News comments on the illustrated guide to the Kaminsky DNS vulnerability largely praise the clarity and helpfulness of the guide, especially its visual aids. Several commenters reminisce about dealing with the vulnerability when it was discovered, highlighting the urgency and widespread impact it had at the time. Some discuss technical details, including the difficulty of patching all affected DNS servers and the intricacies of the exploit itself. One commenter points out that the same underlying issue (predictable transaction IDs) has cropped up in other protocols besides DNS. Another emphasizes the importance of the vulnerability's disclosure and coordinated patching process as a positive example of handling security flaws responsibly. A few users also link to related resources, including Dan Kaminsky's own presentations on the vulnerability.

  The Hacker News post titled "An illustrated guide to the Kaminsky DNS vulnerability (2008)" has several comments discussing various aspects of the vulnerability and its impact.

  Several commenters praised the clarity and helpfulness of the illustrated guide, finding it much easier to understand than other explanations they had encountered. They appreciated the visual approach and how it broke down a complex topic into digestible parts. One commenter mentioned how valuable this guide was for educational purposes, making it easier to teach the vulnerability to others.

  A significant portion of the discussion revolved around the practical implications of the vulnerability and the scramble to patch systems in 2008. Commenters shared anecdotes about the urgency of the situation and the widespread effort required to mitigate the risk. Some discussed the challenges of patching diverse systems and the pressure to act quickly. One commenter recounted their experience of being called in on a weekend to apply emergency patches. Another highlighted the importance of DNSSEC as a long-term solution.

  Some comments delved into the technical details of the vulnerability, exploring aspects like the birthday paradox, the role of source port randomization, and the specific techniques used in the exploit. One commenter provided a more concise summary of the vulnerability, focusing on the key elements of the attack. Another discussed the difficulty of predicting transaction IDs due to the birthday paradox. Several commenters corrected or clarified technical details mentioned in other comments, ensuring accuracy in the discussion.

  A few comments touched on Dan Kaminsky's role and contribution. They acknowledged his responsible disclosure and the collaborative effort to patch the vulnerability before it was widely exploited.

  There's a thread discussing how the vulnerability highlighted the fragility of the internet infrastructure and the importance of security best practices. Some users discussed the implications for other protocols and the need for ongoing vigilance against similar vulnerabilities.

  Finally, a few comments mentioned related vulnerabilities and attacks, expanding the scope of the discussion beyond the specific Kaminsky DNS vulnerability. One commenter pointed out how this incident paved the way for improvements in DNS security and served as a valuable learning experience for the industry.

• Mastercard DNS error went unnoticed for years

  permalink

  Posted: 2025-01-22 15:25:57

  Verbose tl;dr

  A misconfigured DNS record for Mastercard went unnoticed for an estimated two to five years, routing traffic intended for a Mastercard authentication service to a server controlled by a third-party vendor. This misdirected traffic included sensitive authentication data, potentially impacting cardholders globally. While Mastercard claims no evidence of malicious activity or misuse of the data, the incident highlights the risk of silent failures in critical infrastructure and the importance of robust monitoring and validation. The misconfiguration involved an incorrect CNAME record, effectively masking the error and making it difficult to detect through standard monitoring practices. This situation persisted until a concerned individual noticed the discrepancy and alerted Mastercard.

  Brian Krebs, in a post titled "Mastercard DNS error went unnoticed for years" on KrebsOnSecurity, reports on a significant yet surprisingly long-lived DNS misconfiguration affecting Mastercard that persisted undetected for an estimated two to five years. This error, stemming from a typographical mistake in a single digit within a critical DNS record, directed traffic intended for Mastercard's payment gateway to an internal server. This internal server, ill-equipped to handle the massive volume of external requests, silently discarded these transactions without logging or alerting relevant parties.

  The misconfiguration specifically impacted a domain crucial for processing “Click to Pay” transactions, Mastercard's online checkout system designed for seamless and secure online purchases. While the primary Mastercard payment gateway remained unaffected, the erroneous DNS record meant that any merchant utilizing this particular “Click to Pay” domain experienced transaction failures. This resulted in a substantial but unquantified number of failed payments for customers attempting to use the service through affected merchants.

  Remarkably, the error went unnoticed for an extended period due to several compounding factors. Primarily, the silent failure mode of the internal server meant no error messages or notifications were generated. This lack of feedback combined with a potential lack of robust monitoring and alerting systems around “Click to Pay” transactions created a blind spot where the issue could persist undetected. Furthermore, the affected domain appears to have been less commonly used than the primary payment gateway, further reducing the visibility of the problem.

  The issue was ultimately discovered and reported by a security researcher who prefers to remain anonymous. This individual, after encountering repeated payment failures, investigated the DNS records and identified the single-digit typo. Upon notification, Mastercard swiftly rectified the error, restoring functionality to the affected domain. While the financial impact of the failed transactions remains undisclosed, the incident highlights the potential consequences of even minor DNS misconfigurations, especially within critical financial infrastructure, and emphasizes the importance of comprehensive monitoring and alerting mechanisms. The incident also underscores the crucial role security researchers play in identifying and reporting vulnerabilities, even those as seemingly mundane as a typographical error. The silent nature of the failure raises concerns about the potential for similar undetected issues to exist within complex online systems.

  • Mastercard
  • dns
  • Error
  • Security
  • Cybersecurity
  • DNSSEC
  • Domain Name System
  • Outage
  • Vulnerability
  • Internet Infrastructure
  • Financial Services
  • Technology
  • KrebsOnSecurity
  • Brian Krebs

  Summary of Comments ( 171 )
  https://news.ycombinator.com/item?id=42793783

  Verbose tl;dr

  HN commenters discuss the surprising longevity of Mastercard's DNS misconfiguration, with several expressing disbelief that such a basic error could persist undetected for so long, particularly within a major financial institution. Some speculate about the potential causes, including insufficient monitoring, complex internal DNS setups, and the possibility that the affected subdomain wasn't actively used or monitored. Others highlight the importance of robust monitoring and testing, suggesting that Mastercard's internal processes likely had gaps. The possibility of the subdomain being used for internal purposes and therefore less scrutinized is also raised. Some commenters criticize the article's author for lacking technical depth, while others defend the reporting, focusing on the broader issue of oversight within a critical financial infrastructure.

  The Hacker News post titled "Mastercard DNS error went unnoticed for years" has generated several comments discussing the implications of the KrebsOnSecurity article about Mastercard's long-standing DNS misconfiguration.

  Several commenters express surprise and concern over the length of time – reportedly years – that this misconfiguration persisted. Some speculate about the potential reasons for this oversight, including a lack of proper monitoring or alerting systems, complacency, and insufficient testing procedures. One commenter highlights the irony of a financial giant like Mastercard experiencing such a basic infrastructure issue.

  The discussion touches on the potential consequences of this DNS error. While Krebs' article doesn't mention any specific negative impacts, commenters suggest possibilities like performance degradation or even potential security vulnerabilities. One commenter raises the possibility that Mastercard may have relied on other mechanisms for internal communication, minimizing the impact of the faulty external DNS.

  The conversation also delves into the technical aspects of the issue, with commenters discussing the intricacies of DNSSEC, CAA records, and other DNS-related technologies. Some commenters point out the importance of redundant DNS servers and robust monitoring practices to prevent similar issues. One commenter speculates about the specific tools and processes Mastercard likely uses for DNS management.

  A few commenters question the accuracy or completeness of Krebs' reporting, suggesting that there might be more to the story than what's been revealed. Others offer alternative explanations for the observed behavior, positing that the misconfiguration might have been intentional or related to specific testing or staging environments.

  Several comments also highlight the broader implications of this incident for the industry, emphasizing the need for better DNS management practices and increased awareness of potential vulnerabilities. One commenter points to the increasing complexity of modern IT infrastructure and the challenges of maintaining reliable and secure systems.

  Finally, some commenters offer humorous takes on the situation, poking fun at Mastercard's apparent oversight and the potential consequences of such a basic error.