Dan Kaminsky on DNS, BGP and an Emerging Theme

This year saw several presentations on a number of core vulnerabilities in the internet's architecture, which have served to highlight the folly of believing that anything on the internet is secure these days.

Did anyone ever believe that anyway?

Now Dan Kaminsky, who discovered a fundamental flaw in the Domain Name System earlier this year, has written a post on his blog that puts these security vulnerabilities into context – including the Debian Non-Random Number Generator issue, the SNMPv3 bug and the BGP issue. He looks at how some of these vulnerabilities could be combined for effective attacks and also addresses the likelihood that a BGP attack, as demonstrated by Anton Kapela and Alex Pilosov at the DefCon hacker conference earlier this month, could succeed without being observed.

In comparison to the DNS flaw, he writes that "BGP has far fewer potential attackers, fewer necessary defenders, is a much less agile attack, and is way easier to monitor forensically (and indeed, with companies like Renesys, is being monitored forensically). But so what? It can work, and when it does, it can do much of the same damage we were afraid of via DNS."

But more importantly, he provides a much needed overview of what all of these issues are telling us:

We have now had three attacks, in one year, that underscore the fundamentally untrustworthy nature of routing. DNS, BGP, and SNMPv3 all underscore the fact that the network should only be trusted as a best-effort data transmission system — that if you want to make sure everything’s OK, you can’t just assume — you need to cryptographically authenticate, you need to cryptographically encrypt, and you need to do these things to a level of security beyond “secure unless there’s an attacker.”

A lot of us — myself included, when I first started really looking at SSL — thought we were already distrusting the network. We weren’t. That’s what Mike Perry’s telling us, that’s what Mike Zusman’s telling us, and that’s what I’m telling you.

There are some real discussions to be had. It’s 2008. Where’s secure email? Why is almost every autoupdater not from Microsoft thoroughly broken? What is going on with non-browser network clients that can’t handle traffic from an untrusted server? How are we going to migrate the web, and indeed all commercial network activity, to authenticated and encrypted protocols that respect the fundamentally untrustworthy nature of the network?

DNS vs. BGP vs. SNMPv3 is inside baseball. The reality is as follows:

Weaknesses in authentication and encryption, some which have been known to at least some degree for quite some time and many of which are sourced in the core design of the system, continue to pose a threat to the Internet infrastructure at large, both by corrupting routing, and making those corrupted routes problematic.

The question is what to do about it.

(Photo: Quinn Norton)