Wednesday, July 23, 2008
Today www.matasano.com broke the surprise that had been kept a closely guarded secret by Dan Kaminsky, who was going to go public with the vulnerability on 7th August at the BlackHat Security Conference. Now, what happens in this attack?
The attacker does not directly send spoofed packets to the user for actual domains, for example www.anishshaikh.com. Instead, it sends responses to the user for non-existent domains like anyspoofdomain.anishshaikh.com, and once the transaction ID matches it adds some extra details to the DNS packet for the fake entry: Additional Resource Records that contain a malicious DNS entry for a real domain, which is overwritten by the new spoofed entry. When the user later visits the website whose entry has been spoofed in his DNS cache, he goes to the malicious website instead of the original one.
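To make the Additional-section trick concrete from the resolver's side, here is an added example (not code from the original post) of the simplified "bailiwick" filter a caching resolver applies before caching extra records. It assumes the zone a reply is trusted for is the parent of the queried name (real resolvers use the zone of the nameserver they asked), and models records as (name, type, value) tuples instead of wire-format DNS.

```python
# Added example, not from the original post: a simplified bailiwick filter for
# the Additional section of a DNS response. Assumption: the trusted zone is the
# parent domain of the queried name; records are (name, type, value) tuples.

def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")

def in_bailiwick(zone: str, record_name: str) -> bool:
    """True if record_name is zone itself or a label-wise subdomain of zone.
    A plain string-suffix test would wrongly accept 'evilanishshaikh.com'
    for zone 'anishshaikh.com', so whole labels are compared."""
    z, r = normalize(zone).split("."), normalize(record_name).split(".")
    return len(r) >= len(z) and r[-len(z):] == z

def trusted_zone(query_name: str) -> str:
    """Assumption: the zone we trust the reply for is the query's parent domain."""
    labels = normalize(query_name).split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else normalize(query_name)

def filter_additional(query_name: str, additional: list[tuple[str, str, str]]):
    """Split Additional records into (accepted, rejected) lists."""
    zone = trusted_zone(query_name)
    accepted, rejected = [], []
    for rr in additional:
        (accepted if in_bailiwick(zone, rr[0]) else rejected).append(rr)
    return accepted, rejected

# Constructed sample: a spoofed reply for a random subdomain that smuggles an
# A record for the real website plus records for names outside the zone.
SPOOFED_RESPONSE = {
    "query": "anyspoofdomain.anishshaikh.com.",
    "additional": [
        ("www.anishshaikh.com.", "A", "203.0.113.10"),   # in bailiwick: accepted
        ("www.example-bank.com.", "A", "203.0.113.10"),  # out of bailiwick: dropped
        ("evilanishshaikh.com.", "A", "203.0.113.10"),   # suffix trick: dropped
    ],
}

if __name__ == "__main__":
    ok, dropped = filter_additional(SPOOFED_RESPONSE["query"],
                                    SPOOFED_RESPONSE["additional"])
    print("cached: ", ok)
    print("dropped:", dropped)
```

The record for www.anishshaikh.com is still accepted, which is exactly why guessing the transaction ID for a random name under the target zone works; the filter only keeps a poisoned reply from rewriting entries for unrelated domains.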
What happens when this attack is in progress?
1) This attack will generate a lot of traffic.
2) The user has to first visit a malicious website for the attacker to start guessing transaction IDs.
More details about this attack, published by Matasano, can be found here.
How do I stop this attack from happening on my domain?
Simply add a '*' entry in your DNS server and put in it the IP address of your main website, the one hosting the webpage, for example www.anishshaikh.com. Whenever a user tries to access fake entries such as fakeentry.anishshaikh.com while the attacker is spoofing them, the attacker will fail, because the '*' entry we made gives a valid response and redirects it to www.anishshaikh.com; the attack becomes invalid and the attacker fails. This will only work for your domain: the attacker will not be able to use your domain to spoof entries, and as for the rest of the world.. who cares?