Dan Kaminsky, the security researcher who discovered the DNS cache poisoning flaw, said he made his discovery while trying to speed up content distribution on the Web.
"I was not intentionally seeking to cause anything that could break the net; I was trying to make the Internet faster."
Dan Kaminsky, Director of Penetration Testing, IOActive Inc.
Kaminsky, director of penetration testing at IOActive Inc., said he was conducting research on how to use DNS to speed up distribution times by finding the fastest server. The flaw was discovered when he was testing how to switch people from one server to the next to control the fastest speeds.
"I was not intentionally seeking to cause anything that could break the net; I was trying to make the Internet faster," Kaminsky said in a webcast conducted Thursday by Jeff Moss, founder and director of Black Hat, as a preview of Kaminsky's upcoming briefing in August at the Black Hat conference in Las Vegas.
Kaminsky said he knew immediately that he discovered a bad issue because the flaw was affecting the way DNS works, not the way it is implemented.
"This bug is core to the design," Kaminsky said. "We have made the exploit thousands if not tens of thousands of time harder to work."
Kaminsky said he was proud of the way the flaw disclosure was handled and happy that vendors lined up to coordinate a massive patch release July 8. By keeping the details private, IT administrators had 13 days to deploy the patches, he said.
"Everyone wants to believe that their scenario is safe," Kaminsky said. "If source ports are not randomized you are not safe."
According to Kaminsky, the coordinated patch release wasn't perfect, but he pointed to some statistics from a DNS checker tool on his Doxpara Research blog that shows the patches are being deployed. On July 8, 86% of the people using the tool were vulnerable to DNS cache poisoning. As of July 24, 52% of those tested where vulnerable, he said.
"It's not perfect," Kaminsky said. "I am nothing but thankful for all the IT administrators who have done thousands upon thousands of hours of work already."
Kaminsky acknowledged Halvar Flake for correctly guessing the details of the flaw. Flake, a noted reverse engineer and CEO of SABRE Security GmbH, raised a stir among security researchers for exposing the details in a blog post just 13 days after the patches were released. Flake also criticized the attention being given to the flaw, calling it overblown.
Joao Damas, senior program manager at the SANS Internet Storm Center (ISC), called the flaw serious and said he wished administrators had more time to deploy the patches.
"Even though some people think that this is a combination of things that were previously known, there is one new factor that makes a complete difference in how effective attacks can be," Damas said. "They can be extremely effective so please patch immediately."
There's another reason why administrators should patch their systems immediately, said Jerry Dixon, director of the national cyber security division at the Department of Homeland Security. Metasploit Project founder H.D. Moore released the exploit for the recent DNS cache poisoning vulnerability via his Metasploit Framework. Using the framework, an attacker wouldn't have to build the exploit from scratch.
"When you're going down a road there's always a chance in getting injured in car accident, so in this case the patch is your seatbelt; make sure you use it and apply it," Dixon said.