Managing Network Security

You're in a Bind!

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


The Devil went down to Georgia

I was in Georgia some time ago looking at their new counter-cybercrime training facilities and meeting with a group working toward defining criteria for doing digital forensics. We were discussing many issues related to network forensics and it was an excellent opportunity to meet and engage with cybercops and other digital forensics folks from around the nation.

Among the folks I met were several of the FBI leads in digital forensics and state and local investigators who have looked at digital evidence of many crimes over a period of many years.

I want to emphasize that I am not pointing any fingers with the comment about the devil going down to Georgia, but I will say that among the folks I met, there was one fellow who always wore a hat and seemed very comfortable with the hot weather we were experiencing.


He was looking for a soul to steal

Some months later, I was contacted by an investigator from Florida who had found the evidence of what I considered to be a rather serious computer break-in and one that concerned me more than a little. This investigator was referred to me by someone I had met in Georgia, which is how I got this connection into the article. In this case, someone had broken into a DNS server (Domain Name Servers translate between host names like all.net and IP addresses like 1.2.3.4), and after some investigation, it was determined that, from this server alone, they had broken into some 500 other DNS servers throughout the United States.

Now to me, the DNS system is pretty much the heart and soul of the Internet. In effect, if the DNS system is subverted, almost all of the traffic on the Internet of use to almost all of its users comes under the control of the attacker. You cannot find all.net and you might be pointed to badguys.org instead! You might be led to a Trojan site (like they did to RSA a few years back), or you could cause network-wide collapse by routing traffic in huge volumes all over the place.

Now in perspective, this attacker had an automated program that had broken into 500 DNS servers from one location and presumably had broken into other servers wherever they could be found as well. The vulnerability likely appeared in a significant portion of the DNS servers at that time and the attacker left no obvious indication of their presence. They did leave reentry capabilities for later, so that even if you updated the vulnerable DNS functions, the attacker was still in.


He was in a bind

The vulnerability that was exploited in the Florida case allowed the attacker to gain control of at least 500 computers. It involved a failure in the DNS server software, but that is only step one in the overall attack. Recently, there have been a number of vulnerabilities discovered in the 'bind' program (the program on the user's computer that looks up DNS entries to figure out where to go). Some are in bind itself, others are in the libraries that support bind.

Now the attacks against bind require that you control a DNS that the bind program is trying to access. If you control a DNS and someone tries to get a DNS result from you, you can send an invalid response that overruns a buffer in the bind daemon. This then results in the owner of the DNS server gaining control over your computer. So if you got control over a DNS server that controlled a domain like www.google.com - the most popular search engine on the Internet today - you could potentially gain control over millions of computers in a matter of hours to days.

So as you see, the devil is now in a bind.


Cause he was way behind

Actually, we are way behind. The attack a few years back was never properly investigated and, perhaps for liability reasons, the site that was entered never did tell the other 500 DNS sites about the attack. So there are at least 500 - perhaps many thousands - of DNS servers that have Trojan horses in them allowing this one attacker or their organization to enter at will and alter the DNS operation. Now we have the time-delayed use of those machines to go the next step - gain control over millions of systems by exploiting the bind problem and dropping in Trojan horses for remote control of those boxes.

Has it been done? Would we know if it had? Well, I can put it simply. There are cases where such activity has now been detected. But that doesn't mean that it has happened on a large scale. On the other hand, if the DISA studies of the early 1990s are any indication, it is likely that the number of reported cases is only a few percent of the detected cases and that the detected cases are well under one percent of the actual cases. That means that there are likely hundreds of thousands or more systems now in the control of this one perpetrator.

If this sounds bad, it is probably far worse. This attack was traced, at one point, to an individual associated with German intelligence, and at another point to a high school student in Ohio. I think the high school student was found.


And he was willing to make a deal

Actually, I am willing to make a deal. Here it is. You need to replace your DNS servers. I don't want you to 'update' them. I want you to create new servers from scratch. Since you need at least two of them to have a domain, you can change one at a time. Make sure that one is running one operating system and the other another. Make sure they have NO common software in them. Make sure that you DO NOT copy over programs, only copy over the domain name tables, and verify them for correctness. Then, generate cryptographic checksums of all software on your system. Store them on physically write-protected media along with a checking program, and run the checking program periodically. Save the originals and if the checksums ever change, turn on the drop-in replacement box you have sitting there, get the forensic evidence, and bring your server back into compliance (or update it to a new version if necessary).
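The checksum-and-check step above can be sketched as follows. This is an added example, not code from the author; it assumes SHA-256 as the cryptographic checksum, and the directory layout and file names in demo() are constructed for illustration.

```python
import hashlib, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root to its digest; symlinks are recorded by target."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            else:
                manifest[rel] = sha256_file(full)
    return manifest

def compare(baseline, current):
    """Return what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed tree standing in for a DNS server's software directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        with open(os.path.join(root, "sbin", "named"), "wb") as f:
            f.write(b"original server binary")
        with open(os.path.join(root, "named.conf"), "w") as f:
            f.write("options {};\n")
        baseline = build_manifest(root)  # in practice kept on write-protected media
        with open(os.path.join(root, "sbin", "named"), "wb") as f:
            f.write(b"altered server binary")     # simulated replaced program
        with open(os.path.join(root, "sbin", "unexpected"), "wb") as f:
            f.write(b"file not in the baseline")  # simulated planted file
        os.remove(os.path.join(root, "named.conf"))
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty list in the result is the signal to switch to the replacement server and preserve the changed system for forensic examination. The check is only trustworthy when both the baseline and the checking program are read from the write-protected media.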

Now I said it was a deal. So here's my side of the bargain. If you do your part, I will not testify against you in the lawsuits and criminal negligence trials that you will face when the big time cyber battles start to go down.

Think it's a bad deal? Think that Force Majeure removes any culpability on your part? Try again. When you go out of business and lose your job, do you really think you will be allowed to keep that nice house of yours when we all find out that your DNS was responsible for the destruction of our systems?


Conclusions

Before drawing any conclusions, I want to thank The Charlie Daniels Band whose words I have used in the titles of my sections in this month's article.

I have been a bit harsh in my deal. I'll back off. If your busted DNS server sends me a bad response that tries to break my bind, I will simply have to act in self defense and take your domain out of service with a large-scale distributed denial of service attack against your site. Or perhaps I will simply show up and cut the wires connecting you to the Internet every day until your DNS no longer does this.

Fix your DNS or feel threatened.


About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over-the-Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/