Multiple defenses offer the best protection against insidious security threats. Sandy Wilbourn explains what the Kaminsky DNS cache poisoning flaw is and how to safeguard your company’s network.
In addition, Network Address Translation (NAT), firewalls, load balancers, and other devices in the network may de-randomize UDP source ports, rendering this protection less effective. For these reasons, it is essential that other defenses are available and enabled.
- A secure mode of DNS operation when a potential attack is detected is another useful defense. The DNS server should be able to switch from a UDP to a TCP connection when mismatched query parameters are observed (a sign an attack may be underway). This allows an attacker only one chance to send a fake DNS answer for each fake DNS question, which both slows the progress of an attack and significantly reduces the probability of success (potentially by hundreds of times).
- The single most important defense provides protection when an attacker gets lucky and correctly guesses query parameters, thus beating other defenses. This defense screens DNS query responses and discards potentially harmful information in the response, such as additional information that delegates DNS answers to a server that is controlled by the attacker. This protects the DNS server in ways a firewall, IPS or any other external device cannot.
- Finally, the DNS server should alert IT to unusual DNS activity and provide specific details so that remedial action can be taken.
Additional Defenses with Routers, Firewalls and IPS
In the first step of the Kaminsky attack, fake questions are sent to a caching server. To succeed at sending fake questions, an attacker needs to spoof an address on the enterprise network. Firewalls and routers can be configured to provide excellent protection against external users spoofing an internal IP address. Keep the following in mind:
- Be sure to configure firewall rules, router Access Control Lists (ACLs) or Reverse Path Forwarding (RPF) checks to prevent external users from spoofing an internal IP address. This will block external users from initiating internal, recursive DNS queries.
- Another important consideration is verifying that firewalls in the path of the DNS server do not de-randomize the UDP source ports used in DNS queries coming from the caching DNS server out to the Internet. There may be configuration options on the firewall or it may be necessary to contact the vendor. This is important because one of the defenses against the Kaminsky attack relies on random UDP source ports.
IPS is another important part of the security equation and provides an additional layer of defense. IPS inspects application data flows, detects threats using algorithms that identify anomalous behavior, and sends alerts.
- Sending multiple fake responses to the caching name server will increase the chances of a successful cache poisoning attack. IPS signatures can detect anomalous DNS packet rate behavior, and vendors are responding with features that will make it simple to implement such signatures. This will regulate the number of fake response packets to the DNS server.
- Both firewalls and IPS should be configured to send alerts to a Security Information and Event Management (SIEM) server, or a management server, when they see multiple fake responses from a single source to a DNS query. This will help in alerting and providing remedies against cache poisoning attacks.
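As an added example (not code from this article, Nominum or any vendor), the following Python sketches the server-side checks described above: responses whose transaction ID or port do not match the outstanding query are counted per source, a repeat offender triggers a TCP retry and an alert for the SIEM, and authority and additional records outside the bailiwick of the zone being queried are discarded before anything reaches the cache. The record format, names, addresses and the fallback threshold are constructed assumptions.

```python
# Added illustration of resolver-side response screening; not Nominum's code.
# Records are (name, type, rdata) tuples, not wire format; values are constructed.
from collections import Counter
from dataclasses import dataclass, field

TCP_FALLBACK_THRESHOLD = 3  # assumed: mismatches before retrying over TCP


@dataclass
class Query:
    qname: str      # name being resolved
    bailiwick: str  # zone the queried server is responsible for
    txid: int       # 16-bit transaction ID
    sport: int      # randomized UDP source port


@dataclass
class Response:
    src_ip: str
    txid: int
    dport: int      # port the response arrived on
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone apex or lies below it (case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


class ResponseScreen:
    def __init__(self):
        self.mismatches = Counter()  # mismatched responses per (src_ip, qname)
        self.use_tcp = set()         # names to re-query over TCP
        self.alerts = []             # messages for the SIEM / IT staff

    def screen(self, q: Query, r: Response):
        """Return records safe to cache, or None when the response is dropped."""
        if (r.txid, r.dport) != (q.txid, q.sport):
            key = (r.src_ip, q.qname)
            self.mismatches[key] += 1
            if self.mismatches[key] == TCP_FALLBACK_THRESHOLD:
                self.use_tcp.add(q.qname)
                self.alerts.append(f"{r.src_ip}: {self.mismatches[key]} "
                                   f"mismatched responses for {q.qname}")
            return None
        # Answers must be for the name asked; authority and additional data
        # is kept only if it belongs to the zone the queried server serves.
        keep = [rec for rec in r.answer if rec[0].lower() == q.qname.lower()]
        keep += [rec for rec in r.authority + r.additional
                 if in_bailiwick(rec[0], q.bailiwick)]
        return keep
```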
Properly implementing a defense-in-depth approach that includes a combination of firewalls, IPS and intelligent DNS servers with layers of defense will provide total protection against DNS cache poisoning.
Sandy Wilbourn is the vice president of engineering at Nominum and also the co-founder and former security blogger at Determina.