Boiling the DNS puddle
I'm still rather haunted by Dan Kaminsky's DNS presentation from last week's Black Hat conference. As I mentioned in my Day 1 wrap-up, you forget how pretty much everything you do is dependent on having trustworthy DNS. Dan showed that DNS is anything but trustworthy.
So I spent some time trying to figure out how to solve the problem. Sure, a lot of really smart folks spent some time doing the same. And they couldn't really see a tangible answer, so they are pushing towards source port randomization to at least minimize the likelihood that the DNS cache will be poisoned via a Kaminsky attack.
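To put a number on "minimize the likelihood", here is an added back-of-the-envelope model (not code from the original post) of how much harder a blind forged reply becomes when the resolver randomizes its source port in addition to the 16-bit transaction ID; the 1024-65535 port range is an assumption.

```python
import math

TXID_BITS = 16                    # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = (1024, 65535)   # assumed range the resolver draws ports from


def guess_space(randomize_port=True, port_range=EPHEMERAL_PORTS):
    """Number of (TXID, source port) pairs a forged reply must match exactly.

    With a fixed source port only the TXID must be guessed; with port
    randomization the reply must also land on the right port.
    """
    txids = 2 ** TXID_BITS
    if not randomize_port:
        return txids
    lo, hi = port_range
    return txids * (hi - lo + 1)


def p_poisoned(forged_replies, space):
    """Probability that at least one of `forged_replies` blind guesses matches.

    Guesses are modelled as independent draws from `space` (the usual
    approximation across repeated Kaminsky-style races).
    Computed as 1 - (1 - 1/space)**n via log1p/expm1 to avoid cancellation.
    """
    return -math.expm1(forged_replies * math.log1p(-1.0 / space))


def forged_needed(space, target=0.5):
    """Smallest number of forged replies giving at least `target` probability
    of one matching the outstanding query."""
    return math.ceil(math.log(1.0 - target) / math.log1p(-1.0 / space))


def bits_of_entropy(space):
    """Effective unpredictability a resolver puts into each query."""
    return math.log2(space)


if __name__ == "__main__":
    for label, rnd in (("fixed port", False), ("randomized port", True)):
        s = guess_space(rnd)
        print(f"{label}: {bits_of_entropy(s):.1f} bits, "
              f"{forged_needed(s):,} forged replies for a 50% chance")
```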
Part of the luxury of not being a real technical guy is that I tend to look at the problem in an unconventional way. I suspect (but don't know this for sure) that many others are trying to solve the entire problem. Which I suspect is akin to boiling the ocean.
After looking at DNSSEC for a little while, clearly that is intangible for a network the scale of the Internet. The idea of digitally signing all of the requests is a good one in theory, but clearly ain't going to get there. And with the zone enumeration issue inherent to early versions of DNSSEC, folks are starting to layer band-aids and duct tape over the issues, in a feeble attempt to try to get the technology to "work."
I really doubt it's going to happen. So what's plan B?
I've also been doing a lot of research into CSRF (cross-site request forgery attacks) and I see some similarities to the Kaminsky DNS issue. Not like twin brothers. More like 3rd cousins. Basically, in both scenarios, it's not clear that you can trust the other side of the transaction, so you need to layer some more "tests" on top of the base transaction to make sure you are receiving traffic from the real McCoy.
One of the techniques for defending against CSRF is to add a token to each transaction, which would be difficult (not impossible, but difficult) to spoof and therefore would sort of validate that the other side of the transaction is legit.
Why couldn't we do this for DNS requests? I know, I know. We'd have to update all the name servers and then propagate the software through the DNS hierarchy. But that's only if we are trying to boil the ocean.
What if we only tried to boil a lake, or even a puddle, and started building some of the code into our key applications (or as a proxy for our key applications)? And then we could get our trading partners (who we are doing high value transactions with) to add the same code to their applications. Thus, any traffic I'm sending to IP addresses in their environment is also "tokenized."
If a large enterprise moves in this direction, they likely have enough pull to get their ISP (or multiple ISPs as it may be) to build the code into their name servers. Then it sort of becomes a bottom-up movement, as opposed to a top-down mandate. Top down doesn't work too well in the age of the Internet.
In terms of caveats, I have no idea if this would even work. I'm literally making this up. Or if Kaminsky would make mincemeat out of this in seconds. Or if many others have tried this and failed already.
I also don't know how complicated it would be to add this proxy layer to tokenize the DNS requests. I don't know if it will scale or if it will solve the problem. Or if the very nature of DNS requires that we boil the ocean, as opposed to the puddle.
Basically, I'm throwing some spaghetti against the wall and I figure the real smart guys out there will take a look, tell me I'm an idiot and then maybe suggest something that would be more tangible/feasible/logical, etc. It's all about fostering the discussion, since after seeing Kaminsky's pitch, sticking our heads in the sand and waiting for divine intervention to fix the problem ain't going to happen.
Photo credit: "lake (or puddle?) of free boiling mud" originally uploaded by magtravels
Black Hat 2008 Day 1: We're Screwed!
Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.
I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.
- Keynote: Ian Angell, Professor London School of Economics - Professor Angell is a pretty engaging character and I enjoy his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
- Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
- Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to compromise stuff assuming the bad guys own DNS and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
- Hoff's Four Horsemen: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
- Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.
The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky and Hoff's pitches and come to the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.
Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.
Only in Vegas...