[ISN] NIST unveils tool to foil attacks via DNS

From: InfoSec News (alerts@private)
Date: Tue Mar 25 2008 - 22:03:24 PST


http://www.gcn.com/online/vol1_no1/46004-1.html

By Dan Campbell
Special to GCN
GCN.com
03/25/08

Network researchers at the National Institute of Standards and 
Technology (NIST) have unveiled a method that federal systems 
administrators can use to protect their systems from increasingly 
complex attacks launched via the Domain Name System (DNS) of the 
Internet and private IP networks.

DNS has long been a critical function of the Internet and private IP 
networks, but one that tended to operate somewhat incognito. That may be 
changing as more complex network attacks targeted at DNS emerge.

In a recently published paper, authors Scott Rose and Anastase Nakassis, 
writing under the auspices of NIST and the Homeland Security 
Department's Science and Technology Directorate, contend that DNS 
security extensions (DNSSEC) originally intended to protect DNS zone 
data contain an unintended side effect that facilitates an attack 
precursor called zone enumeration.

Attackers use DNSSEC responses to determine the Resource Records (RR) in 
a DNS zone, and then launch attacks more quickly against specific hosts 
in the zone. The attack potential gets worse when DNS host names give 
hints to the content, application or operating system, and consequently 
the vulnerabilities, that reside on the hosts. Rose and Nakassis added 
that the security or privacy concerns of intercepting information in 
newer DNS RRs go beyond an attacker simply identifying the host IP 
address and name.

The authors state that zone enumeration is possible without the help of 
DNSSEC. They cautioned that such traditional methods often become 
impractical because they rely on time-consuming or processor-intensive 
brute force techniques often thwarted by intrusion detection systems.

The authors also describe several techniques that allow networks to reap 
the intended authentication and integrity benefits of DNSSEC while 
reducing DNS information leakage. These techniques are important 
because, as DNS becomes more and more vital to network operation, the 
need to protect it with techniques offered by DNSSEC increases.

As federal agencies continue to deploy IPv6 technology, DNS will move 
from its current critical-but-inconspicuous status to the forefront, the 
NIST analysts said. The spread of IPv6 will generate a demand for 
network protection methods that are as secure as they are robust. The 
enormous IPv6 address size makes memorization impractical and 
address-to-hostname mapping vital, Internet specialists agree. Address 
subnet scanning becomes all but impossible in the IPv6 environment. As a 
result, DNS zone data becomes much more desirable to intercept and 
decipher as a prelude to launching an attack.

The techniques described by the NIST scientists likely hold forth the 
promise of improving DNSSEC authentication and integrity protection, so 
as to shield DNS zones and foil attempts to compromise data.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Tue Mar 25 2008 - 22:18:31 PST