Thursday, April 29, 2021

Daniel Kaminsky, RIP

Nicole Perlroth (via Hacker News):

He was a respected practitioner of “penetration testing,” the business of compromising the security of computer systems at the behest of owners who want to harden their systems from attack. […] When Daniel was 11, his mother said, she received an angry phone call from someone who identified himself as a network administrator for the Western United States. […] Without her knowledge, Daniel had been examining military websites. The administrator vowed to “punish” him by cutting off the family’s internet access. Mrs. Maurer warned the administrator that if he made good on his threat, she would take out an advertisement in The San Francisco Chronicle denouncing the Pentagon’s security.


In 2005, after researchers discovered Sony BMG was covertly installing software on PCs to combat music piracy, Sony executives played down the move. Mr. Kaminsky forced the issue into public awareness after discovering that Sony’s software had infected more than 568,000 computers.


In 2008, Kaminsky discovered a fundamental flaw in the Domain Name System (DNS) protocol that could allow attackers to easily perform cache poisoning attacks on most nameservers[…]. With most Internet-based applications depending on DNS to locate their peers, a wide range of attacks became feasible, including website impersonation, email interception, and authentication bypass via the “Forgot My Password” feature on many popular websites. After discovering the problem, Kaminsky initially contacted Paul Vixie, who described the severity of the issue as meaning “everything in the digital universe was going to have to get patched.” Kaminsky then alerted the Department of Homeland Security and executives at Cisco and Microsoft to work on a fix.

Kaminsky worked with DNS vendors in secret to develop a patch to make exploiting the vulnerability more difficult, releasing it on July 8, 2008. To date, the DNS design flaw vulnerability has not been fully fixed.


The actual vulnerability was related to DNS only having 65,536 possible transaction IDs, a number small enough to simply guess given enough opportunities. Dan Bernstein, author of djbdns, had reported this as early as 1999. djbdns dealt with the issue using Source Port Randomization, in which the UDP port was used as a second transaction identifier, thus raising the possible ID count into the billions. […] Kaminsky’s attack bypassed this TTL defense by targeting “sibling” names like “” instead of “” directly. Because the name was unique, it had no entry in the cache, and thus no TTL. But because the name was a sibling, the transaction-ID guessing spoofed response could not only include information for itself, but for the target as well.
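As an added illustration of the gate described above, and not code from the obituary, Wikipedia, or any real resolver: a toy model of a caching resolver's outstanding-query table that accepts a reply only when its transaction ID and destination port match a query it actually sent. The ephemeral port range and the uniform-guess assumption behind the probability estimate are my own assumptions.

```python
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16                   # DNS transaction ID is 16 bits: 65,536 values
EPHEMERAL_PORTS = range(1024, 65536)   # assumed range a port-randomizing resolver picks from


@dataclass(frozen=True)
class Pending:
    qname: str
    txid: int
    src_port: int


class Resolver:
    """Minimal model of a resolver's table of queries still awaiting an answer."""

    def __init__(self, randomize_port: bool, fixed_port: int = 53):
        self.randomize_port = randomize_port
        self.fixed_port = fixed_port          # pre-2008 behaviour: one predictable source port
        self.pending: dict[tuple[int, int], Pending] = {}
        self.cache: dict[str, str] = {}

    def send_query(self, qname: str) -> Pending:
        txid = secrets.randbelow(TXID_SPACE)
        port = secrets.choice(EPHEMERAL_PORTS) if self.randomize_port else self.fixed_port
        q = Pending(qname, txid, port)
        self.pending[(txid, port)] = q
        return q

    def accept_response(self, txid: int, dst_port: int, qname: str, rdata: str) -> bool:
        """Cache the answer only if (txid, port) identify an outstanding query for qname."""
        q = self.pending.get((txid, dst_port))
        if q is None or q.qname != qname:
            return False                      # no matching query in flight: drop silently
        del self.pending[(txid, dst_port)]    # a query is answered at most once
        self.cache[qname] = rdata
        return True


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a forged reply would have to cover."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


def forgery_success_probability(randomize_port: bool, forged_packets: int) -> float:
    """P(at least one of N uniformly guessed forged replies matches the live query)."""
    return 1 - (1 - 1 / guess_space(randomize_port)) ** forged_packets
```

With a fixed port the space is 65,536 values; with port randomization it is 65,536 times the port range, about 4.2 billion here, which is the "into the billions" figure quoted above.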
