Jul 30 2008
Oh oh, I use AT&T
Not that I’m surprised, but it appears that a DNS server at AT&T has been one of the first high-profile targets of the DNS vulnerability discovered by Dan Kaminsky. I’ve been testing my internet connection every once in a while since I called out AT&T to patch last week, and as of Monday it appeared to be safe. Even the 3G connection I’m using right now appears to be safe. But at least one server in the AT&T network was vulnerable, and HD Moore’s company BreakingPoint was the target. There is a little delicious irony there, since HD is the creator of Metasploit and released a plugin to test for the DNS vulnerability last week.
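What those test pages and the Metasploit check actually measure is worth spelling out, since "safe" here means one specific thing. The authoritative side records the UDP source port and the 16-bit DNS transaction ID of every query a resolver sends it; a resolver that always queries from the same port (or walks through ports in order) leaves an attacker guessing only the TXID, which is a 16-bit search that Kaminsky’s technique turns into a matter of seconds. The script below is an added example, not code from this post, from Dan Kaminsky’s test page or from HD Moore’s module: it scores recorded (port, TXID) pairs the way those tests did, in spirit, and estimates the attacker’s search space. The three sample sets are constructed with a seeded PRNG, and the rating thresholds are my own choices.

```python
"""Score a recursive resolver's source-port / TXID randomization.

Added example (not from the original post or from the Kaminsky / Metasploit
test tools). Input is a list of (source_port, txid) pairs as an authoritative
server you control would see them when the resolver under test is made to
query it. The sample data below is constructed, not captured.
"""
import math
import random

TXID_BITS = 16  # the DNS transaction ID is always 16 bits wide


def classify(values):
    """Return (effective_bits, label) for an observed sequence of ports or TXIDs.

    A constant value or a constant stride is fully predictable and contributes
    zero bits to the attacker's search space; otherwise the spread of the
    observed values bounds how many bits the attacker has to guess.
    """
    if not values:
        raise ValueError("need at least one observation")
    if len(set(values)) == 1:
        return 0.0, "FIXED"            # e.g. a resolver pinned to port 53
    strides = {b - a for a, b in zip(values, values[1:])}
    if len(strides) == 1:
        return 0.0, "SEQUENTIAL"       # e.g. 2000, 2001, 2002, ... (or a NAT rewriting ports that way)
    span = max(values) - min(values) + 1
    bits = min(math.log2(span), 16.0)
    # Threshold is an assumption of this example: a resolver confined to a few
    # hundred ports is far weaker than the ~64k it could be using.
    return bits, ("GOOD" if bits >= 14 else "POOR")


def score_samples(samples):
    """Rate a resolver from its observed (source_port, txid) pairs."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits, port_label = classify(ports)
    txid_bits, txid_label = classify(txids)   # the same test applies to TXIDs
    search_bits = port_bits + txid_bits
    if search_bits <= TXID_BITS + 0.5:
        rating = "VULNERABLE"   # ports add nothing; only the 16-bit TXID stands in the way
    elif search_bits < 28:
        rating = "WEAK"         # thresholds are this example's assumption
    else:
        rating = "OK"
    return {
        "port_label": port_label,
        "txid_label": txid_label,
        "search_space_bits": round(search_bits, 1),
        "rating": rating,
    }


def constructed_samples(n=50, seed=2008):
    """Constructed observations for three kinds of resolver (not real captures)."""
    rng = random.Random(seed)
    fixed_port = [(53, rng.randrange(65536)) for _ in range(n)]
    sequential_port = [(2000 + i, rng.randrange(65536)) for i in range(n)]
    randomized = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    return {
        "fixed_port": fixed_port,
        "sequential_port": sequential_port,
        "randomized": randomized,
    }


if __name__ == "__main__":
    for name, samples in constructed_samples().items():
        print(name, score_samples(samples))
```

Feed it pairs recorded by a sniffer on an authoritative server you control, after making the resolver under test look up a name in that zone (the public test pages worked by handing the resolver a random subdomain for exactly this reason). A resolver that still scores FIXED or SEQUENTIAL after patching is usually either pinned by a `query-source ... port 53` line in named.conf, which patched BIND releases warn about at startup, or sitting behind a NAT device that rewrites source ports into a predictable sequence; in both cases the patch is installed but buys nothing.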
I’m getting tired of writing about the DNS issue and hope that AT&T and other service providers make a much better effort to patch the vulnerability now that it’s in the wild and being exploited. Dan mentioned an interesting set of statistics last week: when he first put up his vulnerability test page, 78% of all tests came back as vulnerable, while as of last week only 56% did. I’m quoting these numbers from memory, so they may be off a little, but it’s still an impressive patching effort. Not nearly good enough, but still impressive.
I hope this spurs a fresh round of patching by large service providers as well as smaller companies, but I’m not going to hold my breath. I wonder how many more tricks Dan has up his sleeve for his talk at Black Hat, because I don’t think we’ve seen the full extent of this vulnerability just yet.
BreakingPoint was not the target of the attack, they were just some of the many people that felt the impact of up-stream cache poisoning.
I look forward to seeing how the patching goes. Great post.
Should providers patch even if it severely disrupts DNS service?
Some of our busiest recursive servers slow down, puke, croak or otherwise get rude and obnoxious when patched.
http://marc.info/?l=bind-users&m=121726908015389
So patch & break or remain vulnerable?
–Mike
In the past couple of days I have seen AT&T DNS servers returning invalid responses for high-value sites such as eBay, and causing problems for some of my clients. I can’t say for sure they were compromised DNS servers, but the circumstantial evidence is pretty strong.