Sergeant John’s 3-D Chiller House of Terror!


The Dan Who Blackholed the World

Posted on December 2, 2008

Wired magazine has the story of Dan Kaminsky’s discovery of a gaping security flaw in the Internet’s DNS architecture:

Then last January, on a drizzly Sunday afternoon, he flopped down on his bed, flipped open his laptop, and started playing games with DNS. He used a software program called Scapy to fire random queries at the system. He liked to see how it would respond and decided to ask for the location of a series of nonexistent Web pages at a Fortune 500 company. Then he tried to trick his DNS server in San Diego into thinking that he knew the location of the bogus pages.

Suddenly it worked. The server accepted one of the fake pages as real. But so what? He could now supply fake information for a page nobody would ever visit. Then he realized that the server was willing to accept more information from him. Since he had supplied data about one of the company’s Web pages, it believed that he was an authoritative source for general information about the company’s domain. The server didn’t know that the Web page didn’t exist—it was listening to Kaminsky now, as if it had been hypnotized.

When DNS was created in 1983, it was designed to be helpful and trusting—it’s directory assistance, after all. It was a time before hacker conventions and Internet banking. Plus, there were only a few hundred servers to keep track of. Today, the humble protocol stores the location of a billion Web addresses and routes every piece of Internet traffic in the world…

Kaminsky froze. This was far more serious than anything he could have imagined. It was the ultimate hack. He was looking at an error coded into the heart of the Internet’s infrastructure. This was not a security hole in Windows or a software bug in a Cisco router. This would allow him to reassign any Web address, reroute anyone’s email, take over banking sites, or simply scramble the entire global system. The question was: Should he try it?

The vulnerability gave him the power to transfer millions out of bank accounts worldwide. He lived in a barren one-bedroom apartment and owned almost nothing. He rented the bed he was lying on as well as the couch and table in the living room. The walls were bare. His refrigerator generally contained little more than a few forgotten slices of processed cheese and a couple of Rockstar energy drinks. Maybe it was time to upgrade his lifestyle.

DNS, as the article notes, is not glamorous, but nearly all of us depend on it.
