sign in sign up
<<
Home , Domain Name System, Subdomain

The following paper was originally published in the Proceedings of the Fifth USENIX Security Symposium Salt Lake City, Utah, June 1995.

Using the System for System Break-ins

Steven M. Bellovin AT&T Bell Laboratories

For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. : [email protected] 4. WWW URL: http://www.usenix.org

Using the for System Breakins

Steven M Bellovin

smbresearchattcom

ATT Bel l Laboratories

Abstract recommendations to software develop ers and system

administrators

Throughout this pap er we fo cus on the problem

The DARPAInternet uses the Domain Name Sys

as it applies to Berkeleys remote login and remote

tem DNS a distributed database to map

shell services Wemention these sp ecically b ecause

names to network addresses and viceversa Using

they are ubiquitous and the source co de is read

a vulnerability rst noticed byPV Mo ckap etris we

ily available Almost certainlyany other network

demonstrate how the DNS can b e abused to sub

services that rely on host names for

vert system securityWe also show what to ols are

would b e vulnerable This probably includes vari

useful to the attacker Possible defenses against this

ous implementations of remote or networked le sys

attack including one implemented by Berkeley in re

tems

sp onse to our rep orts of this problem are discussed

and the limitations on their applicability are demon

strated

The Domain Name System

This paper was written in and was withheld

from publication by the author The body of the paper

The DNS is a distributed data base used to map

is unchanged even to the extreme of giving the size

host names to IP addresses and

of the as An epilogue has

viceversa The name space is divided intoase

been added that discusses why it was held back and

ries of zones based on syntactic separators p erio ds

whyitisnowbeing released

in domain names One or more servers contain the

hzone Secondary author authoritative data for eac

itativeservers p erio dically p oll the primary servers

Intro duction

for their zones if the data has changed they initiate

zone transfer op erations to refresh their databases

In an earlier pap er Bel we discussed a number of

Atany level a may delegate the authority

security problems with the TCPIP proto col suite

for a sub domain to a dierentserver Thus if there

Many of them turned on the abilityofanintruder to

is a server for a toplevel domain comitmay itself

sp o of the IP address of a trusted machine In real

contain the information for companies smallcom

ity though hosts extend trust to other hosts based

and smallercom but delegate the resp onsibilityfor

on their names not their addresses an attack er who

monolithcom to one or more of that companys ma

can sp o of a hosts name can ignore the more di

chines In fact servers for a domain need not and

cult problem of faking its IP address Some attacks

often will not reside within that domain

along just these lines were mentioned in the earlier

In general hosts that use the DNS maintain lo

pap er In resp onse to it PV Mo ckap etris disclosed

cal caches of the resourcerecords returned All re

to us a more devastating attack based on the Domain

source records contain a TimetoLive eld set by

Name System DNS Mo cb Mo ca Herein we

the creator at the end of that p erio d the cached

utilize his observationstoinvade selected machines

record must b e discarded and an authoritative

and demonstrate which other to ols aided the attack

server queried anew

Let us consider as an example the information for Section provides a brief overview of the DNS

zone smallcomasshown in Figure The server Section provides the details of some actual attacks

contains a numb er of resource records Perio ds at The names and IP addresses of the target hosts have

b een changed to protect the inno cent Section dis

There are many other DNS records than those describ ed

cusses defenses and shows why most of them are

here We are mentioning only those that provide information

necessary to understand the subsequent discussions limited in their scop e We conclude byproviding

ORIGIN smallcom

smallcom IN SOA serversmallcom ghuwssmallcom

Serial

Refresh

Retry

Expire

Minimum TimetoLive

IN NS server

IN NS servertinycom

server IN A

IN HINFO Smallic SmallIx

boss IN A

IN HINFO Smallic SmallIx

ws IN A

IN HINFO Smallic SmallIx

ws IN A

IN HINFO Smallic SmallIx

Define a salessmallcom

sales IN NS thinkersalessmallcom

IN NS ws

droidsalessmallcom IN A

IN A

Figure The zone smallcom

the end of some names indicate that they are abso tween the dierentnetworks

lute and not relativetothe ORIGIN eld An omit

Four hosts are dened within the domain server

ted name eld from a record indicates that the name

boss ws and ws According to the HINFO record

of the previous record should b e used And the ubiq

all of the hosts app ear to b e Small Incs own com

uitous IN eld indicates that the records b elong to

puters and op erating system

the Internet domain the DNS is capable of storing

A DNS query may request a record of a particular

information ab out many dierenttyp es of networks

typ esayanA recordor it may ask for all records

p ertaining to a given name A resp onse may con

The SOA record denes the Start of Authority for

tain just the answers desired a p ointer to the prop er

the zone Primarily a glue record it contains two

server if the information is not contained within this

hine that is the elds of interest to us here the mac

zone or an error indication if the record requested

denitive source of the information in the zone and

do es not exist

the electronic mail address in a variant form of the

p erson resp onsible Note incidentally that the SOA

If appropriate an answer mayalsocontain Ad

record also contains the minimum expiration time

ditional Information Supp ose a query were sent

for any resource records within the zone

to the smallcom server asking for the address of

crittersalessmallcom The reply would con

The NS records dene the authoritativename

tain not just the NS record for salessmallcom

servers for the domain smallcom Similar NS

but also the A record for that server

records must b e in the server for the com domain so

that inquiries may b e directed to the prop er place

In addition the parent domain must contain A ad

Inverse Mapping Domains

dress records for all servers for its sub domains This

is illustrated by the records for salessmallcoma

The records describ ed ab ove suce for forward

sub domain under separate administration

queries where the client has a machine name and

A host with more than one network interface will wishes to lo ok up the IP address However ordi

normally havemultiple A records asso ciated with it nary DBMSstyle inverse queries to map addresses

Such hosts are often but not always gateways b e into names do not work

The reason why is a bit subtle Certainly one chine History demonstrates that b oth p ossibilities

could ask any given server whichmachine corre are real

sp onded to the address Unfortu The attackers goal is to nd hosts that trust other

nately that server would b e unlikely to knowthe hosts using their names and to learn the names

answer Nor without more information could the of some of those trusted partners While random

client knowwhich server to query The DNS is a patterns of trust can and do exist a more fruit

distributed database with b oundaries delimited by ful approachistolookfortwo common patterns

host name syntax IP addresses contain no clues to hines each First in a cluster of timesharing mac

this organization of the machines is likely to extend blanket trust to

Instead inverse mappings are implemented bya the others Even if that do es not apply to the gen

separate parallel tree keyed by IP address To eral user p opulation it probably do es apply to the

systems programming and op erational stas Sec

mimic the structure of IP addresses and hence the

fashion in which they are assigned to administrators ond the attacker can lo ok for le servers and their

the individual bytes of the address are reversed A workstations The le servers sometimes trust their

standard sux is app ended to avoid name collisions clients serving as a source of extra CPU cycles Fur

with forward mappings Thus the addresstoname thermore if the clients are dataless they will fre

mapping for host wswhich has an IP address of quently trust an administrativemachine to p ermit

would b e handled by a server for zone software maintenance

inaddrarpa Its database with glue In the following examples we will assume that the

records omitted lo oks like this target organization has the following machines

Name IP Address Type

ORIGIN inaddrarpa

bullseyesoftyorg le server

IN PTR serversmallcom

ringersoftyorg workstation

IN PTR bosssmallcom

groundzerosoftyorg workstation

IN PTR wssmallcom

All are running some derivative of bsd or bsd

IN PTR wssmall com

suchas SunOS and all trust each other via

Each record contains only a p ointer to the forward

etchostsequiv les

mapping record Generallytheinverse mapping tree

The attacker whom we shall dub Cuckoo in honor

will reside on the same machine as the corresp ond

of Cli Stolls b o ok Sto is coming from machine

ing forward mapping tree but this is not a require

crackerrittsorg

ment Hosts with more than one address will have

The essence of the basic attack relies on the na

PTR records in more than one inverse mapping tree

ture of the addresstoname mapping As noted

ab ove this mapping uses an indep endent DNS

tree Assume that the inverse mapping record

Attack

for is changed from the correct

crackerrittsorg to ringersoftyorg When

Kids Do not try this at home This stunt

the attacker attempts to rlogin to bullseye it will

was carried out by trainedprofessionals

try to validate the name not the IP address

whoapart from knowing what they were

of the calling machine It do es this by call

doinghad the permission of the relevant

ing gethostbyaddr and passing it the address

system administrators

In a DNS environment that call

Our threat scenario assumes that the attacker has translates to a query for the record asso

complete control of a machine containing legitimate ciated with inaddrarpa This

primary servers for a DNS zone including the asso will of course retrievethePTR record shown ab ove

ciated inverse mapping tree That is he or she can Thus bullseye b elieves that its friend and neigh

make whatever changes are desired to the delegated bor ringer is trying to connect Thus the call is

p ortions of the name tree and suchchanges will b e accepted and the attack has succeeded

accepted as correct by other machines sub ject only Note the fundamental awwehave exploited

to the usual expiration dates We also assume the here There is no forced linkage b etween the

abilitytocontrol any TCP p ort numb ers on that ma twoDNS trees owned by Cuckoo rittsorg

chine including those that Berkeleys versions of the and inaddrarpaeven though they

Unix system regard as privileged The attacker may should contain complementary data Thus the lat

b e either a renegade system administrator or some ter tree can contain entries p ointing to hosts b elong

one who has successfully subverted a DNS server ma ing to Softies Inc

snmpnetstat bullseyesoftyorg public

Active Internet Connections

Proto RecvQ SendQ Local Address Foreign Address state

tcp bullseyesoftyorglogin bullseyesoftyorg ESTAB

tcp bullseyesoftyorglogin ringersoftyorg ESTAB

tcp bullseyesoftyorg bullseyesoftyorglogin ESTAB

tcp bullseyesoftyorg otherhostcom ESTAB

Figure Connection patterns via SNMP

tedious so wedevelop ed some extra to ols to help Filling in the Blanks

First we installed several instances of the pseudo

In order to mount the attack describ ed ab ove

network driver Bel not b ecause we needed its

Cucko o needs to know three things a target host

facilities but b ecause it gave us an easy waytoasso

name a user name to imp ersonate and a ma

ciate several new IP address with our machine with

chine trusted by the target host There are many

out installing any extra hardware This let us at

approaches p ossible all using a varietyofstan

tempt imp ersonations of several machines at once

dard to ols The following sequence whichwe ac

Slight mo dications to the global routing tables

k is tually used in our rst demonstration attac

courtesy of routedwere needed to route packets



illustrative We will start by assuming weknow

backtousWe also mo died rlogin to let us sp ec

the name of the target machine p erhaps from a

ify the lo cal host address and the lo cal user name

mail message or news article Next we use SNMP

thus avoiding the need for extra etcpasswd en

CDF to examine its TCP connection tables Fig

tries Our attacks b ecame this simple

ure That is apart from the miscellaneous con

xrlogin bullseyesoftyorg l bingo

nection to p ort on some other host the other

L user x

TCP activity represents uses of rlogin One con

nection is from ringer the others representthetwo

The appropriate PTR records were all created to

endp oints of an rlogin session from bullseye to it

gether of course

self This is an o dd circumstance and p otentially

quite revealing The finger command tells us more

Other Approaches

Figure

Twoentries indicate remote logins On ttyp

Some might ob ject that the p enetration describ ed

user random is connected from ringer And on

ab ove relied on SNMP a facility not often found on

ttyp bingo is connected from bullseye itself in a

hosts and on finger a service which sometimes

lo opback connection It seems likely that this repre

do es not give the name of the remote hosts For

sents user utilizing a dierent login rather than

tunately for the attacker there are other ways to

random doing so such a connection from random

gather the necessary data

would more likely have originated from ringerSo

One useful to ol is electronic mail Supp ose you

wehaveapossible rhosts le for bingo authorizing

wish to target someone who sentyou or a mailing

a lo cal user user when coming from host bullseye

list some electronic mail These days mail headers

We can also try for random coming from ringera

are often mo died to indicate that the senders ma

quickcheckwith finger shows a user of the same

chine is some gatew ay p erhaps a le server But the

name logged in there

Received or MessageId lines indicate the actual

The remaining steps are trivial We mo dify the

source of the mail Often that user will b e able to

PTR record for cracker appropriately create lo cal

rlogin to the apparent sending machineie the

login names user and random for ourselves and

le serverfrom the actual sending machine typi

use them to attempt an rlogin to the target ma

callyaworkstation

chine The attack succeeded on the second try it

Another useful to ol is the DNS itself it contains a

turned out that randoms connection was not preau

wealth of information The SOA record contains the

thorized

address of a privileged user and a machine containing

Actually the pro cedure outlined ab ove got a bit

data administered by that p erson That alone is a



useful pair to attack If that fails assume again that

The output you are ab out to see is real Only the names

and IP addresses have b een changed to protect the inno cent weknow a user name and a machine name The DNS

finger bullseyesoftyorg

bullseyesoftyorg

Login Name TTY Idle When Where

user User One co Fri

user User One p Mon unix

user User One p d Mon unix

user User One p Mon unix

user User One p Wed unix

random Amber Random p d Wed ringersoftyorg

bingo Bingo Scores p Wed bullseyesoftyorg

user User One p Fri unix

Figure Learning from the finger command

will tell us the IP address of that machine Gener the list of addresses returned is matched against

ally it will also p ermit a zone transfer to list the If the match fails a imp erson

other machines on that network Thus if we only ation attempt is agged In the general case this

know one machine name groundzerosoftyorg defense is easily countered To see how let us ana

but do not knowany other machines in that or lyze the transactions in terms of the DNS

kly learn that groundzero ganization we can

The gethostbyaddr call is as noted imple

is Next we try a zone transfer

mented by a DNS request for a PTR record The

request for inaddrarpa using any

server that supplies this PTR record is under

of a numb er of standard to ols If the zone trans

Cucko os control and may return false information

fer is rejected we only need to issue individual

The gethostbyname call requests A records ulti

queries to map a Class C network That gives us

mately from the server for softyorg whichisnot

the names of other machines on the same network

controlled by the attacker However in reality the

If were lucky the DNS entries for those machines

query do es not go immediately to that server rather

will include HINFO lines the mo del numb ers provide

it go es to the lo cal machines name server And

powerful clues as to whichmachines are le servers

that server has a whichmay b e p oisoned by

and which are workstations SNMPifavailable

Cucko o Sp ecically the DNS message containing

on the targets can also provide mo del numbers

the PTR record maycontain a b ogus A record in its

Further clues can b e sometimes b e found by use of

Additional Information eld The information in

finger which machines havemultiple users logged

this record will b e returned on any gethostbyname

in SMTP do es the machine run a mail server

call along with other presumably legitimate A

anonymous FTP workstations rarely oer the ser

records The name server for bsd do es not nor

vice servers sometimes do and Suns rpcinfo

mally include any A records when sending out PTR

what services are running It may not even mat

resp onses but the mo dication to makeitdosois

ter very muchsome organizations use the same

trivial The results of the change are shown in Fig

etchostsequiv le on all of their machines just

ure using Mo ckap etriss program

to simplify system administration

Note the very short timetolive elds the at

tacker do es not want these anomalous records stay

ing around where they mightbeobserved This is

Attempted Defenses

particularly necessary for the A record it mightbe

embarrassing if it were returned to a legitimate user

Avariety of defenses have b een tried or contem

seeking the address of bullseye

plated few are generally successful The rst

w It has b een suggested to us that additional in as develop ed byBerkeley when we rep orted this

formation elds b e scrutinized more carefully b efore problem some time ago It consists of mo dica

acceptance In the ab ove example there is little rea tions to rlogind and rshd to validate the inverse

son to include an A record with a PTRwould it help if mapping tree by lo oking at the corresp onding no de

the name server rejected it Again the answer is no on the forwardmapping tree That is if the

there are other apparently legitimate ways to intro gethostbyaddr call on address

duce b ogus A records For example one can often returns the name bullseyesoftyorg the server

p ersuade a host to do a lo okup for a in a will issue a gethostbyname call on that name and

dig x serverrittsorg

DiG x serverrittsorg

HEADER opcode QUERY status NOERROR id

flags qr aa rd ra Ques Ans Auth Addit

QUESTIONS

inaddrarpa type ANY class IN

ANSWERS

inaddrarpa PTR bullseyesoftyorg

ADDITIONAL RECORDS

bullseyesoftyorg A

Sent pkts answer found in time msec

FROM cracker to SERVER serverrittsorg

WHEN Tue Oct

Figure Returning an addtional A record when a PTR record has b een requested

sub domain of rittsorgsay foobarrittsorg daemon hence the attacker will not b e able to add

Such a query will prop erly b e answered bythe the Additional Information eld This to o can b e

server for domain rittsorg whichiscontrolled by countered In a variant analagous to one discussed

the attacker The resp onse will contain a list of the earlier the attacker can create an NS record for the

name servers for domain barrittsorg Those NS verse domain naming the imp ersonated machine in

records are of necessity accompanied by the corre as a secondary server in such cases the fraudulent

sp onding A records Nothing w ould prevent the in A record will b e sent along on zone transfer requests

clusion of bullseyesoftyorg and the corresp ond

Another layer of protection can b e provided if

ing fraudulent A record in this list

the target host uses a lo cal mapping table b efore

consulting the DNS For example some sites use

Attempts to p oison the cache of a primary or sec

Suns interface b etween Network Information Ser

ondary server for a domain do not work The stan

vice NIS nee YP and the DNS On such machines

dard name servers will reject up dates to zones for

the DNS is queried only if NIS do es not havethe

which they are authoritative Thus the attacker

answer Thus the inverse lo okup will retrievethe

cannot insert b ogus A records so the crosscheck will

b ogus PTR record since the address used is not in

detect the attack This prohibition is only reason

the lo cal host tables But the forward lo okupthe

able and not just for security reasons an authori

gethostbyname callwill b e satised by NIS with

tativeserver by denition p ossesses all p ossible data

out resort to the DNS and hence without retrieving

for its zone Attempts to up date the zone remotely

the p oisoned A record

are at b est naive



It must b e underscored that this defense do es not

In some environments this provides a reasonably

work at all if the attacker nds a target user com

strong defense Most rlogin and rsh requests do

ing in from a host not listed in the NIS database

come from the lo cal cluster of machines and it is

Conceptually it is analogous to the situation of au

precisely for these that the lo cal server is authorita

thoritative DNS servers the target host p ossesses

tive Nevertheless care should b e taken Caching



incorruptible lo cal information

only servers are not immune as they p ossess no au



thoritative data of their own Nor are authorita

In SunOS and later the crosscheck is implemented

in the gethostbyaddr subroutine thus all utilities reap the

tive servers when elding requests from outside their

b enets of increased securityHowever the message gener

zone if a host trusts another host not named in a

ated in case of a failure do es not indicate a p ossible secu

lo cal zone its name server cannot protect it

rity problem Judging from comments on assorted mailing

lists this p ossibility is not well known Furthermore there

The target is also in a somewhat stronger p osi

are rep orts that a bug in some versions causes frequenter

tion if it is a secondary server for the inverse map

roneous generation of this message thus lulling even alert

ping domain of the attacker In that case the PTR

administrators



record will b e retrieved from an unmo died name Security holes in NIS are b eyond the scop e of this pap er

Hardening DNS Servers the lo cal name serveractasasecondaryserver for

imp ortantneighb oring zones and thus p ossess au

It would b e very useful when tracking these and

thoritativeforwardmapping data In manyenviron

other problems if DNS server cache entries were

ments most remote login requests will come from a

tagged with their source Thus b ogus A records

very few other organizations one need not download

could b e tracked back Note that this is not just

all mapping information for the entire network Fur

a security issue p erio dically assorted newsgroups

thermore with current implementations suchsec

and mailing lists discuss why a DNS zone has b een

ondary servers need not b e ocial That is if

corrupted and how to purge the oending entries

deptacompanycom wished to b e a secondary server

The ability to trace the oending records to their

om domain it is not neces for the deptbcompanyc

source would help tremendously

sary for the administrator of the companycom zone

Preventing cache contamination is probably not

to create anynew NS records In most cases the zone

feasible If a server is not authoritative for a zone it

transfer will succeed and deptas domain server will



hasnowayofknowing whether or not Additional

p ossess correct data

Information records may b e trusted It do es no

A corollary to this is that cachingonly servers are

go o d to add authentication to DNS resp onses the

Bad They p ossess no authoritative data of any

attacks describ ed herein all come from the legiti

sort and are very susceptible to cache p oisoning

mate alb eit untrustworthy sources In some im

If DNS attacks arepossible no host should rely on

plementations it might b e feasible to restrict the

any cachingonly server for information All time

scop e of the cache Perhaps Additional Information

sharing machines within an organization and all le

records should b e used only when resolving partic

servers should p ossess denitive mapping informa

ular queries and then discarded That is harder

tion for the hosts within the organization This may

to do for NS records but the asso ciated A records

b e accomplished via NIS DNS secondary servers

could b e b ound to the name server denitions and

or other means This in turn implies that huge

not used for other purp oses Obviouslyany tinker

domainsthose encompassing entire campuses for

ing along these lines would result in a smaller less

exampleare probably a bad idea as far to o many

useful cache And that in turn would lead to more

machines would have to p ossess far to o much data

DNS queries p ossibly an unacceptable price

Logging and Auditing

Conclusions and Recommendations

As always prop er logging and auditing can b e sig

nicant aids in detecting DNS attacks For example

As wehave stated b efore Bel reliance on host

the antisp o ong co de added to rlogind and rshd

addresses or host names for authentication is funda

should inform the system administrator of such at

mentally awed The only real security inaninter

tempts The versions released by Berkeley inform

networking environment is cryptographic The Ker

the attacker alone Similarlyitwould b e useful if

b eros system Bry KN MNSS SNSNT

DNS servers logged attempts to up date authorita

is probably the b est choice to day though awed

tive zones This is not a trivial task as there are a

in places BM it is far b etter than the current

numb er of contexts in which it is legitimate to re

scheme

ceive lo callyknown data in Additional Information

If it is not p ossible to use cryptographic authenti

records but it might b e feasible As a rule of thumb

cation installation of Berkeleys x is mandatory

one should log any resp onses that not only refer to

Without it none of the palliative strategies de

a lo cal zone but also either attempt to add new

scrib ed b elowdoany good

records or to add contradictory information to ex

A rst cut at protection in such cases would b e to

isting records other than timetolive There will b e

restrict namebased authentication to hosts blessed

noise in the log even so esp ecially if some records

as it were by the system administrator Though

have b een changed but stale copies still exist else

there are other obvious security b enets the ad

where

vantage here is that the set of trusted hosts would

A second useful log would b e of all connection at

b e limited to those for which the lo cal machine has

tempts successful or not to rlogind or rshd These

authoritative name information Berkeleys latest

versions of rlogind and rshd supp ort this by p er



Do note though that some organizationsblock zone

mitting the administrator to disable use of rhosts

transfers from unapproved sites In anyevent p oliteness

les

would seem to dictate that deptbs administrator b e contacted

If this is not feasible an alternativeistohave rst

should include the remote host name the IP address Mor Trying to x the name table problem in

of course and the lo cal and remote user names stead of tackling the real issue is treating the symp

This le may b e audited oine to check for mis toms not curing a disease

matches b etween the host name and address Ob

Second it is by no means clear that the DNS is

viously suchchecks require great care lest they b e

the real source of the problem Rather the problem

sp o ofed by the same attack

arises b ecause the information necessary to compile

A more dicult detection measure would involve

any sort of hosttoaddress mapping scheme is of ne

comparisons of the forwardmapping data against

cessity distributed in nature The administrators

the inverse mapping data for the zone Presumably

involved are lo cated around the world None of the

a security organization could attempt random zone

usual mechanisms for transmitting up dates to a cen

transfers from various authorized servers and audit

tral site electronic mail telephone calls or even

the data retrieved It is unclear if suchmatches are

conventional pap er mail carry any strong authen

actually useful Apart from the obviousa clever at

tication a table compiler who blithely acts on all

tacker will not leave b ogus resource records around

up date requests can install p oisoned records almost

when not using theminverse mapping domains are

as easily as can a DNS administrator

notorious for their p o or qualityTo b e sure nd

Finally abandoning the DNS would leave un

ing such errors might justify the eort even apart

solved the problem it was originally meanttotackle

from security considerations Additionallyunusual

the sheer size of the host table By b est estimates

situations are often created delib erately to deal with

the Internet is comprised of more than ma

multihomed hosts or to create pseudohosts for sp e

chines neither the up date frequency nor the timely

cic services Detecting attacks amidst this sort of

distribution of new tables can b e handled by other

noise is quite hard

mechanisms

Giving Away Information

Acknowledgements

The astute reader will have noticed that the at

tack scenarios wehave presented relied on gather

We wish to thank the anonymous system adminis

ing trust data rst Put another waywe abused

trators who consented to have their system attacked

assorted standard services to learn which pairs of In addition they graciously installed test domains

hosts were worth attacking As wehave noted ear

new versions of rlogin and rshd and other les we

lier Bel any sort of information utility finger

requested to either facilitate or defeat new attempts

SNMP etcprovides a wealth of information to an

at p enetration

attacker System administrators should ask them

selves if the b enets of these utilities outweigh the

Epilogue risks

As noted this paper has been withheld by the author

Should the DNS b e Abandoned

for over four years Holding it back was not an easy

decision nor was eventual decision to release it For

In resp onse to rep orts of these problems some indi

both decisions we cite the external world as it has

viduals have suggested that the DNS b e abandoned

changed so has the outcome

in favor of a return to static host tables Wedonot

The paper was held backnot suppressed no ex

agree with this suggestion for several reasons

ternal agency appliedanypressure though there

First and foremost the problem here is not the

werecertainly others who were happy it was not

DNS it is inadequate metho ds of host authentica

published at the timebecause it described a seri

tion If strong ie cryptographic mechanisms were

ous vulnerability for which there was no feasible x

used p eople playing games with inverse mapping

The only choice would have been to give up entirely

records would b e notable solely for their nuisance

on namebased authentication a choice the industry

value At most some log les would need to b e en

was not able to make in

hanced to record IP addresses as well as host names

Attitudes and technology have changed sincethen Nor would abandoning the DNS solve the problem

For one thing many sites alr eady use rewal ls to of attacks that actually mimic the IP address of a

protect against such attack if an attacker cannot trusted host rather than simply its name Such at

open an rsh connection he or she cannot claim tacks are somewhat harder but the techniques have

a false origin for it The recent successful se b een published for some time See for example



quencenumber guessing attack has probably sealed Bry B Bryant Designing an authentication

the doom of namebased authentication over the In system A dialogue in four scenes Febru

ternet ary Draft

Cryptography is also moreaccepted Apart from

CDF J Case C Davin and M Fedor Simple

its direct use for authenticating connections there

network management proto col SNMP

are now proposals for cryptographic authentication

Technical Rep ort RFCInternet En

of the DNS itself EK That would beacomplete

gineering Task Force April Obso

defense against the cache poisoning attacks described

letes RFC Up dated byRFC

here DNS responses would be selfauthenticating

and forgedresponses would bedetected and dropped

EK Donald E Eastlake rd and Charles W

There has also beenaproposal for how name

Kaufman Domain name system proto col

servers can defend against cache contamination

security extensions Internet draft work

The concept is simple only use Additional Infor

in progress January

mation resourcerecords in the context in which they

KN J Kohl and B Neuman The ker

werereturned That is an A record that accompanied

b eros network authentication service

an MX recordwouldbeconsulted only when sending

V Exp eri

mail to that site It would not beused when a general

mental RFC Internet Engineering

address lookup was done or to conrm the names re

Task Force Sep

ceived via PTR records This and other enhancements

are described further by Vixie Vix

MNSS S P Miller B C Neuman J I Schiller

Arguably this paper should have been published

and J H Saltzer Kerb eros authentica

when written Death of the Net predicted lm

tion and authorization system In Project

at is an old refrain and the Net has now sur

Athena Technical PlanMITDecember

vivedpassword sniers and sequence number attacks

Section E

More to the point if morepeople had known of the

attack perhaps the solution describedabove would

Mo ca PMockap etris Domain names con

have been found sooner

cepts and facilities Request for Com

Final ly the secrecy may have been in vain Apart

ments Standard RFC Inter

from reports that this exact technique was usedby

ember net Engineering Task Force Nov

hackers many years agoand the reports are quite

Obsoletes RFC Up dated by

reliablethe paper leaked anyway We have seen it

RFC

on at least one Web server and fol lowup work by

Mo cb PMockap etris Domain names imple

en available for quite some time SS Schuba has be

mentation and sp ecication Request for

Comments Standard RFC Inter

net Engineering Task Force November

References

Obsoletes RFC Up dated by

RFC

Bel Steven M Bellovin Security problems

in the TCPIP proto col suite Com

Mor Rob ert T Morris Aweakness in the

puter Communications Review

BSD Unix TCPIP software Com

April

puting Science Technical Rep ort

ATT Bell Lab oratories Murray Hill

Bel Steven M Bellovin Pseudonetwork

NJ February

drivers and virtual networks In USENIX

ConferenceProceedings pages

NT B Cliord Neuman and Theo dore Tso

Washington DC January

Kerb eros An authentication service for

computer networks IEEE Communica

BM Steven M Bellovin and Michael Mer

tions Septemb er

ritt Limitations of the Kerb eros authen

SNS Jennifer Steiner B Cliord Neuman

tication system In USENIX Conference

and Jerey I Schiller Kerb eros An au

Proceedings pages Dallas TX

thentication service for op en network sys

Winter

tems In Proc Winter USENIX Confer



CERT Advisory CA January ence pages Dallas TX

SS Christoph L Schuba and Eugene H

Spaord Addressing weaknesses in the

domain name system proto col Masters

thesis Purdue University Depart

ment of Computer Sciences

Sto Cli Stoll The Cuckoos Egg Tracking a

Spy Through the Maze of Computer Es

pionage Doubleday New York

Vix DNS and BIND security is

sues In Proceedings of the Fifth Usenix

Unix Security Symposium Salt Lake

City UT To app ear