Dan Kaminsky, uncharacteristically, was not looking for bugs earlier this year when he happened upon a flaw at the core of the Internet. The security researcher was using his knowledge of Internet infrastructure to come up with a better way to stream videos to users. Kaminsky’s expertise is in the Internet’s domain name system (DNS), the protocol responsible for matching the domain names in websites’ URLs with the numeric IP addresses of the servers that host them. The same content can be hosted by multiple servers with different addresses, and Kaminsky thought he had a great trick for directing users to the servers best able to handle their requests at any given moment.
Normally, DNS is reliable but not nimble. When a computer–say, the caching name server (resolver) that answers lookups for users on Comcast’s network–requests the numerical address associated with a given domain name, it stores the answer for a period of time known as the “time to live” (TTL), which can be anywhere from seconds to days, and answers repeat requests from that cache. This reduces the number of requests the server sends out. Kaminsky’s idea was to bypass the time to live, allowing the server to get a fresh answer every time it wanted to know a site’s address. Consequently, traffic on Comcast’s network would be sent to the optimal address at every moment, rather than to whatever address had already been stored. Kaminsky was sure that the strategy could significantly speed up content distribution.
It was only later, after talking casually about the idea with a friend, that Kaminsky realized his “trick” could completely break the security of the domain name system and, therefore, of the Internet itself. The time to live, it turns out, was at the core of DNS security: a resolver only accepts an answer while it has a matching question outstanding, so the cache limits how often anyone gets a chance to hand it a false answer, and being able to bypass it allowed for a wide variety of attacks. Kaminsky wrote a little code to make sure the situation was as bad as he thought it was. “Once I saw it work, my stomach dropped,” he says. “I thought, ‘What the heck am I going to do about this? This affects everything.’”
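To make the caching behaviour concrete, here is an added example (written for this page; it is not Kaminsky’s code, nor the code of any real resolver such as BIND). It is a toy resolver cache that honours the time to live and counts how many questions actually leave the cache and go upstream, first with normal TTL caching and then with the TTL bypassed. The record data, the fake clock and all names are constructed for the demonstration; nothing is sent on the network and no spoofing is performed.

```python
"""Toy DNS resolver cache that honours the TTL (added example, not from the
article or any real resolver). All data below is constructed."""
import time

# Constructed "authoritative" data: name -> (address, ttl_seconds).
# example.com addresses are documentation addresses (RFC 5737), not real hosts.
UPSTREAM_RECORDS = {
    "www.example.com.": ("192.0.2.10", 3600),
    "mail.example.com.": ("192.0.2.25", 300),
}


class FakeClock:
    """Injectable clock so the demo can advance time without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CachingResolver:
    """Minimal recursive-resolver cache keyed on the queried name.

    upstream_queries counts every question that really goes out. Each
    outstanding question is the only moment at which an answer arriving
    from the network will be believed, which is why how long an answer is
    kept (the TTL) matters for security, not just for performance.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}  # name -> (address, expires_at)
        self.upstream_queries = 0

    def _query_upstream(self, name):
        """Stand-in for sending a query to the authoritative server."""
        self.upstream_queries += 1
        return UPSTREAM_RECORDS.get(name)

    def resolve(self, name, bypass_ttl=False):
        """Return (address, served_from_cache).

        bypass_ttl=True models the idea of ignoring the TTL and asking for
        a fresh answer on every lookup.
        """
        name = name.lower()
        if not name.endswith("."):
            name += "."  # normalise to a fully qualified name
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and not bypass_ttl:
            address, expires_at = entry
            if now < expires_at:
                return address, True  # answered from cache: no question sent
            del self.cache[name]  # TTL expired: evict and ask again
        record = self._query_upstream(name)
        if record is None:
            return None, False  # unknown name; negative caching omitted here
        address, ttl = record
        self.cache[name] = (address, now + ttl)
        return address, False


def demo(lookups=1000):
    """Repeat one lookup many times under both policies and return
    (upstream questions with TTL honoured, upstream questions with TTL bypassed)."""
    clock = FakeClock()
    honest = CachingResolver(clock)
    for _ in range(lookups):
        honest.resolve("www.example.com.")  # first goes out, the rest hit cache
    clock.advance(3601)  # step past the 3600 s TTL
    honest.resolve("www.example.com.")  # expired entry forces one more question

    bypass = CachingResolver(FakeClock())
    for _ in range(lookups):
        bypass.resolve("www.example.com.", bypass_ttl=True)  # every lookup goes out

    return honest.upstream_queries, bypass.upstream_queries


if __name__ == "__main__":
    print(demo())
```

With the TTL honoured, a thousand lookups of the same name produce a single upstream question (plus one more once the entry expires); with the TTL bypassed they produce a thousand. The example models only the caching behaviour the article describes, and the count of outgoing questions is the security-relevant quantity: it is the number of occasions on which the resolver is listening for an answer from the network.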
Kaminsky’s technique could be used to direct Web surfers to any Web page an attacker chose. The most obvious use is to send people to phishing sites (websites designed to trick people into entering banking passwords and other personal information, allowing an attacker to steal their identities) or other fake versions of Web pages. But the danger is even worse: protocols such as those used to deliver e-mail or for secure communications over the Internet ultimately rely on DNS. A creative attacker could use Kaminsky’s technique to intercept sensitive e-mail, or to create forged versions of the certificates that ensure secure transactions between users and banking websites. “Every day I find another domino,” Kaminsky says. “Another thing falls over if DNS is bad. … I mean, literally, you look around and see anything that’s using a network–anything that’s using a network–and it’s probably using DNS.”
Kaminsky called Paul Vixie, president of the Internet Systems Consortium, a nonprofit corporation that supports several aspects of Internet infrastructure, including the software most commonly used in the domain name system. “Usually, if somebody wants to report a problem, you expect that it’s going to take a fair amount of time for them to explain it–maybe a whiteboard, maybe a Word document or two,” Vixie says. “In this case, it took 20 seconds for him to explain the problem, and another 20 seconds for him to answer my objections. After that, I said, ‘Dan, I am speaking to you over an unsecure cell phone. Please do not ever say to anyone what you just said to me over an unsecure cell phone again.’”