Skip to content ↓ | Skip to navigation ↓

Two students from the Technion – Israel Institute of Technology, Roee Hay and Jonathan Kalechstein, have discovered a critical vulnerability in the widely used DNS Protocol BIND software which could allow attackers to redirect users to malicious or spoofed websites.

“We were very surprised to find a loophole in the protocol,” said Kalechstein. “We reported it to the authorities responsible for its implementation, they responded that they were unaware of this problem, and added that they will replace the algorithms in the next software version release.”

The students made the discovery while competing at at the Laboratory of Computer Communication & Networking in the Faculty of Computer Science at Technion, which ultimately won the faculty wide competition for the Amdocs Best Project Contest.

“We devised an attack on DNS, a protocol that is one of the cornerstones of the Internet, and we identified a weakness in one of its implementations,” said Hay. “The DNS protocol has been around for several years and has been investigated by researchers from all over the world. We knew in advance that the chances of finding a loophole in the software would be very small, but we like challenges.”

DNS, short for the Domain Name System, is one of the most basic of all Internet protocols, allowing Internet users access to a decentralized database that lets computers translate the names of specific websites into the actual IP addresses, the foundation for browsing the web.

“During the resolution of name to IP address, DNS servers look for the server storing the corresponding IP address. The weakness that the students found allows hackers to compel a DNS server to connect with a specific server chosen out of a set of potential servers,” explained Dr. Gabi Nakibly.

“If that server is controlled by the attacker, that DNS server will receive a false IP address. This type of cyber attack gives hackers an advantage, by causing computers to ‘talk’ with network stations that they alone control without being able to detect the occurrence of the fraud.”

Read More Here…