2008-08-04 10-32 Kaminsky DNS View & Black Hat Campaign Special
Greetings Black Hat / DEFCON visitors. I'm sorry to say we couldn't make it this year. But don't worry, we have not forgotten you! Actually, we have cooked up something special to offer for all you people with black hats, and you don't even have to be in Las Vegas to participate!
Jukke came up with a brilliant new view for Clarified Analyzer called the DNS Randomness View 1. It helps address the DNS vulnerabilities found and illustrated by Dan Kaminsky (be sure to catch his presentation at Black Hat). This issue has gathered a lot of press and it is actually now widely referred as the Kaminsky DNS flaw / bug / vulnerability / cock-up. So, we decided to name the view after Mr. Kaminsky (with his kind permission).
The Kaminsky DNS View monitors network traffic (either from a pcap file, or traffic captured by probes) and deducts the port and id deviations from the DNS flows. With this information it evaluates the IP addresses like this:
- Get all the DNS packets for host X and sort them by time. Check ports and transaction IDs
- Postprocess the port list: count the differences between consecutive port numbers (first query port 1000, second query port 1005, so the difference is 5)
Calculate standard deviation of the differences. Note, standard deviation, not sample standard deviation. We rather underestimate the deviation, although statisticians will now probably explode from sheer horror
Rank the hosts according to their deviations as described in https://www.dns-oarc.net/
-- jani 2008-08-04 11:26:57