DNS Exploit Means Quick Patches Are Critical
By Jennifer LeClaire
July 25, 2008 2:26PM

IOActive's Dan Kaminsky discovered a flaw in the Internet's Domain Name System (DNS) software, and with the attack code leaked by developers of the Metasploit hacking toolkit, security experts are saying that everything that uses DNS -- from desktop PCs to mainframes -- needs to be patched immediately, or network security is at risk.

Researchers have released software that exploits the recently leaked flaw in the Internet's Domain Name System (DNS) software. That may mean IT admins are in for a long weekend of implementing and testing the patch.

IOActive researcher Dan Kaminsky discovered the bug earlier this month. The attack code was released Wednesday by developers of the Metasploit hacking toolkit, headed by the infamous HD Moore.

By exploiting this vulnerability, an attacker can redirect an ISP's users to a malicious phishing server every time they try to visit a legitimate Web site. The patches released through various vendors should protect from the threat, but it may be a rush for some.

Understanding the Root of the Threat

The threat emerges from two different issues with the DNS protocol, according to McAfee Avert Labs. DNS primarily uses UDP packets to send questions and receive answers. The client will accept any packet as an answer to its question on three conditions: the packet is coming from the DNS server, the source and destination ports match the destination and source ports of the question packet and, most importantly, the transaction ID and question match its question.

"An attacker can spoof such an answer packet as long as he can pretend to be the DNS server and also guess the source port and transaction ID (the destination port is usually 53)," said Ravi Balupari, a security researcher at McAfee Avert Labs. "The attacker also needs to make sure his spoofed answer packet reaches the client before the actual answer packet from the legitimate DNS server."

Complicating matters, when a DNS server replies to a question, it can also include additional records in the answer (for example, the addresses of the domain's name servers) so that future lookups can be answered more efficiently. A resolver caches those additional records along with the answer, so combining the answer-packet spoof with forged additional information makes exploitation easier: a single accepted forgery can poison more than the one name that was asked about.

In reality, Balupari said, a large number of attempts are required to guess the source port and the transaction ID of a DNS question before the victim's PC receives a legitimate answer from the DNS server. But other attacker strategies can help shorten the guesswork.

"If an attacker is successful in predicting the source port and transaction ID, and also inserts the additional information into the spoofed answer packet with the DNS servers pointing to the IP of his evil DNS server, he can control the traffic directed for bob.com domain," Balupari said.
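As an added illustration, not code from the article or from McAfee, the three acceptance conditions Balupari describes written as a resolver-side check, together with the size of the guess space a spoofer faces before and after source-port randomization (the change the vendor patches for this flaw introduced). All addresses, ports, IDs and names below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Question:
    name: str
    qtype: str = "A"

@dataclass(frozen=True)
class PendingQuery:
    """What a resolver remembers about a question it sent out (constructed)."""
    txid: int          # 16-bit transaction ID
    server_ip: str     # DNS server the question was sent to
    src_port: int      # resolver's source port; fixed in unpatched resolvers
    dst_port: int      # usually 53
    question: Question

@dataclass(frozen=True)
class Response:
    """Fields of a candidate answer packet as seen on the wire (constructed)."""
    txid: int
    src_ip: str
    src_port: int
    dst_port: int
    question: Question

def accept_response(pending: PendingQuery, resp: Response):
    """Apply the three acceptance rules from the article. Returns
    (accepted, reason); a spoofer must satisfy all three by guessing."""
    if resp.src_ip != pending.server_ip:
        return False, "source address is not the queried server"
    if (resp.src_port, resp.dst_port) != (pending.dst_port, pending.src_port):
        return False, "port pair does not mirror the question"
    if resp.txid != pending.txid:
        return False, "transaction id mismatch"
    if resp.question != pending.question:
        return False, "question section mismatch"
    return True, "accepted"

def guess_space(randomized_ports: bool, port_count: int = 64511) -> int:
    """Number of (source port, TXID) pairs a spoofer must cover. With a fixed
    source port only the 16-bit TXID is unknown; randomizing the source port
    multiplies the space by the number of ephemeral ports (1025-65535 assumed)."""
    return 65536 * (port_count if randomized_ports else 1)

# Constructed scenario: the resolver asked 192.0.2.53 about www.bob.com.
PENDING = PendingQuery(txid=0x1A2B, server_ip="192.0.2.53", src_port=40123,
                       dst_port=53, question=Question("www.bob.com"))
LEGIT = Response(txid=0x1A2B, src_ip="192.0.2.53", src_port=53, dst_port=40123,
                 question=Question("www.bob.com"))
# Forged packet: right address and ports, but the TXID guess is off by one.
SPOOF = Response(txid=0x1A2C, src_ip="192.0.2.53", src_port=53, dst_port=40123,
                 question=Question("www.bob.com"))
```

Run `accept_response(PENDING, SPOOF)` to see which rule rejects the forgery, and compare `guess_space(False)` with `guess_space(True)` to see why the patch matters.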

Impacts of the DNS Patch

Andrew Storms, director of security for nCircle, a network security firm that works with companies like ESPN, Safeway and Archer Daniels Midland, said the impact of this patch on the enterprise is enormous.

"Everything that uses DNS needs to be patched; desktop PCs, servers, routers, switches, firewalls and mainframes, and every vendor [like] Cisco, Sun, Microsoft and Apple," he said. "Basically, this patch impacts the entire network from soup to nuts."

Because of the importance and prevalence of DNS in every infrastructure, implementation of a patch on this scale would normally be a lengthy, careful process, Storms explained. But due to the massive scale involved in this patch, there is a significant risk that the patch could cause an unacceptable level of downtime.

"Now that the exploit code has been released, many companies that simply cannot patch inside a small timeframe are redirecting their attention to workarounds and secondary risk-reduction methodologies, such as deployment of entirely new DNS servers for Internet DNS queries or temporary outsourcing of DNS to ISC," Storms said.