The Black Hat conference is taking place this week in Las Vegas, bringing together security researchers and academics from all over the world to discuss the most pressing information security issues. Among the many (overly) hyped vulnerabilities set to be revealed is one the researcher claims threatens the security of “millions” of home routers. And according to the researcher, OpenDNS is not a fix.

Since the vulnerability was first publicized, we’ve made several attempts to contact Craig Heffner, the researcher, and get more detail. We’ve phoned. We’ve emailed. We’ve contacted reporters who’ve spoken to the researcher and had their help connecting to the researcher. I’ve even Facebook messaged his coworkers. I haven’t had a single reply.

Why the aggressive outreach from us? Because we want to be a fix. We work hard to make OpenDNS a solution to the many problems system administrators and security pros face. In fact, our entire service was designed to address the problems you want it to address. The only information we have is that this deals with DNS Rebinding. Fortunately, OpenDNS has secured users from DNS rebinding attacks for a long time. But we don’t know what’s different about Craig’s new rebinding attack.

When Dan Kaminsky and his firm IOActive famously revealed a major DNS flaw at the very same conference a few years ago, OpenDNS by then had worked to ensure that our service was secure and not threatened by the vulnerability. When the Conficker virus gained traction and proved it posed a real threat, security firm Kaspersky Labs and OpenDNS quickly teamed to block the domains from resolving for OpenDNS users. This sort of cooperation by industry leaders, groups and companies is, in my humble opinion, exemplary. It’s absolutely in the best interest of Internet users as it reduces the window of vulnerability. And we’re always happy to keep details of security issues secret, so the researcher can announce it without the risk of someone else stealing their thunder.

Could OpenDNS be a fix to the vulnerability said to threaten millions of home routers? Probably, but I can’t say since I have no information about how it works. All we know is that it has to do with DNS Rebinding attacks, which is a very old threat and is one we’ve done a great job of protecting users from in the past. Is OpenDNS a fix as-is already? Can’t say that either. It might be. Or we might have to tweak something. What I can say is that we have world-class engineers who are ready and willing to do whatever work possible to make OpenDNS a solution. But we can’t do that, because we don’t have the cooperation of the researcher.

In any event, at OpenDNS we believe in Responsible Disclosure. It’d be nice if Craig Heffner, the researcher in this case, believed in the same.

  • Jen

    I believe in OpenDNS. Many of us support your cause and we do hope that Craig will respond responsibly.

  • Craig

    This guy also reckons that the NoScript add-on in Firefox doesn’t help either. He’s looking for publicity I reckon, and all will be revealed as hype.

  • Stan

    I bet Cisco is going to be pissed off, since his claim about the DNS rebinding was directed against Linksys.

    For his own good he better not be lying or I smell some lawsuits coming out.

    Either way, good on you for bringing this up David. I’m waiting to hear more news too.

  • Paul

    @Craig:

    I’m not sure whether the assumption that NoScript cannot protect against this flaw was made before or after version 2.0 was released.

    http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/

    Georgio has added detection for WAN IP and added it to the ABE rules to protect against re-binding to the WAN IP that many routers will still respond to on the LAN ports.

    It will be interesting to see that final report from the conference on this issue.
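    Added example, not part of the comment thread and not NoScript's ABE rules or OpenDNS's filter: a minimal check of the kind the comment above describes, flagging DNS answers that point an external hostname at internal ranges or at the network's own WAN address. The WAN address, hostnames and function names are constructed for illustration.

```python
import ipaddress

# Constructed value: a documentation address standing in for the router's WAN IP.
WAN_IP = "203.0.113.7"

# Ranges an external hostname should never resolve to from inside the LAN.
INTERNAL = {
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "unique local IPv6": ["fc00::/7"],
}
NETWORKS = [(label, ipaddress.ip_network(cidr))
            for label, cidrs in INTERNAL.items() for cidr in cidrs]


def rebinding_reason(answer, wan_ip=WAN_IP):
    """Return why this A/AAAA answer should be dropped, or None if acceptable."""
    ip = ipaddress.ip_address(answer)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot sidestep the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # The case raised in the comment: the router's own public address, which
    # many routers still answer on from the LAN side.
    if ip == ipaddress.ip_address(wan_ip):
        return "own WAN address"
    for label, net in NETWORKS:
        if ip in net:
            return label
    return None


def flag_answers(records, wan_ip=WAN_IP):
    """Reduce (hostname, answer) pairs to those a rebinding filter would drop."""
    flagged = []
    for host, answer in records:
        reason = rebinding_reason(answer, wan_ip)
        if reason:
            flagged.append((host, answer, reason))
    return flagged


# Constructed sample answers for external hostnames (not captured traffic).
SAMPLE = [
    ("www.example.com", "198.51.100.20"),
    ("a.rebind.example", "192.168.1.1"),
    ("a.rebind.example", "203.0.113.7"),
    ("b.rebind.example", "::ffff:10.0.0.1"),
]
```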

  • http://www.h-i-r.net ax0n

    Dave,

    In the security field, a lot of us have tried to get people away from using “responsible disclosure” rhetoric. When someone in your position says that phrase, it comes off as pretentious and loaded. You’re essentially saying “by refusing to respond to our correspondence, you are proving that you’re an irresponsible human being.”

    I know you don’t mean it that way, but that’s what it sounds like, and that’s what people see. “Coordinated disclosure” gets the point across nicely, and is considerably less loaded.

    A lot of security researchers head into this week being very vague and dramatic. Intentionally so. Yes, a lot of it might be hype. Most of these folks will start by restating their hype on stage. This is followed by talk of how the vulnerability works, then a proof of concept is shown off or released to the public, and then techniques for defending yourself and others are discussed.

    Plain and simple: This attack can’t succeed if your router isn’t using a default password. A lot of home routers now ship with a unique administrator password — some of which may be easy to calculate from the Serial number or MAC address, but that’s non-trivial for a rebinding attack.

    In short, I’m pretty sure that the best defense against this has very little to do with further bastardizing the DNS standard.

  • DOM

    Well.. here we are again. You, the industry, asking us, the public, for advice… If I were in Craig’s shoes, I’d be a little apprehensive about giving you the proverbial fish, too. After spending God-only-knows-how long learning to fish for it. It’s been a long-standing maxim in the hacking communities: Don’t tell your secrets to anyone, inspire them to discover them for themselves. And that’s what I think Craig is doing here.

  • John

    C’mon people – this is ridiculous.

    Dave is clearly trying to ‘do the right thing’.
    Nobody can possibly know everything about everything, and enough has been stated about public/private cooperation.
    Let’s put your attitudes aside and cooperate – get your ‘l33t’ egos out of the gutter and be part of the help-side for a change. Bragging rights and extortion and ‘nyaah nyaah…look at me – I’ve got the industry by the balls’ do nothing to help solve these problems.
    If you call yourself a ‘researcher’ then do the right thing.
    Otherwise, you’re simply another punk cracker.

  • Kt

    “Don’t tell your secrets to anyone, inspire them to discover them for themselves”…really?

  • Ricardo

    Check some example code of this attack here:
    https://code.google.com/p/rebind/

  • Journeyman

    Ronald Reagan was quoted as saying “There is no limit to what you can accomplish if you don’t care who gets the credit.” What’s appreciated about OpenDNS is it’s in a class of its own. That only comes from leaders with humility and sincerity. You and your team, David, are respected and revered and demonstrate daily your belief of the above mentioned quote. Hopefully Craig Heffner will come to be less concerned with being a hero and more concerned with becoming an ally.

  • Shawn

    This is an active discussion going on with a guy that claims to be Craig Heffner…

    http://www.dd-wrt.com/phpBB2/viewtopic.php?p=471102&highlight=#471102
