Slashdot Mirror


DNS Cache Poisoning Spreads Malware

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

314 comments

  1. April Fools Idea by DarkHelmet · · Score: 4, Funny
    Oh man, this article gave me an idea. Too bad it's a couple days late, or else it would have made a *great* April Fools for the workplace here.
    1. Change the company's DNS server here to map google.com to a private machine here on the network.
    2. Create a frontend on the internal machines here that looks exactly like google.com
    3. Map the internal IP addresses on the network to specific people here.
    4. Inject specific "spooky" messages into the search results based on the IP address of the querying machine. Examples would be like: "How about looking at some pr0n, Mr. Bridges?" or "You really should have that bald patch looked at, sir."
    5. April Fools! HA HA!
    6. Look for a new job.
    Oh well, you only live once.
    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:April Fools Idea by Cruithne · · Score: 4, Funny

      7. Profit!

    2. Re:April Fools Idea by antifoidulus · · Score: 1

      You could always stick a google search in the goatse man's....text entry space....
      shudders

    3. Re:April Fools Idea by mightypenguin · · Score: 2, Funny

      I think one of the better net admin jokes on this date was using the Swedish Chef text filter on all webpages in certain sections of my college's site :)

      http://www.cs.utexas.edu/users/jbc/home/chef.html

    4. Re:April Fools Idea by Anonymous Coward · · Score: 1, Funny

      I did something very similar as a prank on my boss's birthday a few years back. I manually updated the HOSTS file on his laptop so that the domain of a very important client was pointing to one of our internal development servers. I then set up a special internal virtual host for the prank, and put up a faux copy of the real web site in question, with a bunch of "YOU'VE BEEN HACKED!!" messages all over the place.

      My boss bought it hook line and sinker...it was fun for the whole family.

    5. Re:April Fools Idea by TimeTraveler1884 · · Score: 2, Funny
      7. Profit!
      Whoever modded this "Redundant" needs their head examined. Granted, it's only mildly funny, but it's not "Redundant". Uh, maybe because no one else had said it yet in response to the parent?

      You moderators are so fickle. I will probably get modded down "-1 He's got a point, but I don't like it" for this post.

    6. Re:April Fools Idea by dAzED1 · · Score: 3, Interesting

      the mod adjectives have needed to be changed for years. What do you do when someone isn't flamebait or trolling, they simply don't know what they're talking about? Mod them "overrated?" But what if they're only a 1 or 2? There are other problems. I generally have a pretty damn hard time modding most posts. I don't know how I spent as many points as I used to have.

    7. Re:April Fools Idea by Anonymous Coward · · Score: 0

      It got modded down because it's not even mildly funny. It is, in the strictest sense, Redundant. How about a "-1 Whinging idiot" moderation?

    8. Re:April Fools Idea by Greger47 · · Score: 3, Funny
      On Slashdot it's redundant. We already subconsciously add

      3. Profit!
      In Soviet Russia ... you!
      Imagine a Beowulf cluster...

      to all posts.

      /greger

    9. Re:April Fools Idea by Anonymous Coward · · Score: 0

      I did JUST that a few years ago! (2 years I think)
      I proxied everything to google and added a top result pointing to fake a wish stories with their name on them. (Google for 'fake a wish')

      I still have the mod_perl handler code I used.

    10. Re:April Fools Idea by lucabrasi999 · · Score: 2, Funny

      Only old Koreans subconsciously add statements to posts.

    11. Re:April Fools Idea by afd8856 · · Score: 3, Interesting

      I also had your problem. I've decided to give up on moderation and read slashdot at -1
      There are a lot of interesting things to be said at that level, too :)

      --
      I'll do the stupid thing first and then you shy people follow...
    12. Re:April Fools Idea by Anonymous Coward · · Score: 0

      I don't have a conscience, you insensitive clod!

    13. Re:April Fools Idea by nametaken · · Score: 1


      Sounds very similar to a story I heard on April fools day. A guy modified just one guys hosts file at work to point requests for the company website to a server on his laptop. He then posted a terribly hacked version of the company page. The man came running to his cubicle, completely freaked out.

    14. Re:April Fools Idea by mirrorful · · Score: 1

      Step 1 : Collect Underpants.....

    15. Re:April Fools Idea by 10537 · · Score: 1

      It got modded down because its not even mildly funny.

      It made me chuckle. Remember, "funny" is not an absolute; just look at Pauly Shore! (On second thoughts, don't; it might make you ill.)

      It is, in the strictest sense, Redundant.

      Tell me, which sense of redundant means "not funny"? Granted, none of the mod options really express the notion of "unfunny", and I suppose you could stretch a point by saying the comment wasn't needed, but that applies equally to 99.999% of the comments on /.

      I'd always assumed "Redundant" was to be used when someone's repeated a comment that's already been made; as the comment in question was the first reply to the first post it in no way matches the criteria.

      --
      This sentence no verb.
    16. Re:April Fools Idea by Anonymous Coward · · Score: 0

      Ha. I did that last year. But I modified the google search page to make it look like our company had been bought by google. It was a bit tricky to make the searches work.

      I was floored months later when I noticed a coworker was still hitting "proogle".

    17. Re:April Fools Idea by khendron · · Score: 1

      Sounds vaguely like the MSN Search spoof at mymsnsearch.com, but with better cloaking technology.

      An example

      --
      Life is like a web application. Sometime you need cookies just to get by.
    18. Re:April Fools Idea by budgenator · · Score: 1

      I never mod down a first post that's even remotely funny or on topic. Farther down, if somebody is clueless but appears to have read the article, the worst they get is overrated. So when I get mod points, RTFA or at least have a clue!

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    19. Re:April Fools Idea by Anonymous Coward · · Score: 1, Informative

      Are there really people who read at +something? About the first thing I did when I arrived here was starting to read at -1. It was pretty obvious that the funniest shit happens there.

    20. Re:April Fools Idea by Short+Circuit · · Score: 2

      Sure. However, I tried it once, and discovered it wasn't work-safe. (Which is where I do the majority of my /. reading.)

    21. Re:April Fools Idea by Anonymous Coward · · Score: 1, Insightful

      Might be that the 3. Profit!!! joke has been made so many times on Slashdot that it is implicitly redundant. Not an invalid point of view.

    22. Re:April Fools Idea by veg_all · · Score: 1

      Too bad there'll never be another first of April.

      --
      grammar-lesson free since 1999. (rescinded - 2005)
    23. Re:April Fools Idea by stratjakt · · Score: 2, Insightful

      How about not modding it at all, and perhaps replying with correct information? You know, dialogue, the exchange of ideas and information.

      I know you get a smug sense of self-satisfaction by just stamping "WRONG!" and wiping your hands of it, but that doesn't help anyone.

      You don't have to use your points on the first posts you see.

      --
      I don't need no instructions to know how to rock!!!!
    24. Re:April Fools Idea by Anonymous Coward · · Score: 0

      In Soviet Russia, noun verbs you. You sunk my battleship. Check-mate!

    25. Re:April Fools Idea by ginotech · · Score: 1

      then you can't mod that article anymore.

    26. Re:April Fools Idea by sjames · · Score: 4, Funny

      Just keep in mind, In Soviet Russia, a beowulf cluster profits by imagining 50 year old South Koreans pouring hot grits down your pants.

    27. Re:April Fools Idea by xv4n · · Score: 1, Funny
      Too bad there'll never be another first of April.

      You are beginning to scare me man. What else do you know?

    28. Re:April Fools Idea by artifex2004 · · Score: 1
      What do you do when someone isn't flamebait or trolling, they simply don't know what they're talking about? Mod them "overrated?" But what if they're only a 1 or 2?


      This is where following the advice to concentrate on modding up, not down, helps. If you see stupidity/trollishness given +5, then by all means, push it back down. But in the meantime, other, valuable comments are lurking at +1 and +2, and probably deserve at least as much to be raised and seen.

      Of course, I often skim at +3, when I'm not modding, so I'm biased :)
    29. Re:April Fools Idea by Anonymous Coward · · Score: 0

      This has been suggested in years past. However, this year, there's a new level you can go for. Google's new desktop search feature would add an extra layer of anxiety/humor if it were spoofed so that, when you serve up fake Google responses, you also show hits from tons of files in (non)existent directories on their computer.

    30. Re:April Fools Idea by CrackedButter · · Score: 1

      I found this, I didn't do it.

    31. Re:April Fools Idea by Anonymous Coward · · Score: 0

      You're fired, clean out your desk.

    32. Re:April Fools Idea by 10537 · · Score: 1

      But that's why it's funny!

      --
      This sentence no verb.
    33. Re:April Fools Idea by Tibe · · Score: 1

      I for one welcome our Russian-Korean mix, Beowulf clustered, 50 year old hot girl overlords.

    34. Re:April Fools Idea by Short+Circuit · · Score: 1

      You're fired, clean out your desk.

      I don't have a desk. My job is essentially being an on-demand answer guy for college students. Sometimes it's slow, sometimes I don't get a chance to sit down for an hour or so.

      Students in the computer lab get ahold of me in one of three ways. Most of them raise their hands. Many of them use the network-based TutorCall to get assistance. A few of them get up and approach me.

    35. Re:April Fools Idea by Anonymous Coward · · Score: 0

      (im same AC that posted the fired crap)

      That is becoming sorta my job too as of late, the owner of the company is expanding...employee-wise but not office space-wise, so i have no desk either, the only room i can call my own is the server room, and the only thing to sit on in there is a 5 gallon paint bucket (dont ask)..but i only have to be there 2 times a week just to 'be there', field questions on our new mortgage software (Encompass)..keep passwords etc...none of these people raise their hands...:(

    36. Re:April Fools Idea by dAzED1 · · Score: 1

      I know you get a smug sense of self-satisfaction by just stamping "WRONG!" and wiping your hands of it

      really? Must be nice to know what everyone else is thinking. I'd get to Vegas if I were you; you could make a mint. Then go into politics, become head of the UN, and solve all the world's problems.

    37. Re:April Fools Idea by LiquidCoooled · · Score: 1

      Those that don't receive subliminal statement hints via email.

      --
      liqbase :: faster than paper
  2. IRC by Wizy · · Score: 4, Informative

    Anyone who has been on irc for over 8 years remembers when DNS cache poisoning first started showing up (about 97.)

    This is a quote from the "IRC Operators Guide" written in 8/97:
    "DNS spoofing is a relatively new hit these days on IRC. You'll generally find spoofs one of two ways - you're watching the connections (usermode +c) and an unusual hostmask appears, or a user reports one. The first thing to do is to get the user's IP address (/stats L nick), and check to see if the DNS lookup matches the IP address. If it doesn't, you know you have a spoof. With this information, you can KILL the spoof, and when it reconnects, see where the real host is and issue a K-line (which won't stop them from spoofing again, but will prevent them from signing on *without* spoofing). Some servers have the capability of D-lines, which allow you to ban by ip mask. A D-line will prevent the client from connecting at all, regardless of whether they try DNS spoofing or not. If the server supports the DLINE command, you can do /dline ipmask :reason."

    It has been a well known problem since way back then and it has still not been dealt with in any real way.

    1. Re:IRC by Anonymous Coward · · Score: 3, Informative

      There are some things DNS implementors can do to protect against DNS cache poisoning. The best article about the subject is here.

  3. internet rash by Cruithne · · Score: 5, Funny

    following a rash of active DNS poisonings

    Damn internet rashes, they're the worst. Remember, dont surf without protecting your board. :/

  4. colored alerts by hey · · Score: 1, Funny

    I am sooo glad that SANS uses colored alerts like "Homeland" Security. It's pretty tacky. I guess the first time I heard about it was in the original Star Trek. Nothing tacky there.

    1. Re:colored alerts by delta_avi_delta · · Score: 4, Interesting

      You know the British secret service use color coded bikinis for terror alert levels. Black-Special Bikini has got to be the coolest alert level around :)

    2. Re:colored alerts by Anonymous Coward · · Score: 2, Funny

      But, mister Rimmer sir, you do realize that it means changing the lightbulb...

    3. Re:colored alerts by Anonymous Coward · · Score: 0

      How do you know? It's not very secret if you're telling everyone... :)

    4. Re:colored alerts by Anonymous Coward · · Score: 0

      You're a retard. This is for the whole government/military. Secret service my arse.

  5. More color-coded warnings? by loqi · · Score: 5, Funny

    I give it two years until the sight of a rainbow fills me with abject terror and confusion.

    --
    If other reasons we do lack, we swear no one will die when we attack
    1. Re:More color-coded warnings? by Anonymous Coward · · Score: 0

      . . . That's when we'll know the terrorists have won.

    2. Re:More color-coded warnings? by peragrin · · Score: 2, Funny

      forget rainbow, wait till the perfect orange sunset, and run around screaming even mother nature knows terrorists are coming.

      --
      i thought once I was found, but it was only a dream.
    3. Re:More color-coded warnings? by krf · · Score: 3, Funny

      The rainbow already fills most republicans with abject terror and confusion.

      Maybe that's why they invented that terror warning thing.

    4. Re:More color-coded warnings? by oneiros27 · · Score: 4, Funny
      Kryten: We must take action. Be bold, positive, decisive. I suggest we move from blue alert to red alert, sir. Cat: Forget red! Let's go all the way up to brown alert! Kryten: But there's no such thing as brown alert, sir. Cat: You won't be saying that in a minute. And don't say I didn't alert you!

      Red Dwarf, Series 8, Episode 1.

      --
      Build it, and they will come^Hplain.
    5. Re:More color-coded warnings? by mmkkbb · · Score: 4, Funny

      *KABOOM*

      Arrr, an attack! Matey, fetch me red shirt! Can't let the men see me bleedin' if I get hit! ...

      *KABOOM*

      Arrr, that was a close one! Fetch me brown pants too!

      --
      -mkb
    6. Re:More color-coded warnings? by Anonymous Coward · · Score: 0

      Thank you. That was the funniest thing I've seen on slashdot in a while.

    7. Re:More color-coded warnings? by Fjornir · · Score: 4, Funny

      RIMMER: Go to blue alert.
      LISTER: What for? There's no-one to alert - we're all here.
      RIMMER: I would just feel more comfortable if I know that we're all on
      our toes 'cos everyone's aware it's a blue-alert situation.
      LISTER: We all are on our toes.
      RIMMER: May I remind you all of Space Core Directive 34124?
      KRYTEN: 34124. "No officer with false teeth should attempt oral sex in
      zero gravity".
      RIMMER: Damn you both, all the way to Hades! I want to go to Blue Alert!
      LISTER: Ok, ok.
      .
      .
      .
      LISTER: Too small for a vessel... maybe some kind of missile.
      KRYTEN: It's impossible to tell at this range. Whatever it is, they
      clearly have a technology way in advance of our own!
      LISTER: So do the Albanian State Washing Machine Company.
      RIMMER: Step up to red alert!
      KRYTEN: Sir, are you absolutely sure? It does mean changing the bulb.
      RIMMER: There's always some excuse, isn't there?

      --
      I want a new world. I think this one is broken.
    8. Re:More color-coded warnings? by Anonymous Coward · · Score: 0

      Is there a *damn funny* moderation?

  6. How does it happen? by caluml · · Score: 1, Interesting

    I've not really looked into it, but how do you go about poisoning DNS?

    1. Re:How does it happen? by Anonymous Coward · · Score: 5, Informative
      There are a few ways. Off the top of my noggin:
      • If your target DNS server is running Microsoft's DNS server, on W2K SP 1 or 2 (this may have been patched, I dunno), you can poison DNS using an alias. It's simple. You have to have control of a zone (say realzone.com) and a DNS server. You create a zone on your dns server under the name you want to poison, say example.com. Your DNS server thinks it is authoritative for the example.com zone. Next you create a host record in example.com that points to a host you control. In your real zone (realzone.com), you create a CNAME record for a host like spoof that points to hostname at example.com, like www.example.com. Then you point your local stub resolver at the target DNS server (most DNS servers will resolve for anyone by default). When you try to lookup spoof.realzone.com, the target DNS server will find your dns server. Your dns server will see that spoof.realzone.com is a CNAME for www.example.com and look that up. Since it thinks it is authoritative for example.com, it will ask itself, and return that IP address to the target DNS server. Now it is in the target's DNS cache. Anyone who tries to resolve www.example.com from that DNS server will get the IP address of the host you defined in the example.com zone. Spoof!
      • Another way is to sniff the traffic of the target DNS server and when it tries to resolve a host name, feed it the result of your choosing before the recursive query finishes. The first response wins, generally.


      There are probably other ways, but it isn't hard.

      The bottom line, DNS is an untrustworthy system.
    2. Re:How does it happen? by jon3k · · Score: 4, Insightful

      Unprotected DDNS (dynamic dns registration, Microsoft loves this one)

      And also you can feed a slave server your own zone, based on the nameserver configuration, it will work (very rarely).

    3. Re:How does it happen? by Rolan · · Score: 3, Informative

      Start by clicking the "HERE" in the article and, oh, wow, there's a whole report on how it happens!

      --
      - AMW
    4. Re:How does it happen? by Anonymous Coward · · Score: 0
      >> If your target DNS server is running Microsofts DNS server, on W2K SP 1 or 2 (this may have been patched, I dunno), you can poison DNS using an alias. It's simple. You have to have control of a zone (say realzone.com) and a DNS server. You create a zone on your dns server under the name you want to poison, say example.com. Your DNS server thinks it is authoritative for the example.com zone. Next you create a host record in example.com that points to a host you control. In your real zone (realzone.com), you create a CNAME record for a host like spoof that points to hostname at example.com, like www.example.com. Then you point your local stub resolver at the target DNS server (most DNS servers will resolve for anyone by default). When you try to lookup spoof.realzone.com, the target DNS server will find your dns server. Your dns server will see that spoof.realzone.com is a CNAME for www.example.com and look that up. Since it thinks it is authoritative for example.com, it will ask itself, and returh that IP address to the target DNS server. Now it is in the targets DNS cache. Anyone who tried to resolve www.example.com from that DNS server will get the IP address of the host you defined in the example.com zone. Spoof! <<
      My God, people are such idiots. How could something this elementary have gone unchecked all this time!

      /Christ, I get bitter when people are smarter than me.
      //Yes, I'm bitter a lot.
      ///Yes, I also realize this isn't fark.
    5. Re:How does it happen? by nixdix · · Score: 1

      I've never heard of this being done, but it sounds like this exploit could be used to remove most banner ads for everyone. There is software which does this for your local machine, but this would have a global effect. It seems like someone could really hurt the purveyors of spyware and other things which require the machine to "phone home".

    6. Re:How does it happen? by PalmMP3 · · Score: 0
      The bottom line, DNS is an untrustworthy system.

      I agree. Just goes to show how much that seven-year, overfunded, unnecessary government study really accomplished - "DNS is good", my ass.

      --
      Laughter is the best medicine, but in certain situations the Heimlich maneuver may be more appropriate.
  7. Re:More reason to use Firefox by lowrydr310 · · Score: 1, Flamebait

    I didn't think DNS servers needed web browsers.

  8. If this is such a big deal... by oldosadmin · · Score: 1

    Then why haven't we heard about it before it got this serious?

    I mean, isn't there a way to make people aware of stuff like that? I don't want some script kiddie seeing my google searches for pr0n.

    --
    Jay | http://oldos.org
    1. Re:If this is such a big deal... by Wizy · · Score: 5, Informative

      We have. This has been a known problem since early 1997. It is well documented in the IRC community (admins and coders.)

      Documents like this one from 1997: http://www.cs.rpi.edu/~kennyz/doc/unix/dns.spoof

    2. Re:If this is such a big deal... by Dionysus · · Score: 3, Informative

      DJB has talked about it at least as far back as November 2001.
      libresolv problems,talking about poissoning

      --
      Je ne parle pas francais.
    3. Re:If this is such a big deal... by TyfStar · · Score: 1

      Do you remember when the Internet started being popular... and people said "I don't want to put my credit card information on the internet! It could be looked at and stolen!!"

      DNS spoofing is how they'd get it. But no one ever wanted to really hear the G34K 5P34K for HOW they'd get it.. so everyone just said "well, I won't."

      Only now you can't do anything without putting your ccard on the internet... so people stop saying "ohh.. they could get my number!" and think "hey... it's SSL, so it doesn't matter."

      and .. from someone that has taken one of these classes (granted 2 years ago), it is true that it's difficult to get a number out of a bunch of seemingly randomized characters & numbers. I can't understand any of it...

      I mean.. isn't DNS spoofing the basis for any other kind of stuff? Like the man-in-the-middle attack?

      Or am I just getting all of it mixed up, as it's been so long since my class..? Someone that has a linux box (you know, the thousands of you that all have /. as your home page) clear this up, will you? how easy is it to DNS spoof, and what exactly can you do with it?

      --

      "There is a reason Linux is free"

      ~me~

    4. Re:If this is such a big deal... by pyros · · Score: 1
      Je ne parle pas francais.
      talking about poissoning

      So DJB was talking about distributing, and not fishing?

    5. Re:If this is such a big deal... by Anonymous Coward · · Score: 0

      This stuff has been on the SANS site for over a week, it's just now they increased the alert because no one was paying attention.

    6. Re:If this is such a big deal... by Anonymous Coward · · Score: 0
      "Then why haven't we hard about it before it got this serious?
      I mean, isn't there a way to make people aware of stuff like that?"

      If they have problems grokking malware and security in general, who do you think is going to be able to tell JQ Public about DNS cache spoofing? Five words that absolutely none of them understand! And, as you can see in the replies even here, the distinction between spoofing and poisoning can be almost missed.
  9. How does this work? by bcmm · · Score: 2, Insightful

    Is this done basically by taking over insecure DNS servers or is something more subtle involved, e.g. making computers treat your machine as their DNS server instead?

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
    1. Re:How does this work? by Tony+Hoyle · · Score: 4, Informative

      It's where you have an insecure server and someone manages to modify your zone file externally. It really shouldn't be possible any more... all dns servers ship secure by default, and any admin that makes such a configuration change should be fired on the spot.

    2. Re:How does this work? by Anonymous Coward · · Score: 3, Informative

      usually it's done by flooding a dns server with carefully crafted false replies based on known previous requests from the server.

      or by taking advantage of servers that listen to extra information that they really shouldn't listen to in a reply.

      with both methods the aim is to trick the dns server into caching your false response for its clients.

    3. Re:How does this work? by Wizy · · Score: 1

      Since the problem is over 8 years old, anyone still doing it should be SHOT on the spot so they don't find another job and do it again.

    4. Re:How does this work? by SPY_jmr1 · · Score: 1
      The DNS service might be secure, but what happens if the box is rooted...

      if they fixed so that it's impossible to hack a box, and no one told me... Heads. Will. Roll.

    5. Re:How does this work? by Stuwee · · Score: 5, Informative
      From memory, classic DNS poisoning goes something like the following:
      1. Pick any DNS server which isn't authoritative for the domain which you wish to poison with the IP of your choosing. Something like your ISP's DNS server will work nicely.
      2. Send a legitimate DNS request to the server for a domain which is authoritative under a server you are in control of, and which your chosen server (and any in-between it and your own server) won't already have in its cache.
      3. When the request for the domain comes into your server, you have the sequence number which originated from your target DNS server. The idea with this sequence number is that your reply to the originating server contains the number, and hence the server knows which request is being replied to. Here is where the vulnerability comes in.
        Earlier versions of BIND use sequential sequence numbers in each request; nowadays pseudo-random numbers are used. What we're really after here is the next sequence number, or at least an idea of what it might be. In the case of sequential numbers, you have a rather small range of next sequence numbers. If your pseudo-RNG isn't cryptographically secure, it's possible to guess the next number in the sequence (for which you might want to make a few legitimate requests to your target server to observe the sequence).
      4. Next up, make a request to your target server for the domain which you want to take control of. For this to work, your target DNS server must send out a further request for this domain. Since you have an idea of the sequence number which has been sent out with this request, you can now start flooding the target DNS server with false replies.
      5. The ultimate goal is that you will hit the correct sequence number with your false reply before the legitimate reply comes in, hence poisoning the DNS. Further requests to your target server within the record timeout (which you may specify yourself in your false replies, so they can last quite a while) will be replied to with a cached version containing your poisoned IP.
      6. Watch the requests come in for the content to your own IP, serve up appropriately.
    6. Re:How does this work? by bcmm · · Score: 1

      I've spoken so I can't mod, but thanks for the very clear explanation.

      Sounds a bit like idle scanning; presumably the false reply packets appear to come from the authoritative server's IP address?

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    7. Re:How does this work? by uberuber · · Score: 1

      This is probably a stupid question but what the hell. Why is it so hard for the DNS server doing the request to look back at the source ip of the malicious server and see that its not the one it should be getting the reply back from and just ignore it?

    8. Re:How does this work? by Anonymous Coward · · Score: 0

      You can spoof UDP source addresses.

    9. Re:How does this work? by Anonymous Coward · · Score: 0

      ..assuming you're not being ingress filtered...
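Stuwee's walkthrough above and the question about why a resolver cannot simply trust the reply's source address both come down to the same resolver-side checks. The following is an added illustration, not code from any commenter: a toy caching resolver that accepts a reply only when its transaction ID, the address and port it was sent to, and the question all match a query still outstanding, discards answer records for names it did not ask about, and logs every rejected reply for monitoring; alongside it is a check for the sequential-ID behaviour the walkthrough attributes to old BIND. All wire-format messages, addresses and names are constructed for the example.

```python
import struct

def encode_name(name):
    """Encode 'www.example.com.' as DNS length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off:]; follows a compression pointer once."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def build_message(txid, qname, answers=()):
    """Build a query (no answers) or a response carrying A records
    given as (owner_name, ttl, dotted_ipv4) tuples."""
    flags = 0x8180 if answers else 0x0100          # QR bit set on responses
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for owner, ttl, ip in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

def parse_message(msg):
    """Parse the header, the single question and any A answer records."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}

class Resolver:
    """Caching resolver that caches only replies matching a pending query."""

    def __init__(self):
        self.pending = {}    # txid -> (server_ip, server_port, qname)
        self.cache = {}      # qname -> (ttl, ip)
        self.rejected = []   # (reason, txid, qname): feed this to monitoring

    def send_query(self, txid, server_ip, server_port, qname):
        self.pending[txid] = (server_ip, server_port, qname)
        return build_message(txid, qname)

    def receive(self, msg, src_ip, src_port):
        r = parse_message(msg)
        pend = self.pending.get(r["id"])
        if not r["response"] or pend is None:
            return self._reject("no pending query with this ID", r)
        exp_ip, exp_port, exp_qname = pend
        if (src_ip, src_port) != (exp_ip, exp_port):   # UDP source can be forged,
            return self._reject("source address/port mismatch", r)  # but still checked
        if r["qname"] != exp_qname:
            return self._reject("question does not match query", r)
        del self.pending[r["id"]]                  # first valid answer wins
        for owner, ttl, ip in r["answers"]:
            if owner == exp_qname:                 # drop records for other names
                self.cache[owner] = (ttl, ip)
        return "accepted"

    def _reject(self, reason, r):
        self.rejected.append((reason, r["id"], r["qname"]))
        return reason

def ids_look_predictable(ids):
    """True if observed transaction IDs advance by one constant step."""
    steps = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])}
    return len(ids) >= 3 and len(steps) == 1

def demo():
    """Constructed scenario: one query, then four replies of varying validity."""
    res = Resolver()
    res.send_query(0x1234, "192.0.2.53", 53, "www.example.com.")
    bad = [("www.example.com.", 86400, "198.51.100.7")]      # constructed values
    good = [("www.example.com.", 300, "203.0.113.10"),
            ("login.bank.example.", 86400, "198.51.100.7")]  # extra must not cache
    results = [
        res.receive(build_message(0x1233, "www.example.com.", bad), "192.0.2.53", 53),
        res.receive(build_message(0x1234, "www.example.com.", bad), "192.0.2.53", 5353),
        res.receive(build_message(0x1234, "www.example.com.", good), "192.0.2.53", 53),
        res.receive(build_message(0x1234, "www.example.com.", good), "192.0.2.53", 53),
    ]
    return results, dict(res.cache)
```

Running `demo()` shows the wrong-ID reply, the wrong-port reply and the late duplicate all rejected, while only the record for the name actually queried reaches the cache.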

  10. Let's Kill The Golden Goose by ackthpt · · Score: 5, Insightful
    Sure, internet click-thrus generate money, but when they get so invasive and destructive, they'll drive people away from the internet. I can't imagine any advertiser likes that idea.

    Worse, perhaps, is that all these problems may encourage some horrible proprietary internet standards to arise, claiming safety from ad/spy/malware, phishing, etc. and all the cattle have to do is sign up, abandoning the old internet.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Let's Kill The Golden Goose by DigiShaman · · Score: 1

      If the UN controls the Internet, then you can bet your bottom dollar that the Internet as we know it will become fragmented. I can only imagine the horrors the consumer market faces with a bunch of AOL-Me-too networks/service.

      Meanwhile, the educational system will be threaded together on Internet2.

      --
      Life is not for the lazy.
  11. Re:More reason to use Firefox by mboos · · Score: 2, Informative

    It's the malware on the sites that the infected DNS servers redirect to.

    --
    --Mike Boos
  12. Question by Ryosen · · Score: 4, Funny

    I've been using Opera for 6 years now and I'm a little confused.

    What is "malware"?

    --

    Ryosen
    One man's "Troll, +1" is another man's "Insightful, +1".
    1. Re:Question by tomstdenis · · Score: 1

      Malware would be the "bonus added value" that your younger_brother/sister/mother installed on your computer along with real_player/real_arcade/other_silly_program/etc.

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:Question by OnceWas · · Score: 4, Informative

      Opera (or Firefox) isn't immune to phishing attacks. How would you know you're giving your banking info to a phony site that looks exactly like your own bank's login screen? Especially if the domain name is correct?

      I assume SSL would catch some of this, but not all.

      DNS poisoning is creepy, since it's browser/OS agnostic.

      --
      Laugh while you can, monkey-boy.
    3. Re:Question by Anonymous Coward · · Score: 0

      I thought you said you used Opera?

    4. Re:Question by Anonymous Coward · · Score: 0

      Believe it or not, you're actually running it.

    5. Re:Question by Anonymous Coward · · Score: 1, Informative

      You moron, this affects all browsers regardless.
      We're talking about DOMAIN NAME SERVERS, the ones that resolve IP addresses and tell your browser where to go.
      This has been a big problem lately, so much so that my ISP decided they had to lie to me about it two months ago when I pressed them on this issue.

    6. Re:Question by Anonymous Coward · · Score: 1, Insightful

      In the case of opera, most phishing sites don't work. :)

      Sadly, neither do most legitimate online banking sites. :(

      /Opera user since v3

    7. Re:Question by Ryosen · · Score: 2, Interesting

      >>In the case of opera, most phishing sites don't work. :) Sadly, neither do most legitimate online banking sites. :(

      My bank works just fine with Opera and has since v6, when they introduced the service. Granted, I don't have an animated paper clip to help me along with the arduous task of checking my balance, but that's the sacrifice that I am willing to make for a browser that works.

      In Opera's defence, making a product that adheres to Web standards and doesn't encourage the continuing bifurcation and blatant disregard for standards that Microsoft's Internet Explore-Embrace-Extend-er does, isn't necessarily a bad thing.

      The only sites that I have had any problems with are those that require ActiveX controls (which, I'm relieved to see, are becoming fewer) and extended JScript commands that are used to manage some dynamic menu effects which are mostly useless to begin with. If my dynamic menu scripts can work in all browsers, there's no reason why others can't, too. Well, other than ignorance and laziness...

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
  13. Re:More reason to use Firefox by bcmm · · Score: 4, Funny
    I bet that malware is Internet Explorer-specific.
    Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
    Oh, wait...


    Idiot.
    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  14. How to stop DNS cache poisoning by Anonymous Coward · · Score: 0, Informative

    As a rather well known expert in the field of cybersecurity, I offer the following solutions (sans my standard $450/hr rate) -

    Turn the lifetime of all DNS records to 0. This way they will not be cached, hence no poisoning issues

    Upgrade everyone to BIND 9.0 - including Windows - and turn on crypto. This will add security so malicious users can connect and poison the DNS cyber buffer!

    Implementing these 2 will solve 90% of problems. Free advice from a top security consultant at Foundstone. (you'd know my name)

    1. Re:How to stop DNS cache poisoning by Wizy · · Score: 4, Funny

      Did you run the warez server? I know that guy's name.

    2. Re:How to stop DNS cache poisoning by Anonymous Coward · · Score: 0

      0. Separate DNS Server and DNS Cache for better security as Djbdns. (my rate 1 beer/hr)

    3. Re:How to stop DNS cache poisoning by clickster · · Score: 2, Funny

      "Free advice from a top security consultant at Foundstone. (you'd know my name)"

      OK. I call bullshit. I spent 30 minutes looking through the Foundstone corporate directory and there is no "Anonymous Coward", "A. Coward", etc.

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    4. Re:How to stop DNS cache poisoning by menscher · · Score: 4, Informative
      If all DNS records had 0 lifetime, the load on the core DNS servers would cause them to melt. Nice if you want a DDoS, not so nice if you want the internet to work.

      Ever heard of a monoculture? It's dangerous. That's the primary reason Microsoft has so many security issues. To guard against this, the DNS infrastructure of the internet is intentionally made to be heterogeneous. They use different DNS software on different operating systems as much as possible.

      Top security consultant? Doubtful. More likely an AC trying (and failing) to impersonate someone with a clue.

    5. Re:How to stop DNS cache poisoning by MikeBabcock · · Score: 2, Insightful

      Running dnscache which is much more intelligent about how it handles cacheable data than BIND is high on my recommendations list.

      --
      - Michael T. Babcock (Yes, I blog)
    6. Re:How to stop DNS cache poisoning by Anonymous Coward · · Score: 0

      Hm.. Nice ideas.
      But don't you think it's a bad idea to turn off DNS caching?
      I'm running several small testing networks, and in a network with about 5 actively working computers (profile: 3 "Windows email & surfers", 1 "Unix admin board" (frequent checks for a few hosts), 1 "P2P user" (randomly picked address lookups)) it's about 1 MB DNS traffic in an 8-hour day. Multiply this by about 9 million (based on my estimate of the internet accesses in Germany), and you'll know why some nameservers are happy modern routers have builtin DNS caches.

    7. Re:How to stop DNS cache poisoning by ebvwfbw · · Score: 3, Informative
      You shouldn't charge so much for dated and misleading information. I just checked out a boatload of name servers and they are not only all running 9.0, most of them are at 9.2 or later. Not caching a domain like google is also bad advice. Someone more critical may even say unprofessional.

      If you bothered to RTFA, you would also know that the problem is with Windows NT servers (that should have been taken offline years ago or upgraded to Linux) and Unix machines that were compromised (probably also not up to date). No upgrade in bind will help you on that one and NT is famous for being full of holes. Don't sweat it though, "experts" are dated quickly in this field.

      Encouraging people to keep their systems up to date, patched and watched would be better. Do integrity checking - like with tripwire. Check it every day. Even then you can still get burned, happens to the best of us.

      Now, how do I get one of those fancy $450/hr jobs (No moving to Boston!)?

    8. Re:How to stop DNS cache poisoning by sloth+jr · · Score: 2, Informative

      Moderators, wake up and mark parent down (or at least funny, or troll)!

      Several severe reality problems with this "advice" (it's surely a troll, people - come on, "DNS cyber buffer?"):
      While that's a sure fire way of killing cache poisoning for your own records, setting DNS TTL to 0 for all records *will* cause severe Internet Armageddon as the root DNS servers explode (client DNS servers would be screwed in short order as well).

      Since DNS is a distributed system, run by admins clueful and otherwise, setting DNS TTL to 0 everywhere is not possible (short of owning every single DNS server out there).

      Further, setting DNS TTL to 0 does nothing to prevent caching of records on your own DNS server (and serving it to your clients).

    9. Re:How to stop DNS cache poisoning by Anonymous Coward · · Score: 0

      Keep in mind that DJB's software is not free software. Keep in mind also that BIND 9 is quite secure (DJB users don't like this fact going around).

    10. Re:How to stop DNS cache poisoning by MikeBabcock · · Score: 1

      I don't care how secure you think BIND 9 is -- I care that I can use dnscache and its logic is much more sound in how it handles reference data than BIND is. Proof is in the recent cache poisonings.

      DNSSEC is a non-starter by the way, if you think that actually contributes to BIND 9's superiority -- until root servers have encryption, it won't matter. That said, there are much better ways to secure DNS data -- like encrypted links to said DNS servers with proven technologies; IPSec comes to mind.

      --
      - Michael T. Babcock (Yes, I blog)
    11. Re:How to stop DNS cache poisoning by Anonymous Coward · · Score: 0

      bind? are you high? djbdns for me buddy, bind is like minix...it needs to be eradicated...

    12. Re:How to stop DNS cache poisoning by Anonymous Coward · · Score: 0

      0 expiry, you've GOT to be kidding? If you do this for a living, you really suck at it, I wouldn't recommend the use of Foundstone for security...BIND indeed....

    13. Re:How to stop DNS cache poisoning by Anonymous Coward · · Score: 0

      DJB's software is not free? I don't see any er requests for payment let alone the fact that the software is downloadable without charge.

      Then there is the you can modify it and run it as you wish part. Without limitation too. Oh you mean you cannot redistribute it? That's hardly going to make it become non-free software.

      http://cr.yp.to/softwarelaw.html

  15. windowsupdate.microsoft.com? by jfengel · · Score: 0

    Has anybody tried to redirect windowsupdate.microsoft.com? That could potentially install malware at massive privilege levels and therefore impossible to remove. And it's done automatically.

    That's the reason I don't auto-update. I'll let it download the software but I'm waiting a few days before installing it. Hopefully in the intervening time somebody would say, "For the love of God please don't install update #77439245!"

    1. Re:windowsupdate.microsoft.com? by Anonymous Coward · · Score: 5, Informative

      Has anybody tried to redirect windowsupdate.microsoft.com? That could potentially install malware at massive privilege levels and therefore impossible to remove. And it's done automatically.

      Automatic updates that are not signed and verified will not install.

    2. Re:windowsupdate.microsoft.com? by Dejohn · · Score: 4, Informative

      I believe that all Windows Update patches are digitally signed, so this spoof might be harder to pull off than it would initially seem.

    3. Re:windowsupdate.microsoft.com? by slashkitty · · Score: 1

      Windows updates use keys to identify real MS updates. They'd have to crack the key and do a DNS poisoning for there to be a problem.

      --
      -- these are only opinions and they might not be mine.
    4. Re:windowsupdate.microsoft.com? by dAzED1 · · Score: 2, Informative

      They are. Hopefully someone will take the GP down a notch or 2 from "5-insightful" and up your retort a few notches from "1"

      It's not just windowsupdate.microsoft.com that is prived - it's a little more sophisticated than that.

      I'm not even a MS apologist...haven't used a MS product in many years (except when I'm forced to for work-related reasons)

    5. Re:windowsupdate.microsoft.com? by The+Bungi · · Score: 1, Interesting
      It's interesting that when Peter Torr brought up the issue of Mozilla not signing their packages he was massively flamed by all the retard fanboys, who of course got wind of his "criticism" from the ever-helpful Slashbork.

      Shortly thereafter, Mozilla mysteriously started signing their packages.

      I wonder who would have gotten flamed if someone had trojaned a few million Firefox users using this method. Ah well, we all know open source is perfect, so this type of speculation is pointless.

    6. Re:windowsupdate.microsoft.com? by QuantumRiff · · Score: 1

      If the attacker is redirecting the windowsupdate.microsoft.com domain, wouldn't it be possible to redirect the domain for the CA that signs those packages? I'm certainly not very knowledgeable on signing and certs, but couldn't they just set up a cert-server running somewhere that says "yep, that's microsoft"?

      --

      What are we going to do tonight Brain?
    7. Re:windowsupdate.microsoft.com? by mborland · · Score: 2, Informative
      I hope I can handle this question.

      First, contrary to what some people think, to access a site with HTTPS which has a certificate, you do NOT contact the CA over the internet. This is because your browser already has the public key of that CA installed. The signature of the certificate you are shown by the real or fake site is verified/rejected not by looking something else up on the internet, but by performing cryptographic tests against that installed public key of the CA. This is not only an efficient process, it is much more secure (for the spoofing reasons you suggest).

      That's if you're talking about SSL stuff. If you are talking about the digital signature of the file(s) from windows update, you're using a very similar approach. I don't know the details of Windows Update, but I'll bet there is a local public key or set of keys from MS that are used to check the signature...nothing to download or look up over the internet.

      If I explained that rather poorly, I apologize. I just wanted to express that, contrary to what most people think, you do NOT use connections to the CA to verify a certificate.
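      QuantumRiff's question and mborland's answer, as an added example that is not part of the thread: a Go program (standard library only) that builds two in-memory CAs, one installed in the client's trust store and one run by the attacker, issues each a certificate for the hostname under discussion, and verifies both against the local root store with no network access. The CA names and keys are constructed for the demo; windowsupdate.microsoft.com is used only because it is the name the thread talks about, and none of these certificates are Microsoft's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signed is a certificate plus the private key behind it (all generated in memory for the demo).
type signed struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustMint generates a fresh P-256 key and has parent sign a certificate for it.
// A nil parent produces a self-signed root. It panics only if the system RNG fails.
func mustMint(tmpl *x509.Certificate, parent *signed) *signed {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &signed{cert: cert, key: key}
}

// template builds a certificate template: a root-CA profile named name when ca is
// true, otherwise a TLS server profile whose DNS name is name.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// verifyOffline validates cert for hostname against the local trust store only: no
// network, no CA contact, just signature checks against the root already installed.
func verifyOffline(roots *x509.CertPool, cert *x509.Certificate, hostname string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario models the thread's question. The client trusts one root. An attacker who
// controls DNS can point hostname anywhere and run a CA of their own, but cannot sign
// with the trusted root's key. Returns whether each certificate verifies.
func Scenario(hostname string) (trustedOK, rogueOK bool) {
	trustedCA := mustMint(template("Demo Trusted Root CA", true), nil)
	rogueCA := mustMint(template("Demo Attacker CA", true), nil)
	realCert := mustMint(template(hostname, false), trustedCA)
	rogueCert := mustMint(template(hostname, false), rogueCA)
	// The client's trust store holds only the legitimate root.
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA.cert)
	return verifyOffline(roots, realCert.cert, hostname) == nil,
		verifyOffline(roots, rogueCert.cert, hostname) == nil
}

func main() {
	ok, rogue := Scenario("windowsupdate.microsoft.com")
	fmt.Printf("trusted-root cert verifies: %v, attacker-CA cert verifies: %v\n", ok, rogue)
}
```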

    8. Re:windowsupdate.microsoft.com? by apt-get+dist-upgrade · · Score: 1

      Mozilla also PGP signs their packages along with providing MD5 and SHA1 hashes for every release. For example, here is the U.S. English, win32 firefox's PGP signature, the signing key, and its MD5 and SHA1 hashes. Sadly, I don't see any direct links to this stuff anywhere on their main download page.

    9. Re:windowsupdate.microsoft.com? by Anonymous Coward · · Score: 0

      Judging by how hard it seems to be to crack the OS Authentication... How hard do you think it would be to crack the keys used by MS? This is MS we are talking about... Who needs standards when we can make our own stuff up?

    10. Re:windowsupdate.microsoft.com? by RGautier · · Score: 1

      Of course, with SHA-1 weaknesses, that may not matter any more.

    11. Re:windowsupdate.microsoft.com? by CrossChris · · Score: 0

      We just tried this "at home" on our internal network. It's trivial to forge "signatures" - there are going to be some fun M$ auto-updates in the near future!

    12. Re:windowsupdate.microsoft.com? by Vengeance_au · · Score: 1

      Ok, so it validates based on what it's received from the site that sends it and/or the domain name. But if I've spoofed the DNS, I can now perform a man in the middle attack by passing on the requests from the target machine to the valid site, then pass the responses back to your browser.

      Voila, you have a valid SSL connection, nice little lock in your browser window, and I can;

      updates.microsoft.com --> install files, updates, etc

      www.diners.com, www.citibank.com, etc --> get all your banking details (for even more fun, continue the man in the middle attack and show them the real details, then after a few days do a mass login and transfer on all the logins you have grabbed)

      Worst thing is, get a half decent botnet and the sites you have poisoned won't even notice they are being hit, as the IP addresses connecting to them will be nice and distributed.

  16. Home Is Where the Heat Is by Doc+Ruby · · Score: 2, Interesting

    Isn't this kind of attack on the global Internet exactly the kind of thing that Homeland Security's "Cybersecurity" department is responsible for stopping? What are we paying them billions of dollars, and suspending our liberties, to do? While we're at it, what's the difference between National security, Homeland security, and Defense? Aren't they all just riding a single planebombing to unchecked power and riches, without accountability or results?

    --

    --
    make install -not war

    1. Re:Home Is Where the Heat Is by Winterblink · · Score: 1, Insightful

      You want DHS to make sure your google surfing doesn't fill your computer with spam? You're actually more concerned about that than some terrorist blowing up a kindergarten or something? Your priorities are truly fucked.

      --
      "I'm a leaf on the wind. Watch how I soar."
      -Hoban Washburn
    2. Re:Home Is Where the Heat Is by ladyeyes · · Score: 1
      Do you really, really WANT the DHS folks setting standards for this type of stuff?

      I know there's DNSSEC work going on in the IETF... Think NIST is involved (at least their IT Lab's annual report says they are). Anyone know how well this work is progressing?

    3. Re:Home Is Where the Heat Is by notthepainter · · Score: 2, Interesting
      The attacks on the WTC towers were not designed to kill people. Yes, they did do that, and an awful lot of people were killed.

      The attacks on the WTC were an economic attack, and as such, were exceptionally successful. Witness how much has been spent in Afghanistan and Iraq since then. The attacks on the WTC towers were a liberty attack, and as such, were exceptionally successful.

      If Osama bin Laden wanted to kill a lot of people, he could have found far better ways to do it, but that wasn't his goal.

      Sadly, the present administration has played right into his hands. And that is sad.

      Don't get me wrong, it is a tragedy that those people died. But that wasn't his goal.

      So yes, one of the real jobs of the DHS is to protect the economy. Very odd that, but true nonetheless.

      (and yes, I did lose a friend on the plane that went down in PA..., not that that would change my viewpoint.)

    4. Re:Home Is Where the Heat Is by jotok · · Score: 1

      Er...

      So are you complaining that they're not doing enough, or are you complaining that they're doing too much, or...?

      I mean, exactly which liberties of yours which you believe have been suspended do you believe were done to enable DHS to micromanage civilian entities, so that you could slack off on your own responsibilities?

      DHS does in fact promote practices for critical infrastructure to follow (e.g. the energy grid). They're not really concerned with Google, and your bank account is probably not an issue for National Defense/Security to deal with. Sorry.

    5. Re:Home Is Where the Heat Is by redheaded_stepchild · · Score: 1

      Perhaps you missed the grandparent's point. Malware, viruses, and things like this DNS spoofing are (and should be regarded as) *gasp* terrorism. DHS was set up to defend our country against terrorism. So he has a valid point. I'm not saying that's all the Nazi SS...oops, I mean Homeland Security...need to worry about, but it's part of the overall picture.

      Besides, just what do you think is going on in Iraq right now? Surely, no innocents are being impacted in any way by our colonialist empire building leadership. No, sir! Besides, they asked for it, right? We were FORCED to go to war with Iraq!

      Truly sorry to have shattered your sheeplike illusions.

      --
      Don't use the Troll mod just because you disagree with me.
    6. Re:Home Is Where the Heat Is by stinerman · · Score: 2, Insightful

      If enough DNS servers get bad info, we may have a hell of a time getting most of the Internet back to a workable state.

      Imagine the repercussions for national security and the economy if people were spoofing the NYSE or other important data center that distributes information that many people rely on.

      "Today the DJIA dropped 5,000 points, oil is trading at $200/barrel, etc."

    7. Re:Home Is Where the Heat Is by Anonymous Coward · · Score: 0

      >> Aren't they all just riding a single planebombing to unchecked power and riches, without accountability or results?

      Well, if everything goes according to plan.

      <fingers crossed>

      -W.

    8. Re:Home Is Where the Heat Is by 99BottlesOfBeerInMyF · · Score: 1

      You want DHS to make sure your google surfing doesn't fill your computer with spam? You're actually more concerned about that than some terrorist blowing up a kindergarten or something? Your priorities are truly fucked.

      First, the person you are replying to said the cybersecurity group of the DHS. Second, there is more to this than spam, they are redirecting financial sites, e-mail, etc. Third, are you really afraid terrorists are going to blow up a kindergarten? I mean more people drown in buckets every year than are killed by terrorists. DNS poisoning is a real, ongoing threat. It is probably not a life and death situation (although with VOIP that is not necessarily ruled out) but at least it would be something more useful for them to do.

      Note, it does not really matter in any case. From what I have heard the DHS can't even keep worms from compromising their own machines. Three people have resigned from the cybersecurity post each saying the job was impossible given the resources available. They're probably all running unpatched WinXP-SP1 boxes or something equally stupid.

    9. Re:Home Is Where the Heat Is by Doc+Ruby · · Score: 1

      You obviously don't know what the "Homeland Security" job is, either. The Cybersecurity division doesn't have much of a mission in kindergartens. Of course that's obvious - you're just betraying your own personal paranoia hotbutton. Which is how the DHS scams us all into paying their way, without doing their jobs.

      --

      --
      make install -not war

    10. Re:Home Is Where the Heat Is by Doc+Ruby · · Score: 1

      Yes, I want the cops fighting crime. DHS is *all the Federal cops*. The FBI is DHS. So, yes, I want the FBI investigating these "known spammers", and jailing them before they cripple my country's economy. What do you prefer?

      --

      --
      make install -not war

    11. Re:Home Is Where the Heat Is by Doc+Ruby · · Score: 1

      We're not talking about "my bank account", except in the abstract: the US economy, which depends on the DNS system working. It's beset by organized criminals, who threaten the national infrastructure. What does that have to do with my responsibilities? The FBI's job is to catch and jail these criminals. Why are you defending their inert policies?

      --

      --
      make install -not war

    12. Re:Home Is Where the Heat Is by Atzanteol · · Score: 1

      The attacks on the WTC towers were not designed to kill people.

      I have to say I pretty much stopped reading right there...

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    13. Re:Home Is Where the Heat Is by ladyeyes · · Score: 1

      I said "setting standards" and nothing about policing or enforcement.

    14. Re:Home Is Where the Heat Is by Doc+Ruby · · Score: 1

      The "standards" I'm talking about are known as "the law", and no, I don't want DHS setting them - nor did I say I did. Though DHS seems to prefer that role, with the Patriot Act, its cohorts and successors.

      DNSSEC is a tech solution to a tech problem. The FBI is a legal solution, or a mechanism of one, to a legal problem. We need better locks, as always, but we need the cops to catch the breakin artists, as always. I'm not spending billions on the IETF, though I think they're doing a pretty good job. I'm spending billions on DHS, along with the rest of my fellow taxpayers, and depending on them to do their job is increasingly ill advised.

      --

      --
      make install -not war

    15. Re:Home Is Where the Heat Is by jotok · · Score: 1

      Ok, point of information--you are saying DHS isn't doing enough? I'm confused because that doesn't jibe with what you're saying about them restricting your freedoms.

      As for "inert policies," let me ask you--have you any idea, really, what DHS's policies are? Or what they are doing?

      It's not apparent to me that the DNS system is actually integral to our infrastructure. Just because you can't access your bank's website doesn't mean that they can't conduct business--or, more importantly, that vital services will be interrupted, nor that the military will be unable to conduct operations, nor the federal or state and local governments will be completely paralyzed. When it comes down to it, DNS is not all that essential to putting warheads on foreheads, sending out welfare checks, monitoring the power grid, or tabulating the vote on the Senate floor.

      In the long run, of course, I will accept that repeated and widespread tampering with internet-accessible banking systems could decrease consumer confidence and lead to...what? It's not like they're crashing the stock market or something.

      In the end, responsibility for not getting schwacked by the evildoers who populate the internet rests on the end user...not some government agency with a highly questionable justification for existence.

    16. Re:Home Is Where the Heat Is by Doc+Ruby · · Score: 1

      I don't have the patience to explain the patently obvious: the DNS system is essential to the workings of the global Internet, without which the US economy would grind to a halt tomorrow. If you think DNS is just a way to check your bank account, or that the US economy depends solely on "putting warheads on foreheads", you've certainly got a lot to learn. Though you do seem to have learned a bit too much in the way of detestably bloodthirsty slogans.

      So you really have no excuse for the same duality in DHS. They do too much kidnapping suspects without evidence, sending them hidden prisons for torture, practicing exceptions to every relevant right in the Bill of Rights. While doing too little to protect us from actual threats, like the massive attack on DNS currently under way. Kinda complex, huh? That's how smokescreens work. Just like the cupidity of your innocent little questions, designed to mask your apologies for that bankrupting, incompetent, keystone kop agency known as "Department of Homeland Security". As long as we're answering loaded question, how about you answer the question I originally posted: what's the difference between DHS, NSA, and DoD? To underscore, how come we're less safe than ever, with all that Washington work on security?

      --

      --
      make install -not war

    17. Re:Home Is Where the Heat Is by dbIII · · Score: 1
      Isn't this kind of attack on the global Internet exactly the kind of thing that Homeland Security's "Cybersecurity" department is responsible for stopping?
      They've completely filled their brief - there are zero instances of "cyberterrorism", since you don't see any robots with bombs making demands about anything.
      Aren't they all just riding a single planebombing to unchecked power and riches, without accountability or results?
      Yes. The lack of accountability is distressing, but the press has helped, and some accountability will probably happen before the next administration.
    18. Re:Home Is Where the Heat Is by jotok · · Score: 1

      Ok, look, it takes you three back-and-forths before you answer the original question: Is DHS doing too little or not enough?

      As for whether or not "the US economy" would grind to a halt without DNS...you really have no clue, have you? For it is obvious to anyone with any experience that very little--VERY little--of the infrastructure required to keep the country going requires the internet. Sorry, that's just the way it is, and if you knew anything about our industries you'd know that.

      Likewise, you obviously have no clue how DHS is working, or trying to work, nor what the responsibilities of those government agencies (DHS, NSA, DOD) are. I'm not going to do your research for you; there's a reason why they have things like public libraries where you can read up on these things.

      Finally...
      I reiterate: maintenance and security of the DNS system is the responsibility of its users (e.g. those who own name servers and those who use their services...such as yourself)...not some government agency. The government mismanages EVERYTHING it touches, and you want them to control MORE? You're letting your politics get ahead of you--one second you slam DHS for being jackbooted thugs, the next second you're saying they need more authority? Please. Sort yourself out.

    19. Re:Home Is Where the Heat Is by DA-MAN · · Score: 1

      I have to say I pretty much stopped reading right there...

      Then why bother replying? Shoulda known Slashdot would come to this! People used to not RTFA and reply . . . it was only a matter of time before people here would reply without RTFP!!!

      --
      Can I get an eye poke?
      Dog House Forum
    20. Re:Home Is Where the Heat Is by Atzanteol · · Score: 1

      To let the poster know that his credibility was destroyed in his first sentence. And that many people will probably ignore what he has to say as a result of that (or at least take his word lightly).

      That's why.

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    21. Re:Home Is Where the Heat Is by DotNM · · Score: 1

      oil is trading at $200/barrel
      This may become reality soon enough..... (or maybe the oil companies want us to think that?)

      --
      There's no place like localhost
  17. Your Sig by Anonymous Coward · · Score: 0

    llamas feed upon themselves!!!

    1. Re:Your Sig by bcmm · · Score: 1

      Well done. Plenty of people don't know where they come from. Someone even claimed to get no output, which seems very untrue.

      On my computer, though, the majority of llamas are in strange sentences or compound words like "llamaboy" and I can't work out where they come from. Which is scary.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    2. Re:Your Sig by pyros · · Score: 1

      llama is a really hard word to fart.

    3. Re:Your Sig by cayenne8 · · Score: 1
      "bash-2.05b# cat dev/mem | strings | grep -i llama"

      That's pretty cool. How does this work?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    4. Re:Your Sig by hunterx11 · · Score: 1

      The same way cat /dev/mem | strings | grep -i cromulence works, I suppose.

      --
      English is easier said than done.
    5. Re:Your Sig by NialScorva · · Score: 1

      Most of them are probably related to the query itself-- command line args, bash history, grep's strcmp() and such.

      I get a couple that might be from the a spell checker since I see "llama", "llamas", and "llama's" in close proximity. I also get "cuillamartin" from /etc/services and a spanish reference to stopping rmid.

    6. Re:Your Sig by bcmm · · Score: 1
      You must use Linux or something similar (I don't know exactly which unixes this works on), since you tested this. Therefore, you grok the command line, unless this works on OS X. If so, go and find out how BASH handles redirection with pipes.
      cat /dev/mem
      Outputs the contents of the system's RAM, and maybe swap too (this is why you must be root, "#"; you wouldn't want everyone being able to see the passwords your web browser leaves in RAM).

      | is just the character to send the output back into the next program.
      strings
      GNU strings filters out binary stuff that will just be boring and screw up your terminal and only outputs text. Run it on a compiled binary some time, it's interesting (specifically, find the copyright notice in Microsoft's telnet.exe :-).
      grep -i llama
      Grep is grep. RTFM. It outputs all lines of input containing a search term. The -i means be case insensitive.

      Why it works:
      If you're me, there is an awful lot of llama around because I use it alongside "foo" "bar" "temp" "fish" "badgerbadger" and "cheese" for files, variables, etc.

      Otherwise, your browser loaded the word into RAM when you viewed this page, and your shell loaded it again when you typed the command in.
      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
  18. Re:More reason to use Firefox by bcmm · · Score: 2, Informative

    And besides, there are plenty of cross-platform attack you could do with this.

    Want a copy of a user's eBay cookie? (Ok maybe eBay doesn't save passwords this way but you get the point, lots of sites do. It's like phishing, but the computer believes it's genuine, not just the user).

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  19. simple by tomstdenis · · Score: 0

    Run Firefox on Gentoo as a non-root user on an AMD64 in 64-bit mode.

    Nobody writes software [in binary only form] let alone viruses for that platform...

    [Anyone know of a flash plugin that actually works in 64-bit mode? I've tried gflash and the default macromedia ones...]

    Tom

    --
    Someday, I'll have a real sig.
    1. Re:simple by Anonymous Coward · · Score: 0

      No, as you said, there is no malware for that platform.

    2. Re:simple by fimbulvetr · · Score: 4, Informative

      This is a DNS server issue, not a client issue.
      Suppose you visit citibank.com often. citibank.com is at 192.168.0.1 (It's an example). If the DNS server you normally query has been poisoned, it could potentially give you 10.0.0.1 (that's an example too). 10.0.0.1 could be a quick 0-day citibank look-alike set up in Korea with the sole purpose of grabbing your username, password, acct number, etc.
      The real citibank.com would never know that this happened, and there is a real chance the person who ran your DNS server wouldn't know either.
      There are no 10-minute preventative measures one could do to protect themselves on this one, outside of using a known good DNS resolver. Even then, you have to know the DNS server the resolver uses is good...

    3. Re:simple by tomstdenis · · Score: 1

      Except they wouldn't have a signed CA cert for citibank.com

      And smart people should check the certificate before logging in.

      Tom

      --
      Someday, I'll have a real sig.
    4. Re:simple by ArbitraryConstant · · Score: 1

      Great. Except when the DNS server sends you somewhere where you can give up your credit card numbers, passwords, and other personal information. Unless SSL is employed, there's no practical way to know that you're going to the right site.

      --
      I rarely criticize things I don't care about.
    5. Re:simple by Anonymous Coward · · Score: 0

      No need to use 64 bit technology. You'll be just as safe on an 8-bit Apple IIe. Nobody writes software for that either.

    6. Re:simple by fimbulvetr · · Score: 2, Insightful

      Except that there is nothing to say that the 0 day server would have to even offer the person encryption (So the person wouldn't be prompted for an invalid certificate).
      Unless the person actually noticed the secure symbol missing from their browser, they would never know. I doubt many people notice this missing.
      Even if they did notice the secure symbol missing, it's likely they would think to themselves "Well, maybe it only shows up AFTER I log in.", in a case like that, they'd be a little too late...

    7. Re:simple by gordon_schumway · · Score: 1

      Except they wouldn't have a signed CA cert for citibank.com

      Verisign.com etc. could be spoofed, too, so that a cert would appear valid...

      --

      Ha! I kill me!

    8. Re:simple by Anonymous Coward · · Score: 0

      Actually there is. If you're trying to go to a site via SSL that has a valid and authorized certificate signed by a very public CA like Verisign or Thawte, then when your browser negotiates SSL, it will attempt to validate that the site's SSL certificate was properly signed by a CA in your browser certificate store. Let's say the attacker is trying to get to citibank.com, unless the attacker has convinced that CA that they are in fact a valid and authorized citibank requester, they would be able to get a valid cert. Now the attacker could issue any old certificate they want to themselves and the user's browser would pop a dialog stating the certificate was not signed by a known CA. If the user says yes at that point, well, they are screwed.

    9. Re:simple by Anonymous Coward · · Score: 0

      Wouldn't work; trusted CA certs are stored on the client. If the certificate presented by the site hasn't been signed by a trusted CA cert stored locally, you would get a warning indicating "the certificate has not been signed by a trusted authority" or similar.

    10. Re:simple by sqlrob · · Score: 1

      Any malicious code downloaded could install a CA cert locally

    11. Re:simple by Anonymous Coward · · Score: 0

      That's your solution to a networking problem? You're really either a not-so-subtle troll, you didn't even read the story summary, or you were raised on a diet of paint chips.* Try looking up "DNS caching" on Google sometime, if you can manage that much.

    12. Re:simple by ArbitraryConstant · · Score: 1

      "If you're trying to go to a site via SSL that has a valid and authorized certificate signed by a very public CA like Verisign or Thawte, then when your browser negotiates SSL, it will attempt to validate that the site's SSL certificate was properly signed by a CA in your browser certificate store."

      What part of "unless you use SSL" did you not understand?

      --
      I rarely criticize things I don't care about.
    13. Re:simple by budgenator · · Score: 1

      using a known good dns resolver.
      That's the crux of the matter: any DNS server that accepts a CNAME for example.com, on a name server at evilhax04.com, when it's looking up the name gottcha.evilhax04.com is never going to be known good; at best it is possibly good, but probably not.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    14. Re:simple by Anonymous Coward · · Score: 0

      Running malicious code = 0wned, game over, thank you for playing.

      Why not just write "Space dinosaurs could arrive and kill everyone" ?

    15. Re:simple by owlstead · · Score: 1

      I once downed a valid client certificate + private key that contained no certificate extensions. MS (IE) trusts all certificates signed by this certificate, even though it is not a CA certificate. That means you will have to actively look at the certificate to make sure it is not a spoof, and understand X.509 extensions or recognize the server CA. The chance of this happening is close to zero. Man in the middle attacks made easy department. I don't know if MS has fixed this issue in the latest service packs, but as far as I know, the attack is still valid.

    16. Re:simple by sqlrob · · Score: 1

      These sites are already installing malicious code.

      A CA change is nice, simple, and currently unlikely to be caught by AV and other protection software, and yet help get the information for identity theft.

  20. Re:More reason to use Firefox by Anonymous Coward · · Score: 2, Insightful

    I bet that malware is Internet Explorer-specific.

    Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
    Oh, wait...


    Yes, the malware is almost certainly designed to install via IE, not other (better) browsers.
    Methinks the idiot here is the one who signed
    his post "Idiot"

  21. Re:More reason to use Firefox by netcrusher88 · · Score: 1, Informative

    Well, yes, but I meant the malware on the sites redirected to. Obviously, you can't avoid the DNS cache poisoning, so this would be annoyingly effective for phishing.

    --
    There's an old saying that says pretty much whatever you want it to.
  22. Djbdns - immune to DNS cache poisoning (?) by bad_outlook · · Score: 5, Insightful
    Anyone using Djdns? I've set it up on my home network server running FreeBSD to provide dnscache for all my boxes within 192* and thus far it's working perfectly. From Djdns' security page, it says that it's impervious to DNS poisoning:

    • "dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers."

      "dnscache is immune to cache poisoning."

    Djbdns

    While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet. Anyone care to comment, please do, as I've just started using this and want to know how effective it is.

    bo
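
The bailiwick rule quoted above (and the out-of-bailiwick CNAME case budgenator describes earlier in this thread: a CNAME for example.com handed back by the evilhax04.com server while resolving gottcha.evilhax04.com), as an added example; this is not code from djbdns or from anyone in this thread, and the zone, record set and addresses are constructed:

```python
"""Bailiwick filtering for a caching resolver (added illustration).

Not djbdns code. The zone name, records and addresses below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS response."""
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # "A", "NS", "CNAME", ...
    rdata: str   # address or target name


def _canon(name: str) -> str:
    """Lower-case and make fully qualified; "" and "." both mean the root."""
    name = name.strip().lower().rstrip(".")
    return name + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it. The root zone covers everything."""
    name, zone = _canon(name), _canon(zone)
    if zone == ".":
        return True
    # The leading dot stops "notevilhax04.com." matching zone "evilhax04.com."
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response from a server that was asked because it serves `zone`
    into (accepted, rejected). Only records whose owner name is inside that
    server's bailiwick are kept; anything else is dropped rather than cached
    or passed along, however plausible the record looks. Apply this to the
    answer, authority and additional sections alike."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed response: the evilhax04.com server answers a lookup of
# gottcha.evilhax04.com and tries to slip in records for example.com.
SAMPLE_RESPONSE = [
    RR("gottcha.evilhax04.com.", "A", "203.0.113.10"),      # legitimate answer
    RR("evilhax04.com.", "NS", "ns1.evilhax04.com."),        # its own delegation
    RR("ns1.evilhax04.com.", "A", "203.0.113.2"),            # glue, in bailiwick
    RR("example.com.", "CNAME", "gottcha.evilhax04.com."),   # out of bailiwick
    RR("www.example.com.", "A", "203.0.113.10"),             # out of bailiwick
    RR("example.com.", "NS", "ns1.evilhax04.com."),          # out of bailiwick
    RR("notevilhax04.com.", "A", "203.0.113.99"),            # suffix look-alike
]


def demo() -> Tuple[List[str], List[str]]:
    """Filter the constructed response; return owner names (cached, dropped)."""
    accepted, rejected = filter_response("evilhax04.com", SAMPLE_RESPONSE)
    return [rr.name for rr in accepted], [rr.name for rr in rejected]


if __name__ == "__main__":
    kept, dropped = demo()
    print("cached: ", kept)
    print("dropped:", dropped)
```

The same records would all be in bailiwick if they came from a com. server, which is why the quote above also says records for foo.dom are accepted from the dom servers and the root.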

    1. Re:Djbdns - immune to DNS cache poisoning (?) by Tuqui · · Score: 3, Informative

      The separation between DNS Server and DNS Cache is very clever. This is a point that even BIND must take care.

    2. Re:Djbdns - immune to DNS cache poisoning (?) by Anonymous Coward · · Score: 2, Informative

      Yes, djbdns is immune to cache poisoning (and pretty much any other attack that doesn't depend on any fundamental weakness of DNS itself).

      It is also immune to buffer overflows and runs as a non-root user locked in a chroot. It also is EXTREMELY lightweight, has a much easier/automatable config format than BIND (in fact we wrote a front-end for BIND that uses the tinydns line-oriented format), and has predictable documented memory usage.

      It has been this way for years.

      Anybody who uses BIND or Windows DNS has only themselves to blame for problems like this!

      Feel free to be smug.

    3. Re:Djbdns - immune to DNS cache poisoning (?) by JamesTRexx · · Score: 1

      DJDNS? FreeBSD? 192.*? If you use 192.168.128.*, 192.168.64.* and 192.168.192.* at home you really are me.

      *using all this at home for years now*

      --
      home
    4. Re:Djbdns - immune to DNS cache poisoning (?) by RedHat+Rocky · · Score: 1

      NOTE:

      This is only true as long as dnscache is either not set up in FORWARD_ONLY mode or is forwarding to servers that are safe from poisoning as well.

      dnscache will accept whatever answers the forwarder gives out, IF and ONLY IF that is what you tell it to do.

      Myself, I always set up dnscache to hit from the root up; I don't trust Joe ISP.

      --
      Anything is possible given time and money.
    5. Re:Djbdns - immune to DNS cache poisoning (?) by RedHat+Rocky · · Score: 1

      As I stated earlier in this thread, dnscache can be poisoned if set in forward only mode and directed to a poisoned server.

      In other words, it will let you shoot yourself in the foot, should you choose to do so.

      --
      Anything is possible given time and money.
    6. Re:Djbdns - immune to DNS cache poisoning (?) by bad_outlook · · Score: 2, Interesting

      Good points, I do not have FORWARD_ONLY set, and I am using the default DNS list in ../servers/@ that was in there when I installed. I am wondering if I should add my DNS servers from my ISP (Speakeasy) to the top of that list, or just leave them out altogether. Docs on multiple sites were not specific about this. Advice? Which is safer?

      bo

    7. Re:Djbdns - immune to DNS cache poisoning (?) by bad_outlook · · Score: 1

      Yep, it's a valid point, and thanks for it. So which would be better:

      192.168.0.*
      -or-
      192.168.0/24

      On my home network?

      I guess best may be to list all IPs that need it, and nothing else:

      192.168.0.2
      192.168.0.3
      192.168.0.4
      192.168.0.6
      192.168.0.7

      Would I just 'touch' each as a file name in ../ip/root directory?

      Thanks!

      bo

    8. Re:Djbdns - immune to DNS cache poisoning (?) by ldspartan · · Score: 1

      Who do you trust more? The root servers, or speakeasy?

      Hint: the answer is "root servers".

      --
      lds

    9. Re:Djbdns - immune to DNS cache poisoning (?) by suwain_2 · · Score: 1

      While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.

      I did the same for a while. However, I was always under the impression that it was bad practice to query the root servers directly.

      My few dozen DNS lookups a day probably had a negligible effect, but tens of thousands of people like me could be problematic.

      Is this, in fact, regarded as poor practice, or is it considered acceptable to query the root servers directly?

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    10. Re:Djbdns - immune to DNS cache poisoning (?) by greed · · Score: 1
      I went through the same concerns. However, I was dealing with a slow and defective ISP's DNS, so it ultimately came down the fact that I simply could not "forward-first" to my ISP. (Now that I think about it, maybe this is why I never had any trouble with that ISP--quite unlike many of my friends. I simply routed around their incompetence.)

      Keep in mind, your cache will keep things around for the TTL of the entry, which (just checked) is at least 900 seconds. The SOA record for "com." is set to expire after a week, and the TTL of the NS records is 2 days.

      So, for anything in "com.", your server will cache it for at least 15 minutes; the records which establish what the REAL "com." nameserver is are good for 2 days; and it won't have to check back on who's authoritative for "com." for a week.

      Frankly, misspelled GTLDs would probably generate more traffic from a small LAN.

    11. Re:Djbdns - immune to DNS cache poisoning (?) by nothings · · Score: 3, Informative
      While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet.

      That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee:

      • Bugs outside of djbdns, such as OS bugs or browser bugs. (People could seize control of BIND 9.1 through an OpenSSL buffer overflow, but that was a bug in OpenSSL, not in BIND.)
      • The vulnerability of DNS to forgery. (BIND's port reuse makes blind forgery much less expensive, but this is a quantitative difference, not a qualitative difference. The DNS architecture needs cryptographic protection.)
      • Denial-of-service attacks. (BIND 9's fragility makes denial of service completely trivial; but an attacker can easily take down the Domain Name System without using any of BIND's bugs. The DNS architecture needs to be decentralized.)

      Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page, which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.

    12. Re:Djbdns - immune to DNS cache poisoning (?) by Anonymous Coward · · Score: 0

      so will rm -rf ...your point is?

  23. Where law fails to dissuade... by erroneus · · Score: 0, Offtopic

    ...perhaps a lead pipe would.

    The people who perpetrate this kind of thing are nothing short of criminals and these people are not being pursued and prosecuted as they should be.

    They need the crap beat out of them is what they need. I wonder if/when it will happen though...

  24. The most frightening part... by loopsandsounds · · Score: 5, Insightful

    If you read down the SANS presentation you come to this:

    The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory.

    Totally browser/machine agnostic attacks, no user intervention. If you look at the names of the sites, many of them are financial institutions! And all of those victims that click okay every time they get an "invalid certificate" message. Be afraid, very afraid.

    --
    I was throwing you the 48, but you made me switch to the 132.
    1. Re:The most frightening part... by Anonymous Coward · · Score: 0

      The number of perfectly legitimate sites that don't keep their certificates current only teach people to blindly click OK.

      Heck, I had to flash my video BIOS a couple weeks back, and the installer from the hardware manufacturer had the wrong board ID in it. The manufacturer knows this, and includes in their instructions to just type 'yes' when the warning comes up. There was no hash or anything on the installer to verify that the contents were actually correct.

      Warnings aren't any good if the people/code/site displaying them don't do it responsibly. Not sure what can be done about it, though.

  25. But is it really there? by Anonymous Coward · · Score: 0

    The full presentation of information up until this point can be found here."

    But are you really really really sure that it is?

  26. Re:More reason to use Firefox by junkcode · · Score: 1

    ah, yes... now, i just hope someone just doesn't say firefox "secures" you from dns-poisoning.

    --
    --- infoGreG
  27. Treewalk by BenWang · · Score: 0

    For the longest time, I've been running Treewalk my Win32 machines, hence I guess I'm immune to this.

    http://ntcanuck.com/

  28. what... by dAzED1 · · Score: 1

    what does that have to do with the article? Do you think fly-by-night, get-rich-quick, screw-the-world folks who sneak malware onto your system care about that?

    And do you not think the internet will persist regardless, and will instead create another AOL type sub-internet (like China) with filtered content?

    1. Re:what... by dunng808 · · Score: 1
      I believe the parent's assumption is that the fund source is ignorant. For pay-per-click ads:

      • The service provider offers a sweet sounding pay-per-click deal
      • The advertiser signs up
      • The service provider uses dirty tricks to enhance click volume
      • Advertiser has inflated bill to pay, but has no idea anything bad has happened
      The other big market is surf watching. In this case the malware records web visits. The aggregated data is sold to businesses, for marketing evaluation. The purchasers have no idea any unethical means were used to gather the data.

      The destructive nature of this activity is beginning to be common knowledge, and, like other forms of destructive behavior, businesses will take steps to avoid it.

      That's when religious fundamentalists will move in and use the same tactics to assert their views. Maybe this is happening already?

      --

      Gary Dunn
      Open Slate Project

  29. DNS Cache Poisoning Spreads Malware by chrisnewbie · · Score: 0, Offtopic

    You don't have to have DNS poisoning to get redirected to another website or get altered search results.
    Download my web search, kazaa, e-donkey and those crappy software packages that give you all those neat (sucky) tools for searching the web... just see what the results are when you search for something and it gives you weird answers...

    OH wait, Internet Explorer's search engine does the same thing... forgot to put it in the unwanted crappy search engine list.

    1. Re:DNS Cache Poisoning Spreads Malware by Anonymous Coward · · Score: 0

      The point here is that DNS cache poisoning works REGARDLESS of client. I know, I saw it happen on my Mac the other day.

  30. cat syslog | grep named by SamMichaels · · Score: 1

    Have you done this lately? I've never seen so much nonsense, rejections, security denials, et al.

    1. Re:cat syslog | grep named by zaphod123 · · Score: 1

      No, but I have done this:
      grep named /var/log/syslog

      --
      :q!
    2. Re:cat syslog | grep named by pe1chl · · Score: 1

      He wanted to go for the "useless use of cat award"

    3. Re:cat syslog | grep named by Anonymous Coward · · Score: 0
      I tail logs all day and I use cat like that, it's habit. Why?

      cat maillog.1 maillog | grep reject

      So now you know.
    4. Re:cat syslog | grep named by Anonymous Coward · · Score: 0

      ..lame..open up syslog.conf and add:
      *.* -/dev/tty7

      change tty7 to where you want it, no extra progs. no fuss no muss....(it's ok, i remember when i was still new to linux)

    5. Re:cat syslog | grep named by Anonymous Coward · · Score: 0

      shyte! you're right! there's a frikkin billion of them in there..

  31. Funny How Easy this is to prevent by Anonymous Coward · · Score: 1, Interesting

    Damn, if only I had checked the "turn on security" box!!

    From MSFT (http://support.microsoft.com/default.aspx?scid=kb;en-us;241352)

    NOTE: On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:

    1. Open DNS Management Console by clicking Start, Programs, Administrative Tools, DNS.
    2. Right click on the server name in the left window pane.
    3. Choose Properties.
    4. Choose the Advanced tab.
    5. Place a check in the box "Secure cache against pollution".

    1. Re:Funny How Easy this is to prevent by 51mon · · Score: 1

      The daft thing is that Microsoft have been shipping DNS servers with this switched off for so long.

      I can't even begin to conceive the mindset of the developers (or organisation) who thought "let's create a registry setting that switches on a widely accepted necessary security feature, and then defaults it to off", and keep doing this even through major revisions of the product (and service packs).

      I mean people were even poisoning the Microsoft caches by mistake before it was done deliberately, but because it usually happened in reverse DNS lookups the admins didn't notice, or didn't have the clue to understand what had happened (and no doubt just rebooted and "fixed" the problem).

      Bits of Microsoft are just badly broken, and their approach to the DNS protocols exhibits the worst aspects of "embrace and extend", although this particular fault is unrelated to the "embrace and extend" of DNS they have tried.

    2. Re:Funny How Easy this is to prevent by McSpew · · Score: 4, Informative

      Damn, if only I had checked the "turn on security" box!!

      From MSFT (http://support.microsoft.com/kb/241352/EN-US/)

      How very wrong you are.

      Win2k DNS automatically turns on "secure cache against pollution" in SP3+. Read about it at http://support.microsoft.com/kb/316786/EN-US/. Specifically, you're looking for this quote:

      DNS cache pollution protection is enabled by default in Windows 2000 SP3 and later.

      Win2k DNS servers with this feature turned on are STILL vulnerable. I know because my DNS servers are configured this way and I began to suffer from the DNS poisoning on Thursday of last week. It took me until Friday to get a real handle on what was happening. Slashdot ignored my submission of this story back then. They were too busy jerking around with April Fool's stories.

    3. Re:Funny How Easy this is to prevent by hal9000(jr) · · Score: 1

      Win2k DNS servers with this feature turned on are STILL vulnerable.

      How so?

    4. Re:Funny How Easy this is to prevent by McSpew · · Score: 1

      How so?

      I don't know how it's possible, and that's why I'm so frustrated that this story hasn't gotten wider traction by now. I'm running at least Win2k SP3 on all my DNS servers, and I've verified that the "prevent DNS cache pollution" setting is enabled, but I started seeing DNS cache poisoning last Thursday nonetheless. It continued on Friday until we blocked the offending poisoning-servers at our routers.

      If everybody ignores this issue, then good luck holding Microsoft's feet to the fire about it.

    5. Re:Funny How Easy this is to prevent by httptech · · Score: 1

      I replied to this in the newer thread you posted in, but I thought it would be worthwhile to mention here so as to prevent this from becoming a widespread rumor.

      This morning I reproduced the cache poisoning scenario on a Win2K SP4 box and the "prevent cache poisoning" checkbox did stop the attack from working (I can provide you with packet captures and dig results from the tests I did with and without the protection enabled).

      At this point it falls on you to obtain further evidence to back up your assertion that SP3 and SP4 are vulnerable, because all indications in my test suggest that they are not.

  32. DNS is broken... by Anonymous Coward · · Score: 1, Funny

    Everyone should just learn to remember IP addresses...my email is ac+NOSPAM@127.0.0.1

  33. Re:More reason to use Firefox by me+at+werk · · Score: 1

    Of course it doesn't, yet.

    --
    For context, click Parent.
  34. Yes and no. by jd · · Score: 3, Informative
    It has been dealt with, at the specification level. DNSSEC has been around for a while and for the ultra-paranoid, you can always run IPSec tunnels between DNS servers.


    The "no" part is that virtually nobody does this. All the protection in the world is useless if you don't use it. Further, the protections that do exist (such as those I mentioned) get redesigned a little too often, making wide-scale rollouts a real problem.


    Routers are another key part of the infrastructure where there is plenty in place that COULD prevent poisoning, but where actual use in the "Real World" is limited. If DNS ever does improve, then scammers may well simply shift to poisoning router tables to achieve the same results.


    The resources spent on producing quality and security are phenomenal. The resources spent on actually putting these into practice can barely be detected with the best tunneling electron microscopes.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Yes and no. by MikeBabcock · · Score: 2, Interesting

      Opportunistic encryption (ipsec) enabled for all root DNS servers would be a nice start. Published keys, etc.

      At least then we'd know the root data was from the roots.

      --
      - Michael T. Babcock (Yes, I blog)
  35. You forgot..... by isotope23 · · Score: 2, Funny

    I for One welcome.........

    --
    Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
  36. AC ??? by Anonymous Coward · · Score: 1, Funny

    Wait, hold on ... Anonymous Coward?! DUDE! I love your work, I read your posts all the time.

    1. Re:AC ??? by Anonymous Coward · · Score: 1, Funny

      Hey! That guy's an impostor. I'm Anonymous Coward!

    2. Re:AC ??? by dheltzel · · Score: 1
      Hey AC, your self-adulation is getting to be a bit much!

      Some of your other posts are pretty lame too, might want to ratchet the back patting down just a bit.

  37. ummm by dAzED1 · · Score: 1

    do you realize that Star Trek used them because it has been standard practice for a long while? The election of the new Pope - every vote that doesn't pick someone will be signaled with black smoke. One that does pick someone will be signaled with white smoke. Smoke canisters demark certain types of activities. Green light means go, yellow means caution, red means stop. Color has been used as a quick way of alerting people for long before Star Trek.

    1. Re:ummm by budgenator · · Score: 1

      Red smoke means Medical Emergency or Emergency, Red star-burst or flare at night is the same.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    2. Re:ummm by ArsenneLupin · · Score: 1
      The election of the new Pope - every vote that doesn't pick someone will be signaled with black smoke.

      Actually, this is no longer completely true. During the election of the last pope, the smoke for the successful election came out gray... (probably due to some leftovers of the chemicals used to color it black during the previous unsuccessful ballots).

      In order to prevent a similar re-occurrence, it has been decided that in addition to the white smoke, the cardinals will ring the church bells to signal a successful election.

  38. how big is this problem? by msblack · · Score: 1

    If this is such a big problem today, why aren't the folks on NANOG (North American Network Operators Group) discussing it?

    --
    signature pending slashdot approval
    1. Re:how big is this problem? by Anonymous Coward · · Score: 0
  39. Next phase : stealth ninja midgets by 88NoSoup4U88 · · Score: 2, Funny
    The bigger failure rate through email (come on, -some- people have wised up over the years... right? right??), has caused the spammers to look for other ways, now taking it up to the DNS level.

    I guess that when this is eventually blocked, and spammers -really- are out of ideas of what to do next, it's time for the ninja-midgets-phase :

    A spammer will employ stealth ninja midgets (or clone them), that will roam around the world causing havoc by typing in their master's URL in your browser, while you're out to get a snack.

  40. Re:We all know what's next by jcaren · · Score: 1

    Even ST has gone off this and tried to retrofit a "reed" alert.

  41. No by temojen · · Score: 4, Informative

    The article is about DNS Cache poisoning, not DNS spoofing. In DNS cache poisoning you're effectively telling the victim's DNS server to query your (fake) server for all of a class of requests (ie *.com), instead of the one it should be querying. DNS spoofing only tries to fool reverse lookups.

    1. Re:No by Wizy · · Score: 2, Informative

      The first spoofing tool I used on irc (EFNet) actually did cache poisoning. I know there are the tools that only did the reverse lookup spoofing. But the cache poisoning was done way back when. I believe (and I could be mistaken) that a guy by the name of johan wrote one of the first ones.

  42. Yet another example of Windows messing up by Paradox · · Score: 4, Insightful
    Ahh, Windows. People use it for servers too.

    From TFA:
    Basically, the UNIX-based stuff has been secure against cache poisoning
    for quite some time, but there may always be a bug or design flaw that
    is discovered. We are not quite sure why Microsoft left a default
    configuration to be unsecure in NT4 and 2000. (Exercise to reader:
    insert Microsoft security comment/opinion/joke here, but keep it to
    yourself).


    The worst part about DNS cache poisoning is that it affects DNS nodes underneath it in the hierarchy. So if you're below a Windows DNS that gets attacked, you yourself may be subject even if your local DNS is in fact secure.

    Oh, and fear caching http proxy servers that touch DNS servers that get poisoned. They can keep the bad data around for a long time.

    --
    Slashdot. It's Not For Common Sense
    1. Re:Yet another example of Windows messing up by Lehk228 · · Score: 1

      if you are truly paranoid you could resolve all your requests through two totally independent DNS servers and set your DNS server to flip out if it doesn't get a match.

      --
      Snowden and Manning are heroes.
    2. Re:Yet another example of Windows messing up by greed · · Score: 1

      And if you got fed up with your ISP's DNS taking so long that all your clients kept timing out, you could just set up your own caching BIND or djbdns server pointing at a known-good set of root-servers.net.

      Since you're too lazy to switch back, you're protected to this day... barring any BIND bugs anyway.

  43. Bah! by Anonymous Coward · · Score: 1, Interesting

    I submitted this story on Friday, April 1st, but Slashdot was too damn busy with April Fool's pranks to publish it. It got rejected within minutes.

    That's when I realized the Slashdot editors are more interested in puerile humor than in actually notifying their readers of important information that could save them headaches, time and money.

  44. Protection against DNS Poisoning by jdion · · Score: 1

    Another thought would be to disable DNS Forwarding services. I understand the purpose of DNS is to distribute the service and pull resources off of the root servers, but if DNS servers are getting spoofed packets after querying the root DNS servers, then I think there is an even bigger problem that needs to be addressed.

  45. SANS vs. the rest of the security community. by tsu+doh+nimh · · Score: 5, Interesting
    Washingtonpost.com is running an interesting story about how SANS is really the only major player in the security community that is making any noise about this.

    ...(snip..)

    "But here's the rub: Symantec Corp., which maintains tens of thousands of "sensors" at various points around the Internet to pick up signs of Internet attacks, said it isn't seeing anything out of the ordinary with DNS attacks.

    Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."

    Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."

    All of this may seem like an academic debate to those who claim to have been victimized by these attacks.

    On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.

    "I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.

    John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.

    In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.

    Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)

    "People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."

    --
    ...because you never know who you're dealing with.
    1. Re:SANS vs. the rest of the security community. by jdion · · Score: 1

      I have been discussing this topic with a couple of colleagues, and the last time we recalled the SANS security level raised to Yellow was right before each major worm release... i.e.: Blaster, Sasser Worm, etc...

      http://isc.sans.org/infocon.php

      Just food for thought.

    2. Re:SANS vs. the rest of the security community. by Fjornir · · Score: 1

      ...er...don't you mean it was raised because of the worm outbreaks?

      --
      I want a new world. I think this one is broken.
    3. Re:SANS vs. the rest of the security community. by httptech · · Score: 4, Informative
      I wrote this article about the source and motivations of the attack (also mentioned by the Washington Post blog), so SANS is not the only security organization talking about it. But there's a reason you're not hearing alarm bells all over.

      Basically it comes down to this - the attack was used to hijack searches for pay-per-click engines. It was done in the most obvious way and got a lot of attention. If they had been smarter, they would only have redirected defunct sites instead of cnn.com and the rest of the .com TLD.

      Now that the cat is out of the bag, people are watching for the traffic, so a second, more malicious attack probably won't see nearly as much success. So there's no reason to panic - it's a 4-year-old vulnerability as it is, and fixed by a simple registry edit. Most people will be unaffected by it.

      -Joe

      Joe Stewart, GCIH
      Senior Security Researcher
      LURHQ http://www.lurhq.com/

    4. Re:SANS vs. the rest of the security community. by fimbulvetr · · Score: 1

      That's an excellent article, thank you.

      If they had been smarter, they would only have redirected defunct sites instead of cnn.com and the rest of the .com TLD.

      Since the traffic to cnn.com is substantially higher than a typical defunct .com, isn't it expected that they would use cnn.com? I would assume that using a defunct domain would net them so few clicks (compared to cnn.com) that it would come close to negating the motivation to hijack at all. Just wondering...

    5. Re:SANS vs. the rest of the security community. by httptech · · Score: 2, Interesting

      The problem is, by hijacking high-traffic sites, they get noticed fairly quickly. Plus the servers they hacked to host their fake search engine could barely keep up with the load, making all the extra traffic futile.

      If they had kept a lower profile they probably could have gotten away with the hijacking indefinitely - but these guys don't think long-term (fortunately for us). And it looks like they've stopped the hijacking for now, probably only due to the attention they've gotten in the press in the last week.

    6. Re:SANS vs. the rest of the security community. by Rolan · · Score: 1

      The other organizations can stick their heads in the sand if they wish, but I've seen this first hand and am just glad that the people doing it are stupid. They very easily could have redirected banking sites to spoofed sites, etc., and caused a lot more trouble than just redirecting to a single, obviously incorrect website.

      --
      - AMW
    7. Re:SANS vs. the rest of the security community. by suwain_2 · · Score: 1

      "I'm grading this as hype until I see some independent support."

      How is that different from saying, "I won't believe it until I become a victim?" This isn't a wild claim, it's a vulnerability that just isn't being enough for this guy to call it a serious problem.

      Is it not a problem if there are no exploits (yet), but the vulnerability is still there?

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    8. Re:SANS vs. the rest of the security community. by McSpew · · Score: 3, Informative

      So there's no reason to panic - it's a 4-year-old vulnerability as it is, and fixed by a simple registry edit. Most people will be unaffected by it.

      Ah, but here's the rub: It's not fixed by a simple registry edit. Win2k SP3 and SP4 are "secure" by default. I'm running Win2k SP3 and SP4, and I was bitten by this. The MS articles I initially found about cache poisoning didn't mention that SP3 and SP4 are secured by default, so I went and inserted the registry setting and restarted my DNS servers. The next day, the poisoning was back. That was when I discovered that SP3 and SP4 are secured by default, and that was when I realized that this problem is more serious than most people realize.

      I tried to publicize what I'd learned on Friday. I submitted the story to Slashdot, where it was rejected because it wasn't an April Fool's prank. I submitted it to Russ Cooper's NTBugTraq, where it disappeared into the ether. Imagine my consternation when Russ Cooper was quoted in today's Washington Post security blog saying that nobody was seeing it. I wrote to Russ immediately after seeing that quote and assured him that I was seeing it and I had posted to his list, but the post had not been approved by him.

      I'm pissed off because very few people are taking this seriously and well-meaning people such as yourself are dismissing it as a minor vulnerability that's easily remedied with a registry edit. This attack is not remedied by inserting a registry entry and restarting the server--it affects servers that are supposed to be immune.

    9. Re:SANS vs. the rest of the security community. by httptech · · Score: 3, Informative

      You probably would have been better off sending your findings to handlers@sans.org - you're the first person I've heard say that the fix doesn't work, and since SANS hasn't updated the information, I presume they haven't heard about it yet either.

      Despite the fact that your experience contradicts MS and CERT-CC, I'm willing to accept the possibility that because the .com label in the Authority section is technically a subdomain of any .com domain they may be querying, the SecureResponses key doesn't reject it. This would be a fairly big deal (not too big, you realize, since most of the world doesn't use MS DNS servers) that would require some independent testing in order to convince MS to change their stance (and fix the problem for real).

      Any chance you captured some of the traffic as it was occurring on your would-be immune servers? Because the poisoning attack from abx4.com is over now, so it will take a bit of work to recreate it in the lab without those servers to conveniently supply the test packets.

    10. Re:SANS vs. the rest of the security community. by Anonymous Coward · · Score: 0

      I don't know if this applies to 2000; it does exist in 2003.

      In your DNS properties page.
      On the forwarders tab.
      Specify a trusted forwarder or several (4.2.2.4 as others have suggested).
      Check the box to disable recursion.
      Flush the cache.
      This should cause your server to only resolve with the forwarders you've specified.

    11. Re:SANS vs. the rest of the security community. by Anonymous Coward · · Score: 0

      Here's a tip..DON'T USE MS DNS...what has to hit you for you to figure that out...in fact DON'T USE MS for ANY service exposed to the net...it's stupid..that shit's for intranets...not internets...

    12. Re:SANS vs. the rest of the security community. by httptech · · Score: 1

      Well, I spent the morning painstakingly simulating the cache poisoning attack on a Win2K SP4 machine. When the "prevent cache pollution" option is checked in the DNS server properties, it does indeed stop the attack from working.

      So, unless you can provide a packet capture or reproducible scenario, I have to assume that your DNS settings are somehow configured to forward to a vulnerable server, or that the manual registry key edit reversed the checkbox setting on your properties tab. If you'd like to confirm your settings and follow up I'd be willing to look at it further. But as it stands, I have to agree with Microsoft's assertion that SP3 and SP4 are secured against this attack by default.

    13. Re:SANS vs. the rest of the security community. by McSpew · · Score: 1

      You probably would have been better off sending your findings to handlers@sans.org

      I did. They responded by posting that Win2k SP3+ was supposedly immune but that people with that configuration were reporting the poisoning.

      Today's ISC update from SANS indicates they're closing in on the root cause. Apparently, MS DNS servers implicitly trust servers to which they forward. BIND 4 and BIND 8 don't scrub poisoning information when they respond to a forwarding server. DJBDNS and BIND 9 do scrub the data.

    14. Re:SANS vs. the rest of the security community. by McSpew · · Score: 1

      I was forwarding to a server that was the source of my problem, as the articles at ISC now show. BIND v8, used by my ISP, isn't vulnerable to poisoning, but it does pass poisoned entries to servers that forward to it. Since Windows DNS trusts servers to which it forwards, it gets poisoned by the junk passed down from BIND 8.

      There are two parts to this problem, and without both of them, this issue never would have arisen. The first is Microsoft's decision to ignore DNS cache security settings when forwarding. The second is BIND 8's decision not to scrub data it sends to servers that forward to it. Take either of those items out of this equation, and the problem I encountered can't happen.

      I called my ISP, and they were most unsympathetic. At first, they denied having any role to play because it's a Windows problem and they don't run Windows. When I finally got them to understand, they said, "Well, you shouldn't be forwarding to us in the first place. Use the root servers. Duh!"

      Okay, they weren't quite that dismissive. They didn't actually say, "Duh!" But the rest of it was pretty much what I was told. So I've turned off forwarding. I'm not so sure I'm going to stay with my ISP in the future, based on this nonsense.
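The forwarder-trust plus no-scrubbing combination McSpew describes (and the bailiwick question httptech raises a few comments up), as an added example that is not code from the thread, from BIND or from Microsoft DNS: a small cache that applies a label-wise bailiwick check to the authority and additional sections, beside one that trusts everything its forwarder relays. Names, addresses and the record layout are constructed, not taken from the attack.

```python
"""Bailiwick scrubbing for a DNS cache.

Added example, not code from the thread, from BIND or from Microsoft DNS.
It models the two-part failure described above: a forwarder that does not
scrub the authority/additional sections it relays, feeding a cache that
trusts its forwarder.  Responses are built as plain Python objects rather
than wire-format packets; all names and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str       # owner name, e.g. "www.example.com"
    rtype: str      # "A" or "NS"
    rdata: str      # address for A, nameserver name for NS
    ttl: int = 3600


@dataclass
class Response:
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a proper subdomain of it.

    The comparison is label-wise: "evilexample.com" is not under
    "example.com", and "com" (the parent of example.com) is not either.
    """
    n, z = norm(name), norm(zone)
    if z == "":                 # the root zone encloses every name
        return True
    return n == z or n.endswith("." + z)


class Cache:
    """A minimal resolver cache keyed by (owner name, record type)."""

    def __init__(self, scrub: bool = True):
        self.scrub = scrub      # False mimics a cache that trusts its forwarder
        self.store: dict = {}

    def ingest(self, resp: Response, bailiwick: str) -> list:
        """Store the records a cache may keep; return the ones it dropped.

        bailiwick is the zone the answering server is responsible for.  A
        scrubbing cache keeps only records whose owner name lies inside it.
        """
        dropped = []
        for section in (resp.answer, resp.authority, resp.additional):
            for rr in section:
                if self.scrub and not in_bailiwick(rr.name, bailiwick):
                    dropped.append(rr)
                    continue
                self.store.setdefault((norm(rr.name), rr.rtype), set()).add(rr.rdata)
        return dropped

    def lookup(self, name: str, rtype: str) -> set:
        return self.store.get((norm(name), rtype), set())


# Constructed poisoned reply to a query for www.example.com.  The answer is
# genuine; the authority section tries to install a new nameserver for the
# whole "com" zone and the additional section supplies its glue address.
POISONED = Response(
    qname="www.example.com",
    answer=[RR("www.example.com", "A", "192.0.2.10")],
    authority=[RR("com", "NS", "ns.attacker.example")],
    additional=[RR("ns.attacker.example", "A", "198.51.100.7")],
)


def demo() -> dict:
    """Feed the same reply to a scrubbing cache and to a trusting one."""
    strict, trusting = Cache(scrub=True), Cache(scrub=False)
    strict_dropped = strict.ingest(POISONED, "example.com")
    trusting_dropped = trusting.ingest(POISONED, "example.com")
    return {
        "strict_dropped": len(strict_dropped),            # 2
        "strict_com_ns": strict.lookup("com", "NS"),       # set()
        "trusting_dropped": len(trusting_dropped),        # 0
        "trusting_com_ns": trusting.lookup("com", "NS"),   # {"ns.attacker.example"}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trusting cache ends up with a cached NS record for all of "com" that points at the constructed attacker name, which is exactly the state a downstream forwarder-trusting server inherits; the scrubbing cache keeps only the answer for the name it asked about.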

  46. Re:More reason to use Firefox by Anonymous Coward · · Score: 0

    ah, yes... now, I just hope someone just doesn't say firefox "secures" you from dns-poisoning.

    No, but putting entries in your /etc/hosts for sites you want to secure can..

  47. At school by elgatozorbas · · Score: 3, Funny

    When I was young, I had a severe DNS poisoning at school, and the teacher allowed me to go home.

    1. Re:At school by Dogtanian · · Score: 1

      When I was young, I had a severe DNS poisoning at school, and the teacher allowed me to go home.

      Reminds me of those weird dreams you get where you leave one room through the door and end up in exactly the same room. Think about it.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  48. Coder's need to know more about security.... by smd4985 · · Score: 1

    Every undergraduate CS program should integrate some secure coding standards. Something like this:

    link

    --
    smd4985
  49. This is a Windows DNS problem only by Peter+Cooper · · Score: 0, Flamebait

    Yet another badly written /. submission. Was this submitted by a Microsoft fanboy or something? Check out the actual report and you find that the affected servers are.. "Windows NT4 and 2000 DNS servers" and those that run "Symantec gateway products." This is about as newsworthy as "Windows XP/98/2000/whatever has yet another gaping security hole."

    This only sucks if you're using the default nameservers and are signed up with an ISP using shoddy insecure products.

    1. Re:This is a Windows DNS problem only by Anonymous Coward · · Score: 0

      You didn't read into SANS's report, they claim to have valid reports of poorly configured BIND dns servers also being poisoned.

  50. Brian Krebs of The Washington Post... by latuZimZactly · · Score: 3, Informative

    Wrote about this today in his blog:

    http://blogs.washingtonpost.com/securityfix/

    He provides some background and comments from companies affected by the attacks. And he offers some opposing views from SANS and Symantec Corp. on whether this is a serious concern or not.

  51. Hey wait, you all forgot by Anonymous Coward · · Score: 0

    While eating hot grits off Natalie Portman....

    1. Re:Hey wait, you all forgot by Anonymous Coward · · Score: 0

      Naked and petrified!

  52. I've seen this by benjamindees · · Score: 3, Insightful

    For months now, since at *least* the first of January. It's mostly been google.com, redirecting to some odd webpage, but not any of the ones listed.

    I figured the problem is that I was pointing to an old DNS server for SBC. They won't give you the IPs of the new DNS servers unless you fire up their awful PPPoE program. We use Linux, and this incident has been an excuse to remove the last few Windows computers from the network. It'll probably also be an excuse to rid ourselves of SBC's horrendous services.

    --
    "I assumed blithely that there were no elves out there in the darkness"
    1. Re:I've seen this by Gord · · Score: 1

      I wonder if this explains why I've been getting occasional 'SERVFAIL' messages back for google.com from my localnet dns resolver, where querying via other dns resolvers and google directly has been fine at the same time.

      It's happened at least half a dozen times in the last couple of weeks, queries for anything in google.com stop resolving and a clear out of the cache for google.com on the nameserver gets it going again.

      If it happens again I'll investigate further to see what's actually been cached.

  53. Google? by baadger · · Score: 1
    The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites.


    Did a text search on the presentation. There is no mention of Google being targeted. In fact big G is only mentioned in the "What exactly is DNS cache poisoning?" section.

    Welcome to /. where our Gmail is more important to us than our bank balance. :P
    1. Re:Google? by Anonymous Coward · · Score: 0

      That's because I have more in my gmail than in my bank account :-p

  54. Re:Admin vs User by tokabola · · Score: 2, Interesting

    C.E.R.T. (Computer Emergency Response Team) is the agency you're thinking of. They probably have said lots about this and nobody listened. Just like when they warned people to use any browser besides Internet Explorer, yet if you go to any library and check the public access terminals, or into any government agency and check, you'll still see IE on ALL of them.

    I myself don't want the US government (or any country's government) in charge of the internet - Governments can't be trusted not to abuse any authority they get. They always have, and until humans are much, much wiser than we currently are they will continue doing so.

    Tommy

    --
    Open Source for Open Minds
  55. djbdns by Anonymous Coward · · Score: 0, Troll

    I'm surprised at how few people have pointed out that djbdns is, and always has been, immune to this type of attack.

    My DNS server is a soekris box (small form-factor machine) that runs djbdns off a RAM disk (loaded from a CF card).

    Besides a UPS battery failure last year, the box has not been rebooted, had a high CPU load, run out of space (thanks, multilog!) or done anything other than its job for several years now.

    Why do people still torture themselves with BIND (or Windows *shudder*)? Set up a little PC with FreeBSD, SSH only from the inside LAN, and djbdns. Nothing else. You won't have a single problem with it, and you don't even have to patch it.

    1. Re:djbdns by Anonymous Coward · · Score: 1, Informative

      Actually, BIND 9 is a complete rewrite of BIND and does not have the security issues that BIND 8 and 4 have. Basically, recent versions of BIND 8 and BIND 9 do create random DNS query IDs, which makes this kind of attack far more difficult (it would have been nice if DNS was designed with variable length query IDs back in 1983, but the Internet was a different place back then).

      I really wish DJB advocates would realize that BIND 9 is not BIND 8 and below.

      To DJB's credit, he has written the best article on DNS cache poisoning I have seen.

  56. it's a month old! by budgenator · · Score: 1

    considering that "Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began receiving reports..." and one of the sites affected, webmd.com (online medical advice), also processes tons of federally protected (HIPAA) medical and dental claims, and that there are also

    Financial Services
    ------------------
    americanexpress.com (credit cards)
    citicards.com (credit cards)
    billpay.quickbooks.com (financial software/services)
    adp.com (data processing)
    hrblockemail.com (financial services)

    involved, it might have been nice if /. posted something around the 5th of March instead of a month later. Cmdr Taco might not care if everybody knows about his Herpes med and Viagra addiction, but other people might.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
    1. Re:it's a month old! by Abalamahalamatandra · · Score: 1

      True, it's been in progress awhile (and, as a computer security professional, it's scary as all get-out, especially with most companies still using Internet Exploder and all the security risk just that entails), but the summary that was referenced in this article was posted in the last three or so days.

      Bottom line is, if you're depending on Slashdot to keep you up-to-date on the latest security threats, you're not being too bright.

    2. Re:it's a month old! by budgenator · · Score: 1

      Most medical and dental offices don't have anybody even reasonably astute in computers, not to mention computer security! I spend a lot of time chasing Comet Cursor off the billing clerk's machine.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  57. Poor, misunderstood IMDB.COM by Anonymous Coward · · Score: 1, Informative

    Quoting the article:

    imdb.com (online music database)

    That might be news to the people who run imdb.com - it's the internet MOVIE database, not MUSIC database :).

  58. FTA by bitswapper · · Score: 2, Interesting

    "(Basically, the UNIX-based stuff has been secure against cache poisoning for quite some time, but there may always be a bug or design flaw that is discovered. We are not quite sure why Microsoft left a default configuration to be unsecure in NT4 and 2000. (Exercise to reader: insert Microsoft security comment/opinion/joke here, but keep it to yourself)."

    mmphm...!

  59. Re:More reason to use Firefox by hey · · Score: 1

    How about a plugin that listens to DNS lookups?
    And when the time comes it can display a popup that says: "The last 2345 times www.yourbank.com was 111.111.111.111 but this time it is 222.222.222.222. Are you sure you want to proceed? Possible DNS poisoning. YES / NO"
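Lehk228's two-resolver cross-check (first reply under comment 42) and the history-aware plugin sketched above, as one added example that is not code from the thread: a consistency check across independent resolvers plus a per-name memory of previously seen addresses, with resolver answers constructed inline. Names and addresses are constructed; the shared caveat is that round-robin and CDN-hosted names change addresses legitimately, so a mismatch is a prompt to investigate rather than proof of poisoning.

```python
"""Client-side sanity checks on DNS answers.

Added example, not code from the thread: it combines the two ideas above,
querying two independent resolvers and refusing to proceed when they
disagree, and a browser-side memory of the addresses a name resolved to
before.  Resolver answers are constructed in-line; a real tool would obtain
them by querying the resolvers.  Caveat shared by both ideas: round-robin
and CDN-hosted names change addresses legitimately, so a mismatch is a
prompt to investigate, not proof of poisoning.
"""
from collections import Counter


def cross_check(answers_by_resolver: dict) -> tuple:
    """answers_by_resolver maps a resolver label to the set of addresses it
    returned.  Returns (ok, detail); ok is True only when every resolver
    returned the same non-empty set."""
    if not answers_by_resolver:
        return False, "no answers"
    sets = {label: frozenset(ips) for label, ips in answers_by_resolver.items()}
    if any(not s for s in sets.values()):
        return False, "at least one resolver returned no addresses"
    if len(set(sets.values())) > 1:
        detail = "; ".join(f"{label}={sorted(s)}" for label, s in sets.items())
        return False, "resolvers disagree: " + detail
    return True, "resolvers agree"


class History:
    """Remembers how often each address has been seen for a name."""

    def __init__(self):
        self.seen: dict = {}            # name -> Counter(address -> count)

    def check(self, name: str, ips: set) -> tuple:
        """Flag an answer containing an address never seen for this name.
        Returns (ok, detail)."""
        counts = self.seen.get(name, Counter())
        total = sum(counts.values())
        unseen = sorted(ip for ip in ips if ip not in counts)
        if total and unseen:
            return False, (f"the last {total} answers for {name} were "
                           f"{sorted(counts)} but this one includes {unseen}")
        return True, "familiar" if total else "first sighting"

    def record(self, name: str, ips: set) -> None:
        self.seen.setdefault(name, Counter()).update(ips)


def verdict(name: str, answers_by_resolver: dict, history: History) -> dict:
    """Combine both checks; record the answer only when nothing looks off,
    so a suspicious answer never becomes the new 'familiar' baseline."""
    agree, agree_detail = cross_check(answers_by_resolver)
    ips = set().union(*answers_by_resolver.values())
    familiar, hist_detail = history.check(name, ips)
    ok = agree and familiar
    if ok:
        history.record(name, ips)
    return {"ok": ok, "cross_check": agree_detail, "history": hist_detail}


if __name__ == "__main__":
    hist = History()
    # Constructed: five consistent lookups of a bank's site via two resolvers.
    for _ in range(5):
        print(verdict("www.bank.example",
                      {"ISP": {"192.0.2.1"}, "alt": {"192.0.2.1"}}, hist))
    # Constructed: the ISP resolver suddenly hands out an address the
    # independent resolver does not, and that was never seen before.
    print(verdict("www.bank.example",
                  {"ISP": {"198.51.100.9"}, "alt": {"192.0.2.1"}}, hist))
```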

  60. But.... by The_Mystic_For_Real · · Score: 0, Offtopic

    Can your subconscious run linux?

    --

    _____

    Thank you.

    1. Re:But.... by Geek+of+Tech · · Score: 1
      Yes. My subconscious is actually running a variant of Debian with GNU/Linux 2.6.11.5....

      Now I'll be right back.... I have to run apt-get update on my mind...

      --
      Stop the Slashdot effect! Don't read the articles!
  61. Sebben Alert Level Update by ewhac · · Score: 4, Funny
    ...the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings.

    ATTENTION: ALERT LEVEL UPDATE. The authorities at SANS (Sebben-Affiliated Network Security) have issued this network alert update:

    The DNS cache poisoning alert has been upgraded from "Yellow" to "Blackwatch Plaid." Repeat: DNS cache poisoning alert level is now at Blackwatch Plaid.

    Available information does not yet justify a further upgrade to alert level "Moving Pictures."

    And for everyone's safety and security, and to preserve our way of life, SANS is taking a drastic step and installing a network monitor. Just one. For safety, security, and omniscient, unblinking information gathering of everyone's activities.

    :-),
    Schwab

    1. Re:Sebben Alert Level Update by rsmith-mac · · Score: 1

      This modified quote of course comes from the Adult Swim show Harvey Birdman: Attorney at Law, episode Blackwatch Plaid.

  62. worst one; by jafac · · Score: 2, Informative

    When I directed my friends to locate Spybot Search And Destroy via Google, they got redirected to a software site that claimed to be Spybot Search and Destroy - but the software would not CLEAN infected systems unless you paid. What you end up installing, of course, just installs MORE spyware.

    So when you point friends to Spybot Search and Destroy, you've got to give them the actual download link.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    1. Re:worst one; by Anonymous Coward · · Score: 1, Informative

      there are hundreds of fake sites like these
      this site lists the worst offenders

      and this site has a hosts file that blocks them

      regards
      --AJS

  63. Mods are on crack (or don't know much about DNS) by don.g · · Score: 2

    For goodness' sake, guys! +5 Funny, not +4 Interesting!

    You'd think people would get suspicious when they read things like "poison the DNS cyber buffer", but that's probably expecting too much of the typical mod-point wielding slashdotter.

    --
    Pretend that something especially witty is here. Thanks.
  64. April Fools' hacks by Anonymous Coward · · Score: 0

    Hey, for a good April Fool's hack, have a look at the site for the commune de Walferdange... Browse around a little bit, AFAIK, there are three easter eggs to be found... I wonder how long it will take until they discover them eggs (they've been in place since April 1st), and then how long it will take until they ditch IIS/ASP

  65. Re:More reason to use Firefox by menkhaura · · Score: 2, Insightful

    Yes.

    What was written in that dialog again?

    --
    Stupidity is an equal opportunity striker.
    Fellow slashdotter Bill Dog
  66. Your sig is wrong. by crovira · · Score: 0, Offtopic

    Citizenship guarantees Service!
    Questions Guarantee GITMO....
    Amerika Uber Alles!

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  67. Re:More reason to use Firefox by lowrydr310 · · Score: 0, Offtopic

    Don't know why you modded me flamebait. I misinterpreted the parent's comment. I thought the parent was implying that by using firefox, you won't be directed to fake sites (which isn't the case because the DNS server is the problem). After getting modded flamebait and reading some of the other comments, I now realize that the parent meant that by using firefox you greatly reduce your chances of getting malware from one of the redirected sites.

  68. ISC Bind "view" on the hint zone by Anonymous Coward · · Score: 0

    Does anyone have a working example of using the "view" configuration to restrict access to query the DNS cache to internal clients?

  69. If you are an end-user by danila · · Score: 1, Informative

    If you become a victim of a DNS poisoning attack or if you want to avoid that in the first place, you can use a DNS server other than that of your ISP. For example, below are the names of Microsoft DNS servers (that can be expected to work reliably and be relatively safe):

    DNS1.CP.MSFT.NET 207.46.138.20
    DNS2.CP.MSFT.NET 207.46.138.21
    DNS3.CP.MSFT.NET 207.46.138.126
    DNS4.CP.MSFT.NET 207.46.245.230
    DNS5.CP.MSFT.NET 64.4.25.30
    DNS7.CP.MSFT.NET 207.46.138.14

    The IP-addresses may change when Microsoft changes their DNS Architecture.

    --
    Future Wiki -- If you don't think about the future, you cannot have one.
    1. Re:If you are an end-user by theendlessnow · · Score: 1
      ...For example, below are the names of Microsoft DNS servers (that can be expected to work reliably and be relatively safe):

      DNS1.CP.MSFT.NET 207.46.138.20
      DNS2.CP.MSFT.NET 207.46.138.21
      DNS3.CP.MSFT.NET 207.46.138.126
      DNS4.CP.MSFT.NET 207.46.245.230
      DNS5.CP.MSFT.NET 64.4.25.30
      DNS7.CP.MSFT.NET 207.46.138.14

      The IP-addresses may change when Microsoft changes their DNS Architecture.

      Update: Occasionally, when the IPs change, you will be temporarily using OpenBSD and ISC BIND and so the names might look like NS1.OSDL.ORG, then after awhile it will get switched back to our secure Windows infrastructure.

      There may be a security reason for us to do this, but the good news is that we won't tell you if this is the case, thus preserving your corporate security status (in other words you can stay "GREEN" while the problem is worked on in secret!).

    2. Re:If you are an end-user by Anonymous Coward · · Score: 0

      I tend to use:

      4.2.2.4

      It's easier to commit to memory.

    3. Re:If you are an end-user by danila · · Score: 1

      Thanks for the tip. I googled and here is a bunch of others. DNS server problems are somewhat common at many ISPs, so it's worth having these at least for a backup (although you probably don't need to remember more than 4.2.2.4 - if you can't access Verizon, chances are switching to another DNS server won't help you).


      --
      Future Wiki -- If you don't think about the future, you cannot have one.
  70. One way to solve this... by djkoolaide · · Score: 0

    is to start using secured, SIGNED encryption for every site. That way, you'll know if you are really on the site you think you're on.

  71. Re:Admin vs User by Doc+Ruby · · Score: 1

    They don't have to be "in charge of the Internet", any more than they have to be "in charge of the US". How about the FBI catching these criminals?

    BTW, though CERT is partially funded by DHS (among others), it is by no means an agency of the government. It is part of "a non-academic unit of Carnegie Mellon University".

    --
    make install -not war

  72. And why not? by Anonymous Coward · · Score: 0

    And all of those victims that click okay every time they get an "invalid certificate" message.

    Yahoo mail's "secure login" has an expired certificate.

    The user slowly becomes inured to this kind of thing...

  73. that will also stop those emails by Anonymous Coward · · Score: 0

    I notice the same problem applies to emails I get advertising rude things, so eventually that should work itself out too.

  74. Re:More reason to use Firefox -- Yeah by gru3hunt3r · · Score: 4, Insightful

    DNS poisoning is not new. Using it for fraud is new. Defending against it (if you're Google) is difficult, but not impossible.

    I swear -- Technical people need to stop addressing these problems with solutions that are technically elegant but unrealistic.
    Yeah, let's secure all the nameservers on the Net! Sure, that'll work. Hell, we've only been doing DNS poisoning attacks for what? 12 years or so? Hey, well at least we finally got sendmail secure. Doh!

    The only way we're going to be able to stop bad guys is to start having applications that use more than one protocol to verify integrity AND start building in stronger independent crypto behind the scenes, making it much much much harder to spoof. You don't have to change the whole protocol stack; we just need to share more information across protocols. Right now, when you compromise one protocol, you own the box. Aiiee!

    I'm actually happy this happened -- because I've felt the Net needed a big overhaul for a while. My parents can't safely use the Internet, neither can yours. And all us gunslingers who could keep them safe are too busy securing our damn nameserver, and dealing with joe jobs to do anything about it. The solution requires a more comprehensive look at the problem.

    If the bad guys are specifically targeting Google with DNS poisoning, it's reasonable to assume it will undermine people's faith in Google. (ATTENTION FLAMERS: YES, I am aware the request was hijacked long before it got to Google -- but the end user won't be, because they don't have a clue what DNS stands for or how it works).

    Seriously - all your mom/dad would take away from an explanation of DNS hijacking is "Go to google, get a virus" (read the previous article posted earlier today about how people don't understand technobabble) ..

    Does anybody else besides me find this whole thing incredibly ironic? People will see Google as being the problem, even though it's almost definitely Microsoft's fault. Damn.. sucks to be Google. (Okay, yeah.. honestly I'd love to have Googlesque problems, but also the Googlesque resources to solve them!)

    Anyway I think this sort of article hopefully illustrates to Google why they need to start promoting a secure browser WHICH isn't subject to malware attacks such as IE really is in their best interest -- and although it has a minimal cost impact to them, it has a huge long term impact to the net community. Honestly, I believe if Google offered a "safer" online experience -- I'd put my parents on it in a second, I think everybody here would too. I don't trust Yahoo, MSN, Ask Jeeves, etc. or any of those companies with the tender care of my parents' Internet experience.

    I say Google - rather than just "firefox", because if Google put Gbrowser on their homepage you know it'd have a 30% usershare virtually overnight -- maybe more. They install the google toolbar, it transmits information about where you're surfing to google -- BUT it also checks with Google to make sure you're at a "safe site" --

    OKAY so you want a real example -- how about a simple one -- why not a modified robots.txt with an entry that included a list of the valid IPs for the SOA for your root domain for the next 30 days. Boom, they already pick up robots.txt -- BUT now they can authenticate that the DNS wasn't poisoned using google toolbar. Sexy huh?

    I've got lots of ideas like this -- there are probably 5 things sites could *OPTIONALLY* do, that merge application stacks -- but at the same time it would make it necessary for a phisher to compromise MULTIPLE hosts, across MULTIPLE protocols -- thereby making it *statistically* impossible.

    (NOTE: If I seem brilliant it's only because I'm standing on the shoulders of Giants. I love how SPF uses DNS to authenticate mail servers -- it's non-intrusive, but an illustrative example of the types of solutions that we as a technical community need to solve problems)

  75. 0wn the H@04s by Anonymous Coward · · Score: 0

    why doesn't someone 0wn the idiots who fixed this up?

    Get the IPs and the times of the attacks and forward them to the FBI. Voila.

  76. Fed ex tracking by morcheeba · · Score: 3, Funny

    A friend of mine was obsessively tracking a fed ex package of his and told us the progress of it a couple times a day. There happened to be a big hurricane, but it wasn't quite in the path of his package's travel. So, I wgett'ed (wgot?) fedex's site and made my own modifications. I just changed the hosts file on my friend's machine to point to my webserver. My friend watched his package get closer and closer, then looked in horror as it took a detour to Florida. The next day it was in the fedex damaged package center, and we had to let him in on the joke.

  77. smd4985 needs to know more about punctuation... by EnglishTim · · Score: 1

    There's no apostrophe required for the plural, moron!

    link

  78. Google Sponsored Ads for Firefox/Spybot are scams by quokkapox · · Score: 2, Insightful
    Last week I recommended Firefox to one of my clients. He Googled for "firefox". First actual result would have correctly taken him to getfirefox.com, but he chose to click on the Sponsored Ad, which takes you to www.freedownloadhq.com - who offers "free Firefox downloads" for $19.95.

    He said "Hey, I thought it was supposed to be free, but they're asking me for my credit card number!" He quickly realized it was a scam site, but many others will not.

    Perhaps this is also what your friend did. I just googled for Spybot Search and Destroy, and the first sponsored ad is for noAdware.net which itself is spyware.

    There's no incentive for Google to prevent this because they're making money. I wonder if slashdotters could nickel-and-dime the scammers to death. Firefox costs ~ $0.10, Spybot ~ $0.20. Let's try, firefox and spybot - click all the scam Sponsored Ads you see. Repeatedly if desired.

    --
    it's a blue bright blue Saturday hey hey
  79. Johannes Erdfelt by __aaijsn7246 · · Score: 1

    Johannes Erdfelt wrote the advisory that jizz, erect, etc. were based off of. Nice programs they were.

  80. "poison the DNS cyber buffer!" by dr.badass · · Score: 1

    Turn the lifetime of all DNS records to 0. This way they will not be cached, hence no poisoning issues

    Indeed, let us destroy the internet with advice we got from an AC on Slashdot! Talk about "nuking the site from orbit", yeehaw.

    I know jack crap about DNS, and this didn't sound right. Thank god for clueless moderators!

    --
    Don't become a regular here -- you will become retarded.
    1. Re:"poison the DNS cyber buffer!" by cb69b · · Score: 1

      the method sounds a lot like idlescanning
      http://www.insecure.org/nmap/idlescan.html

  81. Sig comment... by Anonymous Coward · · Score: 0
    That's right, I just showed you how to count 36 in binary...with my hands.

    Ummm... don't you mean 132?

    1. Re:Sig comment... by loopsandsounds · · Score: 1

      Nope...I meant "thumbs up" AND "FU". Argh just when you think you had it figured out. The sig used to be "witty phrase goes here"

      --
      I was throwing you the 48, but you made me switch to the 132.
  82. DON'T CLICK LINK by suwain_2 · · Score: 4, Funny

    Don't click that link! I clicked it and got a really nasty porn site.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
    1. Re:DON'T CLICK LINK by PalmMP3 · · Score: 0

      Really? Cool! I didn't know that 127.0.0.1 automatically brings up your "My Pictures" folder! ;-)

      --
      Laughter is the best medicine, but in certain situations the Heimlich maneuver may be more appropriate.
  83. Study shows it could be much worse... by Timothy1965 · · Score: 3, Interesting
    A group of researchers at Cornell looked at the DNS poisoning problem (article here) and found that
    • many names were vulnerable to DNS poisoning because they depended on lots of nameservers. Some names in some country-code TLDs, like the Ukraine, were depending on 600+ nameservers.
    • some key nameservers controlled a large portion of the namespace. Compromise one of those nameservers, and you can hijack a lot of domains.
    • some crucial names were not protected well. For instance, fbi.gov could be hijacked!


    Easy way to get on the FBI's most wanted list. You try to hijack fbi.gov, and you'll end up on the most wanted list even if you fail.
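
As an added illustration of the study's first two points, and not code from this post or from the Cornell paper: the script below walks a constructed, hypothetical NS delegation map and computes every name-server host a name transitively depends on (its own zone's servers, the servers of the zones those server names live in, and so on), then shows which hosts two unrelated names share. Every zone and host name in NS_MAP is made up for the example.

```python
"""Transitive name-server dependencies for a DNS name (added example).

A name is only as safe as every name server it depends on, directly or
through the names of those servers.  The delegation data below is
constructed for the example and describes no real domain.
"""
from collections import deque

# Constructed NS delegations: zone -> list of name-server host names.
# Hypothetical data, chosen so that "shop.example.ua" pulls in many hosts
# through an outsourced DNS provider that also serves an unrelated zone.
NS_MAP = {
    "example.ua": ["ns1.example.ua", "ns.hosting.example.net"],
    "hosting.example.net": ["a.hosting.example.net", "b.dnsprovider.example.org"],
    "dnsprovider.example.org": ["x.dnsprovider.example.org",
                                "y.dnsprovider.example.org",
                                "outsourced.example.com"],
    "example.com": ["ns.example.com"],
    "agency.example.gov": ["ns1.agency.example.gov", "ns.hosting.example.net"],
}


def parent_zones(name):
    """Yield the name and each ancestor zone, most specific first."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def zone_for(name):
    """Closest enclosing zone in NS_MAP for a host or domain name (None if unknown)."""
    for zone in parent_zones(name):
        if zone in NS_MAP:
            return zone
    return None


def dependency_set(name):
    """Return every name-server host that `name` transitively trusts.

    Breadth-first walk: name -> its zone's NS hosts -> the zones those host
    names live in -> their NS hosts -> ...  A host that lives inside a zone
    already visited (in-bailiwick glue) adds no new dependency.
    """
    seen_hosts = set()
    seen_zones = set()
    queue = deque([name])
    while queue:
        current = queue.popleft()
        zone = zone_for(current)
        if zone is None or zone in seen_zones:
            continue
        seen_zones.add(zone)
        for host in NS_MAP[zone]:
            if host not in seen_hosts:
                seen_hosts.add(host)
                queue.append(host)
    return seen_hosts


def shared_with(name_a, name_b):
    """Hosts both names depend on: compromising one of these hijacks both."""
    return dependency_set(name_a) & dependency_set(name_b)


if __name__ == "__main__":
    for n in ("shop.example.ua", "agency.example.gov"):
        deps = dependency_set(n)
        print(f"{n}: {len(deps)} name-server hosts: {sorted(deps)}")
    print("shared:", sorted(shared_with("shop.example.ua", "agency.example.gov")))
```

Run against real delegation data (NS records collected with a normal resolver), the size of `dependency_set` is the "depends on N nameservers" figure the study measured, and the hosts that appear in many names' sets are the "key nameservers" whose compromise would affect a large part of the namespace.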

  84. DJB Says by illuminatedwax · · Score: 2, Insightful

    I told you so!

    Time to stop running BIND and Windows, people.
    djbdns is easier to set up by leaps and bounds, anyway.

    --
    Did you ever notice that *nix doesn't even cover Linux?
  85. if you're running a decent sized network by Anonymous Coward · · Score: 0

    you may as well run your own recursive resolver and have complete control

    also you can make the local resolver act as authoritative for any domains you like. useful for redirecting stuff or for internal names etc.

  86. Use a HOSTS file for high traffic sites? by nixdix · · Score: 1

    It may be a bit of a "nuclear option", but you could always code addresses for google, yahoo, imdb, etc. sites which receive a lot of traffic in a HOSTS file. This can be especially useful for sites where you are especially concerned...the address of your online banking for instance. One downside is that you can only associate one IP address to a name in a HOSTS file as far as I know and a site like google will have several. Then there is the obvious potential problem of the site changing its IP (although I doubt google does it very often).

  87. Re:Google Sponsored Ads for Firefox/Spybot are sca by fuzzybunny · · Score: 1

    Shitty trick. But that said, googling for Firefox gives me a ton of legitimate links, including to mozilla.org, some Firefox evangelism pages, and loads of other "real" sites.

    The only sponsored link I get is to the download.com Firefox download page. Did someone bitch Google out? Do they respond to this sort of thing?

    --
    Cole's Law: Thinly sliced cabbage
  88. Re: Google Sponsored Scam Ads for Firefox/Spybot by quokkapox · · Score: 1
    Yup, strange. Hours after my earlier message, googling for firefox again there are now four Sponsored Links: one legit (download.com) and three scams:

    FreeDownloadHq.com/Firefox

    www.FreeDownloadZone.com/Firefox

    www.MP3Advance.com

    We are maybe just hitting different google datacenters which have slightly different configurations of which ads to serve.

    I think people just have to learn that the sponsored links can be risky and are NOT necessarily relevant to their query.

    --
    it's a blue bright blue Saturday hey hey
  89. Why not check two different DNSs servers? by funvill · · Score: 1

    Why not check two different DNSs servers?
    I never use my standard ISP's DNS servers anyway; it might take a little longer but it's safer

    funvill.com

    --
    ---- EveryDayFiction.com - Read short stories daily
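
An added example of the two-resolver cross-check this post suggests (not funvill's code, and not a finished tool): it parses the answer section of DNS responses at the wire level and reports names where two resolvers' A records differ. Both responses are constructed in memory with a small builder so that it runs offline; the addresses are from documentation ranges, and build_response, parse_a_records and disagreements are names chosen for the example.

```python
"""Cross-check A records returned by two resolvers (added example).

Nothing here touches the network: the two "resolver responses" are built
in memory in standard DNS wire format (RFC 1035 header, question, answer
RRs with name compression), then parsed back and compared.
"""
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, addrs, ttl=300):
    """Construct a minimal standard response: QR=1, one question, one A answer per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # type A, class IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the name in the record ends after the pointer
            jumped = True
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return {name: set of dotted IPv4 strings} from a response's answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = read_name(msg, off)
        off += 4                      # qtype + qclass
    result = {}
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A / IN
            result.setdefault(name, set()).add(".".join(str(b) for b in rdata))
    return result


def disagreements(resp_a, resp_b):
    """Names whose A-record sets differ between the two responses, with both sets."""
    a, b = parse_a_records(resp_a), parse_a_records(resp_b)
    return {name: (a.get(name, set()), b.get(name, set()))
            for name in a.keys() | b.keys() if a.get(name) != b.get(name)}


if __name__ == "__main__":
    # Constructed sample: two resolvers agree, a third hands back something else.
    r1 = build_response(0x1234, "www.example.com", ["192.0.2.10", "192.0.2.11"])
    r2 = build_response(0x1235, "www.example.com", ["192.0.2.10", "192.0.2.11"])
    r3 = build_response(0x1236, "www.example.com", ["198.51.100.7"])
    print("r1 vs r2:", disagreements(r1, r2))   # {}
    print("r1 vs r3:", disagreements(r1, r3))   # www.example.com differs
```

A difference is a signal to look more closely, not proof of poisoning: large sites hand back different address sets from different places, so comparing whole sets and checking whether they at least overlap keeps the noise down, and the name that a poisoned cache returns typically shows no overlap at all.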
  90. State the Truth by triso · · Score: 0, Flamebait

    Why don't the authors come out and say it: this is mostly a Windows' problem, again.

  91. My credit card number by happymedium · · Score: 1

    I still don't see how the credit card company could be irresponsible enough to have LOST it, or just how this "Slashdot" recovery service works, but my browser says I'm at www.americanexpress.com, so here goes...the number is...

  92. Re: Google Sponsored Scam Ads for Firefox/Spybot by fuzzybunny · · Score: 1

    That makes sense--I'm coming from a Swiss IP (but going to google.com, not .ch) -- accessing from a .uk IP via nph-proxy on a box there, I get download.com (legit) and freedownload.com (not legit.)

    Didn't realize that Google targeted its ads based on source IP, but it does make sense.

    --
    Cole's Law: Thinly sliced cabbage
  93. Re:More reason to use Firefox -- Yeah by QAPete · · Score: 1

    While I'm disgusted at this whole DNS poisoning crap (I've personally seen two exploits at two different locations today using different DNS servers), I echo your thoughts, gru3hunt3r. This sort of attack, once refined, can bring down the entire internet (for some ISPs, it has). More attention needs to be paid to how to secure this incredibly precious resource than is spent on crap political 'issues' like how to regulate cable/satellite programming (here in the US), and a myriad of other useless pursuits. Perhaps when enough businesses lose enough money, we'll get the technical focus that we need to improve our internet performance and security. Frankly, I'm sick of fixing and securing my entire cadre of friends' and families' PCs, as well as my work servers and PCs, against the latest script kiddie attack. Pete

  94. Re:Admin vs User by tokabola · · Score: 1

    Interesting, I was talking about another group who is commonly referred to as CERT. Apparently they are US-CERT to be precise. I didn't know about the Carnegie Mellon group so I simply didn't think to add the US part.

    In fact, the Carnegie site directly references the US CERT site. I wouldn't be surprised if the Carnegie CERT was the brains behind the stuff on the US CERT site. US CERT certainly is a government agency and even has the .gov tld to "prove" it (like that really means much, I'm sure Verisign would sell me a .gov domain if I bribed, er, paid them enough)

    I stand, perhaps not fully corrected, but certainly better informed. Thanks, Doc. I'll try to remember to double check my acronyms in the future.

    Tommy
    --
    Open Source for Open Minds
  95. You forgot... by game+kid · · Score: 1

    ...the "oh, wait..." part.

    --
    You can hold down the "B" button for continuous firing.