Slashdot Mirror

← Back to Stories (view on slashdot.org)

DNS Cache Poisoning Spreads Malware

Posted by timothy on from the cold-hard-cache dept.

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

7 of 314 comments (clear)

  1. Let's Kill The Golden Goose by ackthpt · · Score: 5, Insightful
    Sure, internet click-thrus generate money, but when they get so invasive and destructive, they'll drive people way from the internet. I can't imagine any advertiser likes that idea.

    Worse, perhaps, is that all these problems may encourage some horrible proprietary internet standards to arise, claiming safety from ad/spy/malware, phishing, etc. and all the cattle have to do is sign up, abandoning the old internet.

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. Djbdns - immune to DNS cache poisoning (?) by bad_outlook · · Score: 5, Insightful
    Anyone using Djdns? I've set it up on my home network server running FreeBSD to provide dnscache for all my boxes within 192* and thus far it's working perfectly. From Djdns' security page, it says that it's impervious to DNS poisoning:

    • "dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers."

      "dnscache is immune to cache poisoning."

    Djbdns

    While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet. Anyone care to comment, please do, as I've just started using this and want to know how effective it is.

    bo

    --
    bad_outlook
    --
    Is this vague enough for you?
  3. The most frightening part... by loopsandsounds · · Score: 5, Insightful

    If you read down the SANS presentation you come to this:

    The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory.

    Totally browser/machine agnostic attacks, no user intervention. If you look at the names of the sites, many of them are financial institutions! And all of those victims that click okay everytime they get an "invalid certificate" message. Be afraid, very afraid.

    --
    I was throwing you the 48, but you made me switch to the 132.
  4. Re:How does it happen? by jon3k · · Score: 4, Insightful

    Unprotected DDNS (dynamic dns registration, Microsoft loves this one)

    And also you can feed a slave server your own zone, based on the nameserver configuration, it will work (very rarely).

  5. Yet another example of Windows messing up by Paradox · · Score: 4, Insightful
    Ahh, Windows. People use it for servers too.

    From TFA:
    Basically, the UNIX-based stuff has been secure against cache poisoning
    for quite some time, but there may always be a bug or design flaw that
    is discovered. We are not quite sure why Microsoft left a default
    configuration to be unsecure in NT4 and 2000. (Exercise to reader:
    insert Microsoft security comment/opinion/joke here, but keep it to
    yourself).


    The worst part about DNS cache poisoning is that it affects DNS nodes underneath it in the hierarchy. So if you're below a Windows DNS that gets attacked, you yourself may be subject even if your local DNS is in fact secure.

    Oh, and fear caching http proxy servers that touch DNS servers that get poisoned. They can keep the bad data around for a long time.

    --
    Slashdot. It's Not For Common Sense
  6. I've seen this by benjamindees · · Score: 3, Insightful

    For months now, since at *least* the first of January. It's mostly been google.com, redirecting to some odd webpage, but not any of the ones listed.

    I figured the problem is that I was pointing to an old DNS server for SBC. They won't give you the IPs of the new DNS servers unless you fire up their awful PPPoE program. We use Linux, and this incident has been an excuse to remove the last few Windows computers from the network. It'll probably also be an excuse to rid ourselves of SBC's horrendous services.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  7. Re:More reason to use Firefox -- Yeah by gru3hunt3r · · Score: 4, Insightful

    DNS poisoning is not new. Using it for fraud is new. Defending against it (if you're Google) is difficult, but not impossible.

    I swear -- Technical people need to stop addressing these problems with solutions that are technically elegant but unrealistic.
    Yeah, lets secure all the nameservers on the Net! sure that'll work. Hell, we've only been doing DNS poisoning attacks for what? 12 years or so? hey well at least we finally got sendmail secure. Doh!

    The only way we're going to be able to stop bad guys is to start having applications that use more than one protocol to verify integrity AND start building in stronger indepedent crypto behind the scenes making it much much much harder to spoof. You don't have to change the whole protocol stack we just need to share more information across protocols. Right now, when you compromise one protocol, you own the box. Aiiee!

    I'm actually happy this happened -- because I've felt the Net needed a big overhaul for a while. My parents can't safely use the Internet, neither can yours. And all us gunslingers who could keep them safe are too busy securing our damn nameserver, and dealing with joe jobs to do anything about it. The solution requires a more comprehensive look at the problem.

    If the bad guys are specifically targeting google with DNS poisoning, it's reasonable to assume it will undermine peoples faith in Google. (ATTENTION FLAMERS: YES, I am aware the request was hijacked long before it got to Google -- but the end user won't be because they don't have a clue what DNS stands for or how it works).

    Seriously - your mom/dad would take away from an explanation of DNS hijacking was "Go to google, get a virus" (read the previous article posted earlier today about how people don't understand technobabble) ..

    Does anybody else besides me find this whole thing incredibly ironic? People will see Google as being the problem, even though it's almost definitely Microsofts fault. Damn.. sucks to be Google. (Okay, yeah.. honestly i'd love to have Googlesque problems, but also the Googlesque resources to solve them!)

    Anyway I think this sort of article hopefully illustrates to Google why they need to start promoting a secure browser WHICH isn't subject to malware attacks such as IE really is in their best interest -- and although it has a minimal cost impact to them, it has a huge long term impact to the net community. Honestly, I believe if Google offered a "safer" online experience -- i'd put my parents on it in a second, I think everybody here would too. I don't trust Yahoo, MSN, Ask Jeeves, etc. or any of those companies with the tender care of my parents Internet experience.

    I say Google - rather than just "firefox", because if Google put Gbrowser on their homepage you know it'd have a 30% usershare virtually overnight -- maybe more. They install the google toolbar, it transmits information about where you're surfing to google -- BUT it also checks with Google to make sure you're at a "safe site" --

    OKAY so you want a real example -- how about a simple one -- why not a modified robots.txt with an entry that included a list of the valid IP's for the SOA for your root domain for the next 30 days. Boom, they already pick up robots.txt -- BUT now they can authenticate that the DNS wasn't posioned using google toolbar. Sexy huh?

    I've got lots of ideas like this -- there are probably 5 things sites could *OPTIONALLY* do, that merge application stacks -- but at the same time it would make it necessary for a phiser to compromise MULTIPLE hosts, across MULTIPLE protocols -- thereby making it *statistically* impossible.

    (NOTE: If I seem brilliant it's only because i'm standing on the shoulders of Giants. I love how SPF uses DNS to authenticate mail servers -- it's non-intrusive, but an illustrative example of the types of solutions that we as a technical community need to solve problems)