Ten Percent of DNS Servers Still Vulnerable

maotx writes "Even with the uproar caused by the recent DNS attacks, a recent study shows that roughly 10% of 2.5 million DNS servers show that they are still vulnerable to DNS cache poisoning. To put that a little bit more in perspective, of that 10% discovered, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." From the article: "The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming."

Re:Admins - Take some initiative!

[Bi()hazard]

The fix in question here is available. The BIND webpage has a scary warning box on the right with details. Everyone should be upgrading to the new version.

But it's not surprising that there's still vulnerable servers out there. In fact, I'm surprised the total is so low. Aside from the few admins who just aren't doing their jobs, these kinds of things often run into bureaucracy. In many organizations, upgrades have to be thoroughly tested before release and there's standard schedules for patch cycles. An admin who wants to simply stick a new version of something on the production server may be told to wait until approval comes. That could take a while. And occasionally you'll have some crappy system that doesn't work well with the new software, and they're stuck rolling back until the problem is solved.

I had a friend who worked at a small ISP that had some serious security issues. The guy who should have been patching things "resigned"-something to do with the smell of pot lingering in his office. Anyways, the position went vacant for a little while and the task fell to the two new interns, my friend and another girl. Coincidentally they were both young women and had no experience relevant to the job, proof of quality hiring practices. To make a long story short, the (not terribly large) customer database got hacked and the company was sued. The owner, who had been heavily in debt already, vanished completely. Naturally the whole thing went down in flames and my friend didn't even get a reference out of it.

Most of you are probably sitting there thinking this story is too outlandish to be true. Haha, well, this is the internet so you never know what to trust, but you know there's places out there where things just aren't done the way they're supposed to be. It's shocking what goes on, and there will always be vulnerable servers around.

Getting it down to the numbers in the article this quickly is actually pretty good. The real lesson here is that you need to insulate yourself from the fools who won't take responsibility. Always assume 10% of the internet is out to get you, because they probably are. Hey, I don't even want to think about what 10% of slashdotters would want to do to me.