Slashdot Mirror


DNS Poisoning Hits One of China's Biggest ISPs

Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."

86 comments

  1. Re:Frosty Post!!1 by Tubal-Cain · · Score: 1, Funny

    I'd like to buy a vowel. A.

  2. Re:Frosty Post!!1 by Anonymous Coward · · Score: 0

    I know. They're always nagging me.

    Or maybe you mean Noggers?

  3. It's <iframe> by Anonymous Coward · · Score: 5, Funny

    is property of html, not Apple Inc.

  4. Cyberwar by religious+freak · · Score: 1

    Odd, just a little probe from the NSA?

    Whenever attacks target specific countries, I wonder.... Yeah, I guess I'm feeling a little paranoid tonight.

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    1. Re:Cyberwar by Devil's+BSD · · Score: 1

      I get what you're driving at. A communications blackout can mean only one thing - invasion!

      --
      I'm the Devil the Windows users warned you about.
  5. Real Player exploits? by dohzer · · Score: 2, Funny

    It's a good thing nobody uses Real Player these days, isn't it!

    1. Re:Real Player exploits? by das_magpie · · Score: 1

      Yeah, shame flash is so popular though.

    2. Re:Real Player exploits? by Ethanol-fueled · · Score: 1

      Wait...if you run a firewall and that protects you, then shouldn't they be more protected because they have a great firewall?

    3. Re:Real Player exploits? by Anonymous Coward · · Score: 0

      it'd have to be a really great firewall to protect you from stuff on the same side of it as you.

  6. Since when by narcberry · · Score: 5, Funny

    Since when do I have to input my SSN to post to slashdot?

    --
    Modding me -1 troll doesn't make me wrong.
    1. Re:Since when by AndroidCat · · Score: 0, Redundant

      You have a nuclear submarine? Dang, I knew I should have paid more attention to those surplus sales!

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Since when by SleptThroughClass · · Score: 1

      Since when do I have to input my SSN to post to slashdot?

      Ever since you mistyped http:///.

  7. And what is M$ doing? by BhaKi · · Score: 2, Funny

    It's busy trying to paint a picture that the whole problem is only with BIND, not with DNS protocol and in particular not with M$ DNS.

    --
    The largest prime factor of my UID is 263267.
    1. Re:And what is M$ doing? by Anonymous Coward · · Score: 0

      Except that they released a patch for it and it crashed every MS dns server we have..... I shouldn't say crash, the DNS.exe service was running but it would not answer queries. Had to roll back. I sure am glad I am not a MS admin.......

  8. Cyberparanoia by Anonymous Coward · · Score: 0

    I doubt it. It's not the NSA style.

    1. Re:Cyberparanoia by z0idberg · · Score: 5, Funny

      lol

      Can we check the IP origin of that last post please?

      *ring*ring*
      Badguy1: "Hello"
      Badguy2: "Hi its me, you ready to do this thing tonight?"
      Badguy1: "sure, dont forget to bring the stuff"
      *click*
      Badguy2: "hey did you just hear a click on the line?"
      Badguy1: "yeah! - do you think we are being tapped by the NSA?"
      Anonymous Coward: "No its not our style"
      Badguy1: "OK"
      Badguy2: "OK"

    2. Re:Cyberparanoia by ksd1337 · · Score: 1

      Not following the rules of the Constitution is not the "style" either, but it looks like that went out of fashion.

    3. Re:Cyberparanoia by Das+Modell · · Score: 1

      Yeah. The NSA sends Sam Fisher.

    4. Re:Cyberparanoia by Hal_Porter · · Score: 1

      That has almost happened

      http://news.bbc.co.uk/2/hi/programmes/panorama/6476207.stm

      These guys were actually bugged discussing and eventually dismissing the possibility that MI5 was bugging them.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    5. Re:Cyberparanoia by jonaskoelker · · Score: 4, Informative

      I know you're just trying to be funny, but allow me still to (hopefully) educate some of your readers.

      If anyone was wiretapping and using reasonably well-designed equipment, you wouldn't hear clicks, since clicks can be avoided. I think "high-impedance circuitry" was the phrase used to justify that claim.

      Also, if the wiretappers are playing by the rules, you can just press C on your phone (or play back two tones with the corresponding frequencies but less amplitude than your phone does) to shut down the recording equipment at the other end.

      Source: Matt Blaze, http://www.usenix.org/events/lisa05/tech/mp3/blaze.mp3, http://www.usenix.org/events/lisa05/tech/.

      Interesting to know, if you plan on being wiretapped. What's also interesting to know is that wiretapping equipment is (usually) illegal to possess, yet can be bought from law enforcement agencies on ebay :)

    6. Re:Cyberparanoia by Saint+Gerbil · · Score: 0, Offtopic

      that drunken bum ?!

  9. As a Chinese Internet user... by gzipped_tar · · Score: 5, Interesting

    ... I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers. (Disclaimer here: I'm not saying the OpenDNS service is recommended for security. It's just a matter of reputation.)

    The Chinese ISPs have been known to use manipulated DNS records as a censorship measure, too. See here: http://slashdot.org/article.pl?sid=07/11/18/1824230

    --
    Colorless green Cthulhu waits dreaming furiously.
    1. Re:As a Chinese Internet user... by QuantumG · · Score: 2, Interesting

      So what makes you think OpenDNS were not the first DNS servers attacked?

      That's what I'd do.

      --
      How we know is more important than what we know.
    2. Re:As a Chinese Internet user... by AnyoneEB · · Score: 5, Informative
      --
      Centralization breaks the internet.
    3. Re:As a Chinese Internet user... by the_denman · · Score: 2, Interesting

      the theory being that OpenDNS is more likely to keep their servers up to date than some of the ISPs' name servers

    4. Re:As a Chinese Internet user... by MavEtJu · · Score: 1

      I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers.

      If you were really worried about it you would run your own resolving-server on your machines.

      --
      bash$ :(){ :|:&};:
    5. Re:As a Chinese Internet user... by xenobyte · · Score: 5, Interesting

      It's not only China that has ISPs that manipulate DNS records... Here in Denmark for instance most ISPs voluntarily manipulate DNS for a whole list of domains known to host kiddie porn, causing a redirect to a warning page. But they also censor the net by 'preventing access' to domains like allofmp3.com and thepiratebay.org which were 'banned' by Fodgedretten, a commerce-oriented court, based on bogus claims of extending Danish jurisdiction to foreign-based websites (Russia and Sweden). Unfortunately nobody has yet filed an appeal of these verdicts, so they stand - unvalidated.

      Anyway, this censorship has caused most somewhat technically-oriented people to switch to other nameservers than those provided by their ISPs, usually OpenDNS but also private nameservers they trust. I use our company's, which I run (and keep patched!), so I can circumvent the censorship.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    6. Re:As a Chinese Internet user... by gzipped_tar · · Score: 5, Insightful

      This is a very good question. Frankly, I don't know. As I have said, I never trust OpenDNS for security reasons. I use it for my desktop browsing, not for anything worthy enough to be protected. But I know from my own experience that some Chinese ISPs are seriously incompetent in managing security risks. I have seen some of their mistakes in securing their service so that I wouldn't trust them again. OTOH I know I have to buy their services to get online and put these rants here, and that sounds like a paradox. Maybe it is. Finally we have to trust somebody else. That's how we make our lives. I just chose to deal with one who has *already* made a bad reputation as little as possible.

      --
      Colorless green Cthulhu waits dreaming furiously.
    7. Re:As a Chinese Internet user... by TorKlingberg · · Score: 5, Informative

      OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

    8. Re:As a Chinese Internet user... by gzipped_tar · · Score: 5, Informative

      Exactly. But there is a workaround. Just sign up for an OpenDNS free account and you can turn their "features" off in your preferences. Once configured OpenDNS works just like normal DNS servers that return NXDOMAIN on unknown domains, which is all I want.

      For dynamic IP users like me a bit more work is necessary: find a way to report the IP to OpenDNS so it knows it is you. I use the ddclient daemon to update my IP information to OpenDNS and things are working reasonably well so far.

      --
      Colorless green Cthulhu waits dreaming furiously.
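A small probe for the NXDOMAIN behaviour gzipped_tar describes, added here as an example; it is not code from the thread or from OpenDNS. The check is the one you would run against any public resolver: ask for a random label that cannot exist and see whether the reply is RCODE 3 (NXDOMAIN) or NOERROR with an A record pointing at a search page (the same substitution that breaks rrohbeck's VPN lookups further down). The wire-format helpers follow RFC 1035; the base domain, the resolver address and the replies used in the self-test are constructed for the example, so it runs offline.

```python
"""NXDOMAIN-hijack probe for a recursive resolver (added example, not from the thread)."""
import os
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, txid, qtype=1):
    """Wire-format DNS query for `name` with RD set (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return txid, rcode and the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def classify(query_txid, reply):
    """Label a reply to a query for a name that cannot exist."""
    r = parse_response(reply)
    if r["txid"] != query_txid:
        return "txid_mismatch"               # not an answer to our query; ignore it
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"                    # the resolver told the truth
    if r["rcode"] == RCODE_NOERROR and r["answers"]:
        return "nxdomain_hijack"             # a typo-redirect page was substituted
    return "other"


def probe(resolver_ip, base="example.com", timeout=3.0):
    """Live check: query <random-label>.<base> at resolver_ip over UDP/53."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_query(f"{os.urandom(8).hex()}.{base}", txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify(txid, reply)


def build_response(query, rcode, addrs=(), ttl=60):
    """Constructed reply to `query`, used offline in place of a real resolver:
    QR/RD/RA set, the given RCODE, one A record per address, with the owner
    name compressed as a pointer to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in addrs)
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query("zq7k1x9vb3.example.com", 0x1234)
    print(classify(0x1234, build_response(q, RCODE_NXDOMAIN)))                   # nxdomain
    print(classify(0x1234, build_response(q, RCODE_NOERROR, ["192.0.2.44"])))    # nxdomain_hijack
```

`probe("<resolver ip>")` is the live form; one resolver that answers "nxdomain" and another that answers "nxdomain_hijack" for the same random name is exactly the difference between a plain resolver and one with the "typo" feature switched on. Note that the probe only detects substitution on non-existent names; it says nothing about whether the resolver's cache has been poisoned for names that do exist.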
    9. Re:As a Chinese Internet user... by jhol13 · · Score: 1

      known to host kiddie porn

      "known" or "alleged"?

      "to host" or "picasa" (or hacked sites)?

      "kiddie porn" or "gay porn"?

      In Finland they use the same method and the black list is extremely idiotic (and most likely illegal - unfortunately the government refuses to do anything about it).

    10. Re:As a Chinese Internet user... by Lennie · · Score: 1

      And check your NAT didn't screw up your source-port-randomisation.

      --
      New things are always on the horizon
    11. Re:As a Chinese Internet user... by Anonymous Coward · · Score: 1, Insightful

      They redirect www.google.com, not google.com. If this were news to me and I went to check your claim, I'd find that you lied and your criticism would not just be ineffective but counterproductive. Apart from that you're right though. Nobody should use OpenDNS.

    12. Re:As a Chinese Internet user... by 3p1ph4ny · · Score: 2, Interesting

      I always hear people on Slashdot bitching about OpenDNS. Apart from running my own resolver, what are my other options?

    13. Re:As a Chinese Internet user... by Anonymous Coward · · Score: 1, Insightful

      There are other public DNS servers, but since DNS is currently an unauthenticated protocol, it is all a matter of trust. If you care enough about DNS to avoid your ISP's servers, you should run your own recursive resolver. It's not hard.

    14. Re:As a Chinese Internet user... by Anonymous Coward · · Score: 0

      "kiddie porn" or "gay porn"?

      Looking to do some personal research?

    15. Re:As a Chinese Internet user... by rrohbeck · · Score: 1

      OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

      Which causes my VPN (Nortel) not to work. DNS lookups to Intranet domains only work if they fail properly on the primary network adapter so they are tried on the virtual adapter. With OpenDNS all Intranet names are resolved to the same (OpenDNS I assume) IP address unless I change the DNS server ordering manually each time I connect.

    16. Re:As a Chinese Internet user... by Anonymous Coward · · Score: 0

      "OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine." - OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

      Barring ANY other solutions that may present themselves via others' suggestions? You CAN "override" this, via using a custom HOSTS file (see %Windir%\system32\drivers\etc & in that subfolder/subdirectory, lies the HOSTS file & you can 'hardcode' a correct IP to URL equation there, which will/should override ANYTHING coming from ANY DNS server)

      You also MAY have to use this registry hack (easily done), to set the order of preference as to which of the 3 (HOSTS file, Local DNS cache, & DNS server) the IP stack refers to, first, for said IP to URL equation satisfaction:

      http://support.microsoft.com/kb/139270/EN-US

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
      "LocalPriority"=dword:00000005
      "HostsPriority"=dword:00000006
      "DnsPriority"=dword:00000007
      "NetbtPriority"=dword:00000008

      (LOWER NUMBERS HERE = GREATER PRIORITY)

      As you can see, I give my LOCAL DNS Cache the greatest priority (because it has my HOSTS file loaded into it @ system startup (IP stack startup, actually)), & THEN, my custom adbanner blocking/speedup fav sites (which this post is showing folks how to do, & yes, it works) is next, & then my ISP/BSP's DNS servers, & lastly NetBios/WINS stuff (which I just plain do NOT use, because I have no LanManager style network running here, ONLY Tcp/IP)

      APK

      P.S.=> The beauty of this is simple: It's NOT only "restricted to Windows" & in fact, began its 'life' in *NIX, so this type of arrangement/solution can work if you're a *NIX user too (barring the registry stuff up there, it's the same format for their HOSTS files as they are on Windows)... apk

  10. Olympic DNS poisoning by syousef · · Score: 2, Funny

    Someone's decided to make DNS poisoning an Olympic sport. Obviously the only place to do it at the moment is China.

    I've got images in my head of a broken toothed Chinese geek running around Beijing with an EEE PC and a Linksys wireless router hooked to a 12V SLA battery, lights a-blinking, instead of the Olympic torch. Thank goodness the Olympics are about to end.

    --
    These posts express my own personal views, not those of my employer
  11. Re:It's by i.of.the.storm · · Score: 2, Insightful

    Haha, I guess it's kind of become reflex now to capitalize anything coming after an i.

    --
    All your base are belong to Wii.
  12. Suck it! by CaptSaltyJack · · Score: 0, Flamebait

    Ahh well, I just chalk it up to payback for all those Chinese hackers out there committing SQL injection attacks and other types of breaches. How's it feel, jackasses?

  13. Re:Frosty Post!!1 by AmishElvis · · Score: 1

    *whoosh* watch more South Park

  14. It's a big flaw by ledow · · Score: 5, Interesting

    It's a big flaw. Someone big was bound to fall foul of it eventually. And to be honest, I can't say that I'm at all surprised. In fact, I'm expecting a lot more.

    I bet that there are still hundreds of large companies that are vulnerable worldwide and I bet that translates to hundreds of thousands, if not millions, of affected people. For instance, last time I checked the whole LGfL (London Grid for Learning) was vulnerable - and they provide DNS / Internet connectivity for every school in London (several million users, hundreds if not thousands of schools) with little alternative because they have been mandated as the recommended solution and thus all "interesting" content is in their private network.

    If they ARE still compromised (and several days after the release of the information, they were still showing up as vulnerable on all those DNS tests and today I got: Your name server, at ***.***.***.***, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32768), that's virtually every school, staff member and student in London (we're probably talking close on a million people because it includes Greater London Boroughs but I'm not sure of the exact figure) which are in trouble because they use the upstream DNS from LGfL as their basis.

    Have we heard anything through official channels? Nope.
    Does everybody just trust LGfL to do their job transparently? Yep.
    Have they done it? Apparently not.
    Have they even heard of it? I don't know, but there have been zero advisories, zero visible configuration changes, that I can see.

    Give it a few months, one of the students will download something and poison the whole of London's educational system and THEN maybe someone will bother to look into it.

    When I heard about this flaw, the first thing I did was check all upstream servers that either my servers or my own home computers use - my cheap ISP (PlusNet) had apparently fixed the issue before I'd even caught wind of the "there may be a DNS problem" posts on Kaminsky's blog. Every other one just seems to be dragging their feet.

  15. Snapview by Anonymous Coward · · Score: 0

    On patch Tuesday MSFT did release a fix for Snapview:
    http://support.microsoft.com/kb/955439

  16. Re:Frosty Post!!1 by SensiMillia · · Score: 5, Informative

    In fact Frosty Post AC has a point.

    Chinese speakers (at least in Beijing) often use the word 那个 (neige) as a filler word; much in the same way as 'uh' or 'er' are used in the English language.

    Anyone with no understanding of the Chinese language will often be confronted by the words 'nigga, nigga' when walking on the streets of Beijing.

  17. iDon't Like It by OldMiner · · Score: 2, Funny

    "iFrame"? Lower-case i, uppercase next letter? How odd. It's "inline frame", normally all caps ('IFRAME') or all lower-case ('iframe'). "iFrame" makes it sound like some new Apple-branded house support structure with built-in Internet-something.

    --
    You like splinters in your crotch? -Jon Caldara
    1. Re:iDon't Like It by Anonymous Coward · · Score: 0

      it's caps-agnostic, so you can spell it iFrAmE or IFramE or ifraME if you really want and it's still correct.

      of course then someone would be wondering what an ifra was and why the hell there's a Millenium Edition of it.

  18. check your server by the_denman · · Score: 4, Informative

    It may be a good idea to check your DNS server to see if it is vulnerable. Dan Kaminsky has a tool that shows vulnerability on his blog.

    1. Re:check your server by chap_hyd · · Score: 1

      These things make me paranoid of trusting any DNS server, as many ISPs are yet to patch their DNS servers. So I got my own personal DNS on the XP box http://treewalkdns.com/ . Now it feels much safer.
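Kaminsky's web test looks at the source ports a resolver uses when it talks to the outside world; the same check can be done by hand from a packet capture, which is what the following added example does (it is not the tool from Kaminsky's blog, nor code from anyone in the thread). It grades the (source port, transaction ID) pairs of outbound queries, which covers both ledow's result above (every request from port 32768, the fixed-port case) and Lennie's warning that a NAT can undo the patch by rewriting the randomised ports to a sequential range. Input is the one-line summaries that `tcpdump -n udp dst port 53` prints; the three captures at the bottom are constructed for the self-test, so nothing here touches the network.

```python
"""Grade a resolver's source-port behaviour from captured outbound queries
(added example, not from the thread or from Kaminsky's test page)."""
import re

# tcpdump's summary line for a DNS query, e.g.
#   IP 192.0.2.10.32768 > 198.51.100.1.53: 4321+ A? www.example.net. (33)
# Group 1 is the client source port, group 2 the DNS transaction ID.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+?")


def parse_capture(lines):
    """Extract (source_port, txid) pairs; lines that are not queries are skipped."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def analyze(pairs, min_samples=10):
    """Classify the source-port pattern and estimate the attacker's guess space.

    verdict is one of:
      fixed_port      - one port for every query (unpatched server, or a NAT
                        that collapses the randomised ports to one)
      sequential_port - ports step up predictably, so the next one is free
      randomized      - ports spread over a wide range (what the patch gives you)
    guess_space is the number of (port, txid) combinations a blind spoofer has
    to cover for one forged reply to be accepted: 2^16 transaction IDs times
    the number of ports the attacker cannot predict.
    """
    if len(pairs) < min_samples:
        raise ValueError(f"need at least {min_samples} queries, got {len(pairs)}")
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if len(set(ports)) == 1:
        verdict, unpredictable_ports = "fixed_port", 1
    elif all(0 < d <= 2 for d in deltas):
        verdict, unpredictable_ports = "sequential_port", 1
    else:
        verdict = "randomized"
        unpredictable_ports = max(ports) - min(ports) + 1
    return {
        "verdict": verdict,
        "distinct_ports": len(set(ports)),
        "port_range": (min(ports), max(ports)),
        "repeated_txid": len(set(txids)) < len(txids),  # weak ID generators show up here
        "guess_space": 65536 * unpredictable_ports,
    }


# Constructed captures (not real traffic). The first is what ledow's test result
# looks like on the wire: every query leaves from port 32768.
_TXIDS = [4111, 60233, 1987, 33020, 7, 58991, 24510, 9001, 40404, 16666, 52000, 3210]


def _capture(ports):
    return [f"IP 192.0.2.10.{p} > 198.51.100.1.53: {t}+ A? host{i}.example.net. (35)"
            for i, (p, t) in enumerate(zip(ports, _TXIDS))]


FIXED_PORT_CAPTURE = _capture([32768] * 12)
SEQUENTIAL_PORT_CAPTURE = _capture(range(1025, 1037))     # a NAT rewriting ports in order
RANDOM_PORT_CAPTURE = _capture([51324, 2094, 61277, 17845, 39012, 9931,
                                 44870, 27756, 58309, 12480, 33601, 6148])

if __name__ == "__main__":
    for name, cap in [("fixed", FIXED_PORT_CAPTURE),
                      ("sequential", SEQUENTIAL_PORT_CAPTURE),
                      ("random", RANDOM_PORT_CAPTURE)]:
        print(name, analyze(parse_capture(cap)))
```

Capture on the NAT's outside interface, not on the resolver itself, if there is a NAT between the resolver and the Internet: the resolver can be fully patched and still present a fixed or sequential port to the world, which is the case Lennie is pointing at. A dozen queries is enough to tell the three patterns apart; it is not enough to judge the quality of the random number generator, for which you need a much longer sample.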

  19. Re:Frosty Post!!1 by Anonymous Coward · · Score: 0

    Whoosh indeed.

    Twit.

  20. unanimous multi-polling? by reiisi · · Score: 4, Interesting

    Check our own ISP's name servers, OpenDNS's name servers, and we need a third independent name server pool.

    Check all three before accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.

    Of course, I'm talking about DNS pools as if they already exist. But they should.

    Interactions that need to be secured should also use independent multiple polling before exchanging tokens. Financial institutions, for instance, should keep their own private supernetwork, such that the customer queries their local branch to start login, then queries two other bank-owned check servers, to make sure the branch IP is what the bank says it should be. This would require dedicated browsers, but that's really a given. It's time to quit giving popular browser M, I, or E our credit card numbers to play with. The convenience is not worth it.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    1. Re:unanimous multi-polling? by Anonymous Coward · · Score: 1

      Check all three before accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.

      Fails to work with DNS-based load balancing. Next idea, please.
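The "ask three resolvers and refuse on any disagreement" rule, run against constructed answers, as an added example (not code from reiisi or anyone else in the thread). It shows the objection above directly: a site behind DNS round-robin gives every resolver a different address, so the strict rule rejects it while nothing is wrong. The second rule is the refinement reiisi suggests later in the thread, comparing who owns the addresses rather than the addresses themselves; the prefix table that stands in for that ownership lookup is an assumption here (in practice it would come from whois or routing data), and all addresses are from the RFC 5737 documentation ranges.

```python
"""Multi-resolver agreement check against constructed answers
(added example, not from the thread)."""
import ipaddress


def strict_consensus(answers):
    """The rule as literally stated: every resolver must return the same addresses."""
    return len({frozenset(addrs) for addrs in answers.values()}) == 1


def check(answers, owned_prefixes):
    """Return a verdict and, on rejection, the (resolver, address) that broke it.

    agree           - all resolvers returned identical answers
    agree_by_owner  - answers differ (round-robin / CDN), but every address sits
                      inside a prefix the site's owner announces
    reject          - some resolver returned an address outside those prefixes;
                      a poisoned cache looks exactly like this, but so does one
                      rogue pool member serving nonsense, which is the DoS
                      objection raised in the replies
    """
    if strict_consensus(answers):
        return {"verdict": "agree", "offender": None}
    nets = [ipaddress.ip_network(p) for p in owned_prefixes]
    for resolver, addrs in answers.items():
        for addr in addrs:
            if not any(ipaddress.ip_address(addr) in n for n in nets):
                return {"verdict": "reject", "offender": (resolver, addr)}
    return {"verdict": "agree_by_owner", "offender": None}


# Constructed scenarios. Assumption: the site's owner announces 198.51.100.0/24
# and 192.0.2.0/26; a real check would look this up rather than hard-code it.
OWNER_PREFIXES = ["198.51.100.0/24", "192.0.2.0/26"]

# One address, every resolver agrees.
STATIC_SITE = {"isp": {"192.0.2.10"}, "opendns": {"192.0.2.10"}, "third": {"192.0.2.10"}}

# DNS round-robin: each resolver cached a different member of the same pool.
ROUND_ROBIN = {"isp": {"198.51.100.5"}, "opendns": {"198.51.100.6"}, "third": {"198.51.100.7"}}

# The ISP's cache holds an address in somebody else's space (poisoned, or rogue).
POISONED_ISP = {"isp": {"203.0.113.66"}, "opendns": {"198.51.100.5"}, "third": {"198.51.100.5"}}

if __name__ == "__main__":
    for label, scenario in [("static", STATIC_SITE), ("round-robin", ROUND_ROBIN),
                            ("poisoned", POISONED_ISP)]:
        print(label, "strict:", strict_consensus(scenario),
              "owner-aware:", check(scenario, OWNER_PREFIXES))
```

The owner-aware rule fixes the round-robin false positive but moves the trust problem rather than removing it: whoever supplies the prefix table can now block a site (by omitting a prefix) or whitelist an attacker (by adding one), and a poisoned answer inside the owner's own space, such as a compromised host at the same CDN, passes. That is the same "you have to trust somebody" point gzipped_tar makes above, which is why the replies keep coming back to DNSSEC and TLS rather than to voting.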

    2. Re:unanimous multi-polling? by totally+bogus+dude · · Score: 3, Interesting

      Anything that's important will be using SSL, so even if someone does hijack your bank's DNS entries your browser will warn you that their certificate isn't signed by someone you trust. The only real worry is from typos or bad links, which is why it's recommended practice to never click links in emails to go to sites that you're going to have to log in to, but rather to use a bookmark or type and check the address yourself.

      As for the "check against lots of different servers" idea, there's three main problems.

      1. If the "pools" are very independent of each other (i.e. different management) then it just makes DoS attacks against certain sites very easy (get in the pool, behave for a while, then start serving nonsense results for www.example.com - voila, anyone using your server to verify addresses will reject that domain).

      2. If the pools are under the same management, then they're very likely to be running the same software version on the same platform under the same firewall protection, etc. So an attacker may need to compromise some more servers, but they're all identical.

      3. For your financial institutions example, how does the browser know which "check servers" to use? You can't rely on a single reply from one of their authoritative servers, since you don't trust them. If you ask a bunch of other servers, then you're trusting all of them not to be trying to DoS the site in question (and also not to be poisoned themselves).

      I guess you could be intending that each bank supplies a browser for use with its website, but then you take a lot of the convenience out of using online banking; in particular, cross-platform support would be a problem.

    3. Re:unanimous multi-polling? by OriginalArlen · · Score: 2, Interesting

      The only real fix available now for the fundamental vulnerability is DNSSEC. There's an excellent doc up on ISC's site called DNSSEC in Six Minutes for those who bothered to read Kaminsky's actual presentation (especially the last 40 or so slides on subtle ways security systems like SSL break when you can't trust DNS), put that together with the ten hour exploit for patched servers, and realised we're not out of the woods yet by a long chalk...

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    4. Re:unanimous multi-polling? by Joseph_Daniel_Zukige · · Score: 2, Informative

      Yeah, and I'm not sure how to fit dyndns.com's services into this idea, either.

      But certificates are not really appropriate for DNS when you're just surfing, even if Verisign hadn't trashed the current authorization space. Not unless ISPs start making server certificates part of their basic package. (In the end, everyone is going to have their own web server to take messages and host bulletin board/blogs.)

      Certificates can only work vertically (hierarchically) within an organization. In public, certificates have to function peer-to-peer to have any real meaning at all. (Witness that huge clot in your browser cert cache.) Identity doesn't work by remote.

      It may be that this multiple polling scheme is only useful for secure connections.

    5. Re:unanimous multi-polling? by Joseph_Daniel_Zukige · · Score: 2, Informative

      ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

      1. I'm talking about pools as in, your ISPs main and backup DNS servers are one pool. The openDNS servers you can choose to reference form another pool. The third pool would be like openDNS, but managed separately.

      The servers within the pool regularly check each other and flag and sequester rogues. When a client gets a mismatch, it would report that mismatch to all three pools, and the pools would send messages around to all servers to unwedge their caches for that IP address.

      If the pools don't end up in agreement, that IP gets effectively DOSsed until a human admin can clear it.

      Rogues in one pool would have to somehow gang up with rogues in each of the other pools to defeat the agreement requirement.

      (Yeah, I need to think this out some more, but that's the general idea.)

      2. Of course not under the same management.

      3. Yes, each bank supplies a dedicated browser for its own customers, which means most people would have one browser for each bank they use, in addition to the general purpose surfing browser. Not a big deal, you can get cross platform browsers with most of the necessary functionality as library classes in Java and Perl, and probably other languages.

      The most time intensive part of the implementation is generating either the list of one-time passwords or customer certificate that the customer takes home with the browser install mini-CD.

    6. Re:unanimous multi-polling? by totally+bogus+dude · · Score: 1

      ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

      Why can't you trust your bank if your bank can't trust you? My bank has an SSL certificate which does a reasonable job of ensuring that when I connect to online.westpac.com.au, I'm connecting to a server operated by Westpac, and not some other server that my hijacked DNS is mistakenly pointing me to, and that someone on a router between me and my bank isn't eavesdropping. It's unnecessary for my bank's server to trust me at this point; they trust me after I supply my customer number and password over the encrypted connection.

      Yes, ideally there'd be more security than that, e.g. an RSA token and/or a client certificate. If I did have a certificate, I presume it would have been given to me by the bank either in person or via the post. Regardless, a username and strong password are "good enough" if you know that a) your own system is secure and b) you really are talking to the server you think you're talking to.

      The servers within the pool regularly check each other and flag and sequester rogues.

      What exactly do they check each other for? Every possible hostname? Every hostname they've ever looked up? Every hostname of popular sites? Every hostname for every financial institution that pool operator happens to know about?

      When a client gets a mismatch, it would report that mismatch to all three pools, and the pools would send messages around to all servers to unwedge their caches for that IP address.

      This seems troublesome. Either we verify with all the other pools that we really do have a mismatch whenever a client alerts us, in which case we make it really easy for people to DoS us and/or the other pools; or we don't verify it and just flush our caches, which makes it really easy for clients to DoS us and/or the DNS servers of the target site. The latter seems like it would make it much easier to poison caches as well, seeing how if your attempt fails you can just tell the servers to drop their cached records and make another lookup. Granted you have to poison a lot more servers at the same time, but you also greatly reduce the time between retries.

      Yes, each bank supplies a dedicated browser for its own customers ... you can get cross platform browsers with most of the necessary functionality as library classes in Java and Perl, and probably other languages

      Right, and you really think each bank (or even your particular bank) is going to supply a secure and accessible browser for every OS you want to use? Of course not. There's a lot of online banking interfaces that don't work properly in anything other than Internet Explorer, blissfully ignorant of the other 20%+ of browser market share.

      I grant that this is technically possible, but it's just not realistic. Banks aren't browser vendors. Besides which, if a bank is going to issue their own special software for banking, why would they make a web browser and not a custom app? If the industry went this way, then I absolutely 100% guarantee you that we'd end up with a whole bunch of poorly designed custom applications with really crappy security that relies on obscurity more than anything else. I'm so confident that this would happen, I'd put money on it.

      Yeah, I need to think this out some more, but that's the general idea.

      Certainly. The following issues come to my mind immediately:

      1. Why would anyone who is capable of setting up a pool of such servers (or a single server in the pool) with all this special code be incapable of applying patches to prevent their DNS servers from having their cache poisoned in the first place? You're creating a very complex system in order to solve a problem which is already pretty much solved by much simpler means (better randomization). The only reason this article

    7. Re:unanimous multi-polling? by Anonymous Coward · · Score: 0

      God, not another self-confessed poorly thought out solution.

      Have you actually been paying attention to this issue since it was brought up ORIGINALLY in 2003? All these (stupid) ideas were brought up and shut down faster than you can say 'oi'.

    8. Re:unanimous multi-polling? by reiisi · · Score: 1

      Well, I have to admit, the unanimous polling is probably overkill for web surfing, and overkill usually opens more holes. And it is all too easy to try to fix the social engineering vulnerabilities.

      You know the websites you visit regularly by pattern recognition, and "trust systems" have to be able somehow to take advantage of what the user knows. Maybe it would be better to provide an alternate opinion function. Press a button and your surfing browser asks two other DNS servers, preferably separately managed, for a lookup of the name, and compares the IPs. Perhaps it also checks who owns the IPs, so that big sites can still load balance without using exotic tricks. (And that leaves us with Akamai as a potential trouble spot, but I would assume that Akamai and Apple (for instance) should be able to arrange so that only IPs owned by Apple respond to requests for Apple's servers.)

      Still only advisory, but meaningful to humans. I guess, if we're going that far, it would be reasonable to also query a public cert for the domain name at the same time. But our current certificate infrastructure is sorely lacking, both in administration and in fundamental structure.

      We don't want to go to Verisign when checking a domain name certificate, we want to go to the domain registrar. (Note that I say "domain name certificate". That's not a certificate to shop by.)

      Under normal operation, the current clot of certs in the browser tells you only that the cert you're looking at is trusted by someone in the clot. That's upside down. Checks done in the background put the user to sleep. You shouldn't care until you care, and when you care, that's when the check should be done, and that's when the entire trust chain should be presented, along with the dns and IP chain.

      Where did this idea that the general purpose browser should be used for secure transactions come from? Hmm? (Okay, I'm poisoning the well here, but there is some bad sales engineering going on here.)

      You don't send the bus driver to the bank for you.

With today's personal computer systems, it would be better to have the financial transactions done on completely separate hardware, really. I'm thinking of an electronic wallet, so to speak, that you plug into your ethernet hub. You set the sale up on your surfing browser, the shop gives you a ticket number and a url to log into with your electronic wallet, you plug the electronic wallet in, type in the url and the sales number, and the wallet does the certificate exchanges, etc. And queries you one last time to okay the transaction by hand, just so you can think again before you commit the money.

      But I don't like the idea. Too hard to keep people from trying to combine that with the cell phone. (Already something like that in use here in Japan, vulnerable like a dog to fleas.) Also too easy for governments to try to pull it into the tax system.

      Dedicated browser -- Sure, they use standard parts. They have a master at your office, and when you go in to set up your account, both you and the bank officer digitally sign a pair of certificates. Probably mix a scan of the physical signatures on the paperwork into one part of the digital signatures. The bank's hardware generates the keys (Just like it owns the credit card it gives you, it owns the key it gives you.) It installs those certificates and your key, encrypted, into the dedicated browser with the initial list of IP addresses for the servers. Then it burns the dedicated browser (probably a java app) into a CD.

      You take the CD home after hearing a short lecture about it not being safe to use the browser on any machine you don't know is clean. That lecture is given at the same time as the short lecture about not letting others use your credit cards or your checks.

      (That last step is where it all falls apart. I know. Well, that, and, as you say, the temptation that all financial institutions' market departments will have to add bells and whistles.)

      Why should banks go through this kind of thing? Well, the proce

      --
      Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    9. Re:unanimous multi-polling? by totally+bogus+dude · · Score: 1

      Press a button and your surfing browser asks two other DNS servers, preferably separately managed, for a lookup of the name, and compares the IPs. Perhaps it also checks who owns the IPs, so that big sites can still load balance without using exotic tricks.

      If a user suspected a site was fake, they wouldn't be providing it their credentials in the first place. If they don't suspect it's a fake, why would they ask for a second (or third) opinion?

      I would assume that Akamai and Apple (for instance) should be able to arrange so that only IPs owned by Apple respond to requests for Apple's servers.

This seems... impractical. In order for an organisation to fully leverage Akamai's network, they'd have to pay for at least one dedicated IP address at every major ISP in the world. Maybe when the whole internet is on IPv6 that could be viable, but you'd still need some highly scalable way of authoritatively identifying who "owns" which IP address. I'm pretty sure the ARIN and APNIC and RIPE (etc.) WHOIS servers would melt if every DNS lookup also resulted in an ownership database query.

      Checks done in the background put the user to sleep.

      This I completely disagree with: checks done in the background are what prevents users from falling asleep at the wheel! Do you seriously believe that you could teach every internet user how to verify that a DNS and IP address chain is legitimate? If so, why are there hundreds of thousands of compromised systems out there whose owners either don't know or don't care that they're spewing garbage on to the internet 24x7? Even if we do somehow achieve this utopian enlightenment of even a significant minority of internet users, do you seriously believe that people will routinely do a full, serious check every single time they access a secure site? Even though 99% of the time everything checks out fine?

      That's important to remember. The attack won't come when you expect it; it will come on an ordinary day when you're not on the look out for suspicious activity. This is why it's absolutely imperative that security verification does not require an alert user to consciously and conscientiously verify the identity of the site every single time they access it. Forcing people to do this just leads to complacency, because 99% of the time everything is legit and you're just wasting their time. You need a system that can detect the 1% of the time when things seem a bit suspect, and at that point enlist the aid of a human.

      Where did this idea that the general purpose browser should be used for secure transactions come from?

      Economic realities, I suppose. Where did this idea that a bank will be able to produce a "banking application" that's some kind of Fort Knox come from? What's the incentive? If forced to do this, the bank will produce something that is "good enough" to make their customers feel like the bank is taking security seriously, while minimising the cost of producing it. It will be an exercise in security theatre. You might improve this by legislating that banks must provide an application that meets certain requirements (which is why I said "if forced to do this"), but I have my doubts whether this would actually work. Or you could let the banks sell their application at a profit, but I'm not sure that'd work: consumers would largely opt for the cheapest options they can find.

      Even if all this does actually somehow work, it's now tremendously expensive to do anything secure over the internet. All this cost might be acceptable for large financial institutions, but why are they the only ones deserving of "proper" security?

      With that in mind, can you see why you and the bank shouldn't really trust each other without a certificate exchange? That does rely on you to refrain from exposing your certificate

      I don't see that a certificate exchange is necessary. After all, your certific

  21. Just trying to help. by rts008 · · Score: 0, Offtopic

    First, thanks for the comments (this one and above). If I had mod points, I would have given you +1 insightful.
    After all, how much more insightful is good information from someone directly affected by something we are discussing? Quite a bit more insightful is the answer!

    Now to the reason for my reply.
    When I was stationed in Germany for the US Army (I live in Oklahoma, USA), I always appreciated corrections to my spoken German language attempts. Most of the time the encounter would turn into a mutual learning session for both of us...the German I talked to would help me with my German skills, and wanted (and received) my help with his English skills. It was a great learning experience for me.

    That is the intention of my reply. I have edited your post below for corrections in English grammar. If this has no interest for you, then disregard the rest of the post.

    No harm=No Foul!

"This is a very good question. Frankly, I don't know. As I have said, I never trust OpenDNS due to (or you can use 'because of' in place of 'due to') security reasons.

    *new paragraph=change of subject, or focus on subject*
    I use it for my desktop browsing, not for anything worthy enough to be protected. But I know from my own experience that some Chinese ISP's(the apostrophe as applied here seems to be debatable, but was proper usage when I went to school) are seriously incompetent in managing security risks. I have seen some of their mistakes in securing their service so that I wouldn't trust them again.

    *new paragraph-see reasons above*
OTOH I know I have to buy their services to get online and put these rants here, (added comma to 'end' current focus and enable a slight redirect to the sentence) and that sound like a paradox. Maybe it is. Finally we have to trust somebody else. That's how we live (replaced 'make' with 'live') our lives. I just chose to deal with one who has *already* made a (removed 'bad') reputation as...
    there are many option here:
    1. ...the lesser of two evils. (pessimistic outlook)
    2. ...the better one. (more optimistic)
    3. ...the best person currently able to do the job. (most optimistic)"

I apologize if I have overstepped my bounds here; I only meant to help.

    I like to hear from those outside of the USA, so your post has been good for my learning experience.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  22. Just a warm-up by Ant+P. · · Score: 3, Interesting

    If they were trying to do damage to china, wouldn't they have simply redirected everyone to anti-government propaganda sites instead?

    1. Re:Just a warm-up by abirdman · · Score: 2, Insightful

      They're not trying "to do damage to China," they're trying to enlist more computers into botnets to spread email that sells fake \/iaGrA pills and penile enhancements to stupid people, and possibly to redirect unwitting browsers to ad-sponsored pages. It's motivated by Greed! It's the new (inter)nationalism, and unfortunately it knows no national boundaries.

      --
      Everything I've ever learned the hard way was based on a statistically invalid sample.
  23. Re:It's by ChoboMog · · Score: 3, Informative

    It may be like a reflex now, but at least the "iFrame" name is derived from what it actually is (an Inline Frame) and not just a letter stuck somewhere as part of a marketing or branding gimmick.

  24. J.E.E.E.E.E.E.E.E. h.a.a.a.a.a.a.a.a.a.a.a.a da by Anonymous Coward · · Score: 0

    Yippe Eye Oh Eye Ay Yippie Eye Ay

    Axis of evil gets it in its axis

  25. The Internet != The intarwebs by incubuz1980 · · Score: 1

    "Basically, the problem exists in the DNS system, which translates Web addresses into numerical IP addresses and serves as the phone book for the Internet."

I would have expected more from CNet. I guess that's what the internet is now: "The Web".

  26. Re:Frosty Post!!1 by Wonko+the+Sane · · Score: 1, Interesting

Obviously some moderator has never seen this.

  27. Run your own caching resolver by sega01 · · Score: 1

    Just run your own caching resolver if you don't 100% trust any local ones. I use Unbound and choose not to worry about which external DNS server is "safer", and give myself (overall) faster resolves in the process.

  28. I don't suppose it was... by davidbrit2 · · Score: 1

    ...lead poisoning, was it?

    Thank you, thank you, I'll be here all week.

  29. Patch or profit (the eternal question) by I+cant+believe+its+n · · Score: 1

    1. Buy gold
    2. Poison huge ISP DNS, redirecting to various sites with extreme info on chemical warfare
    3. ???
    4. Profit

    ... that is: Sell your gold after teh GW upgrades public "terrist" threat level.

    --
    She made the willows dance
  30. Re:It's by Anonymous Coward · · Score: 0

    TFS was trying to be impartial. They forgot to mention Mozilla though.

  31. Re:It's by AndGodSed · · Score: 1

    Btw - what does the "i" have to do with apple anyhow?

  32. Redirected? by Shotgun · · Score: 1

So we know there is an exploit and it is being redirected to a website...but no one in law enforcement can determine where that IP is located? They're running the scam out in the public, for cripes sake. It's not even like the old shell scam on a card table, where you had to have compatriots looking around the corners for policemen on foot patrols. These scammers have their card tables set up in front of the precinct office.

    Yes it is a hole. Yes it needs to be fixed. But would the perps be that difficult to trace down and prosecute?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  33. Re:Frosty Post!!1 by multisync · · Score: 1

Obviously some moderator has never seen this

    Yeah, and he sure taught you a lesson by modding your explanation of the first post Offtopic.

    How dare you point out his ignorance!

    --
    I don't care why you're posting AC
  34. CNC Network sucks by Anonymous Coward · · Score: 0

Although CNC's DNS server has been poisoned, the network is so slow that the virus/malware background download failed after half an hour...

  35. Re:It's by i.of.the.storm · · Score: 1

    I knew that. The whole iLine of products is really annoying to me. Same goes for eMachines, and I have to admit the whole K thing with KDE apps is kind of annoying too. But KDE is still better than GNOME, flamewar go! *ducks*

    --
    All your base are belong to Wii.
  36. Re:Lymric by Anonymous Coward · · Score: 0

    That's offensive to me!

    I demand that you correct your egregious and offensive error, and spell it "limerick" as it should be.

    Not to mention that a limerick should officially be 5 lines long.

    And you don't have to be Chinese to pee in someone's Coke. I work in a restaurant ;)

  37. certificate just a very strong password? by reiisi · · Score: 1

    Get back, troll.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    1. Re:certificate just a very strong password? by totally+bogus+dude · · Score: 1

      Okay, I forgot one important property of certificate-based authentication: even if you present your certificate to a hostile party, they can't use it to pretend to be you. That and mutual authentication pretty much negates phishing as an attack vector altogether, whether it's via social engineering, DNS spoofing or some other method of covertly hijacking communications between two parties. The only way to interfere with such a transaction would be to compromise the security of either the user's computer or the server. Or I guess you could try to recreate the user's private key through brute force, but that seems impractical enough to be a nonissue.

      So taken together with your acknowledgement that the unanimous polling is probably overkill for web surfing we can conclude that a) "unanimous multi-polling" doesn't really solve anything (and certainly not the attacks this article is about) and b) we already have the tools necessary to provide a very strong level of protection for secure transactions over the internet.

      This veered far away from "fix DNS spoofing", so to get it back on track:

      We really need some way to detect the poison and purge it and notify users and admins that the poisoning happened.

      Well there's some variations of your proposal that seem simpler. For example, what if the resolver sent its resolution requests to all the name servers for a particular domain, and only accepted the response if they all matched? Now an attacker has to simultaneously poison at least 2 responses. To up the ante, the resolver could additionally request another trusted resolver to also resolve it, which would also do the same thing. So now there's at least 4 responses you have to simultaneously poison, without requiring client-side changes or multiple independent pools.

      This still results in any sites which return different responses for different requests suddenly disappearing from the internet though, which I don't think is an acceptable price to pay.

      A simpler way to mitigate the problem would be to have your resolver cap the TTL. This limits the maximum amount of time your cache can be poisoned for, requiring attackers to continually re-poison it. This alone might make the cost:benefit ratio low enough to make it not worth doing.

Ultimately, I still think the long-term solution for the majority of resolvers is to detect and block people who are trying to poison their caches. While many won't be in a position to do this currently due to IP spoofing, that is a problem that really ought to be fixed anyway -- DNS poisoning is hardly the only abuse made possible by IP spoofing. The only ones who really can't protect themselves from this are public resolver operators like OpenDNS, as ISPs should be preventing their customers from sending packets from IP addresses which weren't assigned to them. Unfortunately many don't, and many that do only do it at their borders rather than on customers' individual links, so their resolvers are likely vulnerable to attacks from their clients.
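The two mitigations discussed in this subthread (accept an answer only when several independent sources agree, and cap the TTL so a poisoned entry is flushed quickly), together with the "check who owns the IPs" refinement from the parent comment and the run-your-own-resolver advice in comment 27, can be tried out offline with the following Python. It is an added example written for this page, not code from the thread, from Unbound or from any other project: the answers, source labels, host names (`*.example.test`) and addresses (documentation ranges 192.0.2.0/24 and 203.0.113.0/24) are all constructed, and the 300-second cap is an arbitrary choice. It also covers the failure mode raised in the thread: a load-balanced site whose name servers legitimately return different addresses is only accepted when ownership information vouches for every address.

```python
"""Cross-check A-record answers from independent sources and cap the TTL.

Added example (not from the thread or any project): a small resolver
front-end that simulates the "only accept a unanimous answer" idea, the
"check who owns the IPs" refinement, and the TTL cap. All inputs are
constructed; nothing is sent on the network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed cap: 5 minutes. (Unbound exposes the same knob as cache-max-ttl.)
MAX_TTL = 300


@dataclass(frozen=True)
class Answer:
    """One A-record answer from one source; the source label is constructed."""
    source: str
    name: str
    addresses: frozenset  # IPv4 address strings returned by this source
    ttl: int


def cap_ttl(ttl: int, cap: int = MAX_TTL) -> int:
    """Bound a TTL so a bad record is re-fetched soon rather than cached for a day."""
    return max(0, min(ttl, cap))


def verdict(answers: Iterable[Answer],
            owner_networks: Optional[Iterable[str]] = None) -> tuple:
    """Compare answers for one name from several independent sources.

    Returns (status, detail):
      ("ok", [addr, ...])          every source agrees, or ownership data vouches
                                   for every address (legitimate load balancing)
      ("disagree", {src: [..]})    sources differ and nothing vouches for them
      ("foreign", [addr, ...])     addresses outside the networks the site owns
    """
    answers = list(answers)
    if not answers:
        raise ValueError("no answers to compare")
    names = {a.name.lower().rstrip(".") for a in answers}
    if len(names) != 1:
        raise ValueError("answers are for different names: %r" % sorted(names))

    nets = [ip_network(n) for n in owner_networks] if owner_networks else []
    all_addrs = frozenset().union(*(a.addresses for a in answers))
    foreign = sorted(addr for addr in all_addrs
                     if nets and not any(ip_address(addr) in n for n in nets))
    if foreign:
        return "foreign", foreign

    per_source = {a.addresses for a in answers}
    if len(per_source) == 1 or nets:
        return "ok", sorted(all_addrs)
    return "disagree", {a.source: sorted(a.addresses) for a in answers}


def accept(answers: Iterable[Answer],
           owner_networks: Optional[Iterable[str]] = None):
    """Return a cache entry (name, addresses, capped_ttl), or None if rejected."""
    answers = list(answers)
    status, detail = verdict(answers, owner_networks)
    if status != "ok":
        return None
    ttl = cap_ttl(min(a.ttl for a in answers))
    return answers[0].name, tuple(detail), ttl


# Constructed sample: the local ISP resolver hands back an address that neither
# the authoritative server nor an independent resolver knows about.
POISONED = [
    Answer("isp-resolver", "shop.example.test", frozenset({"203.0.113.66"}), 86400),
    Answer("ns1.example.test", "shop.example.test", frozenset({"192.0.2.10"}), 3600),
    Answer("public-resolver", "shop.example.test", frozenset({"192.0.2.10"}), 3600),
]

# Constructed sample: a load-balanced site whose two name servers answer with
# different addresses, both inside the network the site is known to own.
BALANCED = [
    Answer("ns1.example.test", "www.example.test", frozenset({"192.0.2.10"}), 86400),
    Answer("ns2.example.test", "www.example.test", frozenset({"192.0.2.20"}), 86400),
]

if __name__ == "__main__":
    print(verdict(POISONED))                    # disagree: sources differ
    print(accept(POISONED))                     # None: rejected
    print(verdict(BALANCED))                    # disagree: no ownership data
    print(verdict(BALANCED, ["192.0.2.0/24"]))  # ok: load balancing vouched for
    print(accept(BALANCED, ["192.0.2.0/24"]))   # cached with TTL capped to 300
```

Without ownership information the load-balanced site is rejected, which is exactly the cost the comment above warns about; supplying the owning prefixes turns that case into an "ok" while a poisoned address outside those prefixes is still reported as "foreign". The TTL cap applies only to answers that pass, so a passing answer with a day-long TTL is kept for at most five minutes before it must be re-validated.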

  38. already corrected? or?... by atomicskate · · Score: 1

    the only example on Websense is concerning "gogle.cn". I've just tried a nslookup using CNC DNS (and even with CT DNS) and nothing is wrong... so either, CNC has corrected its DNS (for this specific domain), either...

  39. Re:It's by badkarmadayaccount · · Score: 1

    FluxBox rulz! *ducks lower*

    --
    I know tobacco is bad for you, so I smoke weed with crack.