Slashdot Mirror


DNS Poisoning Hits One of China's Biggest ISPs

Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."

11 of 86 comments

  1. It's <iframe> by Anonymous Coward · · Score: 5, Funny

    is property of html, not Apple Inc.

  2. Since when by narcberry · · Score: 5, Funny

    Since when do I have to input my SSN to post to slashdot?

    --
    Modding me -1 troll doesn't make me wrong.
  3. As a Chinese Internet user... by gzipped_tar · · Score: 5, Interesting

    ... I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers. (Disclaimer here: I'm not saying the OpenDNS service is recommended for security. It's just a matter about reputation.)

    The Chinese ISPs have been known to use manipulated DNS records as a censorship measure, too. See here: http://slashdot.org/article.pl?sid=07/11/18/1824230

    --
    Colorless green Cthulhu waits dreaming furiously.
    1. Re:As a Chinese Internet user... by AnyoneEB · · Score: 5, Informative
      --
      Centralization breaks the internet.
    2. Re:As a Chinese Internet user... by xenobyte · · Score: 5, Interesting

      It's not only China that has ISPs that manipulate DNS records... Here in Denmark for instance most ISPs voluntarily manipulate DNS for a whole list of domains known to host kiddie porn, causing a redirect to a warning page. But they also censor the net by 'preventing access' to domains like allofmp3.com and thepiratebay.org which were 'banned' by Fogedretten, a commerce-oriented court, based on bogus claims of extending Danish jurisdiction to foreign-based websites (Russia and Sweden). Unfortunately nobody has yet filed an appeal of these verdicts, so they stand - unvalidated.

      Anyway, this censorship has caused most somewhat technically oriented people to switch to other nameservers than those provided by their ISPs, usually OpenDNS but also private nameservers they trust. I use our company's, which I run (and keep patched!), so I can circumvent the censorship.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    3. Re:As a Chinese Internet user... by gzipped_tar · · Score: 5, Insightful

      This is a very good question. Frankly, I don't know. As I have said, I never trust OpenDNS for security reasons. I use it for my desktop browsing, not for anything worthy enough to be protected. But I know from my own experience that some Chinese ISPs are seriously incompetent in managing security risks. I have seen some of their mistakes in securing their service, so that I wouldn't trust them again. OTOH I know I have to buy their services to get online and put these rants here, and that sounds like a paradox. Maybe it is. Finally we have to trust somebody else. That's how we make our lives. I just chose to deal with one who has *already* made a bad reputation as little as possible.

      --
      Colorless green Cthulhu waits dreaming furiously.
    4. Re:As a Chinese Internet user... by TorKlingberg · · Score: 5, Informative

      OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

    5. Re:As a Chinese Internet user... by gzipped_tar · · Score: 5, Informative

      Exactly. But there is a workaround. Just sign up for an OpenDNS free account and you can turn their "features" off in your preferences. Once configured OpenDNS works just like normal DNS servers that return NXDOMAIN on unknown domains, which is all I want.

      For dynamic IP users like me a bit more work is necessary: find a way to report the IP to OpenDNS so it knows it is you. I use the ddclient daemon to update my IP information to OpenDNS and things are working reasonably well so far.

      --
      Colorless green Cthulhu waits dreaming furiously.
  4. Re:Cyberparanoia by z0idberg · · Score: 5, Funny

    lol

    Can we check the IP origin of that last post please?

    *ring*ring*
    Badguy1: "Hello"
    Badguy2: "Hi, it's me, you ready to do this thing tonight?"
    Badguy1: "sure, don't forget to bring the stuff"
    *click*
    Badguy2: "hey did you just hear a click on the line?"
    Badguy1: "yeah! - do you think we are being tapped by the NSA?"
    Anonymous Coward: "No, it's not our style"
    Badguy1: "OK"
    Badguy2: "OK"

  5. It's a big flaw by ledow · · Score: 5, Interesting

    It's a big flaw. Someone big was bound to fall foul of it eventually. And to be honest, I can't say that I'm at all surprised. In fact, I'm expecting a lot more.

    I bet that there are still hundreds of large companies that are vulnerable worldwide and I bet that translates to hundreds of thousands, if not millions, of affected people. For instance, last time I checked the whole LGfL (London Grid for Learning) was vulnerable - and they provide DNS / Internet connectivity for every school in London (several million users, hundreds if not thousands of schools) with little alternative because they have been mandated as the recommended solution and thus all "interesting" content is in their private network.

    If they ARE still compromised (and several days after the release of the information, they were still showing up as vulnerable on all those DNS tests and today I got: Your name server, at ***.***.***.***, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32768), that's virtually every school, staff member and student in London (we're probably talking close on a million people because it includes Greater London Boroughs but I'm not sure of the exact figure) which are in trouble because they use the upstream DNS from LGfL as their basis.

    Have we heard anything through official channels? Nope.
    Does everybody just trust LGfL to do their job transparently? Yep.
    Have they done it? Apparently not.
    Have they even heard of it? I don't know, but there have been zero advisories, zero visible configuration changes, that I can see.

    Give it a few months, one of the students will download something and poison the whole of London's educational system and THEN maybe someone will bother to look into it.

    When I heard about this flaw, the first thing I did was check all upstream servers that either my servers or my own home computers use - my cheap ISP (PlusNet) had apparently fixed the issue before I'd even caught wind of the "there may be a DNS problem" posts on Kaminsky's blog. Every other one just seems to be dragging their feet.
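    The test output quoted in this comment reports the resolver's outbound source port; a resolver that sends every query from one port (32768 above) leaves an attacker only the 16-bit transaction ID to guess, which is what the Kaminsky-era checks flag. As an added example (not from the page or any of its posters), here is a small Python check that estimates source-port randomness from a constructed sample of (source port, TXID) pairs, the kind a defender would collect from their own resolver's outbound queries:

```python
import math
from collections import Counter

# Constructed sample: a resolver that reuses one source port for every query
# (like the fixed port 32768 reported by the test quoted in the thread).
FIXED_PORT_RESOLVER = [
    (32768, 0x1A2B), (32768, 0x9F11), (32768, 0x0042),
    (32768, 0x7E7E), (32768, 0xC3C3), (32768, 0x5150),
]

# Constructed sample: a patched resolver that randomises the source port too.
RANDOM_PORT_RESOLVER = [
    (51324, 0x1A2B), (34871, 0x9F11), (60018, 0x0042),
    (41990, 0x7E7E), (58313, 0xC3C3), (49777, 0x5150),
]


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sample, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(queries):
    """Classify a sample of outbound (source_port, txid) pairs.

    'vulnerable': a single source port is reused, so only the TXID protects
                  the cache (the Kaminsky scenario).
    'weak':       ports vary, but far less than a sample of this size allows.
    'ok':         source-port entropy is close to the maximum for the sample.
    """
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    n = len(queries)
    port_bits = shannon_entropy_bits(ports)
    max_bits = math.log2(n) if n > 1 else 0.0
    if len(set(ports)) == 1:
        verdict = "vulnerable"
    elif port_bits < 0.8 * max_bits:
        verdict = "weak"
    else:
        verdict = "ok"
    return {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_bits, 3),
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 3),
        "verdict": verdict,
    }
```

A real check needs many more samples than six, and both fields should be captured from the resolver's outbound traffic, not from the client-facing side.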

  6. Re:Frosty Post!!1 by SensiMillia · · Score: 5, Informative

    In fact Frosty Post AC has a point.

    Chinese speakers (at least in Beijing) often use the word 那个 (neige) as a filler word, much in the same way as 'uh' or 'er' are used in the English language.

    Anyone with no understanding of the Chinese language will often be confronted by the words 'nigga, nigga' when walking on the streets of Beijing.