Slashdot Mirror


DNS Problem Linked To DDoS Attacks Gets Worse

itwbennett writes "The percentage of devices on the Internet that are configured to accept DNS queries from anywhere — what networking experts call an 'open recursive' or 'open resolver' system — has jumped from around 50 percent in 2007 to nearly 80 percent this year, according to research sponsored by DNS appliance company Infoblox. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox. Georgia Tech researcher David Dagon agreed that open recursive systems are on the rise, in part because of 'the increase in home network appliances that allow multiple computers on the Internet. ... Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.' What's worse, says Dagon, is that many of these devices do not include patches for a widely publicized DNS flaw discovered by researcher Dan Kaminsky last year."

69 comments

  1. For starters by sopssa · · Score: 2, Insightful

    Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

    1. Re:For starters by Anonymous Coward · · Score: 0

      Well, setting up your own is the same as using the one that's set up for you in the box, wouldn't you say?

    2. Re:For starters by Anonymous Coward · · Score: 2, Informative

      One reason is to cut the # of queries coming into the ISP's servers. The modem can be a local cache.

    3. Re:For starters by TheRaven64 · · Score: 4, Insightful

      Devices like this should only accept DNS requests from the local network (not from the Internet) and should, unless explicitly configured to perform recursive queries, forward them to the ISP's cache.

      --
      I am TheRaven on Soylent News
    4. Re:For starters by Runaway1956 · · Score: 1

      Very very much the same. Of course, I can't customize the server on the box that's set up for me as easily as I can customize my own DNS server - but the results are about the same.

      GP should be aware that a variety of ills with internet connectivity are cured by having your own server - starting with the serious lag experienced when the ISP's server is screwed up somehow. I can send DNS queries halfway around the world, and get a response, faster than I can get answers from my local ISP's DNS server. I've often wondered if they have their server set up on a satellite - halfway to the moon.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:For starters by Architect_sasyr · · Score: 1

      Very very much the same. Of course, I can't customize the server on the box that's set up for me as easily as I can customize my own DNS server - but the results are about the same.

      Rubbish. Customisation aside, the open relay on the router is accessible on the outside, whereas one you set up on the inside has to have the ports forwarded through the NAT device on your average home LAN.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    6. Re:For starters by Anonymous Coward · · Score: 1, Informative

      Why would a cable/adsl modem have an open recursive DNS server? There's not a single reason for that - either use your ISP's autodefined DNS servers, change them to something else or set up your own.

      They don't. What the article is trying to say is that many ISPs are now distributing routers, either stand-alone or as a modem/router combo unit, which are almost always set to the ISP's DNS servers and not just hanging wide open as the article is claiming. Hell, most of these don't have the capability to do more than support either a hardcoded DNS number, or auto-learn it from the cable company's CMTS. I have never seen one that will just take updates from 3rd party DNS, although there is a possibility if the ISP's DNS is hanging open that it would pass along shoddy information.

      More FUD. For some reason I'm really not surprised.

    7. Re:For starters by socsoc · · Score: 1

      Far from the same. There is no need for a home router to be a DNS server to the outside, at most a repeater to the LAN from the ISP's DHCP assigned addys or for a customer with a bit more savvy, the IPs for OpenDNS.

    8. Re:For starters by Runaway1956 · · Score: 1

      "Well, setting up your own is the same as using the one that's set up for you in the box, wouldn't you say?"

      There is the GP's question that I responded to. In fact, the DNS server in my router is no different than the DNS server on my gateway machine - except for configuration. The major reason I disabled the server on the router was so that I could more easily update the server, and so that I could more easily configure it.

      If I saw a reason, I could configure my firewall to allow queries to come in from the outside, in which case, my server would respond. What you really mean to say is, the server on the router is misconfigured if it responds to outside requests - and I would tend to agree with that.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    9. Re:For starters by turbidostato · · Score: 1

      "Why would a cable/adsl modem have an open recursive DNS server?"

      Why not? In fact, why shouldn't any DNS over there be opened to recursive searches? I know why I don't want an opened resolver on my facilities and I know why buggy software shouldn't be opened to the Internet, but that is not what I'm asking.

    10. Re:For starters by Alnitak73 · · Score: 1

      Actually most routers don't have a fully recursive server - they have a "proxy" (or "forwarder").

      See my RFC 5625 for more details, and some explanation for why the router even has this feature. The short answer is that it's so that the router can give a consistent DHCP OFFER before it knows what the upstream DNS servers are. See also slides I presented at the IETF DNSOP working group last week: http://tools.ietf.org/agenda/76/slides/dnsop-5.ppt

      If the proxy is open on the WAN port then it'll forward all queries to the ISP's real recursive servers, and that's where the recursion happens. It may look as if the router's DNS proxy is recursive, but in most cases it isn't.

      The DNS query results from the ISP will go back up the DSL / cable line back to the router, which will then send them back down the line to the (probably spoofed) source IP address of the original request.

    11. Re:For starters by Alnitak73 · · Score: 1

      Very very much the same.

      Actually, not the same at all. The DNS proxy servers in most home routers are very buggy.

    12. Re:For starters by Alnitak73 · · Score: 1

      Umm, say what?!

      This is not FUD. The routers have DNS proxies in them. Some of those routers do the equivalent of "listen" on 0.0.0.0:53 and don't block queries arriving on the external interface.

      A small query sent to the router from the outside is then forwarded to the ISP's DNS server, which duly sends the answer back to the router, which the router then sends back to the original UDP source address, which was probably spoofed. That response packet can be much larger than the original request, and as far as the victim was concerned it was sent from your router!

  2. is this a problem by hey · · Score: 2, Insightful

    Open DNS servers don't seem so bad to me.
    Like an open website -- OMG everyone can access it.

    1. Re:is this a problem by RiotingPacifist · · Score: 4, Informative

      1) If there is a flaw in the software, I can tell your DNS server that slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
      2) I can use up all of your router's resources and then you can't look up any sites yourself

      --
      IranAir Flight 655 never forget!
    2. Re:is this a problem by arielCo · · Score: 1

      Like an open website -- OMG everyone can access it.

      This is more like an open website running on IIS 4.0 because that's what's built into the server.

      Only these devices do not auto-update - funny thing considering that their function requires being connected to the Internet. The only problem would be prompting for authorization.

      --
      This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
    3. Re:is this a problem by sopssa · · Score: 1

      There's also a DDoS possibility, since the remote computer can send a 50 byte message that results in the DNS server getting 4 kilobytes of data back to query it. DDoS'r does many of those and your network is filled with that crap.

    4. Re:is this a problem by TheRaven64 · · Score: 1

      No, more like an open proxy. This isn't about authoritative DNS servers responding to everyone (they do; that's what they're for), it's about DNS caches responding to queries from everyone (not just those on the local net), which wouldn't be so bad except that many of them are insecure.

      --
      I am TheRaven on Soylent News
    5. Re:is this a problem by iLogiK · · Score: 2, Insightful

      I'm not sure how the DNS flaw works, but I just thought of something (feel free to mod me down if this is stupid). If you were to target someone specifically that was using a router that supported auto-update, but it didn't update itself with a fix for the vulnerability yet, couldn't you possibly use the DNS flaw to fool it into getting the update from one of your servers? Meaning, you could get the router to do pretty much anything you want, and a router can do a lot of bad stuff.

    6. Re:is this a problem by commodore64_love · · Score: 1

      I don't understand. Are you saying you can hijack my DSL modem and make it point to your website, instead of my bank website? Does this flaw also affect traditional 33k or 56k dialup modems? Would swapping-out the hijacked modem for a new one eliminate this "hole"?

      Another semi-related question:

      If I swap my current DSL modem with the spare modem in my drawer, would that change my IP address?

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:is this a problem by arielCo · · Score: 1

      Oh, oh, by "auto-update" I meant software updates. (Kids, that's what happens when you post without having had enough sleep).

      My concern is that the software driving modems and routers is rarely updated, but they're standing between you and the wide, wild Internet. Sure they could check for new versions, but how do they prompt you for permission? (I think technically minded consumers would be a bit miffed if the manufacturer pushed patches behind your back)

      --
      This post contains no rudeness or derision of any kind. All arguments are friendly. Terms and exclusions may apply.
    8. Re:is this a problem by mengel · · Score: 1

      Real dialup modems don't do anything nearly as smart as DNS.

      DSL "Modems" are really full-blown routers, and generally have NAT routing setup, and DNS and DHCP servers. So yes, they can be vulnerable to DNS cache poisoning, and then you'll get some Phisher-pholk's server instead of your bank's.

      --
      - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
    9. Re:is this a problem by Anonymous Coward · · Score: 0

      My concern is that the software driving modems and routers is rarely updated, but they're standing between you and the wide, wild Internet. Sure they could check for new versions, but how do they prompt you for permission? (I think technically minded consumers would be a bit miffed if the manufacturer pushed patches behind your back)

      That's exactly how it works - they don't prompt the client, and they do phone home. Here's an example of an AT&T DSL modem doing it. (Ignore the fact that most of the people in the thread are thinking that the reason the poster's miffed is because of the blinking light, rather than why the light is blinking.)

      I noticed similar behavior in the modem's logs at http:/// (an-IP-address-associated-with-a-similar-device) /logs.htm , and proved that it was doing so by unplugging the Ethernet cable from behind it (there's no way any traffic generated on my side was getting to the modem through an air gap!) before going away for a weekend. When I came back, the router had spontaneously started several sessions with the outside world for updates, and then shut them down a few moments later.

      And yeah, I was also miffed.

    10. Re:is this a problem by Anonymous Coward · · Score: 0

      I think the point is open clients, not servers.

    11. Re:is this a problem by socsoc · · Score: 1

      these can't be serious questions from someone with your username. if they are, ask your bff jill.

  3. Normal for security by Bentov · · Score: 1

    Open by default, instead of closed.

  4. Trying to make something from nothing. by danwesnor · · Score: 2, Insightful

    Yeah, but these devices are designed to name serve on the intranet, not the internet. Mine came with the default to ignore all traffic coming from the outside world.

    1. Re:Trying to make something from nothing. by Anonymous Coward · · Score: 0

      exactly... that's how all routers with DHCP/DNS servers work... this article is a farce.

    2. Re:Trying to make something from nothing. by icebraining · · Score: 3, Insightful

      No, they're not, according to the summary: "devices on the Internet that are configured to accept DNS queries from anywhere", "Almost all ISPs distribute a home DSL/cable device. Many of the devices have built-in DNS servers. These can sometimes ship in "open by default" states.'

      Just because yours is closed by default, doesn't mean all are.

    3. Re:Trying to make something from nothing. by danwesnor · · Score: 2, Interesting

      OK, you're right, 1 of 1 is not enough to make an assumption. But of the 5 I've bought over the years from 3 different vendors, all 5 were shipped configured to accept DNS requests from the intranet but block all requests of any type from the internet.

    4. Re:Trying to make something from nothing. by Sabriel · · Score: 1

      Just check that the manufacturer hasn't been stupid enough to ship it with an internet-accessible backdoor built in.

      Example: http://hardware.slashdot.org/hardware/04/06/05/1250244.shtml

    5. Re:Trying to make something from nothing. by Anonymous Coward · · Score: 0

      You're also assuming that the software has no flaws. Even if it's configured not to allow external DNS requests, that doesn't mean anything if the software is not respecting that configuration fully.

    6. Re:Trying to make something from nothing. by Alnitak73 · · Score: 1

      Yes, they're supposed to do this DHCP and DNS stuff on the LAN interface.

      What they're not supposed to do is respond to DNS queries received on the WAN interface. That's what the survey and article are about.

    7. Re:Trying to make something from nothing. by greed · · Score: 1

      Note the difference between "ones you've bought" and "ones provided by the cable Internet vendor".

      My experience has been, any software provided by an ISP is to be treated as worse than malware.

      Since I never used 16-bit Windows, I never understood "Internet Dialler" software that Windows users seemed to always install from their ISP... and was always the first thing in the way when trying to fix a busted system. But it has served to convince legions that ISP-provided software is necessary to get on the Internet. (Whereas even Windows 95 had enough stuff to dial a modem and set up PPP or SLIP. For non-PPPoE broadband--typically cable--you need no extra software on any Ethernet capable OS.)

      More recently, "Internet Security Suites" provided by ISPs should never be installed. If found installed, it should be removed by re-formatting the system from read-only media. (Short of serious registry hacking, that's the only way to get rid of the stuff Bell Sympaticrap provides.)

      So I'm not surprised they ship modems or routers with "PWN ME!" as the default setting.

      Buying your own router immediately puts you in the top percentiles of "tech skill".

  5. Is that why Slashdot was down? by ironicsky · · Score: 1

    Slashdot got DDoS'd or Slashdotted?

    1. Re:Is that why Slashdot was down? by MickyTheIdiot · · Score: 1

      Does anyone else think it's funny that this story was posted while /. was showing "guru meditation" errors?

    2. Re:Is that why Slashdot was down? by rvw · · Score: 1

      Does anyone else think it's funny that this story was posted while /. was showing "guru meditation" errors?

      No

    3. Re:Is that why Slashdot was down? by Anonymous Coward · · Score: 0

      It was. I even looked up the backend software linked to in that error page, but quickly lost interest after finding no references there to slashdot so they could plug their reliability.

  6. And in a prophetic twist of fate... by macraig · · Score: 1

    ... the RSS feed for this article fails to load!

    Error 503 Service Unavailable

    Service Unavailable

    Guru Meditation:

    XID: 1704629829

    Varnish

    1. Re:And in a prophetic twist of fate... by sopssa · · Score: 1

      You kids and your RSS feeds... That was on the whole site.

    2. Re:And in a prophetic twist of fate... by macraig · · Score: 1

      What's not to love about RSS feeds? It's like the Web for e-mail! :-) No blockage at the Web site proper, though... I clicked through to it from the feed immediately after, and not even so much as a pregnant pause.

    3. Re:And in a prophetic twist of fate... by macraig · · Score: 1

      I think there must have been a crack in the Varnish.

    4. Re:And in a prophetic twist of fate... by TheRaven64 · · Score: 1

      What's not to love about RSS feeds?

      Unlike the normal Slashdot front page, it is not possible to block stories by kdawson from the RSS feeds (or, wasn't last time I tried).

      --
      I am TheRaven on Soylent News
    5. Re:And in a prophetic twist of fate... by Hunter-Killer · · Score: 1

      Yahoo Pipes works acceptably for this task.
      Example: http://pipes.yahoo.com/pipes/pipe.info?_id=VsavzdaC3RGH9sTVrLQIDg

    6. Re:And in a prophetic twist of fate... by commodore64_love · · Score: 1

      >>>Guru Meditation:

      You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    7. Re:And in a prophetic twist of fate... by macraig · · Score: 1

      They weren't before my time, but I never laid a finger on anything branded Commodore, so the humor you see in it just confuses me! Maybe I should change my account to SinclairQL_love?

    8. Re:And in a prophetic twist of fate... by commodore64_love · · Score: 1

      "Guru Meditation" is the Amiga's version of a kernel panic, and dates back to 1985. That's why I thought you were making some in-joke about that machine (or else the website owner was). The screen looks like this:
      http://en.wikipedia.org/wiki/Guru_Meditation

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    9. Re:And in a prophetic twist of fate... by macraig · · Score: 1

      Nice funny story about the origins of it. I'm sure the homage must make a few old Commodore coders feel warm and fuzzy. Hey, did you edit the Trivia section to include the mention of the Varnish homage, or was it already there? Ah, wait, checking History... nope, it's actually been there for a while.

    10. Re:And in a prophetic twist of fate... by osu-neko · · Score: 1

      >>>Guru Meditation:

      You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

      Good gods, that would be blazing fast. IIRC, my Amiga had a 7 MHz 68000.

      --
      "Convictions are more dangerous enemies of truth than lies."
    11. Re:And in a prophetic twist of fate... by jgrahn · · Score: 1

      >>>Guru Meditation:

      You're surfing the net from a Commodore Amiga? Isn't that 400 megahertz PPC processor kinda slow? ;-)

      That message got removed after Kickstart 1.3, when an Amiga had an 8MHz MC68000. Not that it matters -- the Amiga compensated for slow hardware with fast, well-written software.

  7. No-one is truly safe... by Anonymous Coward · · Score: 1, Interesting

    Cache poisoning is something you do by returning an answer to a DNS server that's doing a lookup on your behalf. Let's say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf. What I can then do is bombard your router back with answers for your bank's web site being a different IP address so that when your router finally does the DNS lookup again at some point, the potential is there for it to accept MY answer for their site that will send you elsewhere and you'd never know it.

    This has NOTHING to do with having open ports because the issue is that your router asked another DNS server somewhere on the internet for a lookup - so it's already waiting for a return answer... of which you can now attempt to provide it the wrong one. So if anything you DON'T have to be an open recursive DNS server to be attacked - all you have to be doing is a recursive query, which most if not ALL routers do as they do the lookup for you. Hence therein lies the issue... Oh, and set up your own patched recursive DNS server that you now think makes you "safe"... odds are your router won't randomize the outbound ports that DNS uses, so you're back at square one again with this vulnerability.

    1. Re:No-one is truly safe... by vlm · · Score: 1

      Let's say I was able to sniff your traffic and see that you go to your Bank's web site based on the last DNS query your router did on your behalf

      What makes it worse, is you don't need such a precision attack. You could have a botnet randomly bombard everyone with "somebankname.com" is 1.2.3.4, and eventually you'd get a hit. Hit rate too slow, get more bots...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  8. Some better insight... by Anonymous Coward · · Score: 0

    Whether or not the DNS on your router is open externally to DNS matters not with this vulnerability. If you have a router that's doing recursive lookups for internal users - it's awaiting an answer back from whomever it asked. If a hacker happens to flood your router with answers for a common DNS query such as Google or Yahoo - there's a good chance that it could poison the answer if your router/DNS happens to ask for that and it gets the port number right... not impossible.

    That's the problem with this vulnerability. You don't have to be openly recursive to be poisoned - just doing recursive queries.

  9. Name and Shame by Midnight+Thunder · · Score: 1

    The problem I have seen is a mixture of ISPs which take years to react to anything and suppliers of these devices not taking responsibility and simply blaming it on the ISP. Because of this I would appreciate a role call of ISPs and hardware involved in this, so that we can either avoid them or get them to fix the problem.

    --
    Jumpstart the tartan drive.
    1. Re:Name and Shame by jerimiahf · · Score: 1

      You could not be any more wrong on this with that statement. The ISP is not the issue and the hardware is not the issue. If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.

    2. Re:Name and Shame by Alnitak73 · · Score: 1

      If you are to build a recursive DNS server and have it do recursive queries on the internet completely bypassing your Router and ISP's DNS setup - you are still vulnerable.

      Actually, only if you use NAT.

      If you have a fixed IP range internally and don't use any NAT then you can use the source port randomisation introduced on most servers after Kaminsky and remain very well protected against cache poisoning.

      The real problem is that if you're using NAT each outbound query will have (some of) its source header fields rewritten. So even if the internal recursive server properly picks a random source port, the NAT process in your router might de-randomise it.

      It's very common for NAT processes to just pick sequential source ports. The original source port sequence might go 53271, 1095, 37451, but the router might re-write that as 1024, 1025, 1026, ...

      This predictable source port selection algorithm leaves you back where we were pre-Kaminsky.
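      A way to check the de-randomisation Alnitak73 describes on your own equipment: capture outbound port-53 traffic on the WAN side, feed the tcpdump lines to the analyser below, and see whether the source ports the router actually emits still look random. This is an added example, not code from the thread; the capture lines are constructed and use documentation address ranges.

```python
"""Measure the source-port entropy of DNS queries as they leave a NAT router.
Added example (not from the thread); the tcpdump output below is constructed."""
import re
from typing import List

TXID_SPACE = 65536        # 16-bit DNS transaction ID, the only secret without port randomisation

# Constructed `tcpdump -n udp port 53` output captured on the WAN interface.
# First capture: the router rewrote the resolver's random ports to a sequential run.
SEQUENTIAL_CAPTURE = """\
12:00:01.001 IP 203.0.113.7.1024 > 198.51.100.53.53: 21305+ A? example.com. (29)
12:00:01.052 IP 203.0.113.7.1025 > 198.51.100.53.53: 9023+ A? example.net. (29)
12:00:01.110 IP 203.0.113.7.1026 > 198.51.100.53.53: 44171+ A? example.org. (29)
12:00:01.173 IP 203.0.113.7.1027 > 198.51.100.53.53: 612+ AAAA? example.com. (29)
12:00:01.240 IP 203.0.113.7.1028 > 198.51.100.53.53: 58001+ A? www.example.com. (33)
"""
# Second capture: the resolver's randomised ports survived translation.
RANDOM_CAPTURE = """\
12:00:02.001 IP 203.0.113.7.53271 > 198.51.100.53.53: 21305+ A? example.com. (29)
12:00:02.052 IP 203.0.113.7.1095 > 198.51.100.53.53: 9023+ A? example.net. (29)
12:00:02.110 IP 203.0.113.7.37451 > 198.51.100.53.53: 44171+ A? example.org. (29)
12:00:02.173 IP 203.0.113.7.8842 > 198.51.100.53.53: 612+ AAAA? example.com. (29)
12:00:02.240 IP 203.0.113.7.60117 > 198.51.100.53.53: 58001+ A? www.example.com. (33)
"""

# Matches the "src.port > dst.53:" part of a tcpdump line for a query to port 53.
_LINE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: ")


def source_ports(capture: str) -> List[int]:
    """Extract, in order, the source port of every outbound query to port 53."""
    ports = []
    for line in capture.splitlines():
        m = _LINE.search(line)
        if m:
            ports.append(int(m.group("sport")))
    return ports


def increment_fraction(ports: List[int]) -> float:
    """Fraction of consecutive queries whose port is exactly the previous one plus one."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if (b - a) % 65536 == 1)
    return steps / (len(ports) - 1)


def effective_port_space(ports: List[int]) -> int:
    """Rough size of the port space an off-path guesser has to cover per query:
    1 when the next port is predictable, otherwise the spread of ports observed.
    (A crude estimate; a long capture and a proper randomness test are better.)"""
    if len(ports) < 2:
        return 1
    if increment_fraction(ports) >= 0.8:
        return 1
    return max(ports) - min(ports) + 1


def expected_guesses(ports: List[int]) -> int:
    """Work factor for a blind poisoning attempt: TXID space times port space.
    Sequential ports collapse this back to the pre-Kaminsky 65536."""
    return TXID_SPACE * effective_port_space(ports)


def verdict(capture: str) -> str:
    """Human-readable summary for one capture."""
    ports = source_ports(capture)
    if effective_port_space(ports) == 1:
        return "source ports are predictable: NAT is de-randomising your resolver"
    return "source ports look randomised on the WAN side"


if __name__ == "__main__":
    for label, cap in (("sequential", SEQUENTIAL_CAPTURE), ("random", RANDOM_CAPTURE)):
        p = source_ports(cap)
        print(label, p, verdict(cap), "guesses needed ~", expected_guesses(p))
```

Run it against a real capture by replacing the constructed strings with the output of tcpdump taken between the router and the modem; five packets is only enough to illustrate the idea.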

  10. Forget this... by Anonymous Coward · · Score: 0

    Forget this issue, many ISPs have their DSL router's web config interface accessible from "anywhere" and many devices have a hidden built-in super user which cannot be deleted or its passwd be changed. Here with my ISP, I can just scan an IP range, connect to any DSL router and change any setting I wish, no matter what the user's admin passwd for the router is. Then it's trivial to change DNS and hijack sessions.

  11. How does one test for this vulnerability? by fragMasterFlash · · Score: 2, Interesting

    Several online tools were available to test for vulnerabilities on individual PCs back when Kaminsky discovered the sad state of DNS security. Is there a similar test available for cable modems? How about a list of susceptible devices? I'd rather not put blind faith in my ISP to keep me out of harm's way.

    1. Re:How does one test for this vulnerability? by Anonymous Coward · · Score: 0

      I am probably wrong so until someone confirms this take it with less than a grain of salt.
      Can't you just do a dig for google.com using your public IP address as the DNS server:
        If you get no response you are fine,
        If you get a response from your public IP address, then you're running a world-accessible DNS server,

      Change your settings or get a new device.

      Example: dig@ google.com

    2. Re:How does one test for this vulnerability? by Anonymous Coward · · Score: 0

      This would only detect whether you are open to the DoS attack.
      As already mentioned the cache poisoning issue is much more complicated.

      Also guessing your example command got cut:

      dig @ROUTER_IP dnsname

    3. Re:How does one test for this vulnerability? by jerimiahf · · Score: 1

      If you're familiar with Dig - you can use the commands found on this great article: http://www.cyberciti.biz/faq/dns-cache-poisoning-test/
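      A scripted version of the dig check above, which also measures the reflection behaviour Alnitak73 describes (small query in, larger answer out to whatever source address was on the packet): it builds a recursive query, parses the reply, reports whether the responder acted as an open resolver, and gives the reply-to-query size ratio. This is an added example, not code from the thread; the addresses are documentation ranges and the sample reply is constructed.

```python
"""Build a DNS query, parse the reply, judge open-resolver behaviour and the
reply/query size ratio. Added example; sample data below is constructed."""
import random
import socket
import struct
from typing import List, Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query with the RD bit set (asks for recursion). qtype 1 = A."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Parse header flags and walk all sections; raises ValueError if malformed."""
    try:
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(data, off) + 4              # QTYPE + QCLASS
        rdata_total = 0
        for _ in range(an + ns + ar):
            off = _skip_name(data, off)
            _t, _c, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            rdata_total += rdlen
        if off > len(data):
            raise ValueError("truncated record")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS message") from exc
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "size": len(data),
            "rdata_bytes": rdata_total}


def classify(query: bytes, response: bytes) -> str:
    """Did the responder act as an open resolver for this query?"""
    qid = struct.unpack("!H", query[:2])[0]
    info = parse_response(response)
    if not info["qr"] or info["id"] != qid:
        return "not a matching response"
    if info["rcode"] == 5:
        return "refused: recursion not offered to this client"
    if info["ra"] and info["ancount"] > 0:
        return "open resolver: answered a recursive query"
    return "answered without recursion available"


def amplification(query: bytes, response: bytes) -> float:
    """Bytes sent back per byte received; what a reflector offers a spoofer."""
    return len(response) / len(query)


def sample_response(query: bytes, addrs: List[str]) -> bytes:
    """Constructed reply to `query`: flags QR|RD|RA, the question echoed back,
    and one A record per address using the 0xC00C pointer to the question name."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers


def probe(server: str, name: str = "example.com", timeout: float = 2.0):
    """Send one recursive query to `server` (e.g. your own router's public address,
    tested from outside your LAN) and return (verdict, size ratio)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            r, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response: queries from this side are dropped", 0.0
    return classify(q, r), amplification(q, r)


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    r = sample_response(q, ["192.0.2.1", "192.0.2.2"])   # constructed reply
    print(classify(q, r), "ratio %.2f" % amplification(q, r))
    # probe("ROUTER_PUBLIC_IP")   # placeholder: run from outside against your own router
```

A two-record A reply only roughly doubles the packet; the ratio sopssa mentions comes from replies that carry far more record data, which the `rdata_bytes` field lets you see.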

  12. Source ? by dbcad7 · · Score: 1

    Ok, they list 2 ISP's as the leading "culprits".. in Spain, and France I guess.. then they go on to say something about DSL modems supplied with DNS servers ???.. what's that about ? really ? a DNS server on the modem ? .. a hard coded link to a DNS server maybe.. If you're going to report a problem, then report a problem.. like the names of the manufacturers, models, and ISP's and give people something to look out for.

    --
    waiting for ad.doubleclick.net
    1. Re:Source ? by Tony+Hoyle · · Score: 1

      DNS cache proxies are common on consumer routers.

      Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.

      Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.

    2. Re:Source ? by Alnitak73 · · Score: 1

      DNS cache proxies are common on consumer routers.

      Actually most of them don't cache - mostly they just forward. Of the ones I've tested only Apple's Airports had a real cache in them.

      Of course almost universally these are set to block all requests from outside, so can't really be accused of causing a jump of open resolvers from 50% to 80% on their own.

      The increase is interesting, and unexpected. I do know of some brands that are open by default from the outside, but had hoped that the recent research and various related RFCs might have reduced the incidence of this.

      Also any network running authoritative DNS will have an open DNS.. that's unavoidable - although you normally rate limit it with iptables to stop magnification attacks.

      The number of authoritative servers on the internet isn't that large, and certainly not on the scale of the problem that Wessels et al have found. It's these dumb proxies that don't have the rate limiting etc that are the problem.

  13. Dagon by jgrahn · · Score: 1

    Is it just me, or does anyone else have an issue with the name "David Dagon"? I keep imagining the interview taking place with him sitting on a giant basalt throne off the New England coast, at low tide ...

    1. Re:Dagon by sudog · · Score: 1

      No, it's not just you. I see Dagon and I think Shadow Over Innsmouth, or Dagon (2001) every time. It would be cool to have a name like that.. sort of like being Fred Cthulhu, or Samson Yog-sothoth.

    2. Re:Dagon by SQL+Guy · · Score: 1

      And where does Cricket Liu fit in all this?

  14. Re:is this a problem NOT WITH A GOOD HOSTS FILE by Anonymous Coward · · Score: 0

    "1) If there is a flaw in the software, I can tell your DNS server that slashdot is at 80.65.228.129 or that your bank resolves to my MITM attack site.
    2) I can use up all of your router's resources and then you can't look up any sites yourself"
    - by RiotingPacifist (1228016) on Sunday November 15, @09:38AM (#30105686)

    RP, that is why I use a custom HOSTS file & not only to block out KNOWN "bad" adservers, maliciously coded sites or adbanners, and "botnet C&C servers" too, from reliable reputable lists but also for speed (more on that later & WHY/HOW (I use reliable lists for that, such as these HOSTS @ Wikipedia.com -> http://en.wikipedia.org/wiki/Hosts_file or those from mvps.org (a good one this one))

    I further populate my custom HOSTS file with up to date information in regards to all of those threats, via Spybot "Search & Destroy" updates (populates HOSTS and browser block lists), but also via sites like ZDNet's Mr. Dancho Danchev's blog -> http://ddanchev.blogspot.com/ or sites like FireEye -> http://blog.fireeye.com/ , stopbadware.org, & also SRI (just to name a few of my sources) & my HOSTS file incorporates ALL of the entries from the HOSTS files shown @ wikipedia (all duplicates removed via a Borland Delphi app I wrote to do so, and also change the default larger & SLOWER 127.0.0.1 blocking 'loopback adapter' IP address to either 0.0.0.0 (for VISTA/Windows Server 2008/Windows 7, smaller & thus faster than 127.0.0.1 default) or the smallest & fastest 0 "blocking 'IP ADDRESS'" (for Windows 2000/XP/Server 2003 which can STILL use it (& it was added in a service pack on Windows 2000, only on 12/09/2008 MS patch tuesday was it removed for VISTA onwards (& now all these "phunny little bugs" are showing up as FLAWS in this new NDIS6 approach via WFP as well in the firewall, which ROOTKIT.COM has stated (with code too no less on how it is done) -> http://www.rootkit.com/newsread.php?newsid=952 that it is EASIER TO UNHOOK (than was the design used in Windows 2000/XP/Server 2003))

    HOWEVER, to "CIRCUMVENT" THAT WHICH YOU NOTE? WELL - I use another "technique" called "hardcoding" an IP address to domainname/hostname in my HOSTS files, for my FAVORITE websites:

    This allows me to FIRST bypass any remote/external DNS lookups, which also would in theory @ least, make me "proofed" vs. DNS request logs by my ISP/BSP (especially since I use external DNS servers too, beyond my hardcoded favs in my HOSTS file because I can't ping & resolve the ENTIRE internet after all), making it harder for them to track me... sure, they could do a "reverse DNS lookup" via pings &/or traceroutes & the top level domain that does nothing BUT cache reverse DNS lookups does the rest, but that is harder to do, than looking up my URL requests via a log on a DNS server))

    ALSO, AS A "BONUS" in HOSTS FILES:

    It speeds you up, for one thing, & a buddy of mine says it has (verbatim quote) "DOUBLED MY SPEED ONLINE, BUT I VALUE THE SECURITY PART MORE", because he used to get over 200++ viruses a week, now? Only maybe 2 a years, & he is convinced it is largely due to the HOSTS file I send him weekly (he is my "lab rat #1" due to his previous infestation rate), & if that "anecdotal evidence" is not enough? See this then, from a published security guru on a respected site for it:

    ====

    RESURRECTING THE KILLFILE:

    (by Mr. Oliver Day)

    http://www.securityfocus.com/columnists/491

    PERTINENT EXCERPTS/QUOTES:

    "The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet particularly browsing the Web is actually faster now."

    "From what I have seen in my research, major

  15. how is this news by Anonymous Coward · · Score: 0

    apart from false advocacy for dnssec that will even simplify amplification attacks ?