
DNS Poisoning Hits One of China's Biggest ISPs

timothy posted more than 6 years ago | from the when-bad-childhoods-attack dept.

Security 86

Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."


86 comments


Frosty Post!!1 (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24701199)

China is full of N_ggers

Re:Frosty Post!!1 (1, Funny)

Tubal-Cain (1289912) | more than 6 years ago | (#24701259)

I'd like to buy a vowel. A.

Re:Frosty Post!!1 (-1, Offtopic)

EdIII (1114411) | more than 6 years ago | (#24701473)

Hmmmm. I'd like to solve the puzzle.... :)

Re:Frosty Post!!1 (1, Interesting)

Wonko the Sane (25252) | more than 6 years ago | (#24702819)

Obviously some moderator has never seen this [wikipedia.org] .

Re:Frosty Post!!1 (1)

multisync (218450) | more than 6 years ago | (#24705425)

Obviously some moderator has never seen this

Yeah, and he sure taught you a lesson by modding your explanation of the first post Offtopic.

How dare you point out his ignorance!

Re:Frosty Post!!1 (0)

Anonymous Coward | more than 6 years ago | (#24701265)

I know. They're always nagging me.

Or maybe you mean Noggers [wikipedia.org] ?

Re:Frosty Post!!1 (1)

AmishElvis (1101979) | more than 6 years ago | (#24701793)

*whoosh* watch more South Park

Re:Frosty Post!!1 (0)

Anonymous Coward | more than 6 years ago | (#24701965)

Whoosh indeed.

Twit.

Re:Frosty Post!!1 (5, Informative)

SensiMillia (217366) | more than 6 years ago | (#24701899)

In fact Frosty Post AC has a point.

Chinese speakers (at least in Beijing) often use the word 那个 (neige) [sheik.co.uk] as a filler word; much in the same way as 'uh' or 'er' are used in the English language.

Anyone with no understanding of the Chinese language will often be confronted by the words 'nigga, nigga' when walking on the streets of Beijing.

It's <iframe> (5, Funny)

Anonymous Coward | more than 6 years ago | (#24701277)

<iframe> is property of html, not Apple Inc.

Re:It's (2, Insightful)

i.of.the.storm (907783) | more than 6 years ago | (#24701657)

Haha, I guess it's kind of become reflex now to capitalize anything coming after an i.

Re:It's (3, Informative)

ChoboMog (917656) | more than 6 years ago | (#24702475)

It may be like a reflex now, but at least the "iFrame" name is derived from what it actually is (an Inline Frame) and not just a letter stuck somewhere as part of a marketing or branding gimmick.

J.E.E.E.E.E.E.E.E. h.a.a.a.a.a.a.a.a.a.a.a.a da (0)

Anonymous Coward | more than 6 years ago | (#24702527)

Yippe Eye Oh Eye Ay Yippie Eye Ay

Axis of evil gets it in its axis

Re:It's (1)

AndGodSed (968378) | more than 6 years ago | (#24704737)

Btw - what does the "i" have to do with apple anyhow?

Re:It's (1)

i.of.the.storm (907783) | more than 6 years ago | (#24708835)

I knew that. The whole iLine of products is really annoying to me. Same goes for eMachines, and I have to admit the whole K thing with KDE apps is kind of annoying too. But KDE is still better than GNOME, flamewar go! *ducks*

Re:It's (1)

badkarmadayaccount (1346167) | about 6 years ago | (#24791321)

FluxBox rulz! *ducks lower*

Re:It's (0)

Anonymous Coward | more than 6 years ago | (#24703437)

TFS was trying to be impartial. They forgot to mention Mozilla though.

Lymric (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24701285)

Me Chinese, me play joke.
Me go pee-pee in your Coke.

Re:Lymric (0)

Anonymous Coward | more than 6 years ago | (#24710739)

That's offensive to me!

I demand that you correct your egregious and offensive error, and spell it "limerick" as it should be.

Not to mention that a limerick should officially be 5 lines long.

And you don't have to be Chinese to pee in someone's Coke. I work in a restaurant ;)

Cyberwar (1)

religious freak (1005821) | more than 6 years ago | (#24701287)

Odd, just a little probe from the NSA?

Whenever attacks target specific countries, I wonder.... Yeah, I guess I'm feeling a little paranoid tonight.

Cyberparanoia (0)

Anonymous Coward | more than 6 years ago | (#24701451)

I doubt it. It's not the NSA style.

Re:Cyberparanoia (5, Funny)

z0idberg (888892) | more than 6 years ago | (#24701505)

lol

Can we check the IP origin of that last post please?

*ring*ring*
Badguy1: "Hello"
Badguy2: "Hi its me, you ready to do this thing tonight?"
Badguy1: "sure, dont forget to bring the stuff"
*click*
Badguy2: "hey did you just hear a click on the line?"
Badguy1: "yeah! - do you think we are being tapped by the NSA?"
Anonymous Coward: "No its not our style"
Badguy1: "OK"
Badguy2: "OK"

Re:Cyberparanoia (4, Informative)

jonaskoelker (922170) | more than 6 years ago | (#24703005)

I know you're just trying to be funny, but allow me still to (hopefully) educate some of your readers.

If anyone was wiretapping and using reasonably well-designed equipment, you wouldn't hear clicks, since clicks can be avoided. I think "high-impedance circuitry" was the phrase used to justify that claim.

Also, if the wiretappers are playing by the rules, you can just press C on your phone (or play back two tones with the corresponding frequencies but less amplitude than your phone does) to shut down the recording equipment at the other end.

Source: Matt Blaze, http://www.usenix.org/events/lisa05/tech/mp3/blaze.mp3 [usenix.org] , http://www.usenix.org/events/lisa05/tech/ [usenix.org] .

Interesting to know, if you plan on being wiretapped. What's also interesting to know is that wiretapping equipment is (usually) illegal to posses, yet can be bought from law enforcement agencies on ebay :)

Re:Cyberparanoia (1)

ksd1337 (1029386) | more than 6 years ago | (#24701543)

Not following the rules of the Constitution is not the "style" either, but it looks like that went out of fashion.

Re:Cyberparanoia (1)

Das Modell (969371) | more than 6 years ago | (#24701563)

Yeah. The NSA sends Sam Fisher.

Re:Cyberparanoia (0, Offtopic)

Saint Gerbil (1155665) | more than 6 years ago | (#24703017)

that drunken bum ?!

Re:Cyberwar (1)

Devil's BSD (562630) | more than 6 years ago | (#24702021)

I get what you're driving at. A communications blackout can mean only one thing - invasion!

Real Player exploits? (2, Funny)

dohzer (867770) | more than 6 years ago | (#24701289)

It's a good thing nobody uses Real Player these days, isn't it!

Re:Real Player exploits? (1)

das_magpie (1149995) | more than 6 years ago | (#24701477)

Yeah, shame flash is so popular though.

Re:Real Player exploits? (1)

Ethanol-fueled (1125189) | more than 6 years ago | (#24701493)

Wait...if you run a firewall and that protects you, then shouldn't they be more protected because they have a great firewall?

Re:Real Player exploits? (0)

Anonymous Coward | more than 6 years ago | (#24702089)

it'd have to be a really great firewall to protect you from stuff on the same side of it as you.

Since when (5, Funny)

narcberry (1328009) | more than 6 years ago | (#24701365)

Since when do I have to input my SSN to post to slashdot?

Re:Since when (0, Redundant)

AndroidCat (229562) | more than 6 years ago | (#24701809)

You have a nuclear submarine? Dang, I knew I should have paid more attention to those surplus sales!

Re:Since when (1)

SleptThroughClass (1127287) | more than 6 years ago | (#24705517)

Since when do I have to input my SSN to post to slashdot?

Ever since you mistyped http:/// [http] .

And what is M$ doing? (2, Funny)

BhaKi (1316335) | more than 6 years ago | (#24701371)

It's busy trying to paint a picture that the whole problem is only with BIND, not with DNS protocol and in particular not with M$ DNS.

Re:And what is M$ doing? (0)

Anonymous Coward | more than 6 years ago | (#24705091)

Except that they released a patch for it and it crashed every MS dns server we have..... I shouldn't say crash, the DNS.exe service was running but it would not answer queries. Had to roll back. I sure am glad I am not a MS admin.......

As a Chinese Internet user... (5, Interesting)

gzipped_tar (1151931) | more than 6 years ago | (#24701495)

... I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers. (Disclaimer here: I'm not saying the OpenDNS service is recommended for security. It's just a matter about reputation.)

The Chinese ISPs have been known to use manipulated DNS records as a censorship measure, too. See here: http://slashdot.org/article.pl?sid=07/11/18/1824230 [slashdot.org]

Re:As a Chinese Internet user... (2, Interesting)

QuantumG (50515) | more than 6 years ago | (#24701611)

So what makes you think OpenDNS were not the first DNS servers attacked?

That's what I'd do.

Re:As a Chinese Internet user... (2, Interesting)

the_denman (800425) | more than 6 years ago | (#24701789)

the theory being that OpenDNS is more likely to keep their servers up to date than some of the ISP's name servers

Re:As a Chinese Internet user... (5, Insightful)

gzipped_tar (1151931) | more than 6 years ago | (#24701825)

This is a very good question. Frankly, I don't know. As I have said, I never trust OpenDNS out of security reasons. I use it for my desktop browsing, not for anything worthy enough to be protected. But I know from my own experience that some Chinese ISPs are seriously incompetent in managing security risks. I have seen some of their mistakes in securing their service so that I wouldn't trust them again. OTOH I know I have to buy their services to get online and put these rants here and that sound like a paradox. Maybe it is. Finally we have to trust somebody else. That's how we make our lives. I just chose to deal with one who has *already* made a bad reputation as little as possible.

Just trying to help. (0, Offtopic)

rts008 (812749) | more than 6 years ago | (#24702261)

First, thanks for the comments (this one and above). If I had mod points, I would have given you +1 insightful.
After all, how much more insightful is good information from someone directly affected by something we are discussing? Quite a bit more insightful is the answer!

Now to the reason for my reply.
When I was stationed in Germany for the US Army (I live in Oklahoma, USA), I always appreciated corrections to my spoken German language attempts. Most of the time the encounter would turn into a mutual learning session for both of us...the German I talked to would help me with my German skills, and wanted (and received) my help with his English skills. It was a great learning experience for me.

That is the intention of my reply. I have edited your post below for corrections in English grammar. If this has no interest for you, then disregard the rest of the post.

No harm=No Foul!

"This is a very good question. Frankly, I don't know. As I have said, I never trust OpenDNS due to(or you can use 'because of' in place of 'due to') security reasons.

*new paragraph=change of subject, or focus on subject*
I use it for my desktop browsing, not for anything worthy enough to be protected. But I know from my own experience that some Chinese ISP's(the apostrophe as applied here seems to be debatable, but was proper usage when I went to school) are seriously incompetent in managing security risks. I have seen some of their mistakes in securing their service so that I wouldn't trust them again.

*new paragraph-see reasons above*
  OTOH I know I have to buy their services to get online and put these rants here,(added comma to 'end' current focus and enable a slight redirect to the sentence) and that sound like a paradox. Maybe it is. Finally we have to trust somebody else. That's how we live (replaced 'make' with 'live') our lives. I just chose to deal with one who has *already* made a (removed 'bad')reputation as...
there are many option here:
1. ...the lesser of two evils. (pessimistic outlook)
2. ...the better one. (more optimistic)
3. ...the best person currently able to do the job. (most optimistic)"

I apologize if I have over stepped my bounds here, I only meant to help.

I like to hear from those outside of the USA, so your post has been good for my learning experience.

Re:As a Chinese Internet user... (1)

MavEtJu (241979) | more than 6 years ago | (#24701799)

I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers.

If you were really worried about it you would run your own resolving-server on your machines.

Re:As a Chinese Internet user... (1)

Lennie (16154) | more than 6 years ago | (#24702445)

And check your NAT didn't screw up your source-port-randomisation.
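A defender-side check for the point Lennie raises, added here and not part of any comment: given the UDP source ports of outbound DNS queries as seen on the outside of the NAT (the samples below are constructed), it measures how much of the resolver's port randomisation survives. The function names and thresholds are my own.

```python
import math
from collections import Counter

# Constructed samples: source ports of 16 consecutive outbound queries as they
# would appear in a packet capture taken on the WAN side of a NAT device.
GOOD_PORTS = [53412, 9821, 61005, 27733, 44190, 1120, 58877, 33021,
              49502, 12877, 60211, 7719, 39944, 22018, 50601, 3301]
# A NAT that rewrites every outbound UDP port into one sequential block.
NAT_PORTS = list(range(1024, 1040))
# The pre-patch resolver behaviour: one fixed source port for every query.
FIXED_PORTS = [53] * 16


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits.

    16 distinct ports out of 16 gives log2(16) = 4 bits; a single repeated
    port gives 0 bits.  This is a sample estimate, so it is capped by the
    sample size rather than by the 16-bit port space.
    """
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_sequential_run(ports):
    """Length of the longest run in which each port is the previous port + 1.

    Distinct ports alone do not prove randomisation: a NAT that hands out
    ports in order keeps the entropy figure high while making the next port
    trivially predictable, which is exactly what this run length exposes.
    """
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def assess_port_randomisation(ports, min_entropy_bits=3.0, max_run=4):
    """Return a dict with the measurements and a one-line verdict."""
    if len(ports) < 8:
        return {"verdict": "insufficient data"}
    entropy = port_entropy_bits(ports)
    run = longest_sequential_run(ports)
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed source port"
    elif run > max_run:
        verdict = "sequential ports (NAT or resolver is not randomising)"
    elif entropy < min_entropy_bits:
        verdict = "low port entropy"
    else:
        verdict = "ok"
    return {
        "distinct_ports": distinct,
        "entropy_bits": round(entropy, 3),
        "longest_run": run,
        # Transaction ID (16 bits) plus whatever the port contributes is the
        # effective keyspace a forged reply has to match.
        "effective_bits": round(16 + entropy, 3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("good", GOOD_PORTS), ("nat", NAT_PORTS),
                          ("fixed", FIXED_PORTS)):
        print(label, assess_port_randomisation(sample))
```

A real capture should be taken on the WAN side, since ports observed inside the NAT only show what the resolver sent, not what the NAT rewrote them to.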

Re:As a Chinese Internet user... (5, Interesting)

xenobyte (446878) | more than 6 years ago | (#24701801)

It's not only China that has ISPs that manipulate DNS records... Here in Denmark for instance most ISPs voluntarily manipulate DNS for a whole list of domains known to host kiddie porn causing a redirect to a warning page. But they also censor the net by 'preventing access' to domains like allofmp3.com and thepiratebay.org which were 'banned' by Fodgedretten, a commerce-oriented court, based on bogus claims of extending Danish jurisdiction to foreign-based websites (Russia and Sweden). Unfortunately nobody has yet filed an appeal of these verdicts, so they stand - unvalidated.

Anyway, this censorship has caused most somewhat technically-oriented people to switch to other nameservers than those provided by their ISPs, usually OpenDNS but also private nameservers they trust. I use our company's which I run (and keep patched!) so I can circumvent the censorship.

Re:As a Chinese Internet user... (1)

jhol13 (1087781) | more than 6 years ago | (#24702397)

known to host kiddie porn

"known" or "alleged"?

"to host" or "picasa" (or hacked sites)?

"kiddie porn" or "gay porn"?

In Finland they use the same method and the black list is extremely idiotic (and most likely illegal - unfortunately government refuses to do anything about it).

Re:As a Chinese Internet user... (0)

Anonymous Coward | more than 6 years ago | (#24705555)

"kiddie porn" or "gay porn"?

Looking to do some personal research?

Re:As a Chinese Internet user... (5, Informative)

TorKlingberg (599697) | more than 6 years ago | (#24701911)

OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

Re:As a Chinese Internet user... (5, Informative)

gzipped_tar (1151931) | more than 6 years ago | (#24702011)

Exactly. But there is a workaround. Just sign up for an OpenDNS free account and you can turn their "features" off in your preferences. Once configured OpenDNS works just like normal DNS servers that return NXDOMAIN on unknown domains, which is all I want.

For dynamic IP users like me a bit more work is necessary: find a way to report the IP to OpenDNS so it knows it is you. I use the ddclient [sourceforge.net] daemon to update my IP information to OpenDNS and things are working reasonably well so far.

Re:As a Chinese Internet user... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24703073)

They redirect www.google.com, not google.com. If this were news to me and I went to check your claim, I'd find that you lied and your criticism would not just be ineffective but counterproductive. Apart from that you're right though. Nobody should use OpenDNS.

Re:As a Chinese Internet user... (2, Interesting)

3p1ph4ny (835701) | more than 6 years ago | (#24704491)

I always hear people on Slashdot bitching about OpenDNS. Apart from running my own resolver, what are my other options?

Re:As a Chinese Internet user... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24704655)

There are other public DNS servers, but since DNS is currently an unauthenticated protocol, it is all a matter of trust. If you care enough about DNS to avoid your ISP's servers, you should run your own recursive resolver. It's not hard.

Re:As a Chinese Internet user... (1)

rrohbeck (944847) | more than 6 years ago | (#24709863)

OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

Which causes my VPN (Nortel) not to work. DNS lookups to Intranet domains only work if they fail properly on the primary network adapter so they are tried on the virtual adapter. With OpenDNS all Intranet names are resolved to the same (OpenDNS I assume) IP address unless I change the DNS server ordering manually each time I connect.

Re:As a Chinese Internet user... (0)

Anonymous Coward | more than 6 years ago | (#24714271)

"OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine."

Barring ANY other solutions that may present themselves via others' suggestions? You CAN "override" this, via using a custom HOSTS file (see %Windir%\system32\drivers\etc & in that subfolder/subdirectory, lies the HOSTS file & you can 'hardcode' a correct IP to URL equation there, which will/should override ANYTHING coming from ANY DNS server)

You also MAY have to use this registry hack (easily done), to set the order of preference as to which of the 3 (HOSTS file, Local DNS cache, & DNS server) the IP stack refers to, first, for said IP to URL equation satisfaction:

http://support.microsoft.com/kb/139270/EN-US [microsoft.com]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"LocalPriority"=dword:00000005
"HostsPriority"=dword:00000006
"DnsPriority"=dword:00000007
"NetbtPriority"=dword:00000008

(LOWER NUMBERS HERE = GREATER PRIORITY)

As you can see, I give my LOCAL DNS Cache the greatest priority (because it has my HOSTS file loaded into it @ system startup (IP stack startup, actually)), & THEN, my custom adbanner blocking/speedup fav sites (which this post is showing folks how to do, & yes, it works) is next, & then my ISP/BSP's DNS servers, & lastly NetBios/WINS stuff (which I just plain do NOT use, because I have no LanManager style network running here, ONLY Tcp/IP)

APK

P.S.=> The beauty of this is simple: It's NOT only "restricted to Windows" & in fact, began its 'life' in *NIX, so this type of arrangement/solution can work if you're a *NIX user too (barring the registry stuff up there, it's the same format for their HOSTS files as they are on Windows)... apk

unanimous multi-polling? (4, Interesting)

reiisi (1211052) | more than 6 years ago | (#24701969)

Check our own ISP's name servers, openDNS's name servers, and we need a third independent name server pool.

Check all three before accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.

Of course, I'm talking about DNS pools as if they already exist. But they should.

Interactions that need to be secured should also use independent multiple polling before exchanging tokens. Financial institutions, for instance, should keep their own private supernetwork, such that the customer queries their local branch to start login, then queries two other bank-owned check servers, to make sure the branch IP is what the bank says it should be. This would require dedicated browsers, but that's really a given. It's time to quit giving popular browser M, I, or E our credit card numbers to play with. The convenience is not worth it.

Re:unanimous multi-polling? (1)

Anonymous Coward | more than 6 years ago | (#24702197)

Check all three before accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.

Fails to work with DNS-based load balancing. Next idea, please.

Re:unanimous multi-polling? (2, Informative)

Joseph_Daniel_Zukige (807773) | more than 6 years ago | (#24703941)

Yeah, and I'm not sure how to fit dyndns.com's services into this idea, either.

But certificates are not really appropriate for DNS when you're just surfing, even if Verisign hadn't trashed the current authorization space. Not unless ISPs start making server certificates part of their basic package. (In the end, everyone is going to have their own web server to take messages and host bulletin board/blogs.)

Certificates can only work vertically (hierarchically) within an organization. In public, certificates have to function peer-to-peer to have any real meaning at all. (Witness that huge clot in your browser cert cache.) Identity doesn't work by remote.

It may be that this multiple polling scheme is only useful for secure connections

Re:unanimous multi-polling? (3, Interesting)

totally bogus dude (1040246) | more than 6 years ago | (#24702243)

Anything that's important will be using SSL, so even if someone does hijack your bank's DNS entries your browser will warn you that their certificate isn't signed by someone you trust. The only real worry is from typos or bad links, which is why it's recommended practice to never click links in emails to go to sites that you're going to have to log in to, but rather to use a bookmark or type and check the address yourself.

As for the "check against lots of different servers" idea, there's three main problems.

1. If the "pools" are very independent of each other (i.e. different management) then it just makes DoS attacks against certain sites very easy (get in the pool, behave for a while, then start serving nonsense results for www.example.com - voila, anyone using your server to verify addresses will reject that domain).

2. If the pools are under the same management, then they're very likely to be running the same software version on the same platform under the same firewall protection, etc. So an attacker may need to compromise some more servers, but they're all identical.

3. For your financial institutions example, how does the browser know which "check servers" to use? You can't rely on a single reply from one of their authoritative servers, since you don't trust them. If you ask a bunch of other servers, then you're trusting all of them not to be trying to DoS the site in question (and also not to be poisoned themselves).

I guess you could be intending that each bank supplies a browser for use with its website, but then you take a lot of the convenience out of using online banking; in particular, cross-platform support would be a problem.

Re:unanimous multi-polling? (2, Informative)

Joseph_Daniel_Zukige (807773) | more than 6 years ago | (#24704445)

ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

1. I'm talking about pools as in, your ISP's main and backup DNS servers are one pool. The openDNS servers you can choose to reference form another pool. The third pool would be like openDNS, but managed separately.

The servers within the pool regularly check each other and flag and sequester rogues. When a client gets a mismatch, it would report that mismatch to all three pools, and the pools would send messages around to all servers to unwedge their caches for that IP address.

If the pools don't end up in agreement, that IP gets effectively DOSsed until a human admin can clear it.

Rogues in one pool would have to somehow gang up with rogues in each of the other pools to defeat the agreement requirement.

(Yeah, I need to think this out some more, but that's the general idea.)

2. Of course not under the same management.

3. Yes, each bank supplies a dedicated browser for its own customers, which means most people would have one browser for each bank they use, in addition to the general purpose surfing browser. Not a big deal, you can get cross platform browsers with most of the necessary functionality as library classes in Java and Perl, and probably other languages.

The most time intensive part of the implementation is generating either the list of one-time passwords or customer certificate that the customer takes home with the browser install mini-CD.

Re:unanimous multi-polling? (1)

totally bogus dude (1040246) | more than 6 years ago | (#24708483)

ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

Why can't you trust your bank if your bank can't trust you? My bank has an SSL certificate which does a reasonable job of ensuring that when I connect to online.westpac.com.au, I'm connecting to a server operated by Westpac, and not some other server that my hijacked DNS is mistakenly pointing me to, and that someone on a router between me and my bank isn't eavesdropping. It's unnecessary for my bank's server to trust me at this point; they trust me after I supply my customer number and password over the encrypted connection.

Yes, ideally there'd be more security than that, e.g. an RSA token and/or a client certificate. If I did have a certificate, I presume it would have been given to me by the bank either in person or via the post. Regardless, a username and strong password are "good enough" if you know that a) your own system is secure and b) you really are talking to the server you think you're talking to.

The servers within the pool regularly check each other and flag and sequester rogues.

What exactly do they check each other for? Every possible hostname? Every hostname they've ever looked up? Every hostname of popular sites? Every hostname for every financial institution that pool operator happens to know about?

When a client gets a mismatch, it would report that mismatch to all three pools, and the pools would send messages around to all servers to unwedge their caches for that IP address.

This seems troublesome. Either we verify with all the other pools that we really do have a mismatch whenever a client alerts us, in which case we make it really easy for people to DoS us and/or the other pools; or we don't verify it and just flush our caches, which makes it really easy for clients to DoS us and/or the DNS servers of the target site. The latter seems like it would make it much easier to poison caches as well, seeing how if your attempt fails you can just tell the servers to drop their cached records and make another lookup. Granted you have to poison a lot more servers at the same time, but you also greatly reduce the time between retries.

Yes, each bank supplies a dedicated browser for its own customers ... you can get cross platform browsers with most of the necessary functionality as library classes in Java and Perl, and probably other languages

Right, and you really think each bank (or even your particular bank) is going to supply a secure and accessible browser for every OS you want to use? Of course not. There's a lot of online banking interfaces that don't work properly in anything other than Internet Explorer, blissfully ignorant of the other 20%+ of browser market share.

I grant that this is technically possible, but it's just not realistic. Banks aren't browser vendors. Besides which, if a bank is going to issue their own special software for banking, why would they make a web browser and not a custom app? If the industry went this way, then I absolutely 100% guarantee you that we'd end up with a whole bunch of poorly designed custom applications with really crappy security that relies on obscurity more than anything else. I'm so confident that this would happen, I'd put money on it.

Yeah, I need to think this out some more, but that's the general idea.

Certainly. The following issues come to my mind immediately:

1. Why would anyone who is capable of setting up a pool of such servers (or a single server in the pool) with all this special code be incapable of applying patches to prevent their DNS servers from having their cache poisoned in the first place? You're creating a very complex system in order to solve a problem which is already pretty much solved by much simpler means (better randomization). The only reason this article exists is because an ISP hasn't applied a widely available, highly publicised patch to their name servers. You really think they're going to implement some complex cross-checking DNS pool -- and monitor it to make sure it's working properly -- when they can't even apply a patch which is probably supplied by their OS vendor?

2. You're assuming there's no legitimate reason for name servers to return different responses to different query origins. Ever heard of Akamai or LimeLight Networks or Cachefly or any of the other content distribution networks? Want to guess how many popular sites would suddenly be unreachable because your 2 or 3 pools would never agree on the response? It's quite a lot. Heck, even the organisation I work for has one.

3. Even assuming we go ahead and remove the platform neutrality that makes the web so useful and convenient by requiring dedicated browsers/applications for some applications, you still need to make sure the server at the identified IP is actually that server. DNS isn't the only place vulnerable to attack, after all; and if you're verifying the identity of the server, then hijacking the DNS isn't going to work, anyway.

4. This article is discussing poisoning of mis-typed URLs, such as "gogle.cn". No banks or other special institutions involved, so I don't see how the magic bank-supplied browser will help here. Or is your plan to have a dedicated browser for each popular website you might want to visit?

Re:unanimous multi-polling? (1)

reiisi (1211052) | more than 6 years ago | (#24715129)

Well, I have to admit, the unanimous polling is probably overkill for web surfing, and overkill usually opens more holes. And it is all too easy to try to fix the social engineering vulnerabilities.

You know the websites you visit regularly by pattern recognition, and "trust systems" have to be able somehow to take advantage of what the user knows. Maybe it would be better to provide an alternate opinion function. Press a button and your surfing browser asks two other DNS servers, preferably separately managed, for a lookup of the name, and compares the IPs. Perhaps it also checks who owns the IPs, so that big sites can still load balance without using exotic tricks. (And that leaves us with Akamai as a potential trouble spot, but I would assume that Akamai and Apple (for instance) should be able to arrange so that only IPs owned by Apple respond to requests for Apple's servers.)

Still only advisory, but meaningful to humans. I guess, if we're going that far, it would be reasonable to also query a public cert for the domain name at the same time. But our current certificate infrastructure is sorely lacking, both in administration and in fundamental structure.

We don't want to go to Verisign when checking a domain name certificate, we want to go to the domain registrar. (Note that I say "domain name certificate". That's not a certificate to shop by.)

Under normal operation, the current clot of certs in the browser tells you only that the cert you're looking at is trusted by someone in the clot. That's upside down. Checks done in the background put the user to sleep. You shouldn't care until you care, and when you care, that's when the check should be done, and that's when the entire trust chain should be presented, along with the dns and IP chain.

Where did this idea that the general purpose browser should be used for secure transactions come from? Hmm? (Okay, I'm poisoning the well here, but there is some bad sales engineering going on here.)

You don't send the bus driver to the bank for you.

With today's personal computer systems, it would be better to have the financial transactions done on completely separate hardware, really. I'm thinking of an electronic wallet, so to speak, that you plug into your ethernet hub. You set the sale up on your surfing browser, the shop gives you a ticket number and a url to log into with your electronic wallet, you plug the electronic wallet in, type in the url and the sales number, and the wallet does the certificate exchanges, etc. And queries you one last time to okay the transaction by hand, just so you can think again before you commit the money.

But I don't like the idea. Too hard to keep people from trying to combine that with the cell phone. (Already something like that in use here in Japan, vulnerable like a dog to fleas.) Also too easy for governments to try to pull it into the tax system.

Dedicated browser -- Sure, they use standard parts. They have a master at your office, and when you go in to set up your account, both you and the bank officer digitally sign a pair of certificates. Probably mix a scan of the physical signatures on the paperwork into one part of the digital signatures. The bank's hardware generates the keys (Just like it owns the credit card it gives you, it owns the key it gives you.) It installs those certificates and your key, encrypted, into the dedicated browser with the initial list of IP addresses for the servers. Then it burns the dedicated browser (probably a java app) into a CD.

You take the CD home after hearing a short lecture about it not being safe to use the browser on any machine you don't know is clean. That lecture is given at the same time as the short lecture about not letting others use your credit cards or your checks.

(That last step is where it all falls apart. I know. Well, that, and, as you say, the temptation that all financial institutions' market departments will have to add bells and whistles.)

Why should banks go through this kind of thing? Well, the process would not be too terribly different from what you do when you open an account and order your first box of checks. If the marketing departments can keep their hands out of the cookie jars, so to speak, these dedicated browsers should be as streamlined as your checks. Three functions -- look up your bank balance, transfer money, put a stop on the account. We could call it a custom banking application, if it would help.

No, the bank would probably not build the browser itself, it would probably arrange for that somewhere else, just like banks don't print checks. One difference would be that the machine for issuing the browser CDs would have to be on the bank premises. Has to be done face to face by people who will have a hope of recognizing each other again.

I'm not sure about overriding the setup when the servers' IP addresses change (as they sometimes do) and such. It's tempting to say that any time you need to override, you really need to go back to the bank for another face-to-face. It's also tempting to provide some sort of phone service to walk the customer through it. I lean towards the former, because I can still remember when hospital emergency rooms didn't expect us to be able to access our bank accounts on the weekends. We've seen a breakdown of trust there, and that ripples through everything. But arranging some way to do it by phone is not out of keeping with current banking practices, either.

But updating the IP addresses should never happen automatically.

Might want to put more than three addresses in the list, choosing at random, and when one server is down, check with the other servers and if the other servers say it should be down, log it and continue, and if (all) the other servers say that server's IP will change, the notice says to contact the bank. Always leave tracks. Always bring a person in the loop at some reasonable point.

With that in mind, can you see why you and the bank shouldn't really trust each other without a certificate exchange? That does rely on you to refrain from exposing your certificate, but at least they'll have done their job, and that is what gives semantics to the word trust. You have met each other face to face, and the mutually generated certificates are your proof of that.

So --

1. You're forgetting that the patch is not a fix? That the researchers have still succeeded in poisoning a patched server in about eight hours?

We really need some way to detect the poison and purge it and notify users and admins that the poisoning happened.

2. Load balancing does present problems, I've sort of waved my hands at that above.

3. How do you verify the server? That's what we've got to do, isn't it? And certs simply don't work as the sole solution. Or did you miss the comments from the researchers that DNSsecure itself is just another, somewhat better stopgap?

4. How do we verify the server? See above, but this idea of asking more than one DNS server from different organizations would throw a big wrench in the ISPs' efforts to profit from mis-typed URLs. They'd have to co-operate with each other to do the dirty deed.

Surfing browsers could be programmed to work with the ISPs to offer a list of possible matches, however. But I would want such pop-up lists to be restricted from using any javascript and from most style sheets.

(Speaking of which, maybe we need a restricted pop-up type in the HTML spec, so that browsers could legitimately kill any other pop-ups.)

Re:unanimous multi-polling? (1)

totally bogus dude (1040246) | more than 6 years ago | (#24715867)

Press a button and your surfing browser asks two other DNS servers, preferably separately managed, for a lookup of the name, and compares the IPs. Perhaps it also checks who owns the IPs, so that big sites can still load balance without using exotic tricks.

If a user suspected a site was fake, they wouldn't be providing it their credentials in the first place. If they don't suspect it's a fake, why would they ask for a second (or third) opinion?

I would assume that Akamai and Apple (for instance) should be able to arrange so that only IPs owned by Apple respond to requests for Apple's servers.

This seems... impractical. In order for an organisation to fully leverage Akamai's network, they'd have to pay for at least one dedicated IP address at every major ISP in the world. Maybe when the whole internet is on IPv6 that could be viable, but you'd still need some highly scalable way of authoritatively identifying who "owns" which IP address. I'm pretty sure the ARIN and APNIC and RIPE (etc.) WHOIS servers would melt if every DNS lookup also resulted in an ownership database query.

Checks done in the background put the user to sleep.

This I completely disagree with: checks done in the background are what prevents users from falling asleep at the wheel! Do you seriously believe that you could teach every internet user how to verify that a DNS and IP address chain is legitimate? If so, why are there hundreds of thousands of compromised systems out there whose owners either don't know or don't care that they're spewing garbage on to the internet 24x7? Even if we do somehow achieve this utopian enlightenment of even a significant minority of internet users, do you seriously believe that people will routinely do a full, serious check every single time they access a secure site? Even though 99% of the time everything checks out fine?

That's important to remember. The attack won't come when you expect it; it will come on an ordinary day when you're not on the look out for suspicious activity. This is why it's absolutely imperative that security verification does not require an alert user to consciously and conscientiously verify the identity of the site every single time they access it. Forcing people to do this just leads to complacency, because 99% of the time everything is legit and you're just wasting their time. You need a system that can detect the 1% of the time when things seem a bit suspect, and at that point enlist the aid of a human.

Where did this idea that the general purpose browser should be used for secure transactions come from?

Economic realities, I suppose. Where did this idea that a bank will be able to produce a "banking application" that's some kind of Fort Knox come from? What's the incentive? If forced to do this, the bank will produce something that is "good enough" to make their customers feel like the bank is taking security seriously, while minimising the cost of producing it. It will be an exercise in security theatre. You might improve this by legislating that banks must provide an application that meets certain requirements (which is why I said "if forced to do this"), but I have my doubts whether this would actually work. Or you could let the banks sell their application at a profit, but I'm not sure that'd work: consumers would largely opt for the cheapest options they can find.

Even if all this does actually somehow work, it's now tremendously expensive to do anything secure over the internet. All this cost might be acceptable for large financial institutions, but why are they the only ones deserving of "proper" security?

With that in mind, can you see why you and the bank shouldn't really trust each other without a certificate exchange? That does rely on you to refrain from exposing your certificate

I don't see that a certificate exchange is necessary. After all, your certificate is essentially just a very strong password. My bank already trusts me to refrain from giving my password to anyone else. When I provide the password that only I know, I've proved my identity in exactly the same way as providing a certificate that only I have would do.

My bank's identity is verified by a third party. There may be some benefit in having them provide me with a certificate rather than going through an intermediary, and the extra hassle of obtaining and installing a certificate may be worthwhile for something as important as banking. However, I certainly wouldn't want to be without an equivalent to the current system, despite its flaws and potential for abuse. It would be a real pain in the arse if I had to go meet someone to exchange certificates every time I wanted to buy something online. And forget ordering anything from an overseas store!

1. You're forgetting that the patch is not a fix? That the researchers have still succeeded in poisoning a patched server in about eight hours?

You mean the one where they attacked it over a gigabit link that allowed them to send 40-50 thousand fake replies before the real reply arrived? I have to say, I'm not terribly worried. If this does become a problem, then the only people that it's going to really annoy are operators of public DNS resolvers such as OpenDNS. Anyone running private resolvers should be able to identify which of their users is flooding their servers with hundreds of thousands of DNS queries and take "affirmative action" to stop them. These attacks aren't exactly easy to hide as being normal traffic, after all.

3. How do you verify the server? That's what we've got to do, isn't it? And certs simply don't work as the sole solution. Or did you miss the comments from the researchers that DNSsecure itself is just another, somewhat better stopgap?

By certificates I'm referring to transport layer verification, i.e. SSL or TLS, not DNSSec. If we return to your bus driver analogy, you are declaring the general purpose web browser to be the bus driver. I think it's better to say the general purpose internet is the bus driver. If it's possible to trick your DNS into returning the wrong IP for a hostname, then don't trust the DNS. Even if it returns the correct IP address, what proof do you have that the packets you're receiving from that address are actually being generated by a server operated by the people you think are operating it, and that they haven't been tampered with?

You don't have any proof of that. You're just blindly trusting that your computer really is sending its packets to your default gateway and not some hostile machine on your network that's spoofing your gateway's address. You're trusting your gateway is doing the right thing. You're trusting your ISP's routers, their upstream routers and so on all the way to the bank and then back again (potentially via a completely different set of routers).

This is why Transport Layer Security exists. You verify that whatever it is you're talking to really is what you think it is, precisely because no other part of the stack currently provides any verification. Even if you fix DNS to be 100% watertight, you still have to fix the rest.

To be honest, I think the only really powerful suggestion you've got is that for high security applications, such as banking, we should be using certificates properly. That's a great idea; perhaps as the public begin to perceive the net as being untrustworthy this might occur.

certificate just a very strong password? (1)

reiisi (1211052) | more than 6 years ago | (#24716661)

Get back, troll.

Re:certificate just a very strong password? (1)

totally bogus dude (1040246) | more than 5 years ago | (#24724053)

Okay, I forgot one important property of certificate-based authentication: even if you present your certificate to a hostile party, they can't use it to pretend to be you. That and mutual authentication pretty much negates phishing as an attack vector altogether, whether it's via social engineering, DNS spoofing or some other method of covertly hijacking communications between two parties. The only way to interfere with such a transaction would be to compromise the security of either the user's computer or the server. Or I guess you could try to recreate the user's private key through brute force, but that seems impractical enough to be a nonissue.

So taken together with your acknowledgement that the unanimous polling is probably overkill for web surfing we can conclude that a) "unanimous multi-polling" doesn't really solve anything (and certainly not the attacks this article is about) and b) we already have the tools necessary to provide a very strong level of protection for secure transactions over the internet.

This veered far away from "fix DNS spoofing", so to get it back on track:

We really need some way to detect the poison and purge it and notify users and admins that the poisoning happened.

Well there's some variations of your proposal that seem simpler. For example, what if the resolver sent its resolution requests to all the name servers for a particular domain, and only accepted the response if they all matched? Now an attacker has to simultaneously poison at least 2 responses. To up the ante, the resolver could additionally request another trusted resolver to also resolve it, which would also do the same thing. So now there's at least 4 responses you have to simultaneously poison, without requiring client-side changes or multiple independent pools.

This still results in any sites which return different responses for different requests suddenly disappearing from the internet though, which I don't think is an acceptable price to pay.

A simpler way to mitigate the problem would be to have your resolver cap the TTL. This limits the maximum amount of time your cache can be poisoned for, requiring attackers to continually re-poison it. This alone might make the cost:benefit ratio low enough to make it not worth doing.

Ultimately, I still think the long-term solution for the majority of resolvers is to detect and block people who are trying to poison their caches. While many won't be in a position to do this currently due to IP spoofing, that is a problem that really ought to be fixed anyway -- DNS poisoning is hardly the only abuse made possible by IP spoofing. The only ones who really can't protect themselves from this are public resolver operators like OpenDNS, as ISPs should be preventing their customers from sending packets from IP addresses which weren't assigned to them. Unfortunately many don't, and many that do only do it at their borders rather than on customer's individual links, so their resolvers are likely vulnerable to attacks from their clients.
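An added example (my own code, not from either poster) that combines the "ask separately managed resolvers and compare, allowing for shared ownership of the addresses" idea from reiisi's post with the "accept only if all sources match, and cap the TTL" variations in this reply. The resolver labels, addresses and the prefix-ownership table are constructed; the ownership table stands in for whatever WHOIS-style lookup a real implementation would use.

```python
"""Consensus check over independent DNS answers, plus a TTL cap.

Every label, address and ownership mapping here is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    source: str           # label of the resolver or name server that replied (constructed)
    addresses: frozenset  # A records in the reply, as dotted-quad strings
    ttl: int              # TTL in seconds as carried in the reply


# Constructed stand-in for a "who owns this IP" lookup: prefix -> organisation.
OWNERS = {
    ipaddress.ip_network("203.0.113.0/24"): "example-bank",
    ipaddress.ip_network("198.51.100.0/24"): "example-cdn",
}


def owner_of(ip):
    """Organisation owning the prefix that contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, org in OWNERS.items():
        if addr in net:
            return org
    return None


def consensus(answers, max_ttl=300):
    """Decide whether a set of independent answers for one name is trustworthy.

    Returns (accepted, addresses, ttl, reason).  Accept when every answer is
    identical, or when the answers differ but every address in every answer
    belongs to a single known owner (the load-balancing case).  The TTL that
    would actually be cached is capped at max_ttl, so an entry that slipped
    through anyway expires quickly and must be re-poisoned to persist.
    """
    if not answers:
        return False, frozenset(), 0, "no answers"
    first = answers[0].addresses
    ttl = min(min(a.ttl for a in answers), max_ttl)
    if all(a.addresses == first for a in answers):
        return True, first, ttl, "all %d answers identical" % len(answers)
    owners = {owner_of(ip) for a in answers for ip in a.addresses}
    if len(owners) == 1 and None not in owners:
        merged = frozenset().union(*(a.addresses for a in answers))
        return True, merged, ttl, "addresses differ but all belong to %s" % owners.pop()
    odd = sorted(a.source for a in answers if a.addresses != first)
    reason = "answers disagree: %s differ from %s" % (", ".join(odd), answers[0].source)
    return False, frozenset(), 0, reason


# Constructed scenarios.
CLEAN = [Answer("resolver-a", frozenset({"203.0.113.10"}), 86400),
         Answer("resolver-b", frozenset({"203.0.113.10"}), 86400),
         Answer("ns1.example", frozenset({"203.0.113.10"}), 86400)]

LOAD_BALANCED = [Answer("resolver-a", frozenset({"198.51.100.7"}), 60),
                 Answer("resolver-b", frozenset({"198.51.100.9"}), 60)]

POISONED = [Answer("resolver-a", frozenset({"203.0.113.10"}), 86400),
            Answer("resolver-b", frozenset({"192.0.2.66"}), 86400),  # injected, unknown owner
            Answer("ns1.example", frozenset({"203.0.113.10"}), 86400)]

if __name__ == "__main__":
    for label, scenario in (("clean", CLEAN), ("load-balanced", LOAD_BALANCED), ("poisoned", POISONED)):
        print(label, consensus(scenario))
```

The clean case shows the cap at work: three identical answers carrying a day-long TTL are cached for only 300 seconds.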

Re:unanimous multi-polling? (2, Interesting)

OriginalArlen (726444) | more than 6 years ago | (#24702863)

The only real fix available now for the fundamental vulnerability is DNSSEC. There's an excellent doc up on ISC's site called DNSSEC in Six Minutes [isc.org] for those who bothered to read Kaminsky's actual presentation (especially the last 40 or so slides on subtle ways security systems like SSL break when you can't trust DNS), put that together with the ten hour exploit for patched servers [milw0rm.com] , and realised we're not out of the woods yet by a long chalk...

Re:unanimous multi-polling? (0)

Anonymous Coward | more than 6 years ago | (#24708521)

God, not another self-confessed poorly thought out solution.

Have you actually been paying attention to this issue since it was brought up ORIGINALLY in 2003? All these (stupid) ideas were brought up and shut down faster than you can say 'oi'.

Olympic DNS poisoning (2, Funny)

syousef (465911) | more than 6 years ago | (#24701625)

Someone's decided to make DNS poisoning an Olympic sport. Obviously the only place to do it at the moment is China.

I've got images in my head of a broken toothed Chinese geek running around Beijing with an EEE PC and a Linksys wireless router hooked to a 12V SLA battery, lights a-blinking, instead of the Olympic torch. Thank goodness the Olympics are about to end.

Suck it! (0, Flamebait)

CaptSaltyJack (1275472) | more than 6 years ago | (#24701767)

Ahh well, I just chalk it up to payback for all those Chinese hackers out there committing SQL injection attacks and other types of breaches. How's it feel, jackasses?

It's a big flaw (5, Interesting)

ledow (319597) | more than 6 years ago | (#24701881)

It's a big flaw. Someone big was bound to fall foul of it eventually. And to be honest, I can't say that I'm at all surprised. In fact, I'm expecting a lot more.

I bet that there are still hundreds of large companies that are vulnerable worldwide and I bet that translates to hundreds of thousands, if not millions, of affected people. For instance, last time I checked the whole LGfL (London Grid for Learning) was vulnerable - and they provide DNS / Internet connectivity for every school in London (several million users, hundreds if not thousands of schools) with little alternative because they have been mandated as the recommended solution and thus all "interesting" content is in their private network.

If they ARE still compromised (and several days after the release of the information, they were still showing up as vulnerable on all those DNS tests and today I got: Your name server, at ***.***.***.***, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32768), that's virtually every school, staff member and student in London (we're probably talking close on a million people because it includes Greater London Boroughs but I'm not sure of the exact figure) which are in trouble because they use the upstream DNS from LGfL as their basis.

Have we heard anything through official channels? Nope.
Does everybody just trust LGfL to do their job transparently? Yep.
Have they done it? Apparently not.
Have they even heard of it? I don't know, but there have been zero advisories, zero visible configuration changes, that I can see.

Give it a few months, one of the students will download something and poison the whole of London's educational system and THEN maybe someone will bother to look into it.

When I heard about this flaw, the first thing I did was check all upstream servers that either my servers or my own home computers use - my cheap ISP (PlusNet) had apparently fixed the issue before I'd even caught wind of the "there may be a DNS problem" posts on Kaminsky's blog. Every other one just seems to be dragging their feet.

Snapview (0)

Anonymous Coward | more than 6 years ago | (#24701885)

On patch Tuesday MSFT did release a fix for Snapview:
http://support.microsoft.com/kb/955439

iDon't Like It (2, Funny)

OldMiner (589872) | more than 6 years ago | (#24701905)

"iFrame"? Lower-case i, uppercase next letter? How odd. It's "inline frame", normally all caps ('IFRAME') or all lower-case ('iframe'). "iFrame" makes it sound like some new Apple-branded house support structure with built-in Internet-something.

Re:iDon't Like It (0)

Anonymous Coward | more than 6 years ago | (#24702123)

it's caps-agnostic, so you can spell it iFrAmE or IFramE or ifraME if you really want and it's still correct.

of course then someone would be wondering what an ifra was and why the hell there's a Millenium Edition of it.

check your server (4, Informative)

the_denman (800425) | more than 6 years ago | (#24701947)

It may be a good idea to check your DNS server to see if it is vulnerable. Dan Kaminsky has a tool that shows vulnerability on his blog. [doxpara.com]
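An added example (my own code, not Kaminsky's tool and not from any poster) of the kind of check that tool performs, run offline over constructed resolver query logs: it rates how well a resolver randomises the source port and transaction ID of its outbound queries, which is what the "All requests came from the following source port: 32768" result quoted earlier in the thread is reporting. The log format, the addresses and the rating thresholds are all assumptions of this example.

```python
"""Rate source-port and transaction-ID randomisation from constructed query logs."""
import math
import random
import re
from collections import Counter

# Constructed log line format (an assumption, not any real server's format):
# "<timestamp> src=<ip>:<port> id=<txid> q=<name>"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<port>\d+) id=(?P<txid>\d+) q=(?P<name>\S+)")


def parse_queries(lines):
    """Return (source_port, transaction_id) for every line that matches the format."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append((int(m.group("port")), int(m.group("txid"))))
    return out


def shannon_bits(values):
    """Shannon entropy, in bits, of the observed distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_randomisation(lines, min_samples=20):
    """Rate the randomness of outbound query ports and IDs.

    A single fixed port leaves only the 16-bit transaction ID for an attacker to
    guess, which is the pre-patch condition; spread ports add roughly 16 more bits.
    The verdict thresholds are this example's assumptions.
    """
    queries = parse_queries(lines)
    if len(queries) < min_samples:
        return {"verdict": "INSUFFICIENT", "samples": len(queries)}
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        verdict = "POOR"
    elif distinct_ports >= 0.9 * len(ports):
        verdict = "GOOD"
    else:
        verdict = "FAIR"
    return {
        "verdict": verdict,
        "samples": len(queries),
        "distinct_ports": distinct_ports,
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "fixed_port": ports[0] if distinct_ports == 1 else None,
    }


def constructed_log(fixed_port=None, n=40, seed=1):
    """Build n constructed log lines; a fixed port models an unpatched resolver.

    The random case draws distinct ephemeral ports so the result is deterministic.
    """
    rng = random.Random(seed)
    ports = [fixed_port] * n if fixed_port is not None else rng.sample(range(1024, 65536), n)
    lines = []
    for i, port in enumerate(ports):
        txid = rng.randint(0, 65535)
        lines.append("2008-08-23T10:00:%02d src=203.0.113.53:%d id=%d q=host%d.example.invalid."
                     % (i % 60, port, txid, i))
    return lines


UNPATCHED_LOG = constructed_log(fixed_port=32768)  # every query from port 32768
PATCHED_LOG = constructed_log()                     # ports spread across the ephemeral range

if __name__ == "__main__":
    print("unpatched:", assess_randomisation(UNPATCHED_LOG))
    print("patched:  ", assess_randomisation(PATCHED_LOG))
```

To run it against a real resolver you would replace the constructed lines with captured outbound queries (for example from a packet capture on the resolver's upstream side), adjusting LINE_RE to your own log format.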

Re:check your server (1)

chap_hyd (717718) | more than 6 years ago | (#24702225)

These things make me paranoid of trusting any DNS server, as many ISPs are yet to patch their DNS servers. So I got my own personal DNS on the XP box http://treewalkdns.com/ [treewalkdns.com] . Now it feels much safer.

mod 0P (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24702235)

Just a warm-up (3, Interesting)

Ant P. (974313) | more than 6 years ago | (#24702367)

If they were trying to do damage to china, wouldn't they have simply redirected everyone to anti-government propaganda sites instead?

Re:Just a warm-up (2, Insightful)

abirdman (557790) | more than 6 years ago | (#24703079)

They're not trying "to do damage to China," they're trying to enlist more computers into botnets to spread email that sells fake \/iaGrA pills and penile enhancements to stupid people, and possibly to redirect unwitting browsers to ad-sponsored pages. It's motivated by Greed! It's the new (inter)nationalism, and unfortunately it knows no national boundaries.

The Internet != The intarwebs (1)

incubuz1980 (450713) | more than 6 years ago | (#24702703)

"Basically, the problem exists in the DNS system, which translates Web addresses into numerical IP addresses and serves as the phone book for the Internet."

I would have expected more from CNet. I guess that's what the internet is now: "The Web".

Run your own caching resolver (1)

sega01 (937364) | more than 6 years ago | (#24702903)

Just run your own caching resolver if you don't 100% trust any local ones. I use Unbound and choose not to worry about which external DNS server is "safer", and give myself (overall) faster resolves in the process.

I don't suppose it was... (1)

davidbrit2 (775091) | more than 6 years ago | (#24702937)

...lead poisoning, was it?

Thank you, thank you, I'll be here all week.

Patch or profit (the eternal question) (1)

I cant believe its n (1103137) | more than 6 years ago | (#24703065)

1. Buy gold
2. Poison huge ISP DNS, redirecting to various sites with extreme info on chemical warfare
3. ???
4. Profit

... that is: Sell your gold after teh GW upgrades public "terrist" threat level.

Redirected? (1)

Shotgun (30919) | more than 6 years ago | (#24704781)

So we know there is an exploit and it is being redirected to a website...but no one in law enforcement can determine where that IP is located? They're running the scam out in the public, for cripes sake. It's not even like the old shell scam on a card table, where you had to have compatriots looking around the corners for policemen on foot patrols. These scammers have their card tables set up in front of the precinct office.

Yes it is a hole. Yes it needs to be fixed. But would the perps be that difficult to trace down and prosecute?

CNC Network sucks (0)

Anonymous Coward | more than 6 years ago | (#24707795)

Although CNC's DNS server has been poisoned, the network is so slow that the virus/malware background download failed after half an hour...

already corrected? or?... (1)

atomicskate (1173421) | about 6 years ago | (#24790539)

The only example on Websense is concerning "gogle.cn". I've just tried an nslookup using CNC DNS (and even with CT DNS) and nothing is wrong... so either CNC has corrected its DNS (for this specific domain), or...