
DNS Cache Poisoning Spreads Malware

timothy posted more than 9 years ago | from the cold-hard-cache dept.

The Internet 314

Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."


April Fools Idea (4, Funny)

DarkHelmet (120004) | more than 9 years ago | (#12156166)

Oh man, this article gave me an idea. Too bad it's a couple days late, or else it would have made a *great* april fools for the workplace here.
  1. Change the company's DNS server here to map google.com to a private machine here on the network.
  2. Create a frontend on the internal machines here that looks exactly like google.com
  3. Map the internal IP addresses on the network to specific people here.
  4. Inject specific "spooky" messages into the search results based on the IP address of the querying machine. Examples would be like: "How about looking at some pr0n, Mr. Bridges?" or "You really should have that bald patch looked at, sir."
  5. April Fools! HA HA!
  6. Look for a new job.
Oh well, you only live once.

Re:April Fools Idea (4, Funny)

Cruithne (658153) | more than 9 years ago | (#12156204)

7. Profit!

Re:April Fools Idea (2, Funny)

TimeTraveler1884 (832874) | more than 9 years ago | (#12156352)

7. Profit!
Whoever modded this "Redundant" needs their head examined. Granted, it's only mildly funny, but it's not "Redundant". Uh, maybe because no one else had said it yet in response to the parent?

You moderators are so fickle. I will probably get modded down "-1 He's got a point, but I don't like it" for this post.

Re:April Fools Idea (3, Interesting)

dAzED1 (33635) | more than 9 years ago | (#12156493)

The mod adjectives have needed to be changed for years. What do you do when someone isn't flamebait or trolling, they simply don't know what they're talking about? Mod them "overrated?" But what if they're only a 1 or 2? There are other problems. I generally have a pretty damn hard time modding most posts. I don't know how I spent as many points as I used to have.

Re:April Fools Idea (3, Interesting)

afd8856 (700296) | more than 9 years ago | (#12156702)

I also had your problem. I've decided to give up on moderation and read slashdot at -1
There are a lot of interesting things to be said at that level, too :)

Re:April Fools Idea (0)

Anonymous Coward | more than 9 years ago | (#12156494)

It got modded down because it's not even mildly funny. It is, in the strictest sense, Redundant. How about a "-1 Whinging idiot" moderation?

Re:April Fools Idea (3, Funny)

Greger47 (516305) | more than 9 years ago | (#12156503)

On Slashdot it's redundant. We already subconsciously add

3. Profit!
In Soviet Russia ... you!
Imagine a Beowulf cluster...

to all posts.

/greger

You forgot..... (2, Funny)

isotope23 (210590) | more than 9 years ago | (#12156597)

I for One welcome.........

Re:April Fools Idea (2, Funny)

lucabrasi999 (585141) | more than 9 years ago | (#12156678)

Only old Koreans subconsciously add statements to posts.

Re:April Fools Idea (0)

Anonymous Coward | more than 9 years ago | (#12156712)

I don't have a conscience, you insensitive clod!

Re:April Fools Idea (1)

mirrorful (872223) | more than 9 years ago | (#12156739)

Step 1 : Collect Underpants.....

Re:April Fools Idea (1)

antifoidulus (807088) | more than 9 years ago | (#12156276)

You could always stick a google search in the goatse man's....text entry space....
shudders

Re:April Fools Idea (2, Funny)

mightypenguin (593397) | more than 9 years ago | (#12156291)

I think one of the better net admin jokes on this date was using the Swedish Chef text filter on all webpages in certain sections of my college's site :)

http://www.cs.utexas.edu/users/jbc/home/chef.html [utexas.edu]

Re:April Fools Idea (1, Funny)

Anonymous Coward | more than 9 years ago | (#12156331)

I did something very similar as a prank on my boss's birthday a few years back. I manually updated the HOSTS file on his laptop so that the domain of a very important client was pointing to one of our internal development servers. I then set up a special internal virtual host for the prank, and put up a faux copy of the real web site in question, with a bunch of "YOU'VE BEEN HACKED!!" messages all over the place.

My boss bought it hook line and sinker...it was fun for the whole family.

Re:April Fools Idea (0)

Anonymous Coward | more than 9 years ago | (#12156539)

I did JUST that a few years ago! (2 years I think)
I proxied everything to google and added a top result pointing to fake a wish stories with their name on them. (Google for 'fake a wish')

I still have the mod_perl handler code I used.

Next phase : stealth ninja midgets (2, Funny)

88NoSoup4U88 (721233) | more than 9 years ago | (#12156675)

The bigger failure rate through email (come on, -some- people have wised up over the years... right? right??) has caused the spammers to look for other ways, now taking it up to the DNS level.

I guess that when this is eventually blocked, and spammers -really- are out of ideas of what to do next, it's time for the ninja-midgets-phase :

A spammer will employ stealth ninja midgets (or clone them), that will roam around the world causing havoc by typing in their master's URL in your browser, while you're out to get a snack.

Bah! (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12156709)

I submitted this story on Friday, April 1st, but Slashdot was too damn busy with April Fool's pranks to publish it. It got rejected within minutes.

That's when I realized the Slashdot editors are more interested in puerile humor than in actually notifying their readers of important information that could save them headaches, time and money.

Re:April Fools Idea (1)

nametaken (610866) | more than 9 years ago | (#12156731)

Sounds very similar to a story I heard on April Fools Day. A guy modified just one guy's hosts file at work to point requests for the company website to a server on his laptop. He then posted a terribly hacked version of the company page. The man came running to his cubicle, completely freaked out.

IRC (4, Informative)

Wizy (38347) | more than 9 years ago | (#12156171)

Anyone who has been on irc for over 8 years remembers when DNS cache poisoning first started showing up (about 97.)

This is a quote from the "IRC Operators Guide" written in 8/97:
"DNS spoofing is a relatively new hit these days on IRC. You'll generally find spoofs one of two ways - you're watching the connections (usermode +c) and an unusual hostmask appears, or a user reports one. The first thing to do is to get the user's IP address (/stats L nick), and check to see if the DNS lookup matches the IP address. If it doesn't, you know you have a spoof. With this information, you can KILL the spoof, and when it reconnects, see where the real host is and issue a K-line (which won't stop them from spoofing again, but will prevent them from signing on *without* spoofing). Some servers have the capability of D-lines, which allow you to ban by ip mask. A D-line will prevent the client from connecting at all, regardless of whether they try DNS spoofing or not. If the server supports the DLINE command, you can do /dline ipmask :reason."

It has been a well known problem since way back then and it has still not been dealt with in any real way.

Yes and no. (3, Informative)

jd (1658) | more than 9 years ago | (#12156596)

It has been dealt with, at the specification level. DNSSEC has been around for a while and for the ultra-paranoid, you can always run IPSec tunnels between DNS servers.


The "no" part is that virtually nobody does this. All the protection in the world is useless if you don't use it. Further, the protections that do exist (such as those I mentioned) get redesigned a little too often, making wide-scale rollouts a real problem.


Routers are another key part of the infrastructure where there is plenty in place that COULD prevent poisoning, but where actual use in the "Real World" is limited. If DNS ever does improve, then scammers may well simply shift to poisoning router tables to achieve the same results.


The resources spent on producing quality and security are phenomenal. The resources spent on actually putting these into practice can barely be detected with the best tunneling electron microscopes.

No (4, Informative)

temojen (678985) | more than 9 years ago | (#12156694)

The article is about DNS Cache poisoning, not DNS spoofing. In DNS cache poisoning you're effectively telling the victim's DNS server to query your (fake) server for all of a class of requests (ie *.com), instead of the one it should be querying. DNS spoofing only tries to fool reverse lookups.

My post (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12156173)

Is teh awesome one before second!

internet rash (5, Funny)

Cruithne (658153) | more than 9 years ago | (#12156175)

following a rash of active DNS poisonings

Damn internet rashes, they're the worst. Remember, dont surf without protecting your board. :/

More reason to use Firefox (-1, Flamebait)

netcrusher88 (743318) | more than 9 years ago | (#12156179)

I bet that malware is Internet Explorer-specific.

Re:More reason to use Firefox (1, Flamebait)

lowrydr310 (830514) | more than 9 years ago | (#12156214)

I didn't think DNS servers needed web browsers.

Re:More reason to use Firefox (2, Informative)

mboos (700155) | more than 9 years ago | (#12156251)

It's the malware on the sites that the infected DNS servers redirect to.

Re:More reason to use Firefox (4, Funny)

bcmm (768152) | more than 9 years ago | (#12156268)

I bet that malware is Internet Explorer-specific.
Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
Oh, wait...


Idiot.

Re:More reason to use Firefox (2, Insightful)

Anonymous Coward | more than 9 years ago | (#12156359)

I bet that malware is Internet Explorer-specific.

Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
Oh, wait...


Yes, the malware is almost certainly designed to install via IE, not other (better) browsers.
Methinks the idiot here is the one who signed
his post "Idiot"

Re:More reason to use Firefox (2, Informative)

netcrusher88 (743318) | more than 9 years ago | (#12156368)

Well, yes, but I meant the malware on the sites redirected to. Obviously, you can't avoid the DNS cache poisoning, so this would be annoyingly effective for phishing.

Re:More reason to use Firefox (2, Informative)

bcmm (768152) | more than 9 years ago | (#12156355)

And besides, there are plenty of cross-platform attacks you could do with this.

Want a copy of a user's eBay cookie? (Ok maybe eBay doesn't save passwords this way but you get the point, lots of sites do. It's like phishing, but the computer believes it's genuine, not just the user).

Re:More reason to use Firefox (1)

junkcode (671530) | more than 9 years ago | (#12156444)

ah, yes... now, i just hope someone just doesn't say firefox "secures" you from dns-poisoning.

Re:More reason to use Firefox (1)

me at werk (836328) | more than 9 years ago | (#12156583)

Of course it doesn't, yet [slashdot.org] .

colored alerts (1, Funny)

hey (83763) | more than 9 years ago | (#12156201)

I am sooo glad that SANS uses colored alerts like "Homeland" Security. It's pretty tacky. I guess the first time I heard about it was in the original Star Trek. Nothing tacky there.

Re:colored alerts (4, Interesting)

delta_avi_delta (813412) | more than 9 years ago | (#12156322)

You know the British secret service use color coded bikinis for terror alert levels. Black-Special Bikini has got to be the coolest alert level around :)

ummm (1)

dAzED1 (33635) | more than 9 years ago | (#12156626)

Do you realize that Star Trek used them because it has been standard practice for a long while? The election of the new Pope - every vote that doesn't pick someone will be signaled with black smoke. One that does pick someone will be signaled with white smoke. Smoke canisters demark certain types of activities. Green light means go, yellow means caution, red means stop. Color has been used as a quick way of alerting people for long before Star Trek.

Re:We all know what's next (1)

jcaren (862362) | more than 9 years ago | (#12156692)

Even ST has gone off this and tried to retrofit a "reed" alert.

More color-coded warnings? (5, Funny)

loqi (754476) | more than 9 years ago | (#12156207)

I give it two years until the sight of a rainbow fills me with abject terror and confusion.

Re:More color-coded warnings? (0)

Anonymous Coward | more than 9 years ago | (#12156273)

. . . That's when we'll know the terrorists have won.

Re:More color-coded warnings? (2, Funny)

peragrin (659227) | more than 9 years ago | (#12156314)

forget rainbow, wait till the perfect orange sunset, and run around screaming even mother nature knows terrorists are coming.

Re:More color-coded warnings? (3, Funny)

krf (873528) | more than 9 years ago | (#12156419)

The rainbow [wikipedia.org] already fills most republicans with abject terror and confusion.

Maybe that's why they invented that terror warning thing.

Re:More color-coded warnings? (4, Funny)

oneiros27 (46144) | more than 9 years ago | (#12156523)

Kryten:
We must take action. Be bold, positive, decisive. I suggest we move from blue alert to red alert, sir.
Cat:
Forget red! Let's go all the way up to brown alert!
Kryten:
But there's no such thing as brown alert, sir.
Cat:
You won't be saying that in a minute. And don't say I didn't alert you!

Red Dwarf, Series 8, Episode 1.

Re:More color-coded warnings? (4, Funny)

mmkkbb (816035) | more than 9 years ago | (#12156635)

*KABOOM*

Arrr, an attack! Matey, fetch me red shirt! Can't let the men see me bleedin' if I get hit! ...

*KABOOM*

Arrr, that was a close one! Fetch me brown pants too!

Re:More color-coded warnings? (0)

Anonymous Coward | more than 9 years ago | (#12156748)

Thank you. That was the funniest thing I've seen on slashdot in a while.

How does it happen? (1, Interesting)

caluml (551744) | more than 9 years ago | (#12156210)

I've not really looked into it, but how do you go about poisoning DNS?

Re:How does it happen? (5, Informative)

Anonymous Coward | more than 9 years ago | (#12156472)

There are a few ways. Off the top of my noggin:
  • If your target DNS server is running Microsoft's DNS server, on W2K SP 1 or 2 (this may have been patched, I dunno), you can poison DNS using an alias. It's simple. You have to have control of a zone (say realzone.com) and a DNS server. You create a zone on your dns server under the name you want to poison, say example.com. Your DNS server thinks it is authoritative for the example.com zone. Next you create a host record in example.com that points to a host you control. In your real zone (realzone.com), you create a CNAME record for a host like spoof that points to a hostname at example.com, like www.example.com. Then you point your local stub resolver at the target DNS server (most DNS servers will resolve for anyone by default). When you try to look up spoof.realzone.com, the target DNS server will find your dns server. Your dns server will see that spoof.realzone.com is a CNAME for www.example.com and look that up. Since it thinks it is authoritative for example.com, it will ask itself, and return that IP address to the target DNS server. Now it is in the target's DNS cache. Anyone who tries to resolve www.example.com from that DNS server will get the IP address of the host you defined in the example.com zone. Spoof!
  • Another way is to sniff the traffic of the target DNS server and when it tries to resolve a host name, feed it the result of your choosing before the recursive query finishes. The first response wins, generally.


There are probably other ways, but it isn't hard.

The bottom line, DNS is an untrustworthy system.

Re:How does it happen? (4, Insightful)

jon3k (691256) | more than 9 years ago | (#12156616)

Unprotected DDNS (dynamic dns registration, Microsoft loves this one)

And also you can feed a slave server your own zone, based on the nameserver configuration, it will work (very rarely).

Re:How does it happen? (3, Informative)

Rolan (20257) | more than 9 years ago | (#12156666)

Start by clicking the "HERE" in the article and, oh, wow, there's a whole report on how it happens!

If this is such a big deal... (1)

oldosadmin (759103) | more than 9 years ago | (#12156216)

Then why haven't we heard about it before it got this serious?

I mean, isn't there a way to make people aware of stuff like that? I don't want some script kiddie seeing my google searches for pr0n.

Re:If this is such a big deal... (5, Informative)

Wizy (38347) | more than 9 years ago | (#12156258)

We have. This has been a known problem since early 1997. It is well documented in the IRC community (admins and coders.)

Documents like this one from 1997: http://www.cs.rpi.edu/~kennyz/doc/unix/dns.spoof [rpi.edu]

How does this work? (2, Insightful)

bcmm (768152) | more than 9 years ago | (#12156220)

Is this done basically by taking over insecure DNS servers or is something more subtle involved, e.g. making computers treat your machine as their DNS server instead?

Re:How does this work? (4, Informative)

Tony Hoyle (11698) | more than 9 years ago | (#12156265)

It's where you have an insecure server and someone manages to modify your zone file externally. It really shouldn't be possible any more... all dns servers ship secure by default, and any admin that makes such a configuration change should be fired on the spot.

Re:How does this work? (1)

Wizy (38347) | more than 9 years ago | (#12156333)

Since the problem is over 8 years old, anyone still doing it should be SHOT on the spot so they don't find another job and do it again.

Re:How does this work? (1)

SPY_jmr1 (768281) | more than 9 years ago | (#12156380)

The DNS service might be secure, but what happens if the box is rooted...

if they fixed so that it's impossible to hack a box, and no one told me... Heads. Will. Roll.

Re:How does this work? (3, Informative)

Anonymous Coward | more than 9 years ago | (#12156301)

Usually it's done by flooding a dns server with carefully crafted false replies based on known previous requests from the server.

Or by taking advantage of servers that listen to extra information that they really shouldn't listen to in a reply.

With both methods the aim is to trick the dns server into caching your false response for its clients.

Your Sig (0)

Anonymous Coward | more than 9 years ago | (#12156337)

llamas feed upon themselves!!!

Re:Your Sig (1)

bcmm (768152) | more than 9 years ago | (#12156527)

Well done. Plenty of people don't know where they come from. Someone even claimed to get no output, which seems very untrue.

On my computer, though, the majority of llamas are in strange sentences or compound words like "llamaboy" and I can't work out where they come from. Which is scary.

Let's Kill The Golden Goose (5, Insightful)

ackthpt (218170) | more than 9 years ago | (#12156248)

Sure, internet click-thrus generate money, but when they get so invasive and destructive, they'll drive people away from the internet. I can't imagine any advertiser likes that idea.

Worse, perhaps, is that all these problems may encourage some horrible proprietary internet standards to arise, claiming safety from ad/spy/malware, phishing, etc. and all the cattle have to do is sign up, abandoning the old internet.

Re:Let's Kill The Golden Goose (1)

DigiShaman (671371) | more than 9 years ago | (#12156484)

If the UN controls the Internet, then you can bet your bottom dollar that the Internet as we know it will become fragmented. I can only imagine the horrors the consumer market faces with a bunch of AOL-Me-too networks/service.

Meanwhile, the educational system will be threaded together on Internet2.

what... (1)

dAzED1 (33635) | more than 9 years ago | (#12156534)

what does that have to do with the article? Do you think fly-by-night, get-rich-quick, screw-the-world folks who sneak malware onto your system care about that?

And do you not think the internet will persist regardless, and will instead create another AOL type sub-internet (like China) with filtered content?

Question (4, Funny)

Ryosen (234440) | more than 9 years ago | (#12156267)

I've been using Opera for 6 years now and I'm a little confused.

What is "malware"?

Re:Question (1)

tomstdenis (446163) | more than 9 years ago | (#12156497)

Malware would be the "bonus added value" that your younger_brother/sister/mother installed on your computer along with real_player/real_arcade/other_silly_program/etc.

Tom

Re:Question (4, Informative)

OnceWas (187243) | more than 9 years ago | (#12156544)

Opera (or Firefox) isn't immune to phishing attacks. How would you know you're giving your banking info to a phony site that looks exactly like your own bank's login screen? Especially if the domain name is correct?

I assume SSL would catch some of this, but not all.

DNS poisoning is creepy, since it's browser/OS agnostic.

Re:Question (0)

Anonymous Coward | more than 9 years ago | (#12156592)

I thought you said you used Opera?

How to stop DNS cache poisoning (0, Informative)

Anonymous Coward | more than 9 years ago | (#12156290)

As a rather well known expert in the field of cybersecurity, I offer the following solutions (sans my standard $450/hr rate) -

Turn the lifetime of all DNS records to 0. This way they will not be cached, hence no poisoning issues

Upgrade everyone to BIND 9.0 - including Windows - and turn on crypto. This will add security so malicious users can connect and poison the DNS cyber buffer!

Implementing these 2 will solve 90% of problems. Free advice from a top security consultant at Foundstone. (you'd know my name)

Re:How to stop DNS cache poisoning (4, Funny)

Wizy (38347) | more than 9 years ago | (#12156374)

Did you run the warez server? I know that guy's name.

Re:How to stop DNS cache poisoning (0)

Anonymous Coward | more than 9 years ago | (#12156613)

0. Separate DNS Server and DNS Cache for better security as Djbdns. (my rate 1 beer/hr)

AC ??? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12156614)

Wait, hold on ... Anonymous Coward?! DUDE! I love your work, I read your posts all the time.

Re:AC ??? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12156706)

Hey! That guy's an impostor. I'm Anonymous Coward!

Re:How to stop DNS cache poisoning (2, Funny)

clickster (669168) | more than 9 years ago | (#12156746)

"Free advice from a top security consultant at Foundstone. (you'd know my name)"

OK. I call bullshit. I spent 30 minutes looking through the Foundstone corporate directory and there is no "Anonymous Coward", "A. Coward", etc.

windowsupdate.microsoft.com? (0)

jfengel (409917) | more than 9 years ago | (#12156292)

Has anybody tried to redirect windowsupdate.microsoft.com? That could potentially install malware at massive privilege levels and therefore impossible to remove. And it's done automatically.

That's the reason I don't auto-update. I'll let it download the software but I'm waiting a few days before installing it. Hopefully in the intervening time somebody would say, "For the love of God please don't install update #77439245!"

Re:windowsupdate.microsoft.com? (5, Informative)

Anonymous Coward | more than 9 years ago | (#12156349)

Has anybody tried to redirect windowsupdate.microsoft.com? That could potentially install malware at massive privilege levels and therefore impossible to remove. And it's done automatically.

Automatic updates that are not signed and verified will not install.

Re:windowsupdate.microsoft.com? (1, Interesting)

The Bungi (221687) | more than 9 years ago | (#12156703)

It's interesting that when Peter Torr brought up the issue of Mozilla not signing [msdn.com] their packages he was massively flamed by all the retard fanboys, who of course got wind of his "criticism" from the ever-helpful Slashbork [slashdot.org] .

Shortly thereafter, Mozilla mysteriously started signing [msdn.com] their packages.

I wonder who would have gotten flamed if someone had trojaned a few million Firefox users using this method. Ah well, we all know open source is perfect, so this type of speculation is pointless.

Re:windowsupdate.microsoft.com? (1)

QuantumRiff (120817) | more than 9 years ago | (#12156747)

if the attacker is redirecting the windowsupdate.microsoft.com domain, wouldn't it be possible to redirect the domain for the CA that signs those packages? I'm certainly not very knowledgeable on signing and certs, but couldn't they just setup a cert-server running somewhere that says "yep, thats microsoft"?

Re:windowsupdate.microsoft.com? (4, Informative)

Dejohn (164452) | more than 9 years ago | (#12156361)

I believe that all Windows Update patches are digitally signed, so this spoof might be harder to pull off than it would initially seem.

Re:windowsupdate.microsoft.com? (2, Informative)

dAzED1 (33635) | more than 9 years ago | (#12156423)

they are. Hopefully someone will take the GP down a notch or 2 from "5-insightful" and up your retort a few notches from "1"

It's not just windowsupdate.microsoft.com that is prived - it's a little more sophisticated than that.

I'm not even a MS apologist...haven't used a MS product in many years (except when I'm forced to for work-related reasons)

Re:windowsupdate.microsoft.com? (1)

slashkitty (21637) | more than 9 years ago | (#12156397)

Windows updates use keys to identify real MS updates. They'd have to crack the key and do a DNS poisoning for there to be a problem.

Home Is Where the Heat Is (2, Interesting)

Doc Ruby (173196) | more than 9 years ago | (#12156336)

Isn't this kind of attack on the global Internet exactly the kind of thing that Homeland Security's "Cybersecurity" department is responsible for stopping? What are we paying them billions of dollars, and suspending our liberties, to do? While we're at it, what's the difference between National security, Homeland security, and Defense? Aren't they all just riding a single planebombing to unchecked power and riches, without accountability or results?

Re:Home Is Where the Heat Is (1, Insightful)

Winterblink (575267) | more than 9 years ago | (#12156475)

You want DHS to make sure your google surfing doesn't fill your computer with spam? You're actually more concerned about that than some terrorist blowing up a kindergarten or something? Your priorities are truly fucked.

Re:Home Is Where the Heat Is (1)

ladyeyes (667481) | more than 9 years ago | (#12156591)

Do you really, really WANT the DHS folks setting standards for this type of stuff?

I know there's DNSSEC work going on in the IETF... Think NIST is involved (at least their IT Lab's annual report says they are). Anyone know how well this work is progressing?

simple (0)

tomstdenis (446163) | more than 9 years ago | (#12156358)

Run Firefox on Gentoo as a non-root user on an AMD64 in 64-bit mode.

Nobody writes software [in binary only form] let alone viruses for that platform...

[Anyone know of a flash plugin that actually works in 64-bit mode? I've tried gflash and the default macromedia ones...]

Tom

Re:simple (0)

Anonymous Coward | more than 9 years ago | (#12156434)

No, as you said, there is no malware for that platform.

Re:simple (-1, Redundant)

tomstdenis (446163) | more than 9 years ago | (#12156461)

touche. ;-)

Tom

Re:simple (4, Informative)

fimbulvetr (598306) | more than 9 years ago | (#12156500)

This is a DNS server issue, not a client issue.
Suppose you visit citibank.com often. citibank.com is at 192.168.0.1 (It's an example). If the dns server you normally query has been poisoned, it could potentially give you 10.0.0.1 (that's an example too). 10.0.0.1 could be a quick 0 day citibank look alike setup in korea with the sole purpose of grabbing your username, password, acct number, etc.
The real citibank.com would never know that this happened, and there is a real chance the person who ran your dns server wouldn't know either.
There are no 10 minute preventative measures one could do to protect themselves on this one, outside of using a known good dns resolver. Even then, you have to know the dns server the resolver uses is good...

Re:simple (1)

tomstdenis (446163) | more than 9 years ago | (#12156638)

Except they wouldn't have a signed CA cert for citibank.com

And smart people should check the certificate before logging in.

Tom

Re:simple (1)

ArbitraryConstant (763964) | more than 9 years ago | (#12156715)

Great. Except when the DNS server sends you somewhere where you can give up your credit card numbers, passwords, and other personal information. Unless SSL is employed, there's no practical way to know that you're going to the right site.

Re:simple (0)

Anonymous Coward | more than 9 years ago | (#12156729)

No need to use 64 bit technology. You'll be just as safe on an 8-bit Apple IIe. Nobody writes software for that either.

Djbdns - immune to DNS cache poisoning (?) (5, Insightful)

bad_outlook (868902) | more than 9 years ago | (#12156398)

Anyone using Djbdns? I've set it up on my home network server running FreeBSD to provide dnscache for all my boxes within 192* and thus far it's working perfectly. From Djbdns' security page, it says that it's impervious to DNS poisoning:

  • "dnscache does not cache (or pass along) records outside the server's bailiwick; those records could be poisoned. Records for foo.dom, for example, are accepted only from the root servers, the dom servers, and the foo.dom servers."

    "dnscache is immune to cache poisoning."

Djbdns [cr.yp.to]

While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet. Anyone care to comment, please do, as I've just started using this and want to know how effective it is.

bo
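A defensive bailiwick check of the kind the djbdns page above describes, which would also have kept the volunteered www.example.com record from the "How does it happen?" comment out of a cache; this is an added example, not code from the thread or from djbdns, and RR, SAMPLE_RESPONSE and the 192.0.2.x addresses are constructed for illustration:

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as a resolver sees it in a response (constructed, simplified)."""
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # "A", "CNAME", "NS", ...
    rdata: str   # record data as a plain string for this example


def _labels(name: str) -> list[str]:
    """Lower-cased labels of NAME, root-relative; "." and "" both give []."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if NAME is ZONE itself or lies below it. The comparison is label-wise,
    so "notexample.com" is not inside "example.com". The root zone contains everything."""
    n, z = _labels(name), _labels(zone)
    if not z:
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def filter_response(server_zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split RECORDS into (accepted, rejected). The answering server is trusted only
    for SERVER_ZONE; records it volunteers for other names never reach the cache."""
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, server_zone) else rejected).append(rr)
    return accepted, rejected


def pending_queries(accepted: list[RR]) -> list[str]:
    """Names the resolver still has to look up itself: CNAME targets that no accepted
    record answers. A cache that follows the bailiwick rule re-queries these from the
    servers responsible for them instead of trusting a volunteered answer."""
    answered = {rr.name.lower() for rr in accepted if rr.rtype in ("A", "AAAA", "CNAME")}
    targets = [rr.rdata for rr in accepted if rr.rtype == "CNAME"]
    return [t for t in targets if t.lower() not in answered]


# Constructed response, modelled on the CNAME case described in the thread:
# the realzone.com server answers for spoof.realzone.com and appends an A record
# for www.example.com, a name it has no authority over.
SAMPLE_RESPONSE = [
    RR("spoof.realzone.com.", "CNAME", "www.example.com."),  # in bailiwick
    RR("realzone.com.", "NS", "ns1.realzone.com."),          # authority, in bailiwick
    RR("ns1.realzone.com.", "A", "192.0.2.10"),              # glue, in bailiwick
    RR("www.example.com.", "A", "192.0.2.66"),               # out of bailiwick: dropped
]


def demo() -> dict[str, list[str]]:
    """Run the filter over SAMPLE_RESPONSE and report, by owner name, what happened."""
    accepted, rejected = filter_response("realzone.com", SAMPLE_RESPONSE)
    return {
        "cached": [rr.name for rr in accepted],
        "dropped": [rr.name for rr in rejected],
        "re-query": pending_queries(accepted),
    }


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key:>9}: {', '.join(names)}")
```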

Re:Djbdns - immune to DNS cache poisoning (?) (3, Informative)

Tuqui (96668) | more than 9 years ago | (#12156495)

The separation between DNS Server and DNS Cache is very clever. This is a point that even BIND must take care.

Where law fails to dissuade... (0, Offtopic)

erroneus (253617) | more than 9 years ago | (#12156400)

...perhaps a lead pipe would.

The people who perpetrate this kind of thing are nothing short of criminals and these people are not being pursued and prosecuted as they should be.

They need the crap beat out of them is what they need. I wonder if/when it will happen though...

The most frightening part... (5, Insightful)

loopsandsounds (752223) | more than 9 years ago | (#12156425)

If you read down the SANS presentation you come to this:

The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory.

Totally browser/machine agnostic attacks, no user intervention. If you look at the names of the sites, many of them are financial institutions! And all of those victims that click okay every time they get an "invalid certificate" message. Be afraid, very afraid.

But is it really there? (0)

Anonymous Coward | more than 9 years ago | (#12156435)

The full presentation of information up until this point can be found here."

But are you really really really sure that it is?

Treewalk (1)

BenWang (658479) | more than 9 years ago | (#12156468)

For the longest time, I've been running Treewalk on my Win32 machines, hence I guess I'm immune to this.

http://ntcanuck.com/

DNS Cache Poisoning Spreads Malware (0, Offtopic)

chrisnewbie (708349) | more than 9 years ago | (#12156543)

You don't have to have DNS poisoning to get redirected to another website or get altered search results.
Download my web search, Kazaa, eDonkey and those crappy programs that give you all those neat (sucky) tools for searching the web... just see what the results are when you search for something and it gives you weird answers...

Oh wait, Internet Explorer's search engine does the same thing... forgot to put it in the unwanted crappy search engine list.

cat syslog | grep named (1)

SamMichaels (213605) | more than 9 years ago | (#12156547)

Have you done this lately? I've never seen so much nonsense, rejections, security denials, et al.

Funny How Easy this is to prevent (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12156552)

Damn, if only I had checked the "turn on security" box!!

From MSFT (http://support.microsoft.com/default.aspx?scid=kb;en-us;241352 [microsoft.com] )

NOTE: On Windows 2000, you can perform the same entry in the GUI. Use the following steps to do this:

1. Open DNS Management Console by clicking Start, Programs, Administrative Tools, DNS.
2. Right click on the server name in the left window pane.
3. Choose Properties.
4. Choose the Advanced tab.
5. Place a check in the box "Secure cache against pollution".

DNS is broken... (1, Funny)

Anonymous Coward | more than 9 years ago | (#12156564)

Everyone should just learn to remember IP addresses...my email is ac+NOSPAM@127.0.0.1

how big is this problem? (1)

msblack (191749) | more than 9 years ago | (#12156669)

If this is such a big problem today, why aren't the folks on NANOG (North American Network Operators Group) discussing it?

Yet another example of Windows messing up (4, Insightful)

Paradox (13555) | more than 9 years ago | (#12156696)

Ahh, Windows. People use it for servers too.

From TFA:
Basically, the UNIX-based stuff has been secure against cache poisoning for quite some time, but there may always be a bug or design flaw that is discovered. We are not quite sure why Microsoft left a default configuration to be insecure in NT4 and 2000. (Exercise to reader: insert Microsoft security comment/opinion/joke here, but keep it to yourself).

The worst part about DNS cache poisoning is that it affects DNS nodes underneath it in the hierarchy. So if you're below a Windows DNS that gets attacked, you yourself may be subject even if your local DNS is in fact secure.

Oh, and fear caching http proxy servers that touch DNS servers that get poisoned. They can keep the bad data around for a long time.

Protection against DNS Poisoning (1)

jdion (664108) | more than 9 years ago | (#12156721)

Another thought would be to disable DNS Forwarding services. I understand the purpose of DNS is to distribute the service and pull resources off of the root servers, but if DNS servers are getting spoofed packets after querying the root DNS servers, then I think there is an even bigger problem that needs to be addressed.

SANS vs. the rest of the security community. (5, Interesting)

tsu doh nimh (609154) | more than 9 years ago | (#12156740)

Washingtonpost.com is running an interesting story [washingtonpost.com] about how SANS is really the only major player in the security community that is making any noise about this.

...(snip..)

...."But here's the rub: Symantec Corp., which maintains tens of thousands of "sensors" at various points around the Internet to pick up signs of Internet attacks, said it isn't seeing anything out of the ordinary with DNS attacks.

Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."

Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."

All of this may seem like an academic debate to those who claim to have been victimized by these attacks.

On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.

"I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.

John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.

In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.

Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)

"People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."
