
Ten Percent of DNS Servers Still Vulnerable

Zonk posted more than 9 years ago | from the watch-our-back dept.

Security 170

maotx writes "Even with the uproar caused by the recent DNS attacks, a recent study of 2.5 million DNS servers shows that roughly 10% are still vulnerable to DNS cache poisoning. To put that a little bit more in perspective, of that 10% discovered, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." From the article: "The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming."
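The poisoning the summary describes works against resolvers that trust every record in a response, including additional-section records for names the answering server has no authority over. What follows is an added example, not code from the article, the study, or BIND itself: a minimal parser for a DNS response in wire format plus the bailiwick check that discards such out-of-zone records. The response bytes are constructed for the demo (not captured traffic), and the zone passed to cache_records() is an assumption standing in for "the zone whose authoritative server was queried", which a real resolver tracks per delegation.

```python
# Added example: bailiwick filtering of a poisoned DNS response.
# Not from the thread, the cited study or BIND; sample bytes are constructed.
import struct

A_RECORD = 1


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers.
    Returns (dotted name with trailing '.', offset just past the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if not jumped:
                end = off + 2                           # name ends where the pointer ends
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def _read_rrs(msg, off, count):
    """Parse `count` resource records at off -> list of (name, type, ttl, rdata)."""
    rrs = []
    for _ in range(count):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def parse_response(msg):
    """Split a DNS response into the question name and its three RR sections."""
    _qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    qname, off = _read_name(msg, 12)
    off += 4                                            # skip QTYPE and QCLASS
    answer, off = _read_rrs(msg, off, ancount)
    authority, off = _read_rrs(msg, off, nscount)
    additional, _ = _read_rrs(msg, off, arcount)
    return {"qname": qname, "answer": answer, "authority": authority,
            "additional": additional}


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone` (both written with a trailing dot)."""
    return name == zone or name.endswith("." + zone)


def cache_records(resp, zone, check_bailiwick=True):
    """Return {name: ipv4} that a resolver would cache from this response.

    check_bailiwick=False reproduces the permissive behaviour that cache
    poisoning abuses: every A record in the response is trusted, including
    additional records for names the queried server is not authoritative for.
    """
    cache = {}
    for name, rtype, _ttl, rdata in resp["answer"] + resp["authority"] + resp["additional"]:
        if rtype != A_RECORD:
            continue
        if check_bailiwick and not in_bailiwick(name, zone):
            continue                                    # out of bailiwick: discard
        cache[name] = ".".join(str(b) for b in rdata)
    return cache


# --- constructed sample response (assumed data, not captured traffic) ---------
def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def _a_rr(wire_name, ipv4, ttl=3600):
    return wire_name + struct.pack("!HHIH", A_RECORD, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))


# Authoritative answer for www.example.com whose additional section smuggles in
# an A record for www.bank.example, a name example.com's server does not own.
POISONED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1)  # id, flags QR|AA, qd, an, ns, ar
    + _wire_name("www.example.com") + struct.pack("!HH", A_RECORD, 1)
    + _a_rr(b"\xc0\x0c", "192.0.2.10")                   # name = pointer to the question
    + _a_rr(_wire_name("www.bank.example"), "198.51.100.66")
)

if __name__ == "__main__":
    resp = parse_response(POISONED_RESPONSE)
    print("no bailiwick check:  ", cache_records(resp, "example.com.", check_bailiwick=False))
    print("with bailiwick check:", cache_records(resp, "example.com."))
```

Run it and the permissive path caches the attacker's www.bank.example address alongside the legitimate answer, while the checked path keeps only the record under example.com. A production resolver layers more on top of this (transaction ID and source port randomness, credibility ranking of sections, DNSSEC), but refusing out-of-zone records is the piece that directly defeats the additional-section injection the article is about.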


170 comments


Admins - Take some initiative! (4, Insightful)

bigwavejas (678602) | more than 9 years ago | (#13241197)

Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches? Instead, it takes an article like this to get them off their asses to take action. It shouldn't be this way.

This is strikingly similar to the Cisco OS debacle, where a patch had been available for some time, yet Admins failed to patch their hardware on their own. Yes, it's a pain in the ass to take your network down, but look at the alternative...Hacked!

Re:Admins - Take some initiative! (3, Insightful)

dthrall (894750) | more than 9 years ago | (#13241227)

agreed, with phishing scams, we can blame the users who fall for the scheme... it seems these techniques are undetectable to the end user...

Re:Admins - Take some initiative! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13241252)

Fuck Slashdot.

Pharming (1)

ePhil_One (634771) | more than 9 years ago | (#13243014)

with phishing scams, we can blame the users who fall for the scheme

While there are always some who fall for the most obvious scam, these attacks are becoming more professional by the day, and no company can afford to absentmindedly blame their users (yes, I work for a company that sells anti-abuse services, we've been on the cutting edge of this for a while).

The article writer references the term "Pharming"; while DNS cache poisoning is a form of Pharming, it's much bigger than that. It's basically a variation of Phishing, where instead of actively sending enticements to visit your site, you place a site out there (usually a misspelling of a Brand) and wait for victims to stroll by. Since it's passive, it's harder to detect than Phishing (we have a solution of course). But not all Pharming is evil, some is just irritating. Some sites are just out there to collect a wee bit o' ad revenue from every typo that hits them, just 100 hits a month can make a no content site profitable when done on a grand scale...

Re:Admins - Take some initiative! (4, Interesting)

Kainaw (676073) | more than 9 years ago | (#13241275)

Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches?

You are assuming the fix is a patch. I get vulnerability reports for my servers every week. The issues are never patches because I check for new patches every day. I get vulnerabilities that have no patch of any kind, yet I'm expected to somehow rewrite all of the software on the computer to fix the vulnerability. If I could do that, I wouldn't be working here. I assume that I am in the same position as most admins, I have to wait for the patches to come out and hope nothing bad happens while I'm waiting.

Re:Admins - Take some initiative! (1)

bigwavejas (678602) | more than 9 years ago | (#13241556)

I agree, it's not always going to be a patch. Although I would venture to say for the majority of problems, patches are available. Yes, there are going to be excuses why people don't maintain a secure environment. For me it's generally a PITA to update our internal servers (inside the firewall), because I depend on our "Security Group" to post the system patch somewhere inside the firewall where I can download it. Yet, I can guarantee you one thing... the instant a new patch *is* available I immediately take action.

Re:Admins - Take some initiative! (3, Insightful)

WillAffleckUW (858324) | more than 9 years ago | (#13241644)

>Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches?

You are assuming the fix is a patch. I get vulnerability reports for my servers every week.

And then there are patches like the last two Oracle patches which - get this - actually made it worse.

Sometimes it's a good idea to wait for them to patch the patch.

Re:Admins - Take some initiative! (4, Informative)

Bi()hazard (323405) | more than 9 years ago | (#13241795)

The fix in question here is available. The BIND webpage [isc.org] has a scary warning box on the right with details. Everyone should be upgrading to the new version.

But it's not surprising that there's still vulnerable servers out there. In fact, I'm surprised the total is so low. Aside from the few admins who just aren't doing their jobs, these kinds of things often run into bureaucracy. In many organizations, upgrades have to be thoroughly tested before release and there's standard schedules for patch cycles. An admin who wants to simply stick a new version of something on the production server may be told to wait until approval comes. That could take a while. And occasionally you'll have some crappy system that doesn't work well with the new software, and they're stuck rolling back until the problem is solved.

I had a friend who worked at a small ISP that had some serious security issues. The guy who should have been patching things "resigned", something to do with the smell of pot lingering in his office. Anyways, the position went vacant for a little while and the task fell to the two new interns, my friend and another girl. Coincidentally they were both young women and had no experience relevant to the job, proof of quality hiring practices. To make a long story short, the (not terribly large) customer database got hacked and the company was sued. The owner, who had been heavily in debt already, vanished completely. Naturally the whole thing went down in flames and my friend didn't even get a reference out of it.

Most of you are probably sitting there thinking this story is too outlandish to be true. Haha, well, this is the internet so you never know what to trust, but you know there's places out there where things just aren't done the way they're supposed to be. It's shocking what goes on, and there will always be vulnerable servers around.

Getting it down to the numbers in the article this quickly is actually pretty good. The real lesson here is that you need to insulate yourself from the fools who won't take responsibility. Always assume 10% of the internet is out to get you, because they probably are. Hey, I don't even want to think about what 10% of slashdotters would want to do to me.

Re:Admins - Take some initiative! (0)

Anonymous Coward | more than 9 years ago | (#13241951)

Great*YAWN*story. What was the point again?

Is she hittable?

Re:Admins - Take some initiative! (0)

Anonymous Coward | more than 9 years ago | (#13242364)

If you really were an admin, you'd know that in most cases there's a work-around for an issue that can be applied until the patch has been released, methods of firewalling that can prevent abuse of a particular vulnerability, and so on...

Re:Admins - Take some initiative! (3, Funny)

Anonymous Coward | more than 9 years ago | (#13241320)

Why is it that the Admins can't take it upon themselves to keep their software updated with the latest patches?

Maybe they are all Microsoft Certified?

Re:Admins - Take some initiative! (0)

Anonymous Coward | more than 9 years ago | (#13241428)

lol, what?

Re:Admins - Take some initiative! (2, Funny)

Ravatar (891374) | more than 9 years ago | (#13241574)

You forgot to praise linux, A- for effort though.

Re:Admins - Take some initiative! (2, Interesting)

cybersaga (451046) | more than 9 years ago | (#13241365)

Well, the Admins cannot be blamed entirely in the Cisco case. Cisco was blamed for not pushing the importance of that patch.

While, in a perfect world, admins should immediately be on top of every new patch, if I noticed a patch that I thought was just a couple of minor bug fixes, it would go on the end of the "whenever I have time" list.

Re:Admins - Take some initiative! (3, Insightful)

egypt_jimbob (889197) | more than 9 years ago | (#13241414)

This is strikingly similar to the Cisco OS debacle,

No, it isn't. Before the IOS "debacle" it was assumed that remote code execution on IOS was impossible. It's pretty hard to compromise an unpatched system if it's impossible to execute code on it, so admins didn't bother taking down their networks to run the (mostly aesthetic) patches.

Re:Admins - Take some initiative! (1)

gmack (197796) | more than 9 years ago | (#13241502)

This is worse than the Cisco debacle.

Bind9 has been out for years now so there should have been plenty of time to make the few changes needed to the configs to make them compatible with bind9.

This is just a shot in the dark but I'm guessing any isp dumb enough to be still running bind 4 has much more serious problems than DNS cache poisoning.

Re:Admins - Take some initiative! (1)

DuBois (105200) | more than 9 years ago | (#13241659)

Hmmm...
emerge bind
/etc/init.d/named restart
Seems to work pretty well. And doesn't take anything "down."

Gentoo, of course.

Re:Admins - Take some initiative! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13242373)

Because anyone uses Gnetoo on production-systems.

Stick to your WalMart-Windows-Ex-Pee-Homo-Edition-and-Gnetoo-Dual-Boot-system, you moron, and shut up when grown-ups are talking.

Re:Admins - Take some initiative! (4, Insightful)

Burdell (228580) | more than 9 years ago | (#13241947)

In the case of the Cisco IOS problems, nobody knew there was a problem to be patched. That was the biggest part of the problem: Cisco's silence.

When you run services that must be up 24x7, you don't download every new IOS release and load it on dozens or hundreds (or more) of devices just because there was a new release. IOS often has more new bugs in each release than bugs fixed; when you find a release that has the features you require and is stable with those features running, you don't touch it until you find a bug, require a new feature, or Cisco announces a security problem.

I run a relatively small network, and I'm looking at having to upgrade around two dozen devices running IOS in six cities (a number of which require visiting an unmanned office because some things can't be upgraded remotely) plus another dozen or so devices in our spares inventory in two cities. I'm not going to upgrade any operating devices until I can test new releases in a test setup. All of that takes a lot of time, which means something else has to get pushed back.

wait!! (2, Insightful)

tdubya (823850) | more than 9 years ago | (#13242658)

Why isn't this said when a Microsoft issue comes about, and there has been a patch for some time... it's always bad Microsoft!!!

Now that it's BIND, it's the admin's fault?

third post!! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13241219)

yeah

What? (5, Funny)

ucahg (898110) | more than 9 years ago | (#13241220)

230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

Okay, let's have it for unclear writing!

Seriously, what does this even mean? Of the 250,000 that are vulnerable, 230,000 are vulnerable, 60,000 are vulnerable, and 13,000 are vulnerable.

Okay, that clears it up.

Re:What? (1)

dark404 (714846) | more than 9 years ago | (#13241298)

230,000 we don't know but needed to boost our numbers, 60,000 we're pretty sure but still needed more of a numbers boost, and 13,000 we actually got around to testing!

Re:What? (0)

Anonymous Coward | more than 9 years ago | (#13241391)

But 230,000+60,000+13,000=303,000

I think some people need to learn how to add.

Re:What? (1)

JFitzsimmons (764599) | more than 9 years ago | (#13241518)

It didn't need to add up perfectly because some of them can be vulnerable and vulnerable at the same time.

Re:What? (1)

MirrororriM (801308) | more than 9 years ago | (#13241400)

Seriously, what does this even mean? Of the 250,000 that are vulnerable, 230,000 are vulnerable, 60,000 are vulnerable, and 13,000 are vulnerable.

You beat me to the punch. 10% of 2.5 million is 250,000. While the person who wrote the article might be a good writer, it stands to reason because they are terrible at math.

Anyways, that aside, if they identified 250,000 DNS servers with their rating scale, couldn't they at least let the admins of each of the 250,000 DNS servers know? Yeah, I know I'm going to hear "that's like 250,000 emails! OMGWTFBBQ!!1!", but obviously some people took the time to scan 250,000 DNS servers didn't they?

Yes, I know, the admins should be patching their servers, but for the greater good, maybe someone should let these morons (and their bosses) know that their servers might be vulnerable.

Just my two pennies.

Re:What? (1)

ngrier (142494) | more than 9 years ago | (#13243191)

If you actually read TFA, you'd find out that they say "nearly 10% or 230,000" of the 2.5 million computers scanned. And yes he's quoted as saying "I've got several hundred thousand emails to send" - he hasn't sorted through the data to determine which are the vulnerable servers but will notify them when he does the sift. (He also comments that this is the "not-fun" part of security analysis.)

But, for what it's worth, they make no clearer distinction between likely, are, and succumbed.

Re:What? (1)

Newbreedofnerd (894701) | more than 9 years ago | (#13241454)

You have just succeeded in making me incredibly confused. >_>

Re:What? (1)

kinglink (195330) | more than 9 years ago | (#13241623)

230,000 is open to some exploit (don't know how the 20,000 isn't open, maybe they only accept stuff from certain things)

60,000 can be hit by this problem (AKA are BIND 4 or 8).

13,000 they actually hit and proved they could do it? :)

Obviously not, but sounds like they either like large fuzzy numbers or just don't know the meaning of vague.

Young Zaphod Plays It Safe (0)

Anonymous Coward | more than 9 years ago | (#13241892)

A Short Story By Douglas Adams

      A large flying craft moved swiftly across the surface of an astoundingly beautiful sea. From mid-morning onwards it plied back and forth in great widening arcs, and at last attracted the attention of the
local islanders, a peaceful, sea-food loving people who gathered on the
beach and squinted up into the blinding sun, trying to see what was
there.
      Any sophisticated knowledgeable person, who had knocked about, seen a
few things, would probably have remarked on how much the craft looked
like a filing cabinet - a large and recently burgled filing cabinet
lying on its back with its drawers in the air and flying.
      The islanders, whose experience was of a different kind, were instead
struck by how little it looked like a lobster.
      They chattered excitedly about its total lack of claws, its stiff
unbendy back, and the fact that it seemed to experience the greatest
difficulty staying on the ground. This last feature seemed particularly
funny to them. They jumped up and down on the spot a lot to demonstrate
to the stupid thing that they themselves found staying on the ground the
easiest thing in the world.
      But soon this entertainment began to pall for them. After all, since
it was perfectly clear to them that the thing was not a lobster, and
since their world was blessed with an abundance of things that were
lobsters (a good half a dozen of which were now marching succulently up
the beach towards them) they saw no reason to waste any more time on the
thing but decided instead to adjourn immediately for a late lobster
lunch.
      At that exact moment the craft stopped suddenly in mid-air then
upended itself and plunged headlong into the ocean with a great crash of
spray which sent them shouting into the trees.
      When they re-emerged, nervously, a few minutes later, all they were
able to see was a smoothly scarred circle of water and a few gulping
bubbles.
      That's odd, they said to each other between mouthfuls of the best
lobster to be had anywhere in the Western Galaxy, that's the second time
that's happened in a year.

      The craft which wasn't a lobster dived direct to a depth of two
hundred feet, and hung there in the heavy blueness, while vast masses of
water swayed about it. High above, where the water was magically clear,
a brilliant formation of fish flashed away. Below, where the light had
difficulty reaching the colour of the water sank to a dark and savage
blue.
      Here, at two hundred feet, the sun streamed feebly. A large, silk
skinned sea-mammal rolled idly by, inspecting the craft with a kind of
half-interest, as if it had half expected to find something of this kind
round about here, and then it slid on up and away towards the rippling
light.
      The craft waited here for a minute or two, taking readings, and then
descended another hundred feet. At this depth it was becoming seriously
dark. After a moment or two the internal lights of the craft shut down,
and in the second or so that passed before the main external beams
suddenly stabbed out, the only visible light came from a small hazily
illuminated pink sign which read The Beeblebrox Salvage and Really Wild
Stuff Corporation.
      The huge beams switched downwards, catching a vast shoal of silver
fish, which swiveled away in silent panic.
      In the dim control room which extended in a broad bow from the
craft's blunt prow, four heads were gathered round a computer display
that was analysing the very, very faint and intermittent signals that
were[?] emanating from deep on the sea bed.
      "That's it," said the owner of one of the heads finally.
      "Can we be quite sure?" said the owner of another of the heads.
      "One hundred per cent positive," replied the owner of the first head.
      "You're one hundred per cent positive that the ship which is crashed
on the bottom of this ocean is the ship which you said you were one
hundred per cent positive could one hundred per cent positively never
crash?" said the owner of the two remaining heads. "Hey," he put up two
of his hands, "I'm only asking."
      The two officials from the Safety and Civil Reassurance
Administration responded to this with a very cold stare, but the man
with the odd, or rather the even number of heads, missed it. He flung
himself back on the pilot couch, opened a couple of beers - one for
himself and the other also for himself - stuck his feet on the console
and said "Hey, baby" through the ultra-glass at a passing fish.
      "Mr. Beeblebrox...," began the shorter and less reassuring of the two
officials in a low voice.
      "Yup?" said Zaphod, rapping a suddenly empty can down on some of the
more sensitive instruments, "you ready to dive? Let's go."
      "Mr. Beeblebrox, let us make one thing perfectly clear..."
      "Yeah let's," said Zaphod, "How about this for a start. Why don't you
just tell me what's really on this ship."
      "We have told you," said the official. "By-products."
      Zaphod exchanged weary glances with himself.
      "By-products," he said. "By-products of what?"
      "Processes." said the official.
      "What processes?"
      "Processes that are perfectly safe."
      "Santa Zarquana Voostra!" exclaimed both of Zaphod's heads in chorus,
"so safe that you have to build a zarking fortress ship to take the
by-products to the nearest black hole and tip them in! Only it doesn't
get there because the pilot does a detour - is this right? - to pick up
some lobster...? OK, so the guy is cool, but... I mean own up, this is
barking time, this is major lunch, this is stool approaching critical
mass, this is... this is... total vocabulary failure!"
      "Shut up!" his right head yelled at his left, "we're flanging!"
      He got a good calming grip on the remaining beer can.
      "Listen guys," he resumed after a moment's peace and contemplation.
The two officials had said nothing. Conversation at this level was not
something to which they felt they could aspire. "I just want to know,"
insisted Zaphod, "what you're getting me into here."
      He stabbed a finger at the intermittent readings trickling over the
computer screen. They meant nothing to him but he didn't like the look
of them at all. They were all squiggly with lots of long numbers and
things.
      "It's breaking up, is that it?" he shouted. "It's got a hold full
epsilonic radiating aorist rods or something that'll fry this whole
space sector for zillions of years back and it's breaking up. Is that
the story? Is that what we're going down to find? Am I going to come out
of that wreck with even more heads?"
      "It cannot possibly be a wreck, Mr. Beeblebrox," insisted the
official, "the ship is guaranteed to be perfectly safe. It cannot
possibly break up"
      "Then why are you so keen to go and look at it?"
      "We like to look at things that are perfectly safe."
      "Freeeooow!"
      "Mr. Beeblebrox," said on official, patiently, "may I remind you that
you have a job to do?"
      "Yeah, well maybe I don't feel so keen on doing it all of a sudden.
What do you think I am, completely without any moral whatsits, what are
they called, those moral things?"
      "Scruples?"
      "Scruples, thank you, whatsoever? Well?"
      The two officials waited calmly. They coughed slightly to help pass
the time. Zaphod sighed a "what is the world coming to" sort of sigh to
absolve himself from all blame, and swung himself round in his seat.
      "Ship?" he called.
      "Yup?" said the ship.
      "Do what I do."
      The ship thought about this for a few milliseconds and then, after
double checking all the seals on its heavy duty bulkheads, it began
slowly, inexorably, in the hazy blaze of its lights, to sink to the
lowest depths.

      Five hundred feet.
      A thousand.
      Two thousand.
      Here, at a pressure of nearly seventy atmospheres, in the chilling
depths where no light reaches, nature keeps its most heated imaginings.
Two foot-long nightmares loomed wildly into the bleaching light, yawned,
and vanished back into the blackness.
      Two and a half thousand feet.
      At the dim edges of the ship's lights guilty secrets flitted by with
their eyes on stalks.
      Gradually the topography of the distantly approaching ocean bed
resolved with greater and greater clarity on the computer displays until
at last a shape could be made out that was separate and distinct from
its surroundings. It was like a huge lopsided cylindrical fortress which
widened sharply halfway along its length to accommodate the heavy
ultra-plating with which the crucial storage holds were clad, and which
were supposed by its builders to have made this the most secure and
impregnable spaceship ever built. Before launch the material structure
of this section had been battered, rammed, blasted and subjected to
every assault its builders knew it could withstand in order to
demonstrate that it could withstand them.
      The tense silence in the cockpit tightened perceptibly as it became
clear that it was this section that had broken rather neatly in two.
      "In fact it's perfectly safe," said one of the officials, "it's built
so that even if the ship does break up, the storage holds cannot
possibly be breached."

      Three thousand, eight hundred and twenty five feet.
      Four Hi-Presh-A SmartSuits moved slowly out of the open hatchway of
the salvage craft and waded through the barrage of its lights towards
the monstrous shape that loomed darkly out of the sea night. They moved
with a sort of clumsy grace, near weightless though weighed on by a
world of water.
      With his right-hand head Zaphod peered up into the black immensities
above him and for a moment his mind sang with a silent roar of horror.
He glanced to his left and was relieved to see that his other head was
busy watching the Brockian Ultra-Cricket broadcasts on the helmet vid
without concern. Slightly behind him to his left walked the two
officials from the Safety and Civil Reassurance Administration, slightly
in front of him to his right walked the empty suit, carrying their
implements and testing the way for them.
      They passed the huge rift in the broken backed Starship Billion Year
Bunker, and played their flashlights up into it. Mangled machinery
loomed between torn and twisted bulkheads, two feet thick. A family of
large transparent eels lived in there now and seemed to like it.
      The empty suit preceded them along the length of the ship's gigantic
murky hull, trying the airlocks. The third one it tested ground open
uneasily. They crowded inside it and waited for several long minutes
while the pump mechanisms dealt with the hideous pressure that the ocean
exerted, and slowly replaced it with an equally hideous pressure of air
and inert gases. At last the inner door slid open and they were admitted
to a dark outer holding area of the Starship Billion Year Bunker.
      Several more high security Titan-O-Hold doors had to be passed
through, each of which the officials opened with a selection of quark
keys. Soon they were so deep within the heavy security fields that the
UltraCricket broadcasts were beginning to fade, and Zaphod had to switch
to one of the rock video stations, since there was nowhere that they
were not able to reach.
      A final doorway slid open, and they emerged into a large sepulchral
space. Zaphod played his flashlight against the opposite wall and it
fell full on a wild-eyed screaming face.
      Zaphod screamed a diminished fifth himself, dropped his light and sat
heavily on the floor, or rather on a body which had been lying there
undisturbed for around six months and which reacted to being sat on by
exploding with great violence. Zaphod wondered what to do about all
this, and after a brief but hectic internal debate decided that passing
out would be the very thing.
      He came to a few minutes later and pretended not to know who he was,
where he was or how he had got there, but was not able to convince
anybody. He then pretended that his memory suddenly returned with a rush
and that the shock caused him to pass out again, but he was helped
unwillingly to his feet by the empty suit - which he was beginning to
take a serious dislike to - and forced to come to terms with his
surroundings.
      They were dimly and fitfully lit and unpleasant in a number of
respects, the most obvious of which was the colourful arrangement of
parts of the ship's late lamented Navigation Officer over the floor,
walls and ceiling, and especially over the lower half of his, Zaphod's,
suit. The effect of this was so astoundingly nasty that we shall not be
referring to again at any point in this narrative - other than to record
briefly the fact that it caused Zaphod to throw up inside his suit,
which he therefore removed and swapped, after suitable headgear
modifications, with the empty one. Unfortunately the stench of the fetid
air in the ship, followed by the sight of his own suit walking around
casually draped in rotting intestines was enough to make him throw up in
the other suit as well, which was a problem that he and the suit would
simply have to live with.
      There. All done. No more nastiness.
      At least, no more of that particular nastiness.
      The owner of the screaming face had calmed down very slightly now and
was bubbling away incoherently in a large tank of yellow liquid - an
emergency suspension tank.
      "It was crazy," he babbled, "crazy! I told him we could always try
the lobster on the way back, but he was crazy. Obsessed! Do you ever get
like that about lobster? Because I don't. Seems to me it's all rubbery
and fiddly to eat, and not that much taste, well I mean is there? I
infinitely prefer scallops, and said so. Oh Zarquon, I said so!"
      Zaphod stared at this extraordinary apparition, flailing in its tank.
The man was attached to all kinds of life-support tubes, and his voice
was bubbling out of speakers that echoed insanely round the ship,
returning as haunting echoes from deep and distant corridors.
      "That was where I went wrong" the madman yelled, "I actually said
that I preferred scallops and he said it was because I hadn't had real
lobster like they did where his ancestors came from, which was here, and
he'd prove it. He said it was no problem, he said the lobster here was
worth a whole journey, let alone the small diversion it would take to
get here, and he swore he could handle the ship in the atmosphere, but
it was madness, madness!" he screamed, and paused with his eyes rolling,
as if the word had rung some kind of bell in his mind, "The ship went
right out of control! I couldn't believe what we were doing and just to
prove a point about lobster which is really so overrated as a food, I'm
sorry to go on about lobsters so much, I'll try and stop in a minute,
but they've been on my mind so much for the months I've been in this
tank, can you imagine what it's like to be stuck in a ship with the same
guys for months eating junk food when all one guy will talk about is
lobster and then spend six months floating by yourself in a tank
thinking about it. I promise I will try and shut up about the lobsters,
I really will. Lobsters, lobsters, lobsters - enough! I think I'm the
only survivor. I'm the only one who managed to get to an emergency tank
before we went down. I sent out the Mayday and then we hit. It's a
disaster isn't it? A total disaster, and all because the guy liked
lobsters. How much sense am I making? It's really hard for me to tell."
He gazed at them beseechingly, and his mind seemed to sway slowly back
down to earth like a falling leaf . He blinked and looked at them oddly
like a monkey peering at a strange fish. He scrabbled curiously with his
wrinkled up fingers at the glass side of the tank. Tiny, thick yellow
bubbles loosed themselves from his mouth and nose, caught briefly in his
swab of hair and strayed on upwards.
      "Oh Zarquon, oh heavens," he mumbled pathetically to himself, "I've
been found. I've been rescued..."
      "Well," said one of the officials, briskly, "you've been found at
least." He strode over to the main computer bank in the middle of the
chamber and started checking quickly through the ship's main monitor
circuits for damage reports.
      "The aorist rod chambers are intact," he said.
      "Holy dingo's dos," snarled Zaphod, "there are aorist rods on
board...!"
      Aorist rods were devices used in a now happily abandoned form of
energy production. When the hunt for new sources of energy had at one
point got particularly frantic, one bright young chap suddenly spotted
that one place which had never used up all its available energy was -
the past. And with the sudden rush of blood to the head that such
insights tend to induce, he invented a way of mining it that very same
night, and within a year huge tracts of the past were being drained of
all their energy and simply wasting away. Those who claimed that the
past should be left unspoilt were accused of indulging in an extremely
expensive form of sentimentality. The past provided a very cheap,
plentiful and clean source of energy, there could always be a few
Natural Past Reserves set up if anyone wanted to pay for their upkeep,
and as for the claim that draining the past impoverished the present,
well, maybe it did, slightly, but the effects were immeasurable and you
really had to keep a sense of proportion.
      It was only when it was realised that the present really was being
impoverished, and that the reason for it was that those selfish
plundering wastrel bastards up in the future were doing exactly the same
thing, that everyone realised that every single aorist rod, and the
terrible secret of how they were made would have to be utterly and
forever destroyed. They claimed it was for the sake of their
grandparents and grandchildren, but it was of course for the sake of
their grandparent's grandchildren, and their grandchildren's
grandparents.
      The official from the Safety and Civil Reassurance Administration
gave a dismissive shrug.
      "They're perfectly safe," he said. He glanced up at Zaphod and
suddenly said with uncharacteristic frankness, "there's worse than that
on board. At least," he added, tapping at one of the computer screens,
"I hope it's on board."
      The other official rounded on him sharply.
      "What the hell do you think you're saying?" he snapped.
      The first shrugged again. He said "It doesn't matter. He can say what
he likes. No one would believe him. It's why we chose to use him rather
than do anything official isn't it? The more wild the story he tells,
the more it'll sound like he's some hippy adventurer making it up. He
can even say that we said this and it'll make him sound like a
paranoid." He smiled pleasantly at Zaphod who was seething in a suit
full of sick. "You may accompany us," he told him, "if you wish."

      "You see?" said the official, examining the ultra-titanium outer
seals of the aorist rod hold. "Perfectly secure, perfectly safe."
      He said the same thing as they passed holds containing chemical
weapons so powerful that a teaspoonful could fatally infect an entire
planet.
      He said the same thing as they passed holds containing zeta-active
compounds so powerful that a teaspoonful could blow up a whole planet.
      He said the same thing as they passed holds containing theta-active
compounds so powerful that a teaspoonful could irradiate a whole planet.
      "I'm glad I'm not a planet," muttered Zaphod.
      "You'd have nothing to fear," assured the official from the Safety
and Civil Reassurance Administration, "planets are very safe. Provided,"
he added - and paused. They were approaching the hold nearest to the
point where the back of the Starship Billion Year Bunker was broken. The
corridor here was twisted and deformed, and the floor was damp and
sticky in patches.
      "Ho hum," he said, "ho very much hum."
      "What's in this hold?" demanded Zaphod.
      "By-products" said the official, clamming up again.
      "By-products..." insisted Zaphod, quietly, "of what?"
      Neither official answered. Instead, they examined the hold door very
carefully and saw that its seals were twisted apart by the forces that
had deformed the whole corridor. One of them touched the door lightly.
It swung open to his touch. There was darkness inside, with just a
couple of dim yellow lights deep within it.
      "Of what?" hissed Zaphod.
      The leading official turned to the other.
      "There's an escape capsule," he said, "that the crew were to use to
abandon ship before jettisoning it into the black hole," he said. "I
think it would be good to know that it's still there." The other
official nodded and left without a word.
      The first official quietly beckoned Zaphod in. The large dim yellow
lights glowed about twenty feet from them.
      "The reason," he said, quietly "why everything else in this ship is,
I maintain, safe, is that no one is really crazy enough to use them. No
one. At least no one that crazy would ever get near them. Anyone that
mad or dangerous ring very deep alarm bells. People may be stupid but
they're not that stupid."
      "By-products," hissed Zaphod again, - he had to hiss in order that
his voice shouldn't be heard to tremble - "of what."
      "Er, Designer People."
      "What?"
      "The Sirius Cybernetics Corporation were awarded a huge research
grant to design and produce synthetic personalities to order. The
results were uniformly disastrous. All the "people" and "personalities"
turned out to be amalgams of characteristics which simply could not
co-exist in naturally occurring life forms. Most of them were just poor
pathetic misfits, but some were deeply, deeply dangerous. Dangerous
because they didn't ring alarm bells in other people. They could walk
through situations the way that ghosts walk through walls, because no
one spotted the danger.
      "The most dangerous of all were three identical ones - they were put
in this hold, to be blasted, with this ship, right out of this universe.
They are not evil, in fact they are rather simple and charming. But they
are the most dangerous creatures that ever lived because there is
nothing they will not do if allowed, and nothing they will not be
allowed to do..."
      Zaphod looked at the dim yellow lights, the two dim yellow lights. As
his eyes became accustomed to the light he saw that the two lights
framed a third space where something was broken. Wet sticky patches
gleamed dully on the floor. Zaphod and the official walked cautiously
towards the lights. At that moment, four words came crashing into the
helmet headsets from the other official.
      "The capsule has gone," he said tersely.
      "Trace it," snapped Zaphod's companion. "Find exactly where it has
gone. We must know where it has gone!"
      Zaphod slid aside a large ground glass door. Beyond it lay a tank
full of thick yellow liquid, and floating in it was a man, a kindly
looking man with lots of pleasant laugh lines round his face. He seemed
to be floating quite contentedly and smiling to himself.
      Another terse message suddenly came through his helmet headset. The
planet towards which the escape capsule had headed had already been
identified. It was in Galactic Sector ZZ9 Plural Z Alpha.
      The kindly looking man in the tank seemed to be babbling gently to
himself, just as the co-pilot had been in his tank. Little yellow
bubbles beaded on the man's lips. Zaphod found a small speaker by the
tank and turned it on. He heard the man babbling gently about a shining
city on a hill.
      He also heard the Official from the Safety and Civil Reassurance
Administration issue instructions that the planet in ZZ9 Plural Z Alpha
must be made "perfectly safe."

Re:Young Zaphod Plays It Safe (0)

Anonymous Coward | more than 9 years ago | (#13242348)

Mod up insightful, it's obvious how the post applies to the topic. Brilliant!

SECOND POST (-1)

Anonymous Coward | more than 9 years ago | (#13241235)

yeehaa.

second post.

sorry.

varun mathur.

Ooo la la (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13241237)

10% of your base are belong to me!

Cache Poisoning (0)

r00ts (902517) | more than 9 years ago | (#13241283)

Somebody poisoned the water hole!

Not Surprising (4, Interesting)

cmdrTacyo (899875) | more than 9 years ago | (#13241295)

This is not surprising at all, especially considering the history of DNS and its mainframe components. They will always be vulnerable, especially for people who do not have the proper PPS setup. I wouldn't be surprised if it's more than 10%.

It's tacyo YO!

bad math (3, Insightful)

rwven (663186) | more than 9 years ago | (#13241301)

with almost all of the potentially vulnerable ones they only said really that 73k of them were vulnerable to something... and only 10k of those "definitely" were.... 73k = 2.92% The other 230k might not have been vulnerable at all, they just think there's a chance that they might be. This, ladies and gents, is called sensationalism...

Re:bad math (1)

HermanAB (661181) | more than 9 years ago | (#13241427)

This is like - OMFG!!! We need to drum up business, only 3% of servers are vulnerable, you know what I mean? We need to - pssssshhh, you know, get some stuff in print, but, like you know, we can't just say 3%, we gotta blow that up a bit, like by 1000%, like, put some more and bigger numbers in there, nobody is gonna check, math is hard, you know what I mean??? Pssshhh...

Stupid idiots...

Re:bad math (0)

Anonymous Coward | more than 9 years ago | (#13241683)

// begin chris tucker voice
what the HELL did you just say?!?

HOORAY!!!!! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13241316)

HOORAY FOR TAMPON JUICE!!!!!!

DJBDNS -- rocks (3, Informative)

www.sorehands.com (142825) | more than 9 years ago | (#13241329)

I have been using the DJBDNS with the DJBDNS rocks [djbdnsrocks.org] installation under FC2. This makes it very easy to install and manage.

The same person also does Qmail Rocks [qmailrocks.org] . Of course djbdns and qmail is much more secure than bind and sendmail.

Re:DJBDNS -- rocks (2, Insightful)

winkydink (650484) | more than 9 years ago | (#13241374)

Too bad its author is so off-putting as to drive people away from both in droves.

Re:DJBDNS -- rocks (1)

tomstdenis (446163) | more than 9 years ago | (#13241569)

I've met DJ twice. It isn't that he doesn't have a sense of humour or tact. It's that he thinks he's so much better than everyone that he ignores anyone else's opinions or suggestions or ideas.

If he gave two shits about OTHER PEOPLE he'd spend more time making the tools [not just djbdns but his crypto code] actually easy to work with.

I mean it's a DNS server. I don't understand the big guffaw about it. Respond to requests on port TCP:53 ... not exactly hard.

Tom

Not hard (1)

www.sorehands.com (142825) | more than 9 years ago | (#13241664)

If it is not hard, you can always write a better one -- but it would be TomDNS.

Re:Not hard (1)

tomstdenis (446163) | more than 9 years ago | (#13241775)

Had I the time or inclination I would.

I mean there is enough to DNS that it's not a 3 second job to get a good one put together.

Had I the time I'd say from scratch a competent DNS server can be written in three weeks. That's including proper user separation, all DNS queries and zonefile parsing [as well as documentation and the like].

Right now though I have two paying jobs and my LibTom suite [as well as a huge addiction to GTA:SA] that monopolize my time.

But hey, if you want to pay me the same I get at my two jobs I'd gladly take an unpaid leave and write it.

Tom

my point (1)

www.sorehands.com (142825) | more than 9 years ago | (#13241916)

That is exactly my point. I could write a better one too, if I had spare time. Contracting full time and suing spammers takes more than 200 hours a week. So many spammers to sue, so little time.

Re:my point (1)

tomstdenis (446163) | more than 9 years ago | (#13242051)

My point though, is if DJ is going to spend the time to write a DNS server he might as well write it so people can use it.

For example, I said I couldn't write a DNS server because I spend time on my LibTom projects ... that's because "if I'm going to take the time to do it I'll do it right". So once they're feature set complete and stable I'll move on. For now I've got my plateful.

My point was that DJ doesn't care what others think of his tools because he didn't write djbdns for others, he wrote it for himself. To be the author of a DNS server that is "sooo secure"...

Tom

Re:DJBDNS -- rocks (1)

winkydink (650484) | more than 9 years ago | (#13241816)

It's that he thinks he's so much better than everyone that he ignores anyone else's opinions or suggestions or ideas.

Making him the biggest megalomaniac since Captain Ahab.

Re:DJBDNS -- rocks (0)

Anonymous Coward | more than 9 years ago | (#13242204)

I mean it's a DNS server. I don't understand the big guffaw about it. Respond to requests on port TCP:53 ... not exactly hard.

Yeah, just run an axfrdns instance and you get tcp:53. It is the tcp brother of tinydns fyi. No, axfrdns is not only for zone transfers.

Re:DJBDNS -- rocks (0)

Anonymous Coward | more than 9 years ago | (#13242660)

It's that he thinks he's so much better than everyone that he ignores anyone else's opinions or suggestions or ideas.

I don't know if that's true for his software, but it certainly isn't true in general. All of his academic papers that I have read are well referenced, and I have seen him at several talks. So he isn't ignoring everyone's ideas.

Re:DJBDNS -- rocks (2, Informative)

Feyr (449684) | more than 9 years ago | (#13241554)

As I said many times when I installed djbdns a few months ago: djbdns is crap, but it's the best crap available.

as for being more secure... it doesn't have nearly the same complexity and features as say, bind.

Re:DJBDNS -- rocks (1)

geniusj (140174) | more than 9 years ago | (#13241681)

The thing is, it doesn't need to. It's just DNS. It should be simple and not like BIND where things are (imho) unnecessarily complicated. djbdns is a great example of 'set it and forget it'. Not as good of an example as, say, a Ronco Rotisserie, but it's up there.

Re:DJBDNS -- rocks (3, Insightful)

arivanov (12034) | more than 9 years ago | (#13241993)

Correct.

Apples and oranges.

There are places where you would have to use BIND and places where you can get away with a partial implementation. If an ISP is using DJB-DNS I would recommend staying away from it. There are a number of neat tricks in the bind cache expiration algorithm (from late 8 and early 9 onwards) which DJB has called unnecessary (see the BUGTRAQ archives for the discussion). While they are not necessary they are essential to ensure that operational mistakes have a limited life. That does not happen with the DJB implementation, as well as some other ones. So if you screw up your TTL or serial no on the zone files - this is it. Same for poisoned entries.

Further to this. DNS is the most easily upgradeable service. Clients fall back automatically and a few seconds of downtime are in the "who cares" area. In fact every ISP out there has scheduled daily mandatory reloads which update configs. Do users notice - nope.

Even further to that, there are methods to make any number of dns servers answer the same address and because DNS is stateless this can be done without any clustering crap. ISC, which writes bind, has done this for 7+ years. Most global telcos and ISPs do it as well.

And, in order for DNS poisoning attacks to be effective name servers usually need to have both recursion turned on and return authoritative answers. Doing this on an internet facing server is idiocy. If your ISP does that and serves authoritative requests from the same server which is used for name resolution in clients - RUN. They have NO CLUE WHATSOEVER. If they use clustering for resilience - run even faster.

Re:DJBDNS -- rocks (1)

Transcendent (204992) | more than 9 years ago | (#13243208)

If your ISP does that and serves authoritative requests from the same server which is used for name resolution in clients - RUN. They have NO CLUE WHATSOEVER.

At home, I'm the DNS server for my website's domain name (also hosted there), so I'm the authoritative name server for 2 different master zones (my domain name, and my brother's). I also am the name server for my internal network since I don't want to rely on comcast's servers (which have gone out in the recent past). This server is also my firewall (OpenBSD).

Last time I checked, I had bind configured to use recursion (the default). My understanding of this was that it just took the load off the resolver, and put it on the DNS server itself whenever there was a query.

Is there a problem with this setup (which it seems you are describing)? I thought the problem was in forwarding anyway...

Re:DJBDNS -- rocks (2, Interesting)

demon (1039) | more than 9 years ago | (#13242827)

If you think that DJBDNS is as good as it gets, you really need to check out http://www.powerdns.com/ [powerdns.com] . We switched to it at work (I pushed it, really), and I wrote a nice custom web-based frontend so our customers can manage their DNS domains independently - they can even create new ones as necessary. It's taken DNS out of the "necessary evil" realm, and brought it into a realm of being a "useful service". I recommend it heartily.

(No, I'm not a developer or otherwise affiliated with the project - just a very satisfied user.)

Re:DJBDNS -- rocks (2, Informative)

geniusj (140174) | more than 9 years ago | (#13241630)

I use djbdns for the dynamic DNS/DNS hosting provider mentioned in my sig. It's worked out amazingly well, and it's been deployed that way for a few years now. There's a few reasons I really like it:

1) The rsync method of replication is very well suited for keeping multiple DNS servers synced with the exact same records.

2) I never have to worry about it or touch it

3) The CPU and memory usage are much lower than when I was doing this with BIND. In fact, it's pretty much negligible with a few hundred queries per second.

Re:DJBDNS -- rocks (0)

Anonymous Coward | more than 9 years ago | (#13241965)

For the people who don't like DJBDNS: Why don't you give PowerDNS a go?
We've recently switched from BIND to PowerDNS and we're extremely happy with it.

Re:DJBDNS -- rocks (0)

Anonymous Coward | more than 9 years ago | (#13242873)

Agreed. I have replaced many BIND installations with djbdns and it's amazing. It can easily handle huge amounts of traffic that choke BIND with the same RAM allocation, it has a clean design, its behavior (and warts) is well-understood and documented, the simple configuration is like a dream (I actually wrote a front-end to BIND a decade ago that's very similar to the djbdns line-oriented format.. it makes me laugh that BIND is carrying around all that junk I don't even use .. I think the code to parse the config files is longer than all of djbdns).

It's easy to interface djbdns to external software like GUI front-ends as well, and everything is atomic and well-defined. Runs great on a big machine as well as a 486-based Soekris board.

It's secure (zero security issues) and immune to cache poisoning (always has been).

It's funny to see people try and come up with excuses for why they still use BIND. DJB's personality is one excuse (frankly, after a couple decades in this industry, I think we definitely need more like him). Another guy in this thread has one I haven't heard before:

There is a number of neat tricks in the bind cache expiration algorithm ... while they are not necessary they are essential to ensure that operational mistakes have a limited life.

Uhm, neat tricks and unnecessary features are exactly what I DON'T WANT in a critical service. Apparently he's willing to put up with bloat and more code paths so that it doesn't cache HIS mistakes?

Do yourself a favor, try djbdns, don't make excuses about why you *think* it's appropriate to ever use BIND for anything. "But, DJB flamed me once, so his software sucks!"

Re:DJBDNS -- rocks (1)

Geekboy(Wizard) (87906) | more than 9 years ago | (#13243224)

djbware is so broken it's not even funny. the "human readable" zone files are beyond a joke. lack of support for ipv6 is also a huge blow (yes, I know you can get 3rd party patches for it. but I can also just run bind, and have an actually functional dns server).

mark me as a troll, I don't care.

Phor God's sakes! (5, Funny)

Zab UvWxy (694326) | more than 9 years ago | (#13241339)

Some security companies have called this technique pharming.

Phor phuck's sakes! I've had enough of this phreaking 733T-speak from the phucking security companies! It was original with phreaking; it was mildly amusing with phishing; now it's just annoying.

Why not just leave the terminology as "DNS cache poisoning" and be done with it?
[/rant]

Re:Phor God's sakes! (5, Funny)

TheSneak (904279) | more than 9 years ago | (#13241680)

-Pharming!? Who the hell makes up these names anyways?

-He's new sir. Guy by the name of "Daffy duck".

-You realize of course, that this means war...

OT: Your Sig (2, Informative)

sconeu (64226) | more than 9 years ago | (#13242801)

Your sig is an urban legend. See snopes [snopes.com] for details.

Re:OT: Your Sig (0)

Anonymous Coward | more than 9 years ago | (#13242918)

Yes, but the thought behind the quote is what counts, not its validity. Every problem has a simple solution if you are willing to look for it. Additionally, the best answer is not always the most expensive one.

Prior art (3, Informative)

jfengel (409917) | more than 9 years ago | (#13241686)

Especially since the pharmaceutical companies have a much better (and prior) claim to the name for using organisms to produce medicines [wikipedia.org] .

Re:Prior art (1)

fred_sanford (678924) | more than 9 years ago | (#13241903)

yeah, that definitely stopped them from coining the word Spam [wikipedia.org]

Phlooding attack could leave enterprises... (1)

scovetta (632629) | more than 9 years ago | (#13242622)

Dude, what's your problem? Security prophessionals sometimes need to make up words that sound new and specialized. Can't you just embrace the ph-speak like the rest of us?

Besides, it gives reporters a chance to attend Blackhat where they can learn the new lingo.

Oh, you're going to love this article too: Phlooding attack could leave enterprises high and dry [securityfocus.com]

Re:Phor God's sakes! (3, Funny)

DigitalReverend (901909) | more than 9 years ago | (#13243107)

Who knows, down the road, there may be some graphics bug out there where hackers can put a picture or some other art right on your screen. They will probably call it pharting

DNS stands for (1)

WillAffleckUW (858324) | more than 9 years ago | (#13241343)

Don't Know Standard patches

Re:DNS stands for (0)

Anonymous Coward | more than 9 years ago | (#13241528)

DNS stands for
Don't Know Standard patches

I would assume that it also means Dictionary Needed, Stat!

Re:DNS stands for (1)

WillAffleckUW (858324) | more than 9 years ago | (#13241613)

I would assume that it also means Dictionary Needed, Stat!

I think you mean Directory Needs Solutions ...

Re:DNS stands for (1)

Shut the fuck up! (572058) | more than 9 years ago | (#13241931)

In your case it stands for "Doesn't kNow Shit". Seriously dude, shut the fuck up. Your posts are contentless drivel. Christ, your bio is written third person. I looked you up at washington.edu - You are nothing more than a talentless computer tech and are not 'solving malaria' whatever the fuck that means. The closest you have probably ever come to a DNS server is setting your network settings on your shitty windows box to DHCP. Go slap another 'redefeat bush' on your broken down 85 Subaru, head back to Fremont and suck Lenin's cock you know-nothing shitbag.

Re:DNS stands for (1)

Mechcozmo (871146) | more than 9 years ago | (#13242997)

you Don't Know Shit!

How can I check my own DNS configuration for this? (4, Insightful)

Anonymous Coward | more than 9 years ago | (#13241358)

...or for any other DNS exploits, for that matter?

Any good tools to (or sites to help) check for those?

Re:How can I check my own DNS configuration for th (5, Interesting)

Malor (3658) | more than 9 years ago | (#13242144)

I'm confused about this one too. This is what I THINK is going on with this exploit. Hopefully, someone who ACTUALLY knows will correct my mistakes. :)

One of the possible ways to set up a DNS server is as a 'forwarder'. This means that it doesn't do lookups itself, but rather passes all DNS requests to another machine, gets replies, and then sends replies to the clients. One reason you might do this would be to distribute DNS load in a big ISP; you have a few machines that do the actual outbound DNS determination, and then the cache ripples back to the servers that are actually talking directly to the clients. DNS is fairly low-load, relatively speaking... this architecture would date from when everyone was deploying 50 MHz machines as servers. I'll call the local BINDs 'caching' servers, and the one doing the actual lookups on the internet the 'point' server.

So in and of itself, this architecture isn't a problem. But one of the features of the DNS protocol is that any server can send back more data than what was actually asked for, even data that is totally unrelated to the main query. Caching BIND servers by default trust their point server. And, when functioning as a point forwarder, BIND4 and BIND8 apparently just pass along queries they receive without checking them. The point BIND assumes that the caching BINDs are checking, while the caching BINDs assume the point BIND is checking, and the packet never gets checked for sanity at all.

So Joe Hacker snoops around... he tries to find DNS servers on your network. Once he finds one, he queries it for a name in a domain he controls. (or he initiates a connection to a webserver on the same machine, which may cause the same DNS lookup). He watches for the request to his DNS server coming from a DIFFERENT machine. That often indicates a forwarder configuration.

So he waits for his cached info to expire, and does it again... except this time, his reply packet includes extra information, "Oh, by the way, www.microsoft.com is on joes.evil.server.here." If BIND4 or BIND8 is functioning as the master lookup in a forward configuration, it just passes along the packets it receives. And when BIND is in a SLAVE configuration, it just trusts what it gets from the forwarder. So suddenly, your whole network is connecting to joes.evil.server.here instead of www.microsoft.com. And if it doesn't work, oh well, next DNS server... this is a very low-profile attack. You have to really be LOOKING for it to be able to see it.

Apparently, the workarounds are A) don't use a forwarder configuration. There's no real need for this anymore, even a cheap 1 GHz machine with a gig or so of ram will serve tens of thousands of clients. B) if you MUST use a forwarder, use BIND9 (or, presumably, DJBDNS) as your 'point' machine. BIND9 does sanity checking when it's on point.

Hopefully I got this right. I haven't been paying much attention to this before, because I (rightly) didn't think it affected me. If I'm wrong, PLEASE correct me, I hate to spread misinformation.
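
The "sanity checking" Malor describes BIND9 doing on point is, in modern resolvers, a bailiwick rule: a record in a response is only accepted into the cache if its owner name lies inside the zone the query was sent for, so an unrelated "by the way, www.example is over here" record in the additional section is discarded rather than cached. The block below is an added example written for this thread, not code from BIND, djbdns or any poster: a minimal parser for the DNS wire format that applies that rule to a constructed response. The names (host.attacker.example, www.bank.example) and the 192.0.2.x addresses are placeholders, and the sample packet is built inline.

```python
"""Bailiwick filtering of DNS responses.

Added example for the thread above (not code from BIND, djbdns or any
poster): parse a DNS response message and keep only the records whose
owner name is inside the zone the query belongs to. The sample bytes are
constructed here; all names and addresses are placeholders.
"""
import struct


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = offset + 2                      # resume here after the jump
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                             # guard against pointer loops
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_rr(msg, offset):
    """Parse one resource record starting at offset."""
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}, offset + rdlen


def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a name below it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def filter_response(msg, zone):
    """Split every RR in a response into (kept, dropped) by the bailiwick rule.

    `zone` is the zone the query was sent for, i.e. the part of the question
    name that the responding server is authoritative for."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    offset = 12
    for _ in range(qdcount):                          # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    kept, dropped = [], []
    for _ in range(ancount + nscount + arcount):
        rr, offset = parse_rr(msg, offset)
        (kept if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    return kept, dropped


def build_sample_response():
    """Constructed reply to 'host.attacker.example A?' that smuggles an
    unrelated A record for www.bank.example into the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # id, flags, counts
    question = encode_name("host.attacker.example") + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c"                             # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
    extra = (encode_name("www.bank.example")          # outside attacker.example
             + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([192, 0, 2, 66]))
    return header + question + answer + extra


if __name__ == "__main__":
    kept, dropped = filter_response(build_sample_response(), "attacker.example")
    for rr in kept:
        print("cached :", rr["name"])
    for rr in dropped:
        print("dropped:", rr["name"], "(outside attacker.example)")
```

On the sample packet the answer for host.attacker.example is kept and the www.bank.example record is dropped. A real resolver applies this rule per section and per query, and on top of it checks that the reply arrived from the server it asked, on the right source port, with the matching transaction ID; the bailiwick rule is what stops a forwarder chain from passing along unrelated records even when those checks succeed.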

Checking your DNS config (0)

Anonymous Coward | more than 9 years ago | (#13242623)

It has been some time but Men and Mice [menandmice.com] has (had) a cool tool for this. They also make a damn good DNS server I ran for about a half a decade before I decided the "free as in Beer" part of Bind was too attractive.

I'd strongly recommend DNS newbies read their site and consider their products. They do good stuff. If Bind were not so ubiquitous I'd still be running QuickDNS.

New term! (3, Funny)

springbox (853816) | more than 9 years ago | (#13241367)

"Some security companies have called this technique pharming."

A lot of these new vulnerabilities have the "phat" theme as dictated by the industry's leading security researcher/rapper Prompt Master Chizzy. Expect an RFC soon on the new naming convention.

Re:New term! (3, Funny)

witch (21633) | more than 9 years ago | (#13242674)

Shouldn't we expect a Request Phor Comments instead?

That's why I only use IP addresses (0)

Anonymous Coward | more than 9 years ago | (#13241373)

I don't trust any of this newfangled DEE EN ESS hooey

My favorite sites are:
66.35.250.151
198.133.219.25
47.249.48.50

TDz.

Re:That's why I only use IP addresses (1)

squallbsr (826163) | more than 9 years ago | (#13242720)

for those who are curious

star.slashdot.org
www.cisco.com
www.nortel.com (I assume, didn't find in reverse dns)

its probably poisoned...

Bad admins + bad webmasters (1)

porneL (674499) | more than 9 years ago | (#13241413)

Stealing? For important information websites should use HTTPS (certificates detect DNS spoofs).

Re:Bad admins + bad webmasters (1)

defaria (741527) | more than 9 years ago | (#13242170)

What would stop someone from redirecting the neophyte user to a malicious site that also uses SSL? Just because it's SSL does not mean it's a site I want to be at. Sure SSL can guarantee identity but many, many people don't even check to ensure that they got to an SSL site. And how many legitimate "login screens" are not SSL to start with!

Executive board meeting... (3, Funny)

Epistax (544591) | more than 9 years ago | (#13241441)

Exec 1: We at our company want an attack name with attitude. It's edgy, it's "in your face." You've heard the expression "as easy as stealing from a baby"? Well this is an attack which makes it "eezzay!". Consistently and thoroughly.

CEO: So it's speculative, huh?

Exec 1: Oh, God, yes. We're talking about a totally outrageous paradigm.

Exec 2: Excuse me, but "speculative" and "paradigm"? Aren't these just buzzwords that dumb people use to sound important? [backpedaling] Not that I'm accusing you of anything like that. [pause] I'm fired, aren't I?

CEO: Oh, yes.
CEO: The rest of you start thinking up a name for this funky attack. I dunno, something along the line of say... farming, only more dangerous and 1337.

Exec 1: So, Pharming okay with everybody?

All: [reclining in their chairs] Yeah...

Re:Executive board meeting... (0, Flamebait)

Epistax (544591) | more than 9 years ago | (#13241545)

Redundant? Fine. Note to self: Do not go searching for a funny way to state what I know others will say. Do not do it more intelligently. Allow the people who are bitching to simply type out a message as fast as they can. It does not matter that when I started my message, none of theirs had been posted yet. Since they will beat me to pressing the button because I am putting thought into my post, I am redundant.

Well excuse me. Go back to MTV.

Re:Executive board meeting... (0)

Anonymous Coward | more than 9 years ago | (#13242155)

See, this is why I don't get mod points(well, just once). Because I would have just modded this guy funny and been done with. But no...

Lord forbid someone say something funny. And Hell, this is also more intelligent(very nice replacement of key terms) than 75% of the crap here. I'm sure this is the same thoughtful moderation that got an interesting post of mine that may have actually helped someone out modded down(by one or two assholes) to 'overrated'.

I must be a glutton for punishment because I keep coming back.

Re:Executive board meeting... (0)

Anonymous Coward | more than 9 years ago | (#13241656)

Maybe because you're ripping off The Simpsons without mentioning it?

btw, the last bit should be

Others: [reclining in their chairs] Yeah...
Exec5: It's gooood...

The funniest part is that last guy.

Re:Executive board meeting... (1)

Epistax (544591) | more than 9 years ago | (#13241726)

Yes it's from the simpsons. I grabbed the snpp, I guess I missed the last line. I thought it was obviously the simpsons. No one mentions it when they say the old overlords cliche (unless they use the "oblig. simpsons quote" cliche too). I just find the whole meeting funny. I think I have one of them later this week.

Common sense... (1)

Ravatar (891374) | more than 9 years ago | (#13241446)

Didn't ISC release a warning to stop using forwarders on BIND4/8 several months ago? Guess it'll take a major attack, in which thousands of people lose personal information, for people to act on the warnings.

any one notice... (-1, Redundant)

Martigan80 (305400) | more than 9 years ago | (#13241483)

Phreak phish pharming?

In the Admins' Defense (2, Informative)

sarlos (903082) | more than 9 years ago | (#13241667)

Someone's gotta speak up for the poor admins. Not all of them really are morons for not patching. There are cases where the patch breaks more than it fixes. In these cases, it's often more economical to just leave the vulnerability there (hey, at least you know about it) than to try to patch it. SQL Slammer caused some serious problems with IIS because the 'patch' for the bug it exploited was part of a large update that required a lot of man-hours to clean up after. Of course, there are plenty of moron admins out there too, I wouldn't want them to feel overlooked... >.>

Evolution (0, Offtopic)

burtdub (903121) | more than 9 years ago | (#13241770)

How can we best turn this into a debate on evolution?

Golly, it sure seems like these DNS servers suffer from unintelligent design.

FLAMEBAIT!

What about DNS Cache Snooping? (4, Interesting)

kossak (905158) | more than 9 years ago | (#13241924)

DNS Cache Spoofing is not the only nasty trick available to DNS hackers; there is a (still) relatively unknown vulnerability affecting the vast majority of nameservers today, and one that is not easily resolved by patches alone.

Check out my paper about this, it's called DNS Cache Snooping [sidestep.pt], and allows for a bunch of interesting tricks. It affects most DNS Server/Cache combination implementations and is triggered by an extremely common misconfiguration, one that allows the whole of the internet to use a given DNS server as their primary DNS server.

Luis Grangeia

Email redirection (4, Interesting)

Deanalator (806515) | more than 9 years ago | (#13241959)

DNS cache poisoning doesn't stop at tricking people out of their money. At defcon Kaminsky also showed how it can easily be used to do things like email misdirection, which I think is much more of a big deal.

I don't understand (0)

Anonymous Coward | more than 9 years ago | (#13241966)

To me the whole scam of phishing or now pharming seems flawed. Why aren't all the phishers already in jail? No psychologically criminal person can fail to see that the whole operation relies on an actual server hosting a fake site for some amount of time, and an inevitable trail right back to the scammer's door. There are plenty of existing fraud laws with teeth enough to put away the perpetrators, so why no action? Even odder, the main victims of these attacks are the world's clearing banks, organisations with enough weight to raise their own armies if needed, and yet phishers are not being put down. Why?

Can I get a list? (4, Funny)

PhraudulentOne (217867) | more than 9 years ago | (#13242056)

Can I get a list of these vulnerable servers so I can.. umm... see if I'm on it and patch my systems? Yeah.. that's it.

Simple solution... (1)

deviantphil (543645) | more than 9 years ago | (#13242062)

Run your own DNS server.

apt-get bind9

Edit /etc/resolv.conf and point to 127.0.0.1.

I've been doing it for years now...

Re:Simple solution... (2, Interesting)

Blkdeath (530393) | more than 9 years ago | (#13242453)

Run your own DNS server.

Sure. But if you use forwarders who run BIND4/BIND8 you've still got the same problem. If you're connecting directly to the root servers you're contributing to their unnecessary overload and bypassing the hierarchical nature of the DNS system.
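Three comments above point at the same configuration decisions: Grangeia's cache-snooping post (a resolver that lets the whole internet query it and read its cache), deviantphil's "run your own bind9" recipe, and this reply about inheriting whatever the forwarders cache. The following is an added example, not code from the thread, from ISC or from any of the posters: a small audit over a BIND 9 `named.conf` that flags recursion and cache access left open to any client, and lists configured forwarders so the admin can check what software they run. Both sample configurations are constructed for the example, the `192.0.2.x` addresses are documentation placeholders, and `audit_named_conf` and its helpers are hypothetical names chosen here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configurations (not taken from the page or from any real server).
# The first leaves recursion and the cache open to the whole Internet and relies on
# forwarders; the second restricts both to a named ACL.
WEAK_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;                       // the default anyway
    forwarders { 192.0.2.53; 192.0.2.54; };
};
"""

HARDENED_NAMED_CONF = """
acl "trusted" { 127.0.0.1; ::1; 192.0.2.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text: str, name: str) -> Optional[str]:
    """Return the text inside the top-level `name { ... };` block, or None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces


def list_elements(raw: str) -> List[str]:
    """Split an address-match list such as ' 127.0.0.1; "trusted"; ' into its elements."""
    return [e.strip().strip('"') for e in raw.split(";") if e.strip()]


def parse_acls(text: str) -> Dict[str, List[str]]:
    """Collect `acl "name" { ... };` definitions so references can be resolved."""
    return {name: list_elements(body)
            for name, body in re.findall(r'(?<![\w-])acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text)}


def match_list(options: str, key: str) -> Optional[List[str]]:
    """Return the elements of `key { ... };` inside the options block, or None if unset."""
    m = re.search(r"(?<![\w-])" + re.escape(key) + r"\s*\{([^}]*)\}", options)
    return list_elements(m.group(1)) if m else None


def expand(elements: List[str], acls: Dict[str, List[str]]) -> List[str]:
    """Replace named ACL references with their members so an `any` hidden in an ACL is seen."""
    out: List[str] = []
    for e in elements:
        out.extend(expand(acls[e], acls) if e in acls else [e])
    return out


def audit_named_conf(conf: str) -> List[str]:
    """Return 'code: message' findings for the resolver exposures discussed in the thread."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    options = block_body(text, "options") or ""
    findings: List[str] = []

    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", options)
    if (m.group(1) if m else "yes") == "yes":        # BIND defaults to recursion yes
        recursion_acl = match_list(options, "allow-recursion")
        if recursion_acl is None or "any" in expand(recursion_acl, acls):
            findings.append("open-recursion: any host may use this server as its resolver; "
                            "add allow-recursion { <your networks>; };")
        # BIND 9 falls back to the allow-recursion list when allow-query-cache is unset.
        cache_acl = match_list(options, "allow-query-cache") or recursion_acl
        if cache_acl is None or "any" in expand(cache_acl, acls):
            findings.append("cache-readable: any host may query the cache (cache snooping); "
                            "add allow-query-cache { <your networks>; };")

    forwarders = match_list(options, "forwarders")
    if forwarders:
        findings.append("forwarders: answers come from " + ", ".join(forwarders) +
                        "; their cache is effectively yours, so confirm they run patched software")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit_named_conf(conf) or ["no findings"])
```

The check only reads the top-level `options` block; a config that sets these lists per `view` would need the same logic applied inside each view. Running it against the weak sample reports all three findings, while the hardened sample, which pins both `allow-recursion` and `allow-query-cache` to the `trusted` ACL and has no forwarders, reports none.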

Good way to test whether my server is vulnerable? (1)

rthille (8526) | more than 9 years ago | (#13242122)


Given that it is djbdns, I'm not worried, but having a test suite for vulnerabilities is a good thing.

Hardly New (2, Interesting)

DynaSoar (714234) | more than 9 years ago | (#13242272)

We were fighting people doing this 10 years ago. Some of the second-gen (meaning they used at least some technology rather than outright and direct use as is) usenet spammers and flooders and email spammers were doing it. The new uses to which this is being put are news, but DNS poisoning is not. IIRC, the icq.net servers were so compromised after having been bought out by AOL and put to new use.

I'm betting there's still a problem with admins that don't want it fixed, because they have given permission, or worse, for their servers to be used thus with some plausible deniability. Arranging this was the origin of the second-gen spammers.

HE-E-EY!!! How do I know this is REALLY /.? (1)

mmell (832646) | more than 9 years ago | (#13242599)

You're all a bunch of imposters! Well, you'll never get my valuable posts here, buster!

More info from the researcher's web site (2, Informative)

kylog (684524) | more than 9 years ago | (#13242605)

The news.com article is short on specifics about what the thousands of servers are actually doing, but there's better info at Dan Kaminsky's site: http://www.doxpara.com/ [doxpara.com]

This powerpoint presentation has some details: http://www.doxpara.com/Black_Ops_Of_TCPIP_2005.ppt [doxpara.com]