DNS Cache Poisoning Spreads Malware
Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."
April Fools Idea (Score:5, Funny)
Re:April Fools Idea (Score:4, Funny)
Re:April Fools Idea (Score:2, Funny)
You moderators are so fickle. I will probably get modded down "-1 He's got a point, but I don't like it" for this post.
Re:April Fools Idea (Score:3, Interesting)
Re:April Fools Idea (Score:4, Interesting)
There are a lot of interesting things to be said at that level, too
Re:April Fools Idea (Score:4, Funny)
3. Profit!
In Soviet Russia
Imagine a Beowulf cluster...
to all posts.
/greger
You forgot..... (Score:3, Funny)
Re:April Fools Idea (Score:3, Funny)
Only old Koreans subconsciously add statements to posts.
Re:April Fools Idea (Score:4, Funny)
Just keep in mind, In Soviet Russia, a beowulf cluster profits by imagining 50 year old South Koreans pouring hot grits down your pants.
Re:April Fools Idea (Score:2)
shudders
Re:April Fools Idea (Score:2)
Re:April Fools Idea (Score:2, Funny)
http://www.cs.utexas.edu/users/jbc/home/chef.html [utexas.edu]
Next phase : stealth ninja midgets (Score:3, Funny)
I guess that when this is eventually blocked, and spammers -really- are out of ideas of what to do next, it's time for the ninja-midgets-phase :
A spammer will employ stealth ninja midgets (or clone them), that will roam around the world causing havoc by typing in their master's URL in your browser, while you're
Re:April Fools Idea (Score:2)
Sounds very similar to a story I heard on April Fools' Day. A guy modified just one guy's hosts file at work to point requests for the company website to a server on his laptop. He then posted a terribly hacked version of the company page. The man came running to his cubicle, completely freaked out.
Re:April Fools Idea (Score:2)
An example [mymsnsearch.com]
Fex ex tracking (Score:4, Funny)
Study shows it could be much worse... (Score:3, Interesting)
IRC (Score:4, Informative)
This is a quote from the "IRC Operators Guide" written in 8/97:
"DNS spoofing is a relatively new hit these days on IRC. You'll generally find spoofs one of two ways - you're watching the connections (usermode +c) and an unusual hostmask appears, or a user reports one. The first thing to do is to get the user's IP address (/stats L nick), and check to see if the DNS lookup matches the IP address. If it doesn't, you know you have a spoof. With this information, you can KILL the spoof, and when it reconnects, see where the real host is and issue a K-line (which won't stop them from spoofing again, but will prevent them from signing on *without* spoofing). Some servers have the capability of D-lines, which allow you to ban by ip mask. A D-line will prevent the client from connecting at all, regardless of whether they try DNS spoofing or not. If the server supports the DLINE command, you can do
It has been a well known problem since way back then and it has still not been dealt with in any real way.
Yes and no. (Score:4, Informative)
The "no" part is that virtually nobody does this. All the protection in the world is useless if you don't use it. Further, the protections that do exist (such as those I mentioned) get redesigned a little too often, making wide-scale rollouts a real problem.
Routers are another key part of the infrastructure where there is plenty in place that COULD prevent poisoning, but where actual use in the "Real World" is limited. If DNS ever does improve, then scammers may well simply shift to poisoning router tables to achieve the same results.
The resources spent on producing quality and security are phenomenal. The resources spent on actually putting these into practice can barely be detected with the best tunneling electron microscopes.
Re:Yes and no. (Score:3, Interesting)
At least then we'd know the root data was from the roots.
No (Score:5, Informative)
Re:No (Score:2, Informative)
Re:IRC (Score:3, Informative)
internet rash (Score:5, Funny)
Damn internet rashes, they're the worst. Remember, don't surf without protecting your board.
At school (Score:4, Funny)
DON'T CLICK LINK (Score:5, Funny)
colored alerts (Score:2, Funny)
Re:colored alerts (Score:5, Interesting)
More color-coded warnings? (Score:5, Funny)
Re:More color-coded warnings? (Score:3, Funny)
Re:More color-coded warnings? (Score:3, Funny)
Maybe that's why they invented that terror warning thing.
Re:More color-coded warnings? (Score:5, Funny)
Red Dwarf, Series 8, Episode 1.
Re:More color-coded warnings? (Score:5, Funny)
Arrr, an attack! Matey, fetch me red shirt! Can't let the men see me bleedin' if I get hit!
*KABOOM*
Arrr, that was a close one! Fetch me brown pants too!
Re:More color-coded warnings? (Score:4, Funny)
LISTER: What for? There's no-one to alert - we're all here.
RIMMER: I would just feel more comfortable if I know that we're all on
our toes 'cos everyone's aware it's a blue-alert situation.
LISTER: We all are on our toes.
RIMMER: May I remind you all of Space Core Directive 34124?
KRYTEN: 34124. "No officer with false teeth should attempt oral sex in
zero gravity".
RIMMER: Damn you both, all the way to Hades! I want to go to Blue Alert!
LISTER: Ok, ok.
...
LISTER: Too small for a vessel... maybe some kind of missile.
KRYTEN: It's impossible to tell at this range. Whatever it is, they
clearly have a technology way in advance of our own!
LISTER: So do the Albanian State Washing Machine Company.
RIMMER: Step up to red alert!
KRYTEN: Sir, are you absolutely sure? It does mean changing the bulb.
RIMMER: There's always some excuse, isn't there?
If this is such a big deal... (Score:2)
I mean, isn't there a way to make people aware of stuff like that? I don't want some script kiddie seeing my google searches for pr0n.
Re:If this is such a big deal... (Score:5, Informative)
Documents like this one from 1997: http://www.cs.rpi.edu/~kennyz/doc/unix/dns.spoof [rpi.edu]
Re:If this is such a big deal... (Score:3, Informative)
libresolv problems [cr.yp.to], talking about poisoning [cr.yp.to]
How does this work? (Score:3, Insightful)
Re:How does this work? (Score:4, Informative)
Re:How does this work? (Score:3, Informative)
or by taking advantage of servers that listen to extra information that they really shouldn't listen to in a reply.
With both methods the aim is to trick the DNS server into caching your false response for its clients.
Re:How does this work? (Score:5, Informative)
Earlier versions of BIND use sequential sequence numbers in each request; nowadays pseudo-random numbers are used. What we're really after here is the next sequence number, or at least an idea of what it might be. In the case of sequential numbers, you have a rather small range of next sequence numbers. If your pseudo-RNG isn't cryptographically secure, it's possible to guess the next number in the sequence (for which you might want to make a few legitimate requests to your target server to observe the sequence).
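The two poisoning routes described in the comments above (a forged reply that matches a guessed transaction ID, and "extra information" in a reply that a resolver should never have cached) from the resolver's side, as an added example that is not code from the original thread: a minimal Python DNS wire-format parser whose acceptance gate only keeps a reply whose ID, question and source port all match the outstanding query, and then discards every record outside the queried zone's bailiwick. All names, addresses and the port number are constructed for the demo.

```python
import os
import struct

# Minimal RFC 1035 wire-format helpers (no compression on the build side;
# decode_name still understands compression pointers from real servers).

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)

def build_response(txid, qname, answers, additional=()):
    """Constructed reply: answers/additional are (name, ipv4, ttl) A records."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    msg = hdr + encode_name(qname) + struct.pack("!HH", 1, 1)          # A, IN
    for name, ip, ttl in list(answers) + list(additional):
        rdata = bytes(int(x) for x in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg

def parse_response(msg):
    """Return (txid, question name, [(section, name, type, ttl, rdata), ...])."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                           # skip QTYPE, QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return txid, qname, records

def in_bailiwick(zone, name):
    """A record is in bailiwick when its owner is the zone or lies beneath it."""
    return name == zone or name.endswith("." + zone)

def accept_response(pending, reply, src_port, zone):
    """Resolver-side gate. pending = (txid, qname, port) of the outstanding
    query. Returns the cacheable records, or None if the reply is unsolicited."""
    txid, qname, port = pending
    rtxid, rqname, records = parse_response(reply)
    if rtxid != txid or rqname != qname or src_port != port:
        return None                                    # ID/question/port mismatch
    # Drop everything outside the zone the queried server is authoritative for:
    # this is the "extra information" a poisoned cache would otherwise keep.
    return [r for r in records if in_bailiwick(zone, r[1])]

def demo():
    txid = struct.unpack("!H", os.urandom(2))[0]       # unpredictable 16-bit ID
    port = 53000                                       # assumed randomized source port (constructed)
    pending = (txid, "www.example.com", port)
    # Constructed poisoned reply: the real answer plus a bogus out-of-bailiwick
    # A record that tries to plant an address for www.google.com.
    reply = build_response(txid, "www.example.com",
                           answers=[("www.example.com", "192.0.2.10", 300)],
                           additional=[("www.google.com", "198.51.100.66", 86400)])
    kept = accept_response(pending, reply, port, "example.com")
    return [r[1] for r in kept]                        # ['www.example.com']

if __name__ == "__main__":
    print(demo())
```

A reply whose ID or source port differs from the outstanding query is returned as None and never reaches the cache, which is the property sequential IDs and fixed ports fail to provide.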
Let's Kill The Golden Goose (Score:5, Insightful)
Worse, perhaps, is that all these problems may encourage some horrible proprietary internet standards to arise, claiming safety from ad/spy/malware, phishing, etc. and all the cattle have to do is sign up, abandoning the old internet.
Re: (Score:2)
Question (Score:5, Funny)
What is "malware"?
Re:Question (Score:2)
Tom
Re:Question (Score:4, Informative)
I assume SSL would catch some of this, but not all.
DNS poisoning is creepy, since it's browser/OS agnostic.
Re:Question (Score:3, Interesting)
My bank works just fine with Opera and has since v6, when they introduced the service. Granted, I don't have an animated paper clip to help me along with the arduous task of checking my balance, but that's the sacrifice that I am willing to make for a browser that works.
In Opera's defence, making a product that adheres to Web standards and doesn't encourage the continuing bifurcation
Home Is Where the Heat Is (Score:2, Interesting)
Re:Home Is Where the Heat Is (Score:3, Interesting)
The attacks on the WTC were an economic attack, and as such, were exceptionally successful. Witness how much has been spent in Afghanistan and Iraq since then. The attacks on the WTC towers were a liberty attack, and as such, were exceptionally successful.
If Osama bin Laden wanted to kill a lot of people, he could have found far better ways to do it, but that wasn't his goal.
Re:Home Is Where the Heat Is (Score:3, Insightful)
Imagine the repercussions for national security and the economy if people were spoofing the NYSE or other important data center that distributes information that many people rely on.
"Today the DJIA dropped 5,000 points, oil is trading at $200/barrel, etc."
Re:Home Is Where the Heat Is (Score:2)
You want DHS to make sure your google surfing doesn't fill your computer with spam? You're actually more concerned about that than some terrorist blowing up a kindergarten or something? Your priorities are truly fucked.
First, the person you are replying to said the cybersecurity group of the DHS. Second, there is more to this than spam, they are redirecting financial sites, e-mail, etc. Third, are you really afraid terrorists are going to blow up a kindergarten? I mean more people drown in buckets every
Re:Home Is Where the Heat Is (Score:2)
Djbdns - immune to DNS cache poisoning (?) (Score:5, Insightful)
"dnscache is immune to cache poisoning."
While I don't think I'm in the clear because of this, I feel better protected from the (unwashed ;)) internet. Anyone care to comment, please do, as I've just started using this and want to know how effective it is.
bo
Re:Djbdns - immune to DNS cache poisoning (?) (Score:4, Informative)
Re:Djbdns - immune to DNS cache poisoning (?) (Score:2, Informative)
It is also immune to buffer overflows and runs as a non-root user locked in a chroot. It also is EXTREMELY lightweight, has a much easier/automatable config format than BIND (in fact we wrote a front-end for BIND that uses the tinydns line-oriented format), and has predictable documented memory usage.
It has been this way for years.
Anybody who uses BIND or Windows DNS h
Re:Djbdns - immune to DNS cache poisoning (?) (Score:4, Informative)
That seems fairly reasonable. I don't think you're really protected from poisoning, unless "poisoning" only applies to certain kinds of DNS spoofing. Specifically, first note the exceptions to the djbdns security guarantee:
Specifically, his forgery page points out that a spoofing attack based on the birthday paradox can still work... although probably tens of millions of packets are required. This page [securityfocus.com], which I think I got off slashdot before, uses the TCP sequence-number guessing tools to try to attack it. It's probably not quite as secure as djb estimates, but probably still in the millions. They don't seem to have actually run numbers for the randomized-port plus randomized-id, so it's unclear whether they actually attacked that thoroughly.
The most frightening part... (Score:5, Insightful)
The following list shows how far-reaching this attack proved to be. The list is a small, categorized excerpt of the 665 domain names from his site (with my short notes) that were being re-directed to hostile web servers. It is very important to note that e-mail, FTP logins, HTTPS sessions, and other types of traffic were also being re-directed to the malicious servers. We do not believe that the attacker was reading e-mail or collecting passwords, but we have no conclusive proof to assert either theory.
Totally browser/machine agnostic attacks, no user intervention. If you look at the names of the sites, many of them are financial institutions! And all of those victims that click okay every time they get an "invalid certificate" message. Be afraid, very afraid.
cat syslog | grep named (Score:2)
Yet another example of Windows messing up (Score:5, Insightful)
From TFA:
The worst part about DNS cache poisoning is that it affects DNS nodes underneath it in the hierarchy. So if you're below a Windows DNS that gets attacked, you yourself may be subject even if your local DNS is in fact secure.
Oh, and fear caching http proxy servers that touch DNS servers that get poisoned. They can keep the bad data around for a long time.
SANS vs. the rest of the security community. (Score:5, Interesting)
...(snip..)
Dave Kennedy, director of research services at Herndon, Va.-based Cybertrust (formerly TruSecure), had this to say about the reports: "It's been nearly a month since SANS started ringing their alarm bells over this and maybe I'm not looking in the right places, but I'm grading this as hype until I see some independent support."
Russ Cooper, Cybertrust's chief technologist, put it this way: "In my opinion, our industry's credibility comes from further reports from multiple sources. We run a very large operation worldwide, and we've looked for signs of what SANS is talking about, but we're just not seeing it."
All of this may seem like an academic debate to those who claim to have been victimized by these attacks.
On March 24, Ken Goods, a computer network administrator for a mid-sized insurance company in Idaho, learned that the company's DNS servers had been attacked when employees began reporting that their Internet browsers were being redirected to a Web site hawking generic Viagra and other prescription drugs.
"I kept trying to go to Google to research the problem, but even though my Web browser said I was at Google.com, the only content that showed up was this pharmacy site," said Goods, who asked that his employer not be named because the company is still in the process of fixing the problem.
John, a systems administrator for a major U.S.-based manufacturing company, said a DNS poisoning attack like the one SANS described last month led to Internet problems for roughly 8,000 of his company's 20,000 employees. John asked that his surname and employer's identity be omitted from this story because the company is trying to determine if it is still vulnerable.
In the following weeks, several more attacks ensued that sent victims at John's company to Web sites advertising penis-enlargement pills.
Marcus Sachs, director of SANS and a former White House cyber-security adviser, said the security industry's response to their alerts about the attacks has been little more than a collective "yawn." Meanwhile, Sachs said, it appears the Internet connection at a San Diego hotel where the organization is holding its annual conference this week also was hit with a poisoning attack (the guy at the hotel who handles Web site security hasn't yet returned my calls.)
"People are waving this off and saying 'This is nothing new, we've seen this kind of thing before, let's move on.' But the consensus amongst the SANS folks is that something doesn't feel right here, and that there's more to this story than meets the eye. We feel like there's something deeper going on here, but the fact is there are not a lot of people out there in the security industry who are willing to dig deep and get to the bottom of this."
Re:SANS vs. the rest of the security community. (Score:5, Informative)
Basically it comes down to this - the attack was used to hijack searches for pay-per-click engines. It was done in the most obvious way and got a lot of attention. If they had been smarter, they would only have redirected defunct sites instead of cnn.com and the rest of the .com TLD.
Now that the cat is out of the bag, people are watching for the traffic, so a second, more malicious attack probably won't see nearly as much success. So there's no reason to panic - it's a 4-year-old vulnerability as it is, and fixed by a simple registry edit. Most people will be unaffected by it.
-Joe
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/ [lurhq.com]
Re:SANS vs. the rest of the security community. (Score:4, Informative)
So there's no reason to panic - it's a 4-year-old vulnerability as it is, and fixed by a simple registry edit. Most people will be unaffected by it.
Ah, but here's the rub: It's not fixed by a simple registry edit. Win2k SP3 and SP4 are "secure" by default. I'm running Win2k SP3 and SP4, and I was bitten by this. The MS articles I initially found about cache poisoning didn't mention that SP3 and SP4 are secured by default, so I went and inserted the registry setting and restarted my DNS servers. The next day, the poisoning was back. That was when I discovered that SP3 and SP4 are secured by default, and that was when I realized that this problem is more serious than most people realize.
I tried to publicize what I'd learned on Friday. I submitted the story to Slashdot, where it was rejected because it wasn't an April Fool's prank. I submitted it to Russ Cooper's NTBugTraq, where it disappeared into the ether. Imagine my consternation when Russ Cooper was quoted in today's Washington Post security blog saying that nobody was seeing it. I wrote to Russ immediately after seeing that quote and assured him that I was seeing it and I had posted to his list, but the post had not been approved by him.
I'm pissed off because very few people are taking this seriously and well-meaning people such as yourself are dismissing it as a minor vulnerability that's easily remedied with a registry edit. This attack is not remedied by inserting a registry entry and restarting the server--it affects servers that are supposed to be immune.
Re:SANS vs. the rest of the security community. (Score:4, Informative)
Despite the fact that your experience contradicts MS and CERT-CC, I'm willing to accept the possibility that because the
Any chance you captured some of the traffic as it was occurring on your would-be immune servers? Because the poisoning attack from abx4.com is over now, so it will take a bit of work to recreate it in the lab without those servers to conveniently supply the test packets.
Re:SANS vs. the rest of the security community. (Score:3, Interesting)
If they had kept a lower profile they probably could have gotten away with the hijacking indefinitely - but these guys don't think long-term (fortunately for us). And it looks like they've stopped the hijacking for now, probably only due to the attention they've gotten in the press in the last
Coder's need to know more about security.... (Score:2)
link [stanford.edu]
Brian Krebs of The Washington Post... (Score:3, Informative)
http://blogs.washingtonpost.com/securityfix/ [washingtonpost.com]
He provides some background and comments from companies effected by the attacks. And he offers some opposing views from SANS and Symantec Corp. on whether this is a serious concern or not.
I've seen this (Score:4, Insightful)
I figured the problem is that I was pointing to an old DNS server for SBC. They won't give you the IPs of the new DNS servers unless you fire up their awful PPPoE program. We use Linux, and this incident has been an excuse to remove the last few Windows computers from the network. It'll probably also be an excuse to rid ourselves of SBC's horrendous services.
Sebben Alert Level Update (Score:4, Funny)
ATTENTION: ALERT LEVEL UPDATE. The authorities at SANS (Sebben-Affiliated Network Security) have issued this network alert update:
The DNS cache poisoning alert has been upgraded from "Yellow" to "Blackwatch Plaid." Repeat: DNS cache poisoning alert level is now at Blackwatch Plaid.
Available information does not yet justify a further upgrade to alert level "Moving Pictures."
And for everyone's safety and security, and to preserve our way of life, SANS is taking a drastic step and installing a network monitor. Just one. For safety, security, and omniscient, unblinking information gathering of everyone's activities.
Schwab
worst one; (Score:3, Informative)
So when you point friends to Spybot Search and Destroy, you've got to give them the actual download link.
DJB Says (Score:3, Insightful)
Time to stop running BIND and Windows, people.
djbdns is easier to set up by leaps and bounds, anyway.
Re:More reason to use Firefox (Score:2, Flamebait)
Re:More reason to use Firefox (Score:2, Informative)
Re:More reason to use Firefox (Score:5, Funny)
Oh, wait...
Idiot.
Re:More reason to use Firefox (Score:2, Insightful)
Yes. It's so great to use a web browser that doesn't rely on Microsoft technology like DNS...
Oh, wait...
Yes, the malware is almost certainly designed to install via IE, not other (better) browsers.
Methinks the idiot here is the one who signed
his post "Idiot"
Re:More reason to use Firefox (Score:3, Informative)
Want a copy of a user's eBay cookie? (Ok maybe eBay doesn't save passwords this way but you get the point, lots of sites do. It's like phishing, but the computer believes it's genuine, not just the user).
Re:More reason to use Firefox -- Yeah (Score:4, Insightful)
I swear -- Technical people need to stop addressing these problems with solutions that are technically elegant but unrealistic.
Yeah, let's secure all the nameservers on the Net! sure that'll work. Hell, we've only been doing DNS poisoning attacks for what? 12 years or so? hey well at least we finally got sendmail secure. Doh!
The only way we're going to be able to stop bad guys is to start having applications that use more than one protocol to verify integrity AND start building in stronger independent crypto behind the scenes making it much much much harder to spoof. You don't have to change the whole protocol stack we just need to share more information across protocols. Right now, when you compromise one protocol, you own the box. Aiiee!
I'm actually happy this happened -- because I've felt the Net needed a big overhaul for a while. My parents can't safely use the Internet, neither can yours. And all us gunslingers who could keep them safe are too busy securing our damn nameserver, and dealing with joe jobs to do anything about it. The solution requires a more comprehensive look at the problem.
If the bad guys are specifically targeting google with DNS poisoning, it's reasonable to assume it will undermine people's faith in Google. (ATTENTION FLAMERS: YES, I am aware the request was hijacked long before it got to Google -- but the end user won't be because they don't have a clue what DNS stands for or how it works).
Seriously - your mom/dad would take away from an explanation of DNS hijacking was "Go to google, get a virus" (read the previous article posted earlier today about how people don't understand technobabble)
Does anybody else besides me find this whole thing incredibly ironic? People will see Google as being the problem, even though it's almost definitely Microsoft's fault. Damn.. sucks to be Google. (Okay, yeah.. honestly I'd love to have Googlesque problems, but also the Googlesque resources to solve them!)
Anyway I think this sort of article hopefully illustrates to Google why they need to start promoting a secure browser WHICH isn't subject to malware attacks such as IE really is in their best interest -- and although it has a minimal cost impact to them, it has a huge long term impact to the net community. Honestly, I believe if Google offered a "safer" online experience -- I'd put my parents on it in a second, I think everybody here would too. I don't trust Yahoo, MSN, Ask Jeeves, etc. or any of those companies with the tender care of my parents' Internet experience.
I say Google - rather than just "firefox", because if Google put Gbrowser on their homepage you know it'd have a 30% usershare virtually overnight -- maybe more. They install the google toolbar, it transmits information about where you're surfing to google -- BUT it also checks with Google to make sure you're at a "safe site" --
OKAY so you want a real example -- how about a simple one -- why not a modified robots.txt with an entry that included a list of the valid IPs for the SOA for your root domain for the next 30 days. Boom, they already pick up robots.txt -- BUT now they can authenticate that the DNS wasn't poisoned using google toolbar. Sexy huh?
I've got lots of ideas like this -- there are probably 5 things sites could *OPTIONALLY* do, that merge application stacks -- but at the same time it would make it necessary for a phisher to compromise MULTIPLE hosts, across MULTIPLE protocols -- thereby making it *statistically* impossible.
(NOTE: If I seem brilliant it's only because I'm standing on the shoulders of Giants. I love how SPF uses DNS to authenticate mail servers -- it's non-intrusive, but an illustrative example of the types of solutions that we as a technical community need to solve problems)
Re:More reason to use Firefox (Score:2)
Re:More reason to use Firefox (Score:3, Insightful)
What was written in that dialog again?
Re:windowsupdate.microsoft.com? (Score:5, Informative)
Automatic updates that are not signed and verified will not install.
Re:windowsupdate.microsoft.com? (Score:2)
Re:windowsupdate.microsoft.com? (Score:3, Informative)
First, contrary to what some people think, to access a site with HTTPS which has a certificate, you do NOT contact the CA over the internet. This is because your browser already has the public key of that CA installed. The signature of the certificate you are shown by the real or fake site is verified/rejected not by looking something else up on the internet, but by performing cryptographic tests against that installed public key of the CA. This is not only an efficien
Re:windowsupdate.microsoft.com? (Score:5, Informative)
Re:windowsupdate.microsoft.com? (Score:2, Informative)
It's not just windowsupdate.microsoft.com that is prived - it's a little more sophisticated than that.
I'm not even a MS apologist...haven't used a MS product in many years (except when I'm forced to for work-related reasons)
Re:windowsupdate.microsoft.com? (Score:2)
Re:How to stop DNS cache poisoning (Score:4, Funny)
Re:How to stop DNS cache poisoning (Score:3, Funny)
OK. I call bullshit. I spent 30 minutes looking through the Foundstone corporate directory and there is no "Anonymous Coward", "A. Coward", etc.
Re:How to stop DNS cache poisoning (Score:5, Informative)
Ever heard of a monoculture? It's dangerous. That's the primary reason Microsoft has so many security issues. To guard against this, the DNS infrastructure of the internet is intentionally made to be heterogeneous. They use different DNS software on different operating systems as much as possible.
Top security consultant? Doubtful. More likely an AC trying (and failing) to impersonate someone with a clue.
Re:How to stop DNS cache poisoning (Score:3, Insightful)
Re:How to stop DNS cache poisoning (Score:3, Informative)
If you bothered to RTFA, you would also know that the problem is with Windows NT servers (that should have been taken offline years ago or upgraded to Linux) and Unix machines that were compromised (probably also not up
Mods are on crack (or don't know much about DNS) (Score:3)
You'd think people would get suspicious when they read things like "poison the DNS cyber buffer", but that's probably expecting too much of the typical mod-point wielding slashdotter.
Re:How to stop DNS cache poisoning (Score:3, Informative)
Several severe reality problems with this "advice" (it's surely a troll, people - come on, "DNS cyber buffer?"):
While that's a sure fire way of killing cache poisoning for your own records, setting DNS TTL to 0 for all records *will* cause severe Internet Armageddon as the root DNS servers explode (client DNS servers would be screwed in short order as well).
Since DNS is a distributed system, run by admins clueful and otherwise, setting
Re:How does it happen? (Score:5, Informative)
There are probably other ways, but it isn't hard.
The bottom line, DNS is an untrustworthy system.
Re:How does it happen? (Score:5, Insightful)
And also you can feed a slave server your own zone, based on the nameserver configuration, it will work (very rarely).
Re:How does it happen? (Score:4, Informative)
Re:simple (Score:5, Informative)
Suppose you visit citibank.com often. citibank.com is at 192.168.0.1 (It's an example). If the DNS server you normally query has been poisoned, it could potentially give you 10.0.0.1 (that's an example too). 10.0.0.1 could be a quick 0 day citibank look alike setup in korea with the sole purpose of grabbing your username, password, acct number, etc.
The real citibank.com would never know that this happened, and there is a real chance the person who ran your DNS server wouldn't know either.
There are no 10 minute preventative measures one could do to protect themselves on this one, outside of using a known good DNS resolver. Even then, you have to know the DNS server the resolver uses is good...
Re:simple (Score:2)
And smart people should check the certificate before logging in.
Tom
Re:simple (Score:3, Insightful)
Unless the person actually noticed the secure symbol missing from their browser, they would never know. I doubt many people notice this missing.
Even if they did notice the secure symbol missing, it's likely they would think to themselves "Well, maybe it only shows up AFTER I log in.", in a case like that, they'd be a little too late...
Re:simple (Score:2)
Re:Funny How Easy this is to prevent (Score:5, Informative)
Damn, if only I had checked the "turn on security" box!!
From MSFT (http://support.microsoft.com/kb/241352/EN-US/ [microsoft.com])
How very wrong you are.
Win2k DNS automatically turns on "secure cache against pollution" in SP3+. Read about it at http://support.microsoft.com/kb/316786/EN-US/ [microsoft.com]. Specifically, you're looking for this quote:
Win2k DNS servers with this feature turned on are STILL vulnerable. I know because my DNS servers are configured this way and I began to suffer from the DNS poisoning on Thursday of last week. It took me until Friday to get a real handle on what was happening. Slashdot ignored my submission of this story back then. They were too busy jerking around with April Fool's stories.
Re:Funny How Easy this is to prevent (Score:2)
How so?