Website Technology Issues Forum

DNS Cache Poisoning
Redirecting web traffic through cache poisoning.
pageoneresults
msg:664419
5:08 pm on Apr 10, 2006 (gmt 0)

Are you open for DNS Cache Poisoning? Are your SERPs being redirected because an attacker has compromised your DNS and is now stealing your traffic? And possibly destroying your domain in the process?

Yes you are! And, a recent Home Page topic posted by Tom56 proves this...

Links Hijacked in Search Engines
[webmasterworld.com...]

DNS Cache Poisoning - The Next Generation
[lurhq.com...]

Sub-Attacks
Once an attacker has managed to poison a DNS cache, there are a number of ways they can subvert protocols that rely on DNS. Some of the potential methods are listed below.

Redirecting Web Traffic
An attack of this nature might range from a simple annoyance to a financial nightmare for a great number of people. The goal here is to set up a website that looks enough like the original so as to not raise any suspicion. Then the domain is hijacked via cache poisoning for as many ISPs/companies as possible, causing their traffic to hit the phony site instead. Some of the sub-attacks here are:
  • Redirect a popular search engine to a pop-up ad site.
  • Redirect a bank website to gain access to account passwords.
  • Redirect news site to inject false stories and manipulate stocks.

Unfortunately there is much more to it than the above. Although what I've outlined may be affecting many who visit WebmasterWorld with various issues pertaining to search engine marketing.

What's the First Step?

Carefully read the various topics circulating around WebmasterWorld concerning DNS Recursion, Open DNS Servers and DNS Cache Poisoning. Perform the tests that are outlined. If you fail for Open DNS Servers, you've discovered a major hole in your online marketing efforts.

You need to plug that hole ASAP! Like today!

DNS Recursion - Open DNS Servers
[webmasterworld.com...]

Links Hijacked in Search Engines
[webmasterworld.com...]

Run a DNS Report Now!
[dnsreport.com...]

[edited by: tedster at 7:55 pm (utc) on April 10, 2006]
[edit reason] spelling fix [/edit]


pageoneresults
msg:664449
2:07 pm on Apr 12, 2006 (gmt 0)

My Personal Summary of DNS Recursion Issues

I posted my first DNS Recursion topic on 2006-03-13

DNS Recursion - Open DNS Servers
[webmasterworld.com...]

That was the opening topic for many to follow. If your domain fails the DNS Report for Open DNS Servers, many, many problems can arise. That topic currently has 61 replies as of today 2006-04-12.

I posted my second DNS Cache Poisoning topic on 2006-04-10

DNS Cache Poisoning
[webmasterworld.com...]

The above topic on DNS Cache Poisoning was posted after a topic by Tom56 was brought back to life and placed on the home page for discussion. tedster sent me an email when he saw it and asked if I had any input for the OP. The first thing I did after reading the topic was have the OP run a DNS Report for their domain. It failed for Open DNS Servers which is what I expected after seeing the symptoms that Tom56 was describing.

Links hijacked in search engines
[webmasterworld.com...]

Based on the progression of that topic and Tom56's confirmation that he felt it was DNS Cache Poisoning, I felt a specific topic on DNS Cache Poisoning was in order. This is not new, it has been around for years. In the past some of the terms used were DNS Hijacking, Pagejacking, etc. They're all the same.

"If this has been around for so long, why is it a problem now?"

That is the question I keep running into. The only answer I can give is that it has not affected those who have servers open for non-authoritative DNS queries (or it fails the Open DNS Server test from DNS Report). YET!

Security firms have been warning server administrators for years about the threat posed when allowing for non-authoritative DNS queries from your server. The RFC states specifically that you should not do this.

After reading hundreds and hundreds of documents related to my original topic on DNS Recursion, I kept coming across the terms DNS Cache Poisoning, DNS Cache Pollution and HTTP Request Smuggling. So, I decided to dig a little deeper into those. Wow, did that open up a can of worms. Not only that, but it exposed an area that I hadn't even thought about and that is PPC. Is it possible that a percentage of click fraud can be blamed on DNS Cache Poisoning?

Yes, it is, and this report from LURHQ Security Systems proves it.
[lurhq.com...] (Please, read the entire report, not just parts of it.)

I'm the type of person who likes to work Proactively. I've been bitten in the past due to my mistakes and working reactively is just too damn stressful for me. I carry that same principle over into my personal life too. I'd rather nip things in the bud as they say.

Please, no more Stickys, emails, contact requests through my secure contact form, etc. There is nothing more that I want to do right now than help you correct your problems. Unfortunately I cannot determine if DNS Cache Poisoning is at the root of your problems. There are no public testing facilities for this. And, if there were, they'd be in jail in a heartbeat as you would actually have to perform the exploit to test for DNS Cache Poisoning, not something I'd want to do.

Is it possible that many of the problems posed by webmasters around the world tie in with DNS problems?

Yes it is. If you are finding that your site is not being indexed properly, it has gone missing, it's in a Sandbox with the rest of the children, could it be possible that there are related DNS issues causing that? I don't know. Only you would know by running the various tests available out there to determine if it could possibly be the problem.

I've been spending my time these past few days getting as many bloggers, moderators, admins, etc. to post information about this. For the most part, there has been a positive response. In some instances, the response has been less than satisfactory. I've been called chicken little, I have a tin foil hat on, etc. I made the decision this morning to just back away from those topics and let them dig their own holes. I posted the information as a favor to my peers. Not as some way to make it look like pageoneresults is clueless or doesn't know what he is talking about. Chicken Little? lol! I just took my daughter to see that movie, we loved it. Okay, call me Chicken Little if you want. Wasn't he a hero? :)

My bottom line suggestions are this...

First, run a DNS Report
[dnsreport.com...]

If you fail for Open DNS Servers or anything else, send the report to your provider. Send them links to the various topics here related to DNS Recursion and DNS Cache Poisoning...

DNS Recursion - Open DNS Servers
[webmasterworld.com...]

DNS Cache Poisoning
[webmasterworld.com...]

If they come back to you and say that they cannot fix the problem or it is not a concern, then only you can make the choice on whether or not to switch providers and work with one who is willing to take your business seriously.

Now that we are aware of the problem and the potential threats that are posed to us, we can make an informed decision.

pageoneresults
msg:664450
10:44 pm on Apr 12, 2006 (gmt 0)

In my continued coverage of DNS Cache Poisoning, I thought it would be appropriate to split things off into another topic covering PPC Hijacking which uses DNS Cache Poisoning to steal your hard earned and paid for traffic...

PPC Hijacking using DNS Cache Poisoning
[webmasterworld.com...]

Note: Please be aware that these are informational topics only and not an absolute. These issues may or may not concern you. If you've passed the test for DNS Recursion, then you are most likely not vulnerable. But, it is still something to look into because even though you pass the test, there are still other issues to contend with on the DNS side. ;)

pageoneresults
msg:664451
12:56 am on Apr 13, 2006 (gmt 0)

2006-02-10 - Secunia Advisories

HP Tru64 UNIX BIND4/BIND8 DNS Cache Poisoning Vulnerability
[secunia.com...]

jpalmer
msg:664452
4:06 am on Apr 13, 2006 (gmt 0)

Thanks pageoneresults and all in the WebmasterWorld community, keeping an eye on each other's backs!

Did a dns report. A couple of warnings which I'll check with my host about, but other than that (fingers crossed) all clear. Woo Hoo! ;)

Maybe this explains why I don't seem to have "sandbox" and other topic issues (touch wood) discussed which come up here at WebmasterWorld?

Cheers
JP

Powdork
msg:664453
7:01 am on Apr 13, 2006 (gmt 0)

I have contacted my host inquiring what they planned to do about the issue (my first contact was with their forums, this is now with support). They replied that they are aware of the security problem and are looking at how to fix it. But they added that they cannot simply turn off recursion because the servers need to be able to perform DNS lookups for other domains or they would never be able to have any contact (web, mail, ftp, etc) with a server outside our network.

This is probably a stupid question but here goes. Why does the server my site is hosted on need to do DNS lookups for domains off the network?

plumsauce
msg:664454
8:39 am on Apr 13, 2006 (gmt 0)

Ok, I almost never post these days. However, reading this thread has forced me out of retirement.

At the risk of having egg all over my face, I am suggesting that the premise of this thread is wrong.

As I understand it, the premise of this thread is that:

the dns for a domain is subject to hijack if the authoritative name servers for the domain permit recursion.

I think this is untrue and here is why:

the domain dns hijacking actually occurs at, is targeted at, the dns servers of consumer isp's. for example, the AOL dns servers responding to the dns requests originating from AOL subscribers. the goal of the poisoning is to cause these AOL dns servers to *bypass* the authoritative name server for a domain. thus, poisoning of the authoritative name server, that is, *your* name server is a non-issue, or at least a separate issue. in fact, an authoritative name server does no upstream lookups when replying for its own zones. the links posted earlier to the various informational articles are quite clear on this if read carefully.

the only thing that is going to happen if the cache of *your* authoritative dns server gets poisoned is that outgoing email might be misdirected, or if you are in the habit of using them from your workstation as client dns settings, then your browser or ftp client might get hijacked. in other words, at the most, you risk trying to ftp proprietary source code to the wrong box.

i realise that i am posting at the very tail end of the thread, but i hope it gets read by those who have become worried by the alarms that have been raised.

the bottom line is that if your authoritative dns is working well, then there is no reason to change it. the problem is downstream from you. i am quite surprised that the tech staff of various hosting companies have not pointed this out.

ps. Windows 2000, according to MS, has been defaulted to cache poisoning prevention mode since SP3. Very few sites run below SP3.

pageoneresults
msg:664455
10:10 am on Apr 13, 2006 (gmt 0)

Okay, I'm going to get confirmation on the above. From what I understand, you are referring to just one method of DNS Cache Poisoning and it is referred to as the Man-in-the-Middle scenario.

Don't worry, I will have more for you as I get confirmation and detailed explanations of the differences. Don't ignore the warning just yet. In fact, don't ignore the warning about DNS Recursion. If you fail for Open DNS Servers, that needs to be fixed ASAP! The issue of DNS Cache Poisoning is just one of many exploits that can be performed if your servers allow for non-authoritative DNS queries.

Some additional reading while I'm gathering other information...

[dns.measurement-factory.com...]

Also, can you describe to me the kind of attack that Tom56 may have discovered in this topic...

Links hijacked in search engines
[webmasterworld.com...]

Ok, I almost never post these days. However, reading this thread has forced me out of retirement.

It's nice to have you with us. This must be important if I was able to rouse you out of retirement. ;)

pageoneresults
msg:664456
11:44 am on Apr 13, 2006 (gmt 0)

The domain dns hijacking actually occurs at, is targeted at, the dns servers of consumer isp's. for example, the AOL dns servers responding to the dns requests originating from AOL subscribers.

The above is scenario one.

Here's scenario two...

While the above targets the mainstream and/or secondary (upstream/midstream) DNS Servers, what about those DNS Servers that are downstream?

What about the DNS Server located at 123 Anywhere Street, Any City, Any State, Any Country that hosts a few thousand websites? What if their server is vulnerable to DNS Cache Poisoning, what happens then?

In much of the research I've done, the word affiliate keeps popping up. In one report, DNS Cache Poisoning exploits are more apt to happen amongst certain affiliates. If I were a miscreant [answers.com], wouldn't I stand a much better chance of poisoning someone's cache at the server level where the targeted website is being hosted? Wouldn't that provide me with a little comfort in knowing that my activities may not be noticed and that I could exploit this vulnerability at will during particular hours and you may never know it?

Based on my research, that may be happening. I want to find that out for sure. So, I (along with others) are taking the steps to find out. I've personally budgeted funds to have someone intimate with the DNS industry walk me through this step by step so I fully understand what I'm discussing here.

You guys/gals are hitting me with responses that I'm not qualified to answer. I'm probably at fault for posting a topic that I'm not fully versed in. But hey, I'm not shy. After that first topic on DNS Recursion, I ended up pushing some projects to the side just so I could focus on this. So, if I'm wrong in anything that I'm saying here, you can be assured that I will gladly confess to my mistakes publicly. I have a feeling though that I'm pretty much on target based on input so far.

Powdork
msg:664457
3:13 pm on Apr 13, 2006 (gmt 0)

Let's also not forget the number of people who have complained about their site being hijacked and reported that the problem ended when the servers were closed or they switched hosts. That is a pretty strong argument for the problem lying at the site's servers rather than up or downstream.

pageoneresults
msg:664458
3:40 pm on Apr 13, 2006 (gmt 0)

I'm waiting now for more authoritative answers and I'm getting them via email along with being on the telephone this morning with various geeks who deal with this.

The potential is there, whether or not it is a major issue is left to be proven.

Let's also not forget the number of people who have complained about their site being hijacked and reported that the problem ended when the servers were closed or they switched hosts.

I think what happened in the above case (I believe you are referring to Tom56) is that the DNS server was rebooted which cleared the poisoned cache, correcting any problems that were there.

And then, based on Tom56's comments, the redirection issues would take place again until another reboot. That's what led me to the whole DNS Cache Poisoning exploit and when his server failed the test, I thought the two were tied together.

After reading the replies from my peers, I'm beginning to question exactly what happened in this case. You can be assured that I will come back to this topic and post updates as I find out more information that is an absolute, and not just my Chicken_Little assumptions based on all the documentation out there that I've been assimilating.

Much of the documentation deals with larger DNS server networks and not the small mom and pop server that is running a version of BIND that is vulnerable. After seeing this story from News.com dated 2005-08-03, I'm concerned. Are my concerns unfounded? Or misguided?

[news.com.com...]

There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

pageoneresults
msg:664459
6:24 pm on Apr 13, 2006 (gmt 0)

Okay, I'm back and have just spent the last 30 minutes going through various scenarios to determine how much risk is involved.

The Sky is not Falling!

But, there may be some parts of the world where it is cloudy! ;)

My scenario above of the downstream DNS server being poisoned is plausible and possible. But, it probably is a very small percentage of the overall picture and it would only affect those who utilize that particular server or others that are poisoned in the upstream.

Here's an example...

ABC Company hosts a few hundred websites locally. ABC Company is running a Windows Server and has not been on top of their upgrades and patches so they have a potential vulnerability for DNS Cache Poisoning. Please note, I said potential.

In Tom56's case, this was most likely the issue as each time he mentioned it to his host, they rebooted the server which in turn cleared the poisoned cache and made things right again. Then the miscreant would return at random and do their thing again at which time another reboot was performed clearing the poisoned cache.

To compound matters, if any of the DNS servers that were in the upstream of ABC company were also vulnerable, the poisoning would then move to that caching server. This is an unlikely scenario, but is possible.

Most of these issues apply to older implementations of BIND, Windows NT Servers and Windows 2000 Servers. Windows 2003 out of the box has addressed the DNS Cache Poisoning exploit or what MS refers to as DNS Cache Pollution. BIND versions 9.0 have also addressed the issue of poisoning. It's all those old implementations that we need to be concerned about. Maybe not directly, but indirectly as there are many out there that are part of this somewhere along the way.

ATTENTION WEBMASTERS

This issue may not be of concern for most of you. For those of you hosting on a box that fails the DNS Report for Open DNS Servers, keep in mind that this particular failure also opens up the possibility that the DNS Cache Poisoning exploit may be a vulnerability. I've been informed that even if you pass the test for Open DNS Servers, that is not a 100% sure sign that problems don't exist elsewhere and this is something your server administrators would address, no need to make your brain hurt like I have over the past 30 days researching all this.

Most of the testing performed by the big companies in regards to this issue, were performed on the primary and secondary DNS servers (and some a little further downstream) for the Internet. They didn't travel too far downstream as they were not as concerned about those as they were about the primary ones that run the Internet.

What About DNS Recursion?

While a separate issue, it is something that is serious enough to start discussing and cleaning up as soon as possible. Some say that the DNS DDoS Attacks earlier this year were a prelude to the big one. Others are saying that it was probably someone on an ego trip who just wanted to let the Internet know that "we can take you down if we want to".

Hopefully Tom56's case was a rare one and we won't see much of this around here. If we start to see more reports of this, and they have the same symptoms as Tom56 did, then we'll resurrect these topics and open them up for discussion again.

So, business as usual, finally. I can get out of my Chicken_Little costume and get on with some real work!

Also, there are two tools available for testing DNS Recursion...

DNS Report
[dnsreport.com...]

Open Resolver Test
[dns.measurement-factory.com...]

I'd recommend performing tests using both tools. My understanding is that they use different algorithms and it's always good to use two tools in this particular instance for verification. The Open Resolver Test requires an IP address and does not work for hostnames. So, get your IP out if you're going to be testing.

On a side note, my contact (who is also co-owner of The Measurement Factory), and I have discussed the development of an online tool to check a server for the DNS Cache Poisoning vulnerability. The tool is developed but it is not ready for public consumption. They want to make sure that there are no false positives and need to do more testing before considering releasing it. I'll keep you posted.

Thanks to everyone for following along and offering your feedback. I understand these issues a bit more than I did when first posting this topic. Now that I am an informed consumer of DNS services, I'll know what to look for in certain instances while performing tests on domains that I have in my portfolio.

plumsauce
msg:664460
9:06 pm on Apr 13, 2006 (gmt 0)

I've personally budgeted funds to have someone intimate with the DNS industry walk me through this step by step so I fully understand what I'm discussing here.

Sorry, I guess I should have laid out the dns resolution step by step. Hey, it was 5:00AM!


The Sky is not Falling!

Exactly.

Webmasters have no direct influence on dns cache poisoning. They can only hope that consumer isp dns servers are functioning correctly. The sole exception might be ttl settings.

Webmasters should be aware when testing dns that not all warnings are targeted at administrators of authoritative dns zone servers.

If a webmaster has verified the correctness of the records and made sure the records are protected from change, then everything that can be done has been done.

By doing this, the admin is ensuring that the correct information is served up when requested. Now, if the rest of the internet dns gets corrupted, through cache poisoning or other means, there is nothing you can do about it directly. At this point, the authoritative dns servers are being bypassed.

Mind you, there are a lot of webmasters who *think* they know dns and end up shooting themselves in the foot. Google canonicalisation problems come to mind.

I repeat again, Windows 2000 has had cache poisoning prevention turned on by default since SP3. This capability can be turned on in any Windows server version since NT4.

Back to retirement :)

pageoneresults
msg:664461
9:52 pm on Apr 13, 2006 (gmt 0)

Wait, before you go back to rest...

Webmasters have no direct influence on dns cache poisoning.

lol! Depends on whether or not the miscreant refers to themselves as a webmaster. :)

They can only hope that consumer isp dns servers are functioning correctly.

Yes. And, in the process, if they are an informed marketer, they will have taken into consideration at least some basic DNS issues that may have an effect on their marketing efforts. Yes?

If a webmaster has verified the correctness of the records and made sure the records are protected from change, then everything that can be done has been done.

I think that is the primary issue to address. There's a lot of laziness out there when it comes to DNS and it is haunting the Internet right now. From DNS Recursion and DDoS attacks (which are on the rise), to Cache Poisoning and HTTP Request Smuggling, there is much to consider if you're going to cover all your bases.

Topics such as this, even though they may sound like Chicken_Little, hopefully bring attention to issues that many of us don't even think about, even if it's just the absence of an SPF Record (which is now required for the AOL Whitelist).

By doing this, the admin is ensuring that the correct information is served up when requested. Now, if the rest of the internet dns gets corrupted, through cache poisoning or other means, there is nothing you can do about it directly.

No, but you can help clean up a bit if you find that you have some blatant DNS errors like the DNS Recursion issue. Pair saw the potential and also a great opportunity to get some PR. They made a positive move. Hopefully others will follow.

At this point, the authoritative dns servers are being bypassed.

This is when it gets ugly, I think. My understanding is that Windows DNS Servers that are using forwarding to a BIND 4 or BIND 8 recursive resolver have this huge gaping hole for DNS exploits. And, this study performed in 2005 August does depict the sorry state of DNS...

There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

Mind you, there are a lot of webmasters who *think* they know dns and end up shooting themselves in the foot.

Okay, okay already! So I blew off my foot. I'll limp for a few days and recover. Although I do feel good that this is out there. I asked those who assisted me with this over the phone if I had any blatant misinformation here and they said no. There were a few misunderstandings but the topic is great to have out there. It is a real threat but it is typically going to happen in the upstream.

I'll also tell you there was some interest in a particular scenario I laid out from a PPC perspective. With the LURHQ article on PPC Hijacking, there are certain methods that could be used to wreak havoc on PPC campaigns.

Related quotes from the PPC Hijacking document.

Search hijackers are not a new phenomenon; however, their purveyors are becoming more and more aggressive in capturing clicks from web users. Often, attempting to find the entity behind the hijack becomes an endless task of following layer after layer of obfuscation. Below we attempt to peel back the layers of one major search hijack incident in a step-by-step illustration.

The incident in question involves DNS hijacking, and was widely reported in the beginning of 2005. The hijack was simple, and the vulnerability old and well-known. It involved a rogue DNS server sending bogus authority records in a DNS reply packet, in which it claimed to be the authoritative server for all of the .com TLD. Vulnerable hosts would then direct queries for any .com sites to the rogue DNS server.

End users may not be able to prevent cache poisoning - the problem lies with the user's ISP or company DNS servers. Users may direct the persons responsible for maintenance of the DNS servers to Microsoft's KnowledgeBase article 241352, which explains how to secure Windows DNS servers against this type of cache poisoning (or "cache pollution", as Microsoft calls it). Modern *nix-based DNS servers are not vulnerable to this type of attack. This vulnerability in Windows DNS services has been common knowledge for nearly four years now.
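As an added example (not code from this thread, from DNS Report, or from The Measurement Factory), here is a small Python parser that applies the two checks the thread keeps returning to: whether a server replies to an RD query with the RA flag set, which is what the open-resolver tests in msg 664459 look for, and whether a reply carries authority or additional records outside the zone that was asked, the bogus NS-for-all-of-.com pattern the LURHQ quote above describes. The sample reply, names and addresses are constructed; to check a server of your own, send build_query() to it on UDP port 53 and hand the reply to parse_response().

```python
import struct

# Bit masks for the DNS header flags word (RFC 1035 section 4.1.1).
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by a server willing to recurse)


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return out + b"\x00"


def build_query(name, ident=0x1234, qtype=1):
    """A plain query with RD set, the kind an open-resolver test sends."""
    return (struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def _read_rr(msg, off):
    """Decode one resource record; return (record dict, offset after it)."""
    name, off = _read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    return {"name": name, "type": rtype, "ttl": ttl,
            "rdata": msg[off:off + rdlen]}, off + rdlen


def parse_response(msg):
    """Split a DNS reply into flags, question and the three record sections."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype))
    resp = {"id": ident, "aa": bool(flags & FLAG_AA), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "questions": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[key] = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            resp[key].append(rr)
    return resp


def is_open_resolver(resp):
    """RA set in the reply to an RD query: the server offers recursion to whoever asked."""
    return resp["rd"] and resp["ra"]


def in_bailiwick(name, zone):
    """True when name is the zone itself or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def out_of_bailiwick_records(resp, zone):
    """Authority/additional records outside the zone that was asked. A careful
    resolver drops these instead of caching them; a poisonable one keeps them."""
    return [(sec, rr["name"], rr["type"])
            for sec in ("authority", "additional")
            for rr in resp[sec] if not in_bailiwick(rr["name"], zone)]


def _rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample reply (not captured traffic): an answer for www.example.net
# that also carries an NS record claiming ownership of all of "com", plus a glue
# A record for that rogue name server. Flags 0x8180 = QR|RD|RA, AA clear.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)
    + encode_name("www.example.net") + struct.pack("!HH", 1, 1)
    + _rr("www.example.net", 1, 300, bytes([192, 0, 2, 10]))
    + _rr("com", 2, 86400, encode_name("ns.rogue-example.org"))
    + _rr("ns.rogue-example.org", 1, 86400, bytes([198, 51, 100, 7]))
)

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print("open resolver:", is_open_resolver(r))
    print("records to drop:", out_of_bailiwick_records(r, "example.net"))
```

A hosting box that serves only its own zones should answer with AA set and RA clear; RA set on a reply to an outside address is the same condition the DNS Report "Open DNS Servers" failure reports.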

plumsauce
msg:664462
2:39 am on Apr 14, 2006 (gmt 0)

But, but, but ...

the scope in the context of the audience here ought to be:


what *can* and *should* the webmaster do directly that affects the outcome with regards to recursion and cache poisoning

this does not automatically preclude permitting recursion on your dns server.

thus for dns servers *under our own control*, we have:

1. ensure that the proper dns records are in place
2. prevent unauthorised modification of same

cache poisoning can still affect your visitors, but it is outside of your *direct* control.

It *is* really that simple.

beyond this, you really have to look to dns servers under someone else's control.

Oh, about Microsoft Knowledgebase Article Q241352, it only applies to pre Windows 2000 SP3 and NT4. Even so, it is an available fix that only involves registry settings. Unlike some other dns software where a complete replacement is required. No need to keep on pointing the finger only at Microsoft products.

danimal
msg:664463
6:11 am on Apr 14, 2006 (gmt 0)

>>>Oh, about Microsoft Knowledgebase Article Q241352, it only applies to pre Windows 2000 SP3 and NT4.<<<

it also applies to winxp 2003 server, IF the default dns cache pollution settings were somehow changed from the default setting.

my winxp 2003 server has the plesk front end, which apparently means that it can't be checked via the Dnscmd /Info /SecureResponses command listed in the microsoft 241352 article.

and guess what, of course my server fails the dnsreports test... so is the dnsreports test wrong, has plesk turned off the default winxp 2003 server dns cache poisoning settings, etc.?

on top of that, my winxp 2003 server shows "closed" when tested via the [dns.measurement-factory.com...] listed earlier in this thread.

i'm also on a shared linux-based server that fails the dnsreports test, but passes the open resolver test, just like the winxp server.

in light of those conflicting test results, and the role that plesk is playing here, all i can say is that this situation is far from being cleared up.

pageoneresults
msg:664464
5:07 pm on Apr 15, 2006 (gmt 0)

Possibly related to all of this...

Banks Hit With New Spoofing Attacks
Attackers made changes to legitimate Web sites, making the scams much harder to detect

Earlier this month, attackers were able to hack servers run by the Internet service provider that hosted the three banks' Web sites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement's Computer Crime Center.

2006-03-30 - [pcworld.com...]

Thanks to Kirby for the link.

Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type.

First of its type because I believe many are not focusing on where other problems lie. Personally, I think this is happening a bit more than what is made public. :(

In light of those conflicting test results, and the role that plesk is playing here, all i can say is that this situation is far from being cleared up.

Danimal, I have emails out to those responsible for the two tools being used. Since it is a holiday weekend, I may not get a response until Monday. I'll update this topic once I get a confirming response on the differences.

I also have raised the question to Scott at the DNS Report Forums. He's responded and I'm now waiting for The Measurement Factory's response.

[forums.dnsstuff.com...]

pageoneresults
msg:664465
6:10 pm on Apr 15, 2006 (gmt 0)

In addition to the above, much of my research leads back to Phishing scams and Spear-Phishing scams. Has anyone used the Netcraft Toolbar yet?

[toolbar.netcraft.com...]

Have you viewed the Phishing statistics they now have posted on their site?

[toolbar.netcraft.com...]

Some 32,000 unique phishing sites have been detected and blocked to date [late November 2005] and the community has been widely featured in the media from the Washington Post & Wall St. Journal through to Slashdot.

Here are the top ten. The last numbers to the right are the probability that you will encounter a Phishing site while browsing domains in those referenced TLDs.

Comoros KM - 1 in 0
Turkmenistan TM - 1 in 8
Nicaragua NI- 1 in 10
Palestine Territory, Occupied PS - 1 in 19
Romania RO - 1 in 19
Bangladesh BD - 1 in 20
Rwanda RW - 1 in 22
Vanuatu VU - 1 in 22
Albania AL - 1 in 22
Laos LA - 1 in 25

The reason I've posted the above information is because many of the Phishing sites may also be involved in DNS Cache Poisoning exploits.

danimal
msg:664466
4:59 am on Apr 16, 2006 (gmt 0)

">>>Oh, about Microsoft Knowledgebase Article Q241352, it only applies to pre Windows 2000 SP3 and NT4.<<<
it also applies to winxp 2003 server, IF the default dns cache pollution settings were somehow changed from the default setting."

AND it also applies if you are running plesk for windows, because plesk uses bind, not the ms dns... the plesk default leaves recursive dns open! You have to edit the named.user.conf to correct it... that file is located in a plesk subdirectory, search the plesk support forum for details, sorry I'm too burnt to look it up right now :-/

But since plesk for windows does use bind, can you tell the named.user.conf to do recursive dns for your local site?

Once I edited the named.user.conf, my winxp 2003 server passed the dnsreport.com test.

However, the jury is still out with the [dns.measurement-factory.com...] test, because I might have tested the dedicated i.p. for my site yesterday, instead of giving it the nameserver i.p.'s(?)... those showed "open" when I tested 'em just now, but it was cached info from yesterday.

That dns.measurement-factory test needs a serious overhaul in the usability department... I have 5 i.p.'s on my dedicated server, why should I be entering i.p. numbers instead of the url to my site? Also, translate the results into something that joe sixpack can understand, and empty the cache every day... I am not going to use remote desktop to telnet into who knows where, just to get around the cache restriction.
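An illustrative BIND `options` fragment, added here and not copied from Plesk's files or from danimal's post, showing the open-recursion state he describes next to a locked-down one. The directive names are standard BIND 9 options; that Plesk writes these into `named.user.conf` is taken from the post above and is assumed, not verified. Only one `options` block is valid per configuration, so pick the one that matches the server's job.

```conf
// --- Weak: recursion for anyone (the state danimal describes as the Plesk default) ---
// With recursion on and no allow-recursion ACL, older BIND releases answered
// recursive queries from any source address, so the box doubles as an open
// resolver for the whole Internet and fails the dnsreport / measurement-factory tests.
options {
    recursion yes;
};

// --- Hardened: authoritative-only, which is all a server that just hosts your zones needs ---
// Queries for zones you host are still answered; anything else is REFUSED.
options {
    recursion no;
    allow-query { any; };
};

// --- Alternative if the same server must also resolve for your own machines ---
// Recursion stays on, but only localhost and the directly attached networks may use it.
options {
    recursion yes;
    allow-recursion { localhost; localnets; };
};
```

After changing the file, reload named and re-run the recursion test from an address outside the allowed networks; a test run from the server itself (or from its own LAN) will still show recursion as available and proves nothing.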

pageoneresults
msg:664467
2:13 am on Apr 17, 2006 (gmt 0)

however, the jury is still out with the [dns.measurement-factory.com...] test, because i might have tested the dedicated i.p. for my site yesterday, instead of giving it the nameserver i.p.'s(?)... those showed "open" when i tested 'em just now, but it was cached info from yesterday.

danimal, here's the response I received from Scott at the DNS Report in regards to the differences in the tools.

No - his way is fine (and likely preferred over the way that we are doing it). I would guess that well over 95% of DNS servers that are open would fail both tests. Those few extra percent would pass the test we do (most likely because they are running unusual DNS servers). But then again, hackers might not use them, for exactly that reason (*they* may also think that the DNS servers are not open).

Another recent Secunia Advisory on Cache Poisoning...

2006-03-21 - Symantec Products Unspecified DNS Cache Poisoning Vulnerability
[secunia.com...]

Who needs to worry about this plumsauce?

plumsauce
msg:664468
2:38 am on Apr 17, 2006 (gmt 0)

[securityresponse.symantec.com...]

generally, admins using the affected products as corporate gateways who have not applied a patch since MAY 24/2005 to the dnsd component.

old news.

this is not a set of products that is generally used by hosting companies or people with dedicated servers as that is not the intended purpose of the product.

pageoneresults
msg:664469
3:03 am on Apr 17, 2006 (gmt 0)

Okay plumsauce, I slipped there. My apologies, it won't happen again, but you know what? It's still relevant.

Here, I won't slip on this one from the US-CERT. The first topic that started all of this was the DNS Recursion issue.

2006-03-13 - DNS Recursion - Open DNS Servers
[webmasterworld.com...]

The US-CERT updated their report on 2006-03-30 and have included a long list of references, most of which I've read, and this one which explains what can happen if a server allows for DNS Recursion (non-authoritative DNS queries)...

First, open recursive DNS servers are considerably more vulnerable to pharming attacks, where a DNS server's cache is poisoned with the intent of bringing users to a fake bank or other website, and stealing their personal or bank information. It is more difficult to successfully exploit some of these cache poisoning attacks when recursion is secured properly.

Note: Emphasis mine to help me stay focused on this. ;)

Okay, now that I've provided a Government document dated 2006-03-30, which is 17 days ago (pretty fresh, I think), tell me: if someone runs one of the reports like the DNS Report or the one from The Measurement Factory, and it shows that the server where their domains are hosted on is open for recursion as described above by the references the US-CERT is using, who is at risk?

Second, it opens the door for denial of service and other attacks. Recursive DNS queries a) take a comparatively large amount of "work" for the DNS server to complete, and b) are very important to the legitimate users of the server. If an ISP's recursive DNS servers are taken offline, none of that ISP's customers will be able to get anywhere on the Internet. This could result in huge losses for the ISP.

A Previous Secunia Advisory on Cache Poisoning.
2005-03-21 - Symantec Products Unspecified DNS Cache Poisoning Vulnerability
[secunia.com...]

Again, my apologies for that one. Rarely will I slip like that. ;)

[edited by: pageoneresults at 3:20 am (utc) on April 17, 2006]
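What the DNS Report and Measurement Factory tests actually do is send the server a query for a name it does not host, with the "recursion desired" bit set, and look at the flags in the reply. The following Python script is an added example, not code from either tool or from this thread, that does the same thing: it builds such a query, decodes the reply header, and classifies the server as open or closed. It also throws away any reply whose transaction ID does not match the query, which is the minimal check a resolver must make before trusting an answer (a resolver that skips it can be fed forged records, which is what cache poisoning is). The hostname `www.example.net` and the addresses in `demo()` are constructed sample values; `probe()` is the only part that touches the network and is meant to be pointed at your own name server.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by a server willing to recurse)
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted hostname into DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """A-record query for `name` with RD set: what a recursion probe sends."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the classifier needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(query, response):
    """Classify a reply to a probe for a name the server is NOT authoritative for.

    "mismatched": not a response, or its ID differs from our query: discard it.
    "open":       RA set and an answer returned: the server recurses for anyone.
    "closed":     RA clear and REFUSED (or no answer): recursion is disabled.
    "ambiguous":  anything else; look at the full reply by hand.
    """
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatched"
    if r["ra"] and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "open"
    if not r["ra"] and (r["rcode"] == RCODE_REFUSED or r["ancount"] == 0):
        return "closed"
    return "ambiguous"


def build_response(query, flags, answer_ip=None):
    """Constructed reply for offline testing: echo the question, optionally add one A record."""
    txid = parse_header(query)["id"]
    question = query[12:]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, FLAG_QR | flags, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        # 0xC00C = compression pointer to the question name at offset 12,
        # then TYPE A, CLASS IN, TTL 300, RDLENGTH 4 and the address bytes.
        rdata = bytes(int(o) for o in answer_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def probe(server_ip, name="www.example.net", timeout=3.0):
    """Send one probe over UDP to your own name server and classify the reply.
    Use a name outside the zones it hosts; an in-zone name gets an authoritative
    answer (AA set) whether or not recursion is enabled."""
    query = build_query(name, random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response"
    return classify_response(query, response)


def demo():
    """Offline walk-through with constructed packets (no network needed)."""
    query = build_query("www.example.net", txid=0x1234)
    open_resolver = build_response(query, FLAG_RD | FLAG_RA, "192.0.2.10")
    auth_only = build_response(query, FLAG_RD | RCODE_REFUSED)
    # Same question, but carrying an ID we never sent: must be dropped.
    forged = build_response(build_query("www.example.net", txid=0x9999),
                            FLAG_RD | FLAG_RA, "198.51.100.7")
    return {
        "open_resolver": classify_response(query, open_resolver),
        "authoritative_only": classify_response(query, auth_only),
        "forged_txid": classify_response(query, forged),
    }
```

`demo()` returns `{"open_resolver": "open", "authoritative_only": "closed", "forged_txid": "mismatched"}`. Run `probe("<your name server IP>")` from a machine outside your own network; an "open" result is exactly the condition the US-CERT paper quoted above warns about, and a "closed" one means the server only answers for the zones it hosts.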

pageoneresults
msg:664470
3:14 am on Apr 17, 2006 (gmt 0)

plumsauce, may I ask why you are implying that this is not a risk? When you first replied you mentioned that you came out of retirement just to get involved with this topic (either here or over at TW). Based on your replies, I'd have to assume you are an expert in DNS. But, is it possible that you've missed some of the latest news stories and security advisories relating to Pharming, Phishing, Spear-Phishing, etc.? And, when viewing those alerts, many refer to Cache Poisoning. I would think if you were in retirement, you'd be out golfing, fishing, hunting, etc. and not scouring the Internet for all the latest news and advisories on this?

Either I've become extremely dense in the past 30 days since posting the DNS Recursion topic, or, I've possibly alerted the Webmaster community to an issue that could potentially affect them, in a serious way?

pageoneresults
msg:664471
3:43 am on Apr 17, 2006 (gmt 0)

2006 April Updates

plumsauce, since you are coming out of retirement for a bit, I thought I'd help bring you up to speed on just what has been happening as of 2006 March. I'm still digging for the April events to date. It takes a while to locate this stuff, disseminate it, and then regurgitate it. It is typically in places that the average person is not going to be looking.

And plumsauce, before you respond, I am aware that we are talking about two different issues here. DNS Recursion and DNS Cache Poisoning. Again, I go back to all the documentation for this and many times DNS Cache Poisoning is referenced as part of the attack.

2006-04-03 - Computer Business Review - US Takes Interest in DDoS Attacks
[commentwire.com...]

Senior levels of the US government are taking an interest in recent distributed denial-of-service attacks against the internet's domain name system, according to a person familiar with the situation.

2006-03-31 - ICANN SSAC Advisory - DNS Amplification Attacks
[icann.org...]

In early February 2006, name servers hosting Top Level Domain zones were the repeated recipients of extraordinary heavy traffic loads. Analysis of traffic by TLD name server operators and security experts at large confirmed that DNS packets comprising the attack traffic exhibited characteristics associated with previously attempted DDoS attacks collectively known as amplification attacks.

2006-03-31 - US-CERT - DNS Recursion Attacks - v2.0 Update
[niscc.gov.uk...]

US-CERT is encouraging wide dissemination of this paper and organizations that currently have DNS recursion enabled are encouraged to disable it if possible.

2006-03-30 - PCWorld.com - Banks Hit With New Spoofing Attacks
[pcworld.com...]

Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type.

New Trends Noticed

Although scammers have traditionally targeted large financial institutions with phishing attacks, that is now changing, according to Rich Miller, an analyst with Internet research company Netcraft. "Lately we've seen phishing attacks move down the food chain and target much smaller, regional banks," he said.

Smaller banks such as those in the Florida scam can sometimes make easier targets, Miller said. "The big banks are able to put more resources into securing their sites," he said.

2006-03-29 - The Register - DNS Hackers Target Domain Registrars
[theregister.co.uk...]

Network Solutions and Joker.com hit by DDoSsers. More to follow? Hackers have launched distributed denial of service attacks against the Domain Name System (DNS) servers of a brace of domain name registrars over recent days.

2006-03-26 - Netcraft - Domain Registrar Joker Hit By DDoS
[news.netcraft.com...]

Domain registrar Joker.com says its name servers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany.

2006-03-24 - CNET News.com - DNS Servers Do Hackers Dirty Work
[news.com.com...]

Cyber criminals are using DNS servers, the phonebooks of the Internet, to amplify their assaults and disrupt online business.

2006-03-20 - SecuriTeam - DNS Amplification Attacks
[securiteam.com...]

This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.

2006-03-17 - ISOTF - DNS Amplification Attacks
[isotf.org...]

This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets. The risks involved with the recursive name server feature, as well as those of packet spoofing are well known, yet have been treated more as a theoretical issue.

2006-03-17 - ZDNet UK News - DNS Recursion Leads to Nastier DoS Attacks
[news.zdnet.co.uk...]

A new kind of denial-of-service (DoS) attack has emerged that delivers a heftier blow to organisations' systems than previously seen DoS threats, according to VeriSign's security chief.

2006-03-16 - Yahoo! News Associated Press - Computer Researchers Warn of Net Attacks
[news.yahoo.com...]

This would be the Katrina of Internet storms, Silva said.

There's more for 2006 February, but I won't bore you with those as I'm sure you've read them already from previous links referenced in this series of topics. ;)

2005 August - "There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned."

CNET News.com - DNS Servers - An Internet Achilles' Heel
[news.com.com...]

The goal of DNS cache poisoning is to misdirect requests for DNS records to rogue DNS servers. The effect of DNS cache poisoning is to bypass the authoritative DNS name servers for a DNS zone.

pageoneresults
msg:664472
4:14 am on Apr 17, 2006 (gmt 0)

What is Phishing and Pharming?

Okay, I'm now going to inject a few more terms here that most are probably aware of and those are Phishing and Pharming.

This from the Anti-Phishing Working Group
[antiphishing.org...]

Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

In 2006 January, there were 17,877 phishing reports received. There were 9,715 unique phishing sites reported.

Phishing Activity Trends Report
[antiphishing.org...]

101 Brands were hijacked in 2006 January

Would you care to wager that those numbers will have increased substantially over the next few months?

Check out the Phishing and Crimeware Map
[antiphishing.org...]

Automated systems based on trojaning schemes and session hijacking systems have been reported worldwide over the past 18 months in a trend of development that has surged markedly over the past 3 months, supporting the APWG's view that automated phishing systems are the way of the future worldwide for this criminal enterprise.

Phishing-based Trojans - Redirectors
Definition: Crimeware code which is designed with the intent of redirecting end-users' network traffic to a location where it was not intended to go to. This includes crimeware that changes hosts files and other DNS specific information, crimeware browser-helper-objects that redirect information to fraudulent sites, and crimeware that may install a network level driver or filter to redirect to fraudulent locations. All of these must be installed with the intention of compromising information which could lead to identity theft or other credentials being taken with criminal intent.

plumsauce
msg:664473
4:49 am on Apr 17, 2006 (gmt 0)

And who or what is antiphishing.org?

Their site has no member roster, no sponsoring group mentions, no founders, no endorsements. The whois and a press release link the owner to tumbleweed. At least, I've heard of tumbleweed.

pageoneresults
msg:664474
4:53 am on Apr 17, 2006 (gmt 0)

And who or what is antiphishing.org?

I guess I could ask "And who or what is plumsauce?".

Their site has no member roster, no sponsoring group mentions, no founders, no endorsements.

WHAT? Are we looking at the same site? It doesn't sound like it.

pageoneresults
msg:664475
5:01 am on Apr 17, 2006 (gmt 0)

Their site has no member roster, no sponsoring group mentions, no founders, no endorsements. The whois and a press release link the owner to tumbleweed. At least, I've heard of tumbleweed.

plumsauce, you are way off target with the above comments. Here are just a few of the APWG Sponsors.

Adobe
Aladdin
ebay
Earthlink
Experian
GeoTrust
Go Daddy
McAfee
MasterCard
Microsoft
NameProtect
Netcraft
Panda Software
PayPal
Symantec
Trend Micro
Visa

Please don't try to discredit the resources being referenced. Is it possible your browser got hijacked and you ended up on a different site?

Powdork
msg:664476
6:38 am on Apr 17, 2006 (gmt 0)

and the 2300 members
48000 backlinks, which look to be very high quality.

Powdork
msg:664477
9:27 pm on Apr 24, 2006 (gmt 0)

My site is down as is my hosts.
I went to look if there was anywhere that showed real reports of DDoS attacks. I didn't find it but one of the top results led me to this: a story from verisign [computerworld.com] that pertains here. Sorry if it was in the already given links.
