DNS Cache Poisoning
Redirecting web traffic through cache poisoning.
Are you open for DNS Cache Poisoning? Are your SERPs being redirected because an attacker has compromised your DNS and is now stealing your traffic? And possibly destroying your domain in the process?
Yes you are! And, a recent Home Page topic posted by Tom56 proves this...
Links Hijacked in Search Engines
DNS Cache Poisoning - The Next Generation
Once an attacker has managed to poison a DNS cache, there are a number of ways they can subvert protocols that rely on DNS. Some of the potential methods are listed below.
|Redirecting Web Traffic |
An attack of this nature might range from a simple annoyance to a financial nightmare for a great number of people. The goal here is to set up a website that looks enough like the original so as to not raise any suspicion. Then the domain is hijacked via cache poisoning for as many ISPs/companies as possible, causing their traffic to hit the phony site instead. Some of the sub-attacks here are:
- Redirect a popular search engine to a pop-up ad site.
- Redirect a bank website to gain access to account passwords.
- Redirect news site to inject false stories and manipulate stocks.
Unfortunately, there is much more to it than the above. What I've outlined, though, may be affecting many who visit WebmasterWorld with various issues pertaining to search engine marketing.
What's the First Step?
Carefully read the various topics circulating around WebmasterWorld concerning DNS Recursion, Open DNS Servers and DNS Cache Poisoning. Perform the tests that are outlined. If you fail for Open DNS Servers, you've discovered a major hole in your online marketing efforts.
You need to plug that hole ASAP! Like today!
DNS Recursion - Open DNS Servers
Links Hijacked in Search Engines
Run a DNS Report Now!
[edited by: tedster at 7:55 pm (utc) on April 10, 2006]
[edit reason] spelling fix [/edit]
For anyone who might be interested, this summary from SANS is well written and easy to understand, and it describes everything you'll need to know as a marketer, website owner, server administrator, etc. about DNS Cache Poisoning. Many of you may not know it, but is it possible that some of those problems you've just not been able to figure out are due to this type of technical foul play? If your server is open for DNS Recursion, then yes, you may be a victim. :(
SANS - Internet Storm Center
|The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After complete analysis, the attack involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least 5 UNIX webservers. We received information the attack may have started as early as Feb. 22, 2005 but probably only affected a small number of people. |
|The Internet Storm Center is a volunteer effort and the better information that we receive from the community, the better analysis we can perform and contribute back to the community. |
1. How can others help?
2. How do I recover from a DNS cache poisoning attack?
3. What software is vulnerable?
4. I am a dial-up/DSL/cable modem user -- am I vulnerable?
5. Where can I test my site to see if I am vulnerable?
6. What exactly is DNS cache poisoning?
7. What was the motivation for this type of attack?
8. Weren't DNS cache poisoning attacks squashed around 8 years ago?
9. What was the trigger for the attack?
10. How exactly did this DNS cache poisoning attack work?
11. What domain names were being hijacked?
12. What were the victim sites?
13. What malware was placed on my machine if I visited the evil servers?
14. Got packets?
15. Got snort?
P.S. Has Google turned down your AdSense stating that there is a virus associated with your domain? The above may be the problem.
pair.com has finally fixed their DNS servers so they are not open. The only reason I am posting this company is I know a lot of us here use them. I'm sure I was not the only WebmasterWorld member that sent them an email about this.
Actually pair.com have not fixed all of their DNS servers. At least one of their DNS servers still shows as open.
Looks like they are working on them though which is a good thing.
Okay, let's change the title of this to...
And then, read the information provided at the below link...
Let's see if we can spark some more discussion on this. Please, if you are not familiar with DNS, don't be afraid to ask questions. There are many here who can assist you in answering most, if not all of your questions.
|At the heart of the pay-per-click model is example.com. While it is a legitimate enterprise itself, it is the entity that pays the affiliates who are actively employing trojans and dns cache poisoning to drive traffic to the advertisers. Example.com has a policy prohibiting certain activities of this type, and will likely terminate any affiliate account reported to them for abuse. However, terminating the account only means that Example.com benefits from the hijacker's activity without having to pay the hijacking affiliate. |
This stuff is deep. I've been reading for the past week at various resources and I am truly amazed at how deep this really is. This is at the core of our business. This affects each and every one of us who owns and operates a web property.
From the SANS Website...
2005 March 31 - The Handler's Diary
DNS Poisoning Stats
|The DNS spoofing attack on March 3rd redirected affected users to a set of compromised web servers. Some of the administrators of these servers agreed to share logs collected during the attack (THANKS!). Based on these logs, we collected the following statistics: |
Okay, get ready for this and remember, this is just one incident.
- 1,304 domains poisoned (pulled from the referer entries in the HTTPD logs).
- 7,973,953 HTTP get attempts from 966 unique IP addresses.
- 75,529 incoming email messages from 1,863 different mailservers.
- 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts).
- 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses).
- 2,027 attempted logins to 82 different webmail (HTTP) servers.
Let's say you're on a server that allows for DNS Recursion (according to reports, 75% of servers out there allow for recursion) and the hacker has poisoned the cache. This means that the hacker has control over all domains on that server and can redirect traffic at will. Would you notice this? Probably not immediately and maybe even never because it is being done so slyly that the average user would never know.
How many of you really know how to read the raw server logs to effectively determine how much is happening on your server? I know I'm still learning and my brain hurts! But, I've got to do it if I plan on surviving what I see as being a major threat to the search engine marketing industry and website owners all over the world.
Thank you pageoneresults for all the information on this issue!
My brain is hurting too and I am overwhelmed. Maybe we need to make this a topic at the conference in Boston.
I emailed my host about this problem since it said "Fail" on the Open DNS Servers check. They emailed me back and said:
|The Open DNS Servers fail you see is because CPanel allows recursive DNS queries by Default. If we restrict DNS Queries, your DNS server can't be used to query any domains, other than the ones you host in your server. |
I am not sure how to reply to that?!?
|Thank you pageoneresults for all the information on this issue! |
You're quite welcome. I'm on a mission this week to make this as public as possible before it's too late. Some are probably not taking this as seriously as they should. :(
|My brain is hurting too and I am overwhelmed. Maybe we need to make this a topic at the conference in Boston. |
I'll second that and also suggest that it be made a topic of discussion at all conferences.
|I emailed my host about this problem since it said "Fail" on the Open DNS Servers check. They emailed me back and said: The Open DNS Servers fail you see is because CPanel allows recursive DNS queries by Default. If we restrict DNS Queries, your DNS server can't be used to query any domains, other than the ones you host in your server. |
I'd ask them to correct the issue immediately or I'm going to have to take my hosting business elsewhere. Maybe not in those exact terms because I don't want them shutting down services while I'm making the switch to a new provider that passes the Open DNS Server test.
How to Prevent DNS Cache Pollution for Windows Servers
For Windows Server Administrators, the following article from the Microsoft database will assist you in configuring your server to prevent DNS Cache Pollution (as MS refers to it) or DNS Cache Poisoning, which are one and the same.
|DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature. |
How to Prevent HTTP Request Smuggling for Apache Servers
Apparently Apache Servers and Windows 2003 Servers have been set by default to not allow DNS Cache Poisoning and/or HTTP Request Smuggling (as Apache refers to it).
|All versions of Apache previous to 2.1.6 are vulnerable to a HTTP request smuggling attack which can allow malicious piggybacking of false HTTP requests hidden within valid content. This method of HTTP Request Smuggling was first discussed by Watchfire some time ago. The issue has been addressed by an update to version 2.1.6. |
There is a document available from Watchfire on the HTTP Request Smuggling, it is very enlightening and a must read for those following this topic. It can be found here...
Check the box for HTTP Request Smuggling and then submit the requested information. That's the only way you'll get to view the 23 page document which contains...
What is HTTP Request Smuggling?
What damage can HRS inflict?
Example #1: Web Cache Poisoning
Example #2: Firewall/IPS/IDS evasion
Example #3: Forward vs. backward HRS
Example #4: Request Hijacking
Example #5: Request Credential Hijacking
Protecting your site against HRS
Check Point FW-1
Final note regarding solutions
A must read!
[edited by: pageoneresults at 11:28 pm (utc) on April 10, 2006]
Ugh. That's one hell of a lot of reading and the cache-poisoning one turned my stomach.
I had an issue with all sites on a VPS (virtual private server) being replaced by an MFA (made-for-adsense website). The server name that showed up in error messages was the name of the MFA domain - not mine. I guessed at the time that the server had been rooted - after a reboot it recovered every time though.
Is it possible that this was done with DNS Cache poisoning and they never really had control of the server?
I am not certain on what to ask here, as I don't really understand the issue... but I want to resolve it.
When running the dns report I get a fail on OPEN DNS SERVERS and a warn on SPF RECORD. Do I contact Pair in regard to this or do I contact my registrar, also what do I say in my email to voice my concern concisely?
|I guessed at the time that the server had been rooted - after a reboot it recovered every time though. |
That one is a little beyond me but let me see if I can guess at what happened.
Is it possible on reboot that the cache was cleared? And, if that were the case, the attacker would return and just do their thing again until you rebooted and cleared cache?
I'll tell ya, I feel like someone just hit me upside the head with a frying pan! It's like wow, all these issues I see being discussed at WebmasterWorld on how sites aren't getting indexed properly, never getting indexed, being banned, penalized, etc. I'm sure a good portion of them can all be tracked back to a DNS issue of some sort.
For example, we know that Tom56 (http://www.webmasterworld.com/forum5/7481.htm) has determined that their server was hijacked and links to their site were going elsewhere.
There is another topic out there about someone being turned down for AdSense or removed due to a virus. If you review the possible results of a DNS Poisoning attack, you'll see that one of the primary ones is redirecting a site to a malware site and installing spyware and all sorts of other stuff on the user's system. This then propagates the issue for who knows how long.
It's really an ugly thing to be occurring and I sure hope Server Administrators around the world are correcting these issues immediately. I think a lot of people have taken shortcuts in this area for too long and it is now coming back to haunt them.
For all you Bloggers out there, here's an opportunity to shine and help give back to what we take for granted at times. ;)
[edited by: pageoneresults at 11:49 pm (utc) on April 10, 2006]
|Do I contact Pair in regard to this or do I contact my registrar, also what do I say in my email to voice my concern concisely? |
You would communicate with Pair which it appears they are in the process of addressing the issue. I'd send them an email asking when they plan on having this corrected on the servers where your domain(s) are hosted.
|Also what do I say in my email to voice my concern concisely? |
Just send them a link to this topic. I'm sure Pair are well aware of what is going on as evidenced by above replies stating Pair is correcting the problem.
[edited by: pageoneresults at 11:53 pm (utc) on April 10, 2006]
Thanks PageOneResults, I'm glad WW is on top of it and that Pair is fixing it :)
Pair is the hosting company I did not want to mention earlier.
Great they are working on it but my sites with them still show the problem.
I have had several emails back and forth with them. They are in the process of fixing their DNS. I just know the DNS my sites are on have been fixed. They told me they are very aware of the problem and it is not an easy task for them. Apparently making the change will break some sites. They did say if there was an attack they can catch it within 5 minutes.
|...It's like wow, all these issues I see being discussed at WebmasterWorld on how sites aren't getting indexed properly, never getting indexed, being banned, penalized, etc. I'm sure a good portion of them can all be tracked back to a DNS issue of some sort. |
This is what immediately came to my mind, when you opened this thread yesterday, but I didn't want to spoil your brilliant research and opening with my unqualified remarks. Has anyone cross-checked the supplemental issue yet?
Just a quick note: I failed for open DNS servers, and so I emailed my host about it. They assured me that the DNS servers are not open and <insert techy jargon here> something else is triggering the test to show a fail result.
So make sure you check with your host and ask them to run the same DNS test, and see what they have to say about it.
|Just a quick note: I failed for open DNS servers, and so I emailed my host about it. They assured me that the DNS servers are not open and <insert techy jargon here> something else is triggering the test to show a fail result. |
If you failed, then the server where your site is hosted is open for DNS recursion. I don't think there is a way for that report to return false information although I could be wrong. If that is the case, we need to alert Scott at the DNS Report so they can investigate.
I did the check on dnsreport and all was good, but just to double-check I asked my provider if 1) they were aware of the problem and 2) an assurance that their dns servers were safe.
The response I got was that any nameserver released in the last few years was safe from cache poisoning. So I guess I'm okay.
Regarding Pair.com, I sent them an email and got the reply that they have a timetable to make all their nameservers non-recursive by the end of this month.
|The response I got was that any nameserver released in the last few years was safe from cache poisoning. |
I'm not too certain that is 100% true. Based on my research, all versions of Windows Server prior to 2003 were set by default to allow for DNS Recursion.
All versions of Apache Server prior to 2.1.6 had what they refer to as an HTTP Request Smuggling vulnerability.
Yes, I do believe that newer software corrects these issues. But, that still leaves about 75% of the Internet at risk. How many Windows 2000 Servers are out there? How many Apache Servers running something earlier than 2.1.6? Those are the machines that need to be assimilated!
And, what if the DNS Server Administrator has made changes to the default settings and has allowed for DNS Recursion?
Wow this is something else... fortunately my sites are 100% secure but hardly any of my competitors are. This includes a huge international company that I'm sure all of you have heard of.
|Apparently making the change will break some sites. |
That is about the worst thing I have heard. Any info about this, what type of sites are they talking about? Would this mean static html sites too?
Some people have the wrong primary nameserver listed at their registry is what they said.
|The response I got was that any nameserver released in the last few years was safe from cache poisoning. |
I recently installed the latest BIND version (9.3.2) from source at about the time the issue with open DNS came up. I had to explicitly set the "recursion" option to "no", i.e. the out-of-the-box installation defaults to the "vulnerable" setting.
The report shows that my server has failed. When I do the second test I get these results, which my host says shows they are not open.
|[216.Xyz.X reports that it is NOT an authoritative nameserver for this lookup] |
|If you are verifying an open DNS server, and you see the IP address for www.DNSstuff.com above, that means that the DNS server is an open DNS server (unless it is one of our DNS servers). |
To me, that says it is open. Wassup? Am I reading this wrong or are they trying to poison my cache, so to speak.
There were three other fails.
1. Stealth NS record leakage
2. Missing nameservers 2
3. Missing (stealth) nameservers
Host claims these are unimportant.
More poison up my cache?
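As an added example (not from this thread, not from DNSstuff, and not any host's tool), the following Python script performs the same kind of probe the report above describes: it sends the nameserver you administer a query with recursion requested for a name that server should not be hosting, then reads the RA bit, RCODE and answer count from the reply. The probe name, transaction id and the two sample replies are constructed for illustration.

```python
import socket
import struct

# Open-recursion check in the spirit of the DNS Report test discussed above.
# A query with RD=1 for a name this server is NOT authoritative for should be
# refused (REFUSED, or no answer with RA cleared) by a locked-down
# authoritative server. If it answers with RA set and a record, it recurses
# for anyone: an open resolver, the condition the report marks as a "Fail".

PROBE_NAME = "www.example.com"   # assumed probe name; the server under test should not host it
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a standard A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response):
    """Return the header fields a defender looks at: QR, RA, RCODE, answer count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def classify(response, txid=0x1234):
    """Map a reply to a verdict: 'open' (recurses for anyone), 'closed', or 'unknown'."""
    f = parse_flags(response)
    if f["id"] != txid or not f["qr"]:
        return "unknown"          # not a reply to our probe (wrong id or not a response)
    if f["ra"] and f["rcode"] == "NOERROR" and f["answers"] > 0:
        return "open"             # recursion available and the server resolved it for us
    if f["rcode"] == "REFUSED" or (not f["ra"] and f["answers"] == 0):
        return "closed"           # recursion denied, as an authoritative-only server should
    return "unknown"

def check_server(server_ip, name=PROBE_NAME, timeout=3.0):
    """Send the probe over UDP/53 to a nameserver you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "unknown"
    return classify(data)

# Constructed sample replies (header only; not captured from any real server):
# 1) an open resolver: QR=1, RD=1, RA=1, NOERROR, one answer record
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# 2) a locked-down authoritative server: QR=1, RD=1, RA=0, REFUSED, no answers
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print("constructed open reply    ->", classify(OPEN_REPLY))      # open
    print("constructed refused reply ->", classify(REFUSED_REPLY))   # closed
```

A server that replies "closed" to this probe but still serves its own zones is behaving as an authoritative-only server should; a "Fail" on the report together with "open" here means the host's claim that the server is not open does not hold up.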
|Do I contact Pair in regard to this or do I contact my registrar ... |
OK, I suspect I might be showing my complete ignorance here (kudos to Pageoneresults for setting me on this steep learning curve) but I'm confused by this. From what I can tell, the issue is with the DNS servers and not the server that hosts the actual web site files? So if the company hosting the site is different to the company hosting the DNS (the registrar), then isn't it an issue for the domain registrar?
In the example cited, I know they have a separate entity, pairNIC, for registrations ... and presumably DNS issues. But isn't it also possible to register a domain with a registrar / reseller and use their services to administer DNS to resolve to the IP address of your actual site - which may be hosted by a completely different company?
Am I completely off-track here? It implies, to me, that it's not so much an issue of 'find a new host for your site' as 'find a new host for your DNS'?
|To me, that says it is open. Wassup? Am I reading this wrong or are they trying to poison my cache, so to speak. |
My understanding is that if your domain (the one you entered when doing the DNS Report) fails for the Open DNS Servers, then wherever that domain is hosted has a problem and that server is open for DNS recursion.
|There were three other fails. |
1. Stealth NS record leakage
2. Missing nameservers 2
3. Missing (stealth) nameservers
All problems that need to be addressed as soon as possible. Any fails on that report (marked in red) should be addressed immediately.
There is information associated with each fail, warning and/or info that you should read (or your host should read) which will give them an idea of what type of problems could arise if the fails are not addressed. Same goes for the warnings and the info sections.
The DNS Report does have a forum if you have any questions about the results of your DNS Report. In fact, many of the questions that may come up are all addressed in their forums. Some good reading over there too when it comes to DNS issues.
|Host claims these are unimportant. |
It may be time to research another host. I'm seeing this comment more and more frequently. In a couple of instances, I did some back tracking and found that the host (one in particular) may have been involved in what was going on. The person who contacted me changed hosts afterwards.
Maybe not up your cache, but somewhere else. ;)
|OK, I suspect I might be showing my complete ignorance here (kudos to Pageoneresults for setting me on this steep learning curve) but I'm confused by this. From what I can tell, the issue is with the DNS servers and not the server that hosts the actual web site files? |
No, the issue is with the servers that host your website. You've probably got your DNS pointed at your host's DNS servers, am I correct?
|So if the company hosting the site is different to the company hosting the DNS (the registrar), then isn't it an issue for the domain registrar? |
Actually it doesn't matter in this case. What we are talking about applies to all servers that allow for non-authoritative DNS queries or what is referred to as recursive DNS lookups.
|In the example cited, I know they have a separate entity, pairNIC, for registrations ... and presumably DNS issues. But isn't it also possible to register a domain with a registrar / reseller and use their services to administer DNS to resolve to the IP address of your actual site - which may be hosted by a completely different company? |
I'm not sure on this one as I've never handled DNS in that manner. I've always pointed DNS to my hosts' name servers, always. I wouldn't want my DNS handled by any of the Registrars, too many issues there to begin with.
|Am I completely off-track here? It implies, to me, that it's not so much an issue of 'find a new host for your site' as 'find a new host for your DNS'? |
In this case it is simple. If the site that you run a DNS Report for fails, the server where that site is hosted allows for non-authoritative DNS queries which means it is open for all sorts of other exploits that can occur from having Open DNS Servers. DNS Cache Poisoning is just one of many exploits.