Is your hard earned and paid traffic being redirected?
First let me preface this topic with the fact that I am not an expert in DNS but am learning something new every day in regards to DNS. Some of what I'm going to say may not jive and I would like for those who know for sure that what I'm saying is wrong, to step up to the plate and tell me that I'm wrong, please!
Okay, so what led me to this topic?
First posted on 2006-02-18. Made Front Page on 2006-04-09.
Links hijacked in search engines
First posted and on Front Page 2006-03-13
DNS Recursion - Open DNS Servers
First posted and on Front Page 2006-04-10
DNS Cache Poisoning
In that last topic on DNS Cache Poisoning, I referenced a document from the LURHQ Security Systems site titled PPC Hijacking. It can be found here...
The above document is dated 2005-04-01, just over a year ago. If you've been following the above topics at WebmasterWorld on DNS Recursion and DNS Cache Poisoning, you'll see that the warnings have been around for years.
Much of the above document may be totally incomprehensible to some. It was a bit overwhelming for me until I printed it and then carefully studied each and every step they took to perform their tests. WOW! It was an eye opener. As I am somewhat familiar with server header status codes and such, it was pretty amazing to see everything that was taking place in this particular instance of PPC Hijacking.
- Are you experiencing a large spend with a less than satisfactory ROI?
- Are you in an industry where this type of technical foul play is possible and probable?
- Is your Internet presence at risk because someone is slyly stealing your traffic and poisoning your brand?
- Is it possible that the server your websites are hosted on allows for DNS Recursion (for non-authoritative DNS queries) and you are now open for the DNS Cache Poisoning exploit?
- Is it possible that someone has been stealing your traffic and you don't know it?
- Have you ever been turned down or removed from an advertising program only to be told that there is a virus (malware/spyware/adware) associated with your domain?
Those are all questions I've been asking myself while researching these very important issues.
What should you do?
This is a tough call because many of us typically don't have to deal with this, it is best left to our server administrators. The problem is, our server administrators may have a different perspective on this than we do. We've reached a point in our industry where the technical aspects of what we do now outweigh the "what you see" aspects. The advanced marketer is going to be informed and know of issues such as this and address them promptly. The uninformed marketer may be falling prey to these types of exploits and never know it.
First things first. Run a DNS Report.
If you fail for Open DNS Servers (it will be flagged in red), you may be at risk for the above exploits. Please note that I've emphasized may. There are no publicly available tests to determine if you're a victim of DNS Cache Poisoning. The only way you would know is if you click on a link somewhere that was supposed to go to your site but didn't. Or, you've carefully disseminated your raw server logs and have detected a pattern that could be a DNS Cache Poisoning exploit.
The choice is now up to you on what to do.
|The only way you would know is if you click on a link somewhere that was supposed to go to your site but didn't. |
Be careful in this instance. The site may look exactly like yours byte for byte.
Great post pageon...
Some really valuable information here...and that last link you show has some very detailed information about how the PPC hijacking can occur...
I, obviously, have some serious work on my end tracking down all of this and then making sure I plug holes (if any exist)..
Another excellent example of why WW is one of the best communities on the web for "REAL" learning and growing of one's web presence .. (Thanks again Brett and crew)
I have addressed this in one of the earlier threads quoted by POR, so please look at them before making up your mind.
|The advanced marketer is going to be informed and know of issues such as this and address them promptly. |
Informed? Yes. But you need to listen to the advice you are being given. A pro might be expensive, but well worth it.
|you may be at risk for the above exploits |
No, a thousand times NO.
The *only* risk is that *your* dns server aids and abets the exploit of *another* domain. The reasons are explained in the other thread, and the further clarification I published offsite.
Visitors intending to visit a particular site can be victims of misdirection, but not through the fault of the site's own name servers.
|you may be at risk for the above exploits |
Okay plumsauce, if this doesn't affect us, who does it affect? Who should this topic be addressed to?
|But not through the fault of the site's own name servers. |
What happens if the site's own name servers allow for recursion (for non-authoritative DNS queries) and/or allow for related exploits to occur?
|The *only* risk is that *your* dns server aids and abets the exploit of *another* domain. |
I'll assume that it is not a risk that most should worry about? And again, if not, who should be worrying about it?
|Who should this topic be addressed to? |
The dns administrators of the isp's of your potential visitors, e.g. AOL. Who *have* to allow at least some recursive behaviour on their caching dns servers or your visitors could not reach your site to begin with. This is why split dns is used.
|What happens if the site's own name servers allow for recursion (for non-authoritative DNS queries) |
In the usual configuration, then they can actually send outbound email, resolve inbound smtp connections to do various spam checks, connect to upstream data sources, lots of useful stuff.
The *only* risk is that *your* dns server aids and abets the exploit of *another* domain.
I'll assume that it is not a risk that most should worry about? And again, if not, who should be worrying about it?
Not in the context of being a web host. Furthermore, a dns server that is configured to prevent cache poisoning obviates any concerns. That should encompass any recent dns server run by a competent dns admin. Not admin, but dns admin.
plumsauce, I will just keep providing documentation that readers of these topics can hopefully discern and then make an informed decision based on that.
Thank you for keeping me on my toes. Each time you post, I have to dig further into my research and read, reread, and then read again to make sure I'm understanding your responses and unfortunately I am not convinced. Not yet anyway. ;)
plumsauce, are you familiar with this new technique? I mean, being in retirement and all, you could have missed this, yes?
|Phishing-Based Trojans – Redirectors |
Definition: Crimeware code which is designed with the intent of redirecting end-users' network traffic to a location where it was not intended to go to. This includes crimeware that changes hosts files and other DNS specific information, crimeware browser-helper objects that redirect users to fraudulent sites, and crimeware that may install a network level driver or filter to redirect users to fraudulent locations.
Along with phishing-based keyloggers we are seeing high increases in traffic redirectors. In particular the highest volume is in malicious code which simply modifies your DNS server settings or your hosts file to redirect either some specific DNS lookups or all DNS lookups to a fraudulent DNS server. The fraudulent server replies with "good" answers for most domains, however when they want to direct you to a fraudulent one, they simply modify their name server responses. This is particularly effective because the attackers can redirect any of the users' requests at any time and the end-users have very little indication that this is happening as they could be typing in the address on their own and not following an email or Instant Messaging lure.
|Not in the context of being a web host. Furthermore, a dns server that is configured to prevent cache poisoning obviates any concerns. That should encompass any recent dns server run by a competent dns admin. Not admin, but dns admin. |
Arrrggghhh! WE'RE NOT DEALING WITH COMPETENT SERVER ADMINISTRATORS! We're dealing with this...
|2005 August - "There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned." |
|In the usual configuration, then they can actually send outbound email, resolve inbound smtp connections to do various spam checks, connect to upstream data sources, lots of useful stuff. |
Would I be correct in assuming that this information from Dan Kaminsky is incorrect?
|Kaminsky agreed. "If you are a DNS administrator, you shouldn't be providing recursive services to the Internet anymore. It is unfortunately no longer a responsible thing to do," he said. |
Increasingly, DNS is going to be used in attacks, experts said, and their administrators can no longer afford to be lazy.
"There are a multitude of these kinds of storms that are rising, and service providers and enterprises need to figure out how to make sure that their sea walls, dams and dikes and levees are high enough to withstand them," Mockapetris said.
2006-03-24 - DNS servers do hackers' dirty work
I mean, these people are the experts on DNS and they are warning server administrators to take care of this now.
plumsauce is explaining the issue correctly.
DDOS against major DNS service providers are around since many years. The providers mentioned in this article simply didn't do their homework.
Admins with a deeper understanding of how DNS works/is vulnerable always did a.) set correct minimal permissions for users (or potential hackers) to retrieve only data they really need to get and b.) set up multiple (3 - 6 not just 1-2) DNS servers for very specific tasks in several DCs
|DDOS against major DNS service providers are around since many years. |
That's already been acknowledged. Have you read the latest warnings from the authorities on this matter?
|The providers mentioned in this article simply didn't do their homework. |
You mean to tell me that the providers of some 230,000 servers simply didn't do their homework? Wow!
Okay, so we have 230,000 servers out there that are potentially vulnerable. Where does that leave us, the Internet Marketers of this world who eventually may feel the wrath of these types of exploits? If we haven't already. :(
joker.com mentioned in The Register article that they "solved" the problem by adding more name servers. They probably had their DNS servers running at 80%+ CPU usage before the attack so it was very easy to DDOS them.
The DNS service provider we are paying gives us 6 DNS servers around the world - and the servers are mostly idle.
|joker.com mentioned in the register article that they "solved" the problem by adding more name servers. They probably had their DNS servers running at 80%+ CPU usage before the attack so it was very easy to DDOS them. |
The provider in question is just one of many instances that have occurred over the past 9 months.
|The DNS service provider we are paying gives us 6 DNS servers around the world - and the servers are mostly idle. |
How does that tie in with this? And, how about a reply to the above questions in response to your first reply? ;)
|Okay, so we have 230,000 servers out there that are potentially vulnerable. Where does that leave us, the Internet Marketers of this world who eventually may feel the wrath of these types of exploits? If we haven't already. |
To (hopefully) quell some potential panic ... ;)
DNS cache poisoning is mainly a problem for those running Windows DNS servers. Any 'Nix DNS server that is running BIND v.9 or patched BIND v.4-v.8 is in good shape. While it's true that a badly configured BIND9 server has a couple of potentially complex attack vectors, the script kiddie vectors are closed by default.
I refer you to an article on the history and current status of DNS cache poisoning at lurhq.com [lurhq.com] and one from the SANS Internet Storm Center [isc.sans.org].
|I refer you to an article on the history and current status of DNS cache poisoning at lurhq.com and one from the SANS Internet Storm Center. |
Which takes us right back to the original article posted.
The above article takes the SANS report and investigates further by peeling back the layers that were used in the exploit.
And then all the other articles afterwards that appear in the DNS Cache Poisoning topic here...
DNS Cache Poisoning
Redirecting web traffic through cache poisoning.
|Any 'Nix DNS server that is running BIND v.9 or patched BIND v.4-v.8 is in good shape. |
ARRRGGGHHH! Can I assume that you are paying no attention to these statistics from 2005 August?
|There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned. |
Yes, the above is 7 months old and my sources tell me that those who have updated their systems are less than 10%.
That is why we have organizations now reporting on this monthly. Some have even set up blacklists for those servers that are flagged as poisoners.
The above blacklist is not something you want to be on. Or even be remotely considered for inclusion.
There are many old servers running archaic Linux distros that never got updated... somebody should tell these "DNS poisoners" (cheap-domains.biz etc.) to issue an "up2date bind" and add a "recursion no;" to their named options and I am sure the list would shrink dramatically ;)
|There are many old servers running archaic linux distros that never got updated... somebody should tell these "DNS poisoners" |
As I dig further into the depths of recursion and the layers that can take place in a cache poisoning exploit using a redirect, the names in the obfuscation may be those that might be associated with these types of exploits. Why should they fix it if they are possibly profiting from it? It gets really deep. :(
That's just one group. My sources tell me that a good portion of this is due to laziness and that many are just not aware of the issue. Hence the reason for all the research being done now and warnings to help prevent this from happening on a large scale which has happened already in a couple of instances.
Secunia has a recent advisory on the BIND issues here...
2006-02-02 - HP Tru64 UNIX BIND4/BIND8 DNS Cache Poisoning Vulnerability
|BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, allows remote attackers to gain privileged access via a "Kashpureff-style DNS cache corruption" attack. |
2006-02-02 - Q-111: HP Tru64 UNIX Running DNS BIND
|If a nameserver -- any nameserver, whether BIND or otherwise -- is configured to use "forwarders", then none of the target forwarders can be running BIND4 or BIND8. Upgrade all nameservers used as "forwarders" to BIND9. There is a current, wide scale Kashpureff-style DNS cache corruption attack which depends on BIND4 and BIND8 as "forwarders" targets. |
Sorry 'bout the dupe link, P1.
There is still some missing info, like what qualified a DNS server for the "vulnerable" lists? Is it simply that a server allows recursion? That they are running BIND v.4/8? Those in and of themselves are not dangerous; it's how those programs are configured to handle recursion that makes them vulnerable.
Quoting from the article about the research you mention (emphasis mine):
|The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against. |
BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said.
There is no indication of what criteria were used by this self-described black hat to qualify a DNS server as "vulnerable". He might as well have said that EVERY MS DNS implementation was vulnerable. Why not? No harm to him, and the conclusion is just as obscure.
Check the BIND Security Matrix [isc.org] for current issues with a properly-configured server. (BIND v.9 was released in January of 2004!)
Granted that this is an important issue for those running outdated DNS servers, but let's get the details before we go nuts pestering our DNS admins to perform a security modification that some users just heard about and are in a state of panic about. And have you checked out what it takes to execute one of even the "easy" exploits on the pre-patched systems? Yoiks!
For all we know he found a high percentage of private servers (like mine and those of friends of mine) in his identification of 2.5M. There is no way of knowing how many DNS servers are active at any given time, so while 2.5 million may seem like a lot (and it is), as long as the Big 13 Root Nameservers are cool, and as long as the nameservers for your domains are cool, there's not a lot you need to worry about.
Okay, maybe you can worry about the bird flu ... but the DNS issue is not likely to get personal.
I'm just saying learn everything you can about this before you tell your DNS admins to make a change based on incomplete knowledge and fear of the unknown. Heck, there are lots of other DNS programs out there, and many of them are secure without disabling recursion.
thank you so much for the thought-provoking discussion. what great research, thanks for sharing... and to the others for constructive criticism too ;)
|You mean to tell me that the providers of some 230,000 servers simply didn't do their homework? Wow! |
Okay, so we have 230,000 servers out there that are potentially vulnerable.
This is turning into somewhat of a flame thread, and I have no intention of adding fuel to the fire.
I'll just say that it only takes a few hundred dollars or so to get a dedicated server with root and call yourself a host. There are many servers out there that are administrated by people who are completely incompetent. You could fully explain such situations to them, and they'd never understand it.
After teaching myself server administration, I'm scared of doing it, and also scared of not doing it.
I've got just this problem regarding my agents in India. I can get to my UK hosted site from the UK just fine but they tell me that there's a problem two hops down the line from Delhi which results in them ending up on a page full of on-target AdSense links. My site's hosting is not the problem even though it does have 'open DNS'.
I am with pageoneresults.
To anyone technical it seems like a non-event, i.e. simple patch, what basis for declaring vulnerable, all those issues.
What I would like to say is that I know nothing about DNS "hacking" - but I have to say I know of guys who do. Here's the thing, they don't care about the mass of DNS servers that are fine, they can just do this sort of thing and make a quick bunch of cash without anyone ever knowing.
I don't know them personally but I know this is the sort of "back door" that is the escalation of simple network hacks at college - anyone seen the film Sneakers?
It may not affect a lot of people - but neither do virus, key logging, IE security flaws, phishing - this time they can do it under the radar.
|That is why we have organizations now reporting on this monthly. Some have even set up blacklists for those servers that are flagged as poisoners. |
Are you aware that link redirects to another site and doesn't appear to have that list.
Could this be the result of an open DNS server on the target site? :)
I have a question--how do those of us, who know nothing about administering servers, determine if our clients, that are on OPEN DNS Servers, need to move to a new host when the host claims they don't have a problem? Is there a test we can perform somewhere to determine if they are on a vulnerable BIND4 or 8?
|Are you aware that link redirects to another site and doesn't appear to have that list. |
No, can you please explain? There are two links at the bottom of that page, one for 2006 February and one for 2006 March which lead to the actual blacklist. The other two go to the IRCache site which used to contain the blacklist.
|I have a question--how do those of us, who know nothing about administering servers, determine if our clients, that are on OPEN DNS Servers, need to move to a new host when the host claims they don't have a problem? |
At this point, I might pose that question to the creator of the tool at DNS Report. They do have a small forum over there where Scott (the Admin) will answer your questions pertaining to the report.
My understanding is that if the site your server is hosted on fails for Open DNS, that there may be some issues there for you to contend with and it is worth investigating even if you find out that the least that could happen is that the server would be used in a DDoS attack.
|We have an ongoing, periodic survey that looks for DNS cache poisoners. A nameserver may be able to poison vulnerable DNS caches by returning bad (incorrect) referrals for important domains. If a local caching resolver trusts the bad referral, future queries for the affected domain are sent to the wrong nameserver, which may refuse to answer the queries or provide incorrect answers. |
DNS resolvers for Microsoft Windows NT, 2000, and 2003 are vulnerable to cache poisoning. Windows 2003 is not vulnerable by default, but may become vulnerable if the administrator unchecks the "prevent cache poisoning" option.
Thanks for the reminder re the forum. I'll do that.
Re the redirected link, the link you posted goes where you indicated but when you click on "database of poisoners" on that page it is redirected to another site that doesn't have that info.
I found the poisoned list under the "Feb 2006 and Mar 2006" links on the page you directed us to.
|Re the redirected link, the link you posted goes where you indicated but when you click on "database of poisoners" on that page it is redirected to another site that doesn't have that info. |
You are correct. That particular database is offline right now. The ones to reference are the two monthly ones that are visible on that page. I did alert them to the issue and they are aware of it. Hopefully that link will lead to the master database sometime soon. It's being worked on. ;)
|I have a question--how do those of us, who know nothing about administering servers, determine if our clients, that are on OPEN DNS Servers, need to move to a new host when the host claims they don't have a problem? Is there a test we can perform somewhere to determine if they are on a vulnerable BIND4 or 8? |
The best test would be to send traffic to the DNS servers in question testing for the vulnerability, but that might be considered antisocial. A simple test to see if a DNS server is running a particular version is to send a "version.bind" request to it. When using dig, it looks like this:
% dig @a.b.c.d version.bind ch txt
; <<>> DiG 9.3.1 <<>> @a.b.c.d version.bind ch txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 682
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "8.3.3-REL-NOESW"
;; Query time: 220 msec
;; SERVER: a.b.c.d#53(a.b.c.d)
;; WHEN: Wed Apr 19 20:08:04 2006
;; MSG SIZE rcvd: 70
Note that some DNS servers don't provide this information for security purposes.
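As an added example (not part of this post, and not dig itself), the following Python script sends the same version.bind CH TXT query over raw UDP with the standard library only and parses the reply, so you can check your own servers without extra tools. The server address is an assumption passed on the command line; the reply's RA (recursion available) flag is also reported, since that is what an "open DNS" check is looking at.

```python
"""Ask a DNS server for its version.bind CH TXT record using raw UDP (stdlib only)."""
import socket
import struct

TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name):
    """Encode a dotted name as DNS labels: "version.bind" -> 07 'version' 04 'bind' 00."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname="version.bind", qtype=TYPE_TXT, qclass=CLASS_CH, rd=True):
    """Build a one-question DNS query; RD (recursion desired) is set, as dig does."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_id):
    """Return (header flags as a dict, list of TXT strings) from a raw DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: reply does not match our query")
    info = {
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
    }
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = skip_name(msg, off) + 4
    txts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars> strings
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return info, txts


def query_version(server, timeout=3.0):
    """Send version.bind CH TXT to `server` (an IP string, assumed) and parse the reply."""
    txid = 0x02AA
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, txid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed address
    info, txts = query_version(target)
    print("RA:", info["ra"], "rcode:", info["rcode"], "version:", txts or "(hidden)")
```

A server that hides its version returns no TXT string (or REFUSED, rcode 5), which is the "don't provide this information" case noted above.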
Thank you pageoneresults for such vital information; looking forward to getting more from you in the future.
>>>Visitors intending to visit a particular site can be victims of misdirection, but not through the fault of the site's own name servers.<<<
afaik, that can only be 100% true if your correct website dns info is cached on all dns servers.
what if the web server for your website is also the authoritative dns server for itself?
when you type a url into your browser, the first place it goes to find the dns info is on the dns servers of your internet service provider... however, if the dns info you need isn't cached, your browser will get forwarded to the authoritative dns server for the site you want... unless it's hijacked!
go to this url, and type your website name into the "ISP cached DNS lookup" box near the bottom of the page:
most likely, you'll see a lot of: [No cached answer: Would go to NS of com.]
so if the dns info for your website resides only on your website, and it gets re-directed by hackers, how can you claim that it's "not through the fault of the site's own name servers"?