DNS Cache Poisoning

Are you vulnerable to DNS Cache Poisoning? Based on statistics gathered by Dan Kaminsky, security researcher, these numbers from 2005 August reveal that there is a severe problem with DNS that server administrators need to address ASAP!

2005 August - "There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned."

"The goal of DNS cache poisoning is to misdirect requests for DNS records to rogue DNS servers. The effect of DNS cache poisoning is to bypass the authoritative DNS name servers for a DNS zone."

The Measurement Factory currently performs monthly surveys scanning for DNS Servers that are poisoned. The results of those monthly DNS surveys (the DNS Cache Poisoner Blacklist) can be found here...

SANS Internet Storm CenterSANS Internet Storm Center - DNS Cache Poisoning

The Internet Storm Center is a volunteer effort and the better information they receive from the community, the better analysis they can perform and contribute back to the community.

"The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After complete analysis, the attack involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least 5 UNIX web servers. We received information the attack may have started as early as Feb. 22, 2005 but probably only affected a small number of people."

The below summary from SANS is by far the best and most informative that I've read to date concerning DNS Cache Poisoning (in addition to the one below from LURHQ Security Systems). While I'm not an expert in DNS, I've learned quite a bit here recently about issues pertaining to DNS. This applies to all server administrators around the world.

SANS Handler's Diary

We've listed below various SANS investigations (from the Handler's Diary) that occurred during the 2005 year that are directly related to DNS Cache Poisoning exploits.

Contents of the above DNS Cache Poisoning Summary from SANS

  1. How can others help?
  2. How do I recover from a DNS cache poisoning attack?
  3. What software is vulnerable?
  4. I am a dial-up/DSL/cable modem user - am I vulnerable?
  5. Where can I test my site to see if I am vulnerable?
  6. What exactly is DNS cache poisoning?
  7. What was the motivation for this type of attack?
  8. Weren't DNS cache poisoning attacks squashed around 8 years ago?
  9. What was the trigger for the attack?
  10. How exactly did this DNS cache poisoning attack work?
  11. What domain names were being hijacked?
  12. What were the victim sites?
  13. What malware was placed on my machine if I visited the evil servers?
  14. Got packets?
  15. Got snort?

DNS Cache Poisoning - PPC Hijacking - The Next Generation

LURHQ Security SystemsThe below information on DNS Cache Poisoning and PPC Hijacking was obtained from the LURHQ Security Services website.

Sub Attacks

"Once an attacker has managed to poison a DNS cache, there are a number of ways they can subvert protocols that rely on DNS. Some of the potential methods are listed below."

Redirecting Web Traffic

"An attack of this nature might range from a simple annoyance to a financial nightmare for a great number of people. The goal here is to set up a website that looks enough like the original so as to not raise any suspicion. Then the domain is hijacked via cache poisoning for as many ISPs/companies as possible, causing their traffic to hit the phony site instead."

Some of the sub-attacks here are:

Admin Note: Unfortunately there is much more to it than the above. Although what I've outlined may be affecting some in the search engine marketing industry. And, it is not just our industry, but the Internet as a whole.

PPC Hijacking - Pay Per Click Fraud

Do you manage and/or are involved with a Pay-Per-Click search engine marketing campaign? The following information from LURHQ Security Services is a must read for all search engine marketers and website owners alike. This document, dated 2005 April is a continuation of the 2005 March SANS DNS Poisoning Summary above.

"Search hijackers are not a new phenomenon; however, their purveyors are becoming more and more aggressive in capturing clicks from web users. Often, attempting to find the entity behind the hijack becomes an endless task of following layer after layer of obfuscation.

The incident in question involves DNS hijacking, and was widely reported in the beginning of 2005. The hijack was simple, and the vulnerability old and well known. It involved a rogue DNS server sending bogus authority records in a DNS reply packet, in which it claimed to be the authoritative server for all of the .com TLD. Vulnerable hosts would then direct queries for any .com sites to the rogue DNS server."


SEO Consultants Directory