
July 29th, 2008

DNS cache poisoning attacks exploited in the wild

Posted by Dancho Danchev @ 3:24 am

Categories: Arbitrary Code Execution, Black Hat, Browsers, Exploit code, Hackers, Malware, Metasploit, Passwords, Phishing, Spyware and Adware

Tags: Security, DNS Cache Poisoning, DNS Rebinding Attacks, Pharming, IP Spoofing, Dancho Danchev

UPDATE: Arbor Networks have provided more details in their “30 Days of DNS Attack Activity” analysis, and SANS confirmed HD Moore’s statement on cache-poisoned AT&T DNS servers. Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the “recent” DNS cache poisoning vulnerability:

“client 143.215.143.11 query (cache) ‘www.ebay.com/ANY/IN’ denied: 31 Time(s)
client 143.215.143.11 query (cache) ‘www.facebook.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.gmail.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.google.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.live.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.microsoft.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.msn.com/ANY/IN’ denied: 30 Time(s)
client 143.215.143.11 query (cache) ‘www.myspace.com/ANY/IN’ denied: 30 Time(s)”

Surprised? I’m not, since this was pretty logical given that the three publicly available exploits have been downloaded over 15,000 times in the last couple of days. What I’m actually surprised by is that it took so long to produce a working exploit, and that, despite the media outbreak raising awareness of the potential for abuse, major international and local ISPs remain vulnerable. Ironically, they remain vulnerable just as they always have, even when patches for a particular vulnerability were available. Insecure and misconfigured DNS servers were, and continue to be, a realistic threat even in a Web 2.0 world.
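The log excerpt above is the kind of evidence a resolver operator can look for: one client hammering the cache with ANY queries for a string of popular names. The following is an added example, not code from the original post: a small parser for BIND “query (cache) … denied” lines (both the raw form and the logwatch-style “N Time(s)” summary quoted above, a layout assumed from the visible lines) that aggregates denied queries per client and flags clients repeatedly probing many distinct names. The thresholds and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Matches a raw BIND line ("client 10.0.0.1#5353: query (cache) 'x/ANY/IN' denied")
# and the logwatch-style summary quoted in the post ("... denied: 31 Time(s)").
# The field layout is inferred from the quoted lines (an assumption of this example).
DENIED_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})(?:#\d+)?:? query \(cache\) "
    r"['\u2018](?P<qname>[^/'\u2019]+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)['\u2019] "
    r"denied(?::\s*(?P<n>\d+)\s*Time\(s\))?"
)

def parse_denied(line):
    """Return (client, qname, qtype, count) for a denied cache query, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    count = int(m.group("n")) if m.group("n") else 1  # raw lines count once
    return m.group("client"), m.group("qname").lower(), m.group("qtype"), count

def summarize(lines):
    """Aggregate denied-query counts per client, keyed by (qname, qtype)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_denied(line)
        if parsed:
            client, qname, qtype, n = parsed
            counts[client][(qname, qtype)] += n
    return counts

def suspicious_clients(lines, min_names=3, min_per_name=10):
    """Flag clients that repeatedly fire ANY queries at many distinct names, the
    pattern shown in the post's excerpt. Thresholds are assumptions for this example."""
    flagged = {}
    for client, per_name in summarize(lines).items():
        hot = sorted(q for (q, t), n in per_name.items() if t == "ANY" and n >= min_per_name)
        if len(hot) >= min_names:
            flagged[client] = hot
    return flagged

# Constructed sample lines (not the post's data); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    "client 203.0.113.5 query (cache) 'www.ebay.com/ANY/IN' denied: 31 Time(s)",
    "client 203.0.113.5 query (cache) 'www.gmail.com/ANY/IN' denied: 30 Time(s)",
    "client 203.0.113.5 query (cache) 'www.msn.com/ANY/IN' denied: 30 Time(s)",
    "client 198.51.100.7#40211: query (cache) 'www.example.com/A/IN' denied",
    "client 198.51.100.7#40211: query (cache) 'www.example.com/ANY/IN' denied",
    "Jul 29 03:24:01 ns1 named[1234]: unrelated log line",
]
```

Calling `suspicious_clients(SAMPLE_LOG)` flags only the first client; the second issues too few ANY queries to cross the threshold.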

Take for instance a survey of DNS security conducted back in 2004, showing that:

“We next examine which names depend on nameservers with known security flaws. Of the 166771 nameservers, 27141 have known vulnerabilities. These vulnerabilities affect 185802 names. A naive expectation might be that, with ~17% vulnerable nameservers, only 17% of the names would be affected. This is patently not the case; transitive trust relationships “poison” every path that passes through an insecure nameserver. Hence 34% of DNS names can be compromised by launching well-known, scripted attacks.”

Another DNS measurement study conducted back in 2005 showed that 84% of Internet name servers could be vulnerable to pharming attacks. Even if you’re more conservative than you should be, you can easily consider that at least 50% of Internet name servers remain vulnerable three years later. Well, that seems to be the case according to last year’s survey of DNS security, again conducted by Infoblox:

“Still more than 50% of Internet name servers allow recursive queries, which is consistent with 2006 results. Accepting recursive queries from arbitrary addresses allows servers to be used in DNS amplification attacks that can bring down major networks, and also leaves them vulnerable to cache poisoning attacks. The percentage of name servers that allowed us to transfer zones actually increased slightly, from 29% to 31%. While this change is probably within the survey’s margin of error, it does show that this aspect of security isn’t improving. A change in the default behavior of the BIND 9 name server (like the change to the default recursion setting introduced in BIND 9.4) might help here.”

Moreover, MIT’s IP Spoofer project, originally running since 2005, continues to automatically generate graphs representing the state of DNS server security across the globe, particularly their susceptibility to IP spoofing, the ABC of DNS security. Despite the hype over the recent vulnerability, DNS cache poisoning has been around for years, and it’s not going away anytime soon.

Most importantly, malicious attackers don’t need to take advantage of this flaw to successfully commit cybercrime, as they do on a daily basis. What hasn’t been taken care of for years won’t be solved in a matter of days, that’s for sure. Until then, take control of the situation: check whether or not your ISP is running DNS servers susceptible to cache poisoning, approach them while sharing your evidence online, and consider going through the possible abuse scenarios malicious attackers can take advantage of using DNS cache poisoning.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
