[oclug] DNS cache poisoning: should we care?

Bill Strosberg oclug_mail at strosberg.com
Thu Apr 7 19:21:55 EDT 2005


Dana Webber wrote:

>According to  http://isc.sans.org/ there are a lot of DNS 
>that will reply with the IP of a malicious host instead of
>the one that belongs to the host that was queried for.
>
>Apparently there are a lot of MS name servers that do 
>not have all the required patches and now somebody
>is exploiting this. The goal is to redirect the ignorant
>masses to web sites that will install malware. 
>
>Bind comes configured to point to the root servers and 
>this malware will not hurt any decent OS. 
>
>So, should anybody here care about this ? 
>
Certainly we should care.  Any time we are connecting to the Internet we
stand a good chance of using one of these servers, unless you always 100%
control every environment you work in.  Do you trust every name server
your ISP provides by DHCP?

As you know, the Internet was built on implicit trust of the
infrastructure upstream of any point, and by ARP cache poisoning at any
point along the communication you could redirect traffic wherever you
like - to one of these bogus name servers.  Something like this could
cause huge liability and trust problems if it isn't sorted out quickly. 
Face it, the average joe doesn't even bother turning on certificate
validation in their browsers - how are they supposed to know a server
clearly reporting itself as secure.royalbank.com isn't actually the
right box?  This combined with phishing, and no checking of certificates,
creates the perfect environment for the criminal.  Self-sign a PEM
encoded cert, set up a phishing pond, and grab a few Internet bank
transactions - and then disappear!

Imagine if this happened to Rogers - or Sympatico - or Videotron?

--
Bill Strosberg