It sounds really geeky, but DNS cache poisoning attacks affect everyone, and can be a major problem. Basically, the attack can result in you typing in the address of a trusted site and ending up at a fake site which steals your information or installs malware.
The upshot? Be careful - any time you go to a site that has a login or asks you to install something, even a trusted site, make sure that the SSL certificate is correct, matches the name, and is valid. If anything seems wonky, log off and try again later, or call the company.
From the SANS alert:
(1) HIGH: DNS Cache Poisoning Attacks
Affected:
Windows NT and Windows 2000 (prior to SP3) DNS servers in the default configuration
The following configurations are also reportedly vulnerable and being investigated:
  Windows DNS server forwarding requests to a BIND DNS server running version 4.x or 8.x
  Windows DNS server forwarding requests to another vulnerable Windows DNS server
Description: SANS Internet Storm Center (ISC) has been actively analyzing reports of large-scale DNS cache poisoning attacks underway. By performing the DNS cache poisoning, an attacker is able to direct traffic intended for legitimate domains (for instance, windowsupdate.com) to an IP address under the attacker's control. The attacks have been used to re-direct popular domains belonging to a number of financial, entertainment, travel, health and software companies to the attackers' servers in order to install malware on the user systems. The attacks are targeting flaws in the Symantec Gateway security products (described in an earlier @RISK newsletter), and the forwarding configurations using Windows and BIND DNS servers listed above.
Status: Microsoft has published an article KB241352 that describes how to set up a registry key on Windows 2000 (prior to SP3) and NT 4.0 (SP4 and later) to harden a DNS server's configuration. An upgrade to version 9.x for the DNS forwarding servers running BIND is recommended. An upgrade to Windows 2000 (SP3 or above) and Windows 2003 is recommended for Windows DNS servers since these versions offer protection against the cache poisoning attacks in their default configuration. Symantec has already released updates for its DNS products that should be immediately applied. ISC has also detailed steps on how to clean the current DNS cache, which may be polluted.
[...]
References:
ISC DNS Cache Poisoning Report
http://isc.sans.org/presentations/dnspoisoning.php
Microsoft KB241352
http://support.microsoft.com/default.aspx?scid=kb;en-us;241352
SANS Handler's Diary Postings
http://isc.sans.org/diary.php?date=2005-04-07
http://isc.sans.org/diary.php?date=2005-04-03
http://isc.sans.org/diary.php?date=2005-04-01
http://isc.sans.org/diary.php?date=2005-03-31
http://isc.sans.org/diary.php?date=2005-03-30
Symantec Gateway Products (patches available)
http://www.sans.org/newsletters/risk/display.php?v=4&i=11#widely1
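
An added example, not part of the SANS alert or of this post: one way to audit a resolver cache that may be polluted, by comparing cached A records against the networks each protected domain is expected to resolve into. The cache export format, the baseline table, the function names and every address are assumptions constructed for illustration (RFC 5737 documentation ranges; bank.example is a placeholder).

```python
import ipaddress

# Constructed baseline: networks each protected zone is expected to resolve into.
# The ranges are RFC 5737 documentation prefixes, not real addresses.
BASELINE = {
    "windowsupdate.com": ["192.0.2.0/24"],
    "bank.example": ["198.51.100.0/25", "203.0.113.0/24"],
}

# Constructed cache export, one "name ttl type address" record per line.
SAMPLE_CACHE = """\
www.windowsupdate.com. 3600 A 192.0.2.10
download.windowsupdate.com. 86400 A 203.0.113.77
login.bank.example. 300 A 198.51.100.20
login.bank.example. 300 A 198.51.100.200
static.unrelated.example. 600 A 203.0.113.5
www.bank.example. 300 A not-an-ip
"""

def zone_for(name, baseline):
    """Return the longest baseline zone that name equals or is a subdomain of."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # whole labels only, so no suffix tricks
        if candidate in baseline:
            return candidate
    return None

def audit_cache(cache_text, baseline=BASELINE):
    """Return (name, address, reason) for every A record that looks poisoned."""
    findings = []
    for line in cache_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2].upper() != "A":
            continue  # only A records are checked in this example
        name, _ttl, _type, addr = fields
        zone = zone_for(name, baseline)
        if zone is None:
            continue  # no baseline for this name, nothing to compare against
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((name, addr, "unparseable address"))
            continue
        nets = [ipaddress.ip_network(n) for n in baseline[zone]]
        if not any(ip in net for net in nets):
            findings.append((name, addr, f"outside baseline for {zone}"))
    return findings

if __name__ == "__main__":
    for finding in audit_cache(SAMPLE_CACHE):
        print(*finding, sep="\t")
```

A flagged record is a lead to investigate, not proof of poisoning: a baseline that lags behind a provider's legitimate address changes produces the same finding.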