Information Security News mailing list archives
RE: DNS attack could signal Phishing 2.0
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 17 Dec 2007 00:14:49 -0600 (CST)
Forwarded from: The Unknown Security Guy

On Dec 13, 2007 3:05 AM, InfoSec News <alerts () infosecnews org> wrote:

> Forwarded from: Crypto Admin <novembr5 (at) gmail.com>
>
> On 12/11/07, InfoSec News <alerts () infosecnews org> wrote:
>
> > http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
> >
> > By Robert McMillan
> > IDG News Service
> > December 11, 2007
> >
> > Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.
>
> Please read the comments on this article over at CircleID, where it is pointed out that the data does not support any difficulties with open recursive DNS servers, but rather with misconfigured DNS servers. Both David A. Ulevitch and Brett Watson make the points far better than I could.
>
> http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
>
> The authors of this report would have done themselves a favor, had they listened to their reviewers.
I agree that it would make sense to point out that while DNSSEC (http://www.dnssec.net) will help, upgrading from Bind 4 might also help out a bit. While I do not know if Dagon and friends scanned for port 53 (possibly including DNS servers running on infected Comcast machines, for example), or used NS and SOA records to locate servers, I think the method was most likely a mix of all methods: port 53 scans, mixed with watching traffic to gather name server addresses, as well as taking advantage of the hierarchical nature of DNS mixed with professional connections.

Still, it doesn't take many servers to create either DNS Poisoning or massive DDoSes via DNS amplification attacks, and tens of thousands of "rogue" DNS servers are easily still enough to bring any TLD to its knees without the need for a massive botnet to do so (see: the death of Blue Security here: http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html and DNS Amplification Attacks here: http://www.securiteam.com/securityreviews/5GP0L00I0W.html). Even if it's due to malicious installation, misconfiguration, out-of-date software, caching or recursive queries, these servers all pose a threat, and only contribute to the ability for one person to take out what seems to be the Internet's Achilles' heel: DNS. Combining these five types of "rogue" servers in an attack can lead to vectors that boggle the mind.

The only reason we haven't seen many of the massive DNS Amplification Attacks on major TLDs is that the InfoSec community is largely ineffectual when it comes to hurting spammers/botmasters and cleaning up the networks and thereby damaging the attackers' bottom line. (I.e.: whack-a-mole is better than all-out war for their portfolio (and ours), which relies on the Internet to function for either of us to make any money.)

If our success at taking down botnets grows, we will see more of these attacks happen in order to show that whack-a-mole appeases everyone, while all-out war hurts everyone (see Blue Security again :-). In the meantime, while DNS Amplification Attacks are blasé and would lead to all-out war (bad for both sides), DNS Poisoning can further the game of whack-a-mole without really hurting either InfoSec or phishers, only end users. Very likely to be a growing attack vector.

I guess I am agreeing with David's assessment of the situation.

__________________________________________________________________
Visit InfoSec News http://www.infosecnews.org/
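The thread's recurring point is that a resolver which answers recursive queries for anyone (whether by malicious installation, misconfiguration or stale software) is raw material for cache poisoning and for DNS amplification. The following is an added example, not code from the thread or from any project named in it: a small Python check that an operator can run over their own BIND 9 query log to spot the two symptoms that matter here, recursion being granted to addresses outside the networks the server is meant to serve, and ANY queries, which are the usual amplification workhorse. The log-line layout is the BIND 9 `query:` format as I understand it (the `+`/`-` flag after the record type reflects whether the client set the RD bit); the trusted networks and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Networks this resolver is supposed to serve recursion for (constructed values;
# replace with your own ranges).
TRUSTED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# BIND 9 query log line, e.g.
#   client 192.0.2.10#41234: query: www.example.com IN A + (192.0.2.53)
# Newer releases add "@0x..." after "client" and "(name)" before the colon;
# both are tolerated. The first flag character is '+' when the client asked
# for recursion (RD bit set) and '-' when it did not.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def is_trusted(ip):
    """True if the client address falls inside one of the networks we serve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify(rec):
    """Return the findings for a parsed record (empty list means nothing notable)."""
    findings = []
    if rec["recursion_desired"] and not is_trusted(rec["ip"]):
        # An outside client asked for recursion and the server logged the query:
        # evidence that recursion is not restricted to our own networks.
        findings.append("open-recursion")
    if rec["qtype"] == "ANY":
        # ANY answers are large relative to the query, which is what makes
        # them attractive for reflection/amplification.
        findings.append("any-query")
    return findings


def analyze(lines):
    """Summarise findings over a sequence of log lines.

    Returns (summary, external_sources): counts per finding kind, and counts of
    external addresses that were granted recursion.
    """
    summary = Counter()
    external_sources = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        for finding in classify(rec):
            summary[finding] += 1
            if finding == "open-recursion":
                external_sources[rec["ip"]] += 1
    return summary, external_sources


# Constructed sample log: one in-network lookup, an outside host repeating an
# ANY query with recursion, an outside host with a plain recursive query, an
# outside host doing a non-recursive NS lookup, and one unparsable line.
SAMPLE_LOG = """\
client 192.0.2.10#41234: query: www.example.com IN A + (192.0.2.53)
client 198.51.100.7#5353: query: isc.org IN ANY +E (192.0.2.53)
client 198.51.100.7#5353: query: isc.org IN ANY +E (192.0.2.53)
client 203.0.113.9#40000: query: example.net IN A + (192.0.2.53)
client 203.0.113.200#53: query: example.com IN NS - (192.0.2.53)
garbage line
""".splitlines()


if __name__ == "__main__":
    summary, sources = analyze(SAMPLE_LOG)
    for kind, count in sorted(summary.items()):
        print(f"{kind:15s} {count}")
    for ip, count in sources.most_common():
        print(f"recursion granted to external {ip}: {count} queries")
```

Run against a real log the interesting output is the list of external sources that were granted recursion: if it is non-empty, the server's recursion ACL (in BIND, `allow-recursion`) is wider than intended and the fix is in `named.conf`, not in the log. A non-recursive NS query from outside (the fourth sample line) is what an authoritative server is supposed to see and is deliberately not flagged.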