DNS Cache Poisoning Again...


15 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 25 March 2005 - 05:56 AM

FYI...

- http://isc.sans.org/...date=2005-03-25
Updated March 25th 2005 05:57 UTC
"We have received information that another DNS cache poisoning attack has been launched. This time, it appears that the motivation is a little different. The site being re-directed to is a website that sells generic versions of popular prescription drugs. There are numerous references on the Internet to this site as being spammers and the like. We do not see any spyware/adware/malware being served from the server.
Before going any further, let's talk about the DNS server on Windows NT 4 and 2000 (not 2003). By default, the DNS server does NOT protect you against DNS cache poisoning. If you run a resolving nameserver on Windows NT 4 or Windows 2000, you are HIGHLY ADVISED to follow the instructions here to protect yourself from these attacks:

http://support.micro...kb;en-us;241352

Here is how the attack works. First, there needs to be a trigger that forces the victim site's DNS server to query the evil DNS server. There are several ways to accomplish this. A couple of easy methods are e-mail to a non-existent user (which will generate an NDR to the source domain), spam e-mail with an external image, banner ads served from another site, or perhaps triggering it from a bot network or installed base of spyware. Once the trigger executes, the victim's site DNS server queries the evil DNS server. The attacker includes extra information in the DNS reply packet. In this particular attack and the one from earlier in March, the reply packets contain root entries for the entire .COM domain. If your DNS server is not configured properly, then it will accept the new entries for .COM and delete the proper entries for the Verisign servers. Once this has occurred, any future queries that your DNS server makes for .COM addresses will go to the malicious DNS server. The server can give you any address it wants. In this attack, any hostname that you request is returned with a single IP address.
The gory details are as follows... The site users are being re-directed to displays a page advertising megapowerpills.com. Interestingly, the real IP address for megapowerpills.com is different and seems to only host an "under construction" image...There are numerous domain names and nameservers that point to these IP addresses...

Scott Fendley
Handler on Duty ..."
:eek:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 30 March 2005 - 05:27 PM

FYI...

Another round of DNS cache poisoning
- http://isc.sans.org/...date=2005-03-30
Updated March 30th 2005 19:53 UTC
"We are investigating another round of DNS cache poisoning. Reports have come in from some very large commercial organizations and they report using only Windows DNS servers that are secured against the attack or using Windows 2003. We are trying to identify whether this is a bug on Windows DNS servers...We still have not identified the trigger. If you know how people are being forced to the malicious DNS server...please let us know..."

(If more detail is needed, use the link. Caution: Offending IP addresses shown there: "These servers are trying to drop malware on your machine, so DO NOT browse to them.")

:ph34r: :ph34r:

#3 AplusWebMaster

Posted 31 March 2005 - 05:09 PM

FYI...

DNS Poisoning Stats
- http://isc.sans.org/...date=2005-03-31
Updated March 31st 2005 21:25 UTC
"The DNS spoofing attack on March 3rd redirected affected users to a set of compromised web servers. Some of the administrators of these servers agreed to share logs collected during the attack (THANKS!). Based on these logs, we collected the following statistics:

o 1,304 domains poisoned (pulled from the referer entries in the HTTPD logs)
o 7,973,953 HTTP get attempts from 966 unique IP addresses.
o 75,529 incoming email messages from 1,863 different mailservers.
o 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts).
o 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses).
o 2,027 attempted logins to 82 different webmail (HTTP) servers..."

:(

#4 AplusWebMaster

Posted 03 April 2005 - 08:28 PM

FYI...

DNS Cache Poisoning Detailed Analysis Report
- http://isc.sans.org/...date=2005-04-03
Updated April 4th 2005 01:20 UTC
"Handler Kyle Haugsness and several other handlers wrote an excellent report on what they found so far with respect to the DNS cache poisoning we have reported over the past several days. The summary of the report is below, and the remainder of the report is at:
- http://isc.sans.org/...nspoisoning.php
...Contents:
1. How can others help?
2. How do I recover from a DNS cache poisoning attack?
3. What software is vulnerable?
4. I am a dial-up/DSL/cable modem user -- am I vulnerable?
5. Where can I test my site to see if I am vulnerable?
6. What exactly is DNS cache poisoning?
7. What was the motivation for this type of attack?
8. Weren't DNS cache poisoning attacks squashed around 8 years ago?
9. What was the trigger for the attack?
10. How exactly did this DNS cache poisoning attack work?
11. What domain names were being hijacked?
12. What were the victim sites?
13. What malware was placed on my machine if I visited the evil servers?
14. Got packets?
15. Got snort? ..."

:itok:

#5 AplusWebMaster

Posted 07 April 2005 - 03:46 AM

FYI...

DNS cache poisoning update
- http://isc.sans.org/...date=2005-04-07
Updated April 7th 2005 04:37 UTC
"We have received more technical details on the software configurations that are vulnerable. Thanks to Microsoft for clarifying details on Windows DNS and thanks to numerous others for reporting. We try to get all the technical details right before publishing information on attacks like this, but if we waited until we were 100% sure all the time, we would never be able to notify the community when the attacks are actually happening.
On Windows 2000 SP3 and above, the DNS server DOES protect against DNS cache pollution by default. The registry key to protect against the poisoning is not necessary: the value is TRUE if the registry key does not exist. Microsoft has now corrected the KB article that we published earlier with this information.
- http://support.micro...kb;en-us;241352
Last Review : April 6, 2005 / Revision : 2.0
- http://support.microsoft.com/kb/316786
On Windows 2000, you should manage the DNS cache protection security setting through the DNS Management Console. On Windows 2000 below SP3, the "Secure cache against pollution" is not the default so you should enable it using the DNS Management Console. On Windows 2000 SP3 and above (and Windows 2003), the secure setting is the default (even if the registry key does not exist).
Our recommendation is to only set the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters) on Windows NT4. Otherwise, use the DNS Management Console. If you are on Windows 2000 and you created the key already, you are safe to leave it in place as long as the value is "1".
There seem to be other possible scenarios where cache poisoning can occur. When forwarding to another server, Windows DNS servers expect the upstream DNS server to scrub out cache poisoning attacks. The Windows DNS server accepts all data that it receives, regardless of the setting for protecting against cache poisoning. So vulnerability of the attack depends upon whether the upstream DNS server is filtering out the attack..."

:eek:

#6 AplusWebMaster

Posted 07 April 2005 - 11:27 AM

FYI...

- http://isc.sans.org/...date=2005-04-07
Updated April 7th 2005 16:25 UTC
"...We are currently trying to determine the behavior of DJBDNS, and BIND versions 4, 8, and 9 when acting as a forwarder. We are asking for assistance from the community to determine their behavior so write us if you have details. It appears that BIND4 and BIND8 do not scrub the data, whereas BIND9 does. See the following scenarios:

Windows DNS --> forwarding to BIND4 or BIND8. Windows DNS server assumes that BIND scrubs out the poisoning attempt. BIND4 and BIND8 do NOT appear to scrub the attack. Windows DNS trusts the data and the Windows DNS cache will become poisoned.
Windows DNS --> forwarding to BIND9. This configuration seems to be secure because BIND9 scrubs the poisoning attempt.
Windows DNS (slave) --> forwarding to Windows DNS (master). In this scenario, your vulnerability is based on the vulnerability of the master. If the master is vulnerable, then it will be poisoned and forward the attack to the slave server, which will also be poisoned. However, if the master is secure then both servers should be safe.

The following recommendations are based on the current assumption that BIND4 and BIND8 forwarders will not filter the cache poisoning attack to its downstream clients. If we find out that this is not the case, then the recommendations may not be valid. If you have Windows DNS servers forwarding to BIND4 or BIND8, you should start investigating an upgrade of those BIND servers to BIND9. If upgrading to BIND9 would not be a possibility, a secondary recommendation would be to turn off the forwarding on Windows DNS and allow the server to contact the Internet directly so that it can apply the proper protection against cache poisoning. If you run an ISP and have clients that are using your DNS servers as forwarders, you may want to consider upgrading your resolvers to BIND9 in order to protect your clients. Alternatively, if you have Windows DNS servers that are functioning as forwarders then you should verify that those machines are protected, which should protect the rest of the DNS servers behind it."

:ninja:
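
Added example, not part of the original posts or the ISC diaries: a minimal model of the "scrubbing" described in posts #1 and #6, where a resolver keeps only records whose owner name lies inside the zone it asked the server about. The record layout, the `trigger.example` names and the treatment of a forwarder as bailiwick "." are assumptions made for illustration; the sample reply is constructed.

```python
from collections import namedtuple

# One parsed resource record; section is "answer", "authority" or "additional".
RR = namedtuple("RR", "section name rtype rdata")


def norm(name):
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def in_bailiwick(name, zone):
    """True if name is the zone apex or a descendant of it."""
    name, zone = norm(name), norm(zone)
    if zone == "":                      # the root zone covers every name
        return True
    return name == zone or name.endswith("." + zone)


def scrub(reply, zone):
    """Split a reply into (kept, dropped) for a server queried about `zone`.

    Answer and authority records survive only if their owner name is inside
    the zone. Additional records survive only as glue: inside the zone and
    naming a nameserver from an NS record that was itself kept.
    """
    kept, dropped = [], []
    for rr in reply:
        if rr.section == "additional":
            continue
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    ns_targets = {norm(rr.rdata) for rr in kept if rr.rtype == "NS"}
    for rr in reply:
        if rr.section != "additional":
            continue
        is_glue = in_bailiwick(rr.name, zone) and norm(rr.name) in ns_targets
        (kept if is_glue else dropped).append(rr)
    return kept, dropped


def cache_reply(cache, records):
    """Return a copy of cache in which each RRset in records replaces the old one."""
    fresh = {}
    for rr in records:
        fresh.setdefault((norm(rr.name), rr.rtype), set()).add(norm(rr.rdata))
    updated = dict(cache)
    updated.update(fresh)
    return updated


# Constructed sample data: a cache holding a correct .com delegation, and a
# reply from the server for trigger.example that also carries an NS record
# for the whole of .com, as the diary describes.
GOOD_CACHE = {("com", "NS"): {"a.gtld-servers.net"}}
REPLY = [
    RR("answer", "www.trigger.example.", "A", "192.0.2.10"),
    RR("authority", "trigger.example.", "NS", "ns1.trigger.example."),
    RR("authority", "com.", "NS", "ns1.trigger.example."),
    RR("additional", "ns1.trigger.example.", "A", "192.0.2.53"),
]


def demo():
    # No protection: every record in the reply is cached.
    unprotected = cache_reply(GOOD_CACHE, REPLY)
    # Protection on: the server was asked about trigger.example only.
    kept, dropped = scrub(REPLY, "trigger.example.")
    protected = cache_reply(GOOD_CACHE, kept)
    # Behind a forwarder the downstream server asks one upstream for every
    # name, modelled here as bailiwick ".", so the same check drops nothing.
    behind_forwarder, _ = scrub(REPLY, ".")
    return unprotected, protected, dropped, behind_forwarder


if __name__ == "__main__":
    unprotected, protected, dropped, behind_forwarder = demo()
    print("unprotected .com NS:", unprotected[("com", "NS")])
    print("protected   .com NS:", protected[("com", "NS")])
    print("dropped:", [(rr.name, rr.rtype) for rr in dropped])
    print("kept behind forwarder:", len(behind_forwarder), "of", len(REPLY))
```

The last case is why the diary's recommendations focus on the forwarder: a downstream server cannot tell which records the forwarder should have refused, so the filtering has to happen upstream.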

#7 AplusWebMaster

Posted 12 April 2005 - 06:09 AM

FYI...

(Unintentional) DNS Cache poisoning
- http://isc.sans.org/...date=2005-04-11
Updated April 12th 2005 06:31 UTC
"...Some historical evidence of Internet Service Providers that were initially thought to be taking the easy route in managing their DNS infrastructure and making their Nameservers authoritative for all .com domains effectively reducing the provider's configuration management requirements. However, in DNS environments that do serve recursive DNS queries for any size client base this could create a potentially negative internet experience for resolver clients due to the resulting incorrect, empty or otherwise unexpected DNS query responses.
Our followup on several specific issues that are unrelated to recent malicious DNS poisoning attacks determined that the provider in question had specifically configured their DNS servers in this way, that is acting as authoritative for .com domains, to prevent arbitrary bandwidth utilization by non-authorized clients performing recursive queries through the service provider. This had the unfortunate side effect of poisoning the DNS cache of any improperly configured Microsoft DNS servers that attempted recursive DNS queries through this type of DNS hosting configuration..."

:huh: :oops:

#8 AplusWebMaster

Posted 23 April 2005 - 05:07 AM

FYI...

DNS problems at Network Solutions
- http://isc.sans.org/...date=2005-04-22
Updated April 23rd 2005 02:59 UTC
"We have reports from numerous people about problems with the worldnic.com nameservers and there appears to have been an outage today. These nameservers provide authoritative nameservers for Network Solutions customers that don't have their own DNS servers. This outage reported today on the NANOG mailing list:
- http://www.merit.edu...g/msg07136.html

However, there seems to be another potential issue. Numerous sites are reporting problems resolving names against the worldnic servers. There seems to be a bug in the Symantec gateway products including the SEF (Raptor) product line. This seems to be known by the Symantec DNS engineers and they seem to be working on it.
- http://groups-beta.g...26668b6822a4251

Here is a public post on the issue from Barry Margolin, CISSP, Sr. Technical Support Engineer at Symantec.
"When I investigated, I found that occasionally the worldnic.com servers will respond to a query with an empty response with the Truncated flag set. The problem on our end is that the DNS proxy in our firewall seems to ignore the Truncated flag, rather than retry using TCP (I've reported this bug to development), so we cache the NOANSWER response (but we have a hard-coded 60-second negative cache TTL, so the problem usually clears up shortly)."

Finally, the Network Solutions problems may be causing issues on BIND servers. The empty response to the UDP query and the Truncated Flag should force a DNS server to use TCP and ask the question. Apparently, TCP sessions to those servers are very slow so it is looking like an outage (or a high number of SYN-SENT sessions to the worldnic.com servers).

This issue could be wreaking havoc with e-mail delivery. Receiving mail servers can't lookup MX records from remote servers and reject mail as spam. Given the large number of DNS queries some spam filters produce, this can be an issue."

:eek:
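
Added example, not part of the original post or of any vendor's code: the Truncated-flag handling described in post #8, comparing a proxy that ignores the TC bit and negative-caches the empty reply for 60 seconds with one that retries over TCP. The `Proxy` class, the `example.net` names and both DNS messages are constructed for illustration; the TCP retry is simulated by passing in the reply it would receive.

```python
import struct

QR_BIT, TC_BIT = 0x8000, 0x0200   # response flag and Truncated flag
NEGATIVE_TTL = 60                 # seconds, the negative-cache TTL quoted in the post


def build_reply(ident, qname, qtype, truncated, answers=()):
    """Constructed sample reply: header, one question, pre-encoded answer RRs."""
    flags = QR_BIT | (TC_BIT if truncated else 0)
    header = struct.pack("!6H", ident, flags, 1, len(answers), 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!2H", qtype, 1)
    return header + question + b"".join(answers)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "response": bool(flags & QR_BIT),
        "truncated": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def next_step(msg, honor_tc):
    """Decide what to do with a reply: retry over TCP, cache it, or fail."""
    h = parse_header(msg)
    if not h["response"]:
        return "error"
    if h["truncated"] and honor_tc:
        return "retry_tcp"          # the UDP reply is incomplete, do not cache it
    if h["rcode"] != 0:
        return "error"
    return "cache_answer" if h["ancount"] else "cache_negative"


class Proxy:
    """Toy caching proxy; honor_tc=False reproduces the behaviour in the post."""

    def __init__(self, honor_tc):
        self.honor_tc = honor_tc
        self.negative = {}          # qname -> expiry time of cached NOANSWER

    def lookup(self, qname, udp_reply, tcp_reply, now):
        if self.negative.get(qname, 0) > now:
            return "noanswer-from-cache"
        step = next_step(udp_reply, self.honor_tc)
        if step == "retry_tcp":
            # TC has no meaning on a TCP reply, so it is not consulted again.
            step = next_step(tcp_reply, honor_tc=False)
        if step == "cache_negative":
            self.negative[qname] = now + NEGATIVE_TTL
            return "noanswer"
        return "answer" if step == "cache_answer" else "error"


# Constructed messages: an empty UDP reply with TC set, and the full reply
# (one MX record, name-compressed against the question) a TCP retry returns.
MX_RR = (b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, 7)
         + struct.pack("!H", 10) + b"\x02mx\xc0\x0c")
UDP_TRUNCATED = build_reply(0x1234, "example.net", 15, truncated=True)
TCP_FULL = build_reply(0x1234, "example.net", 15, truncated=False, answers=[MX_RR])

if __name__ == "__main__":
    buggy, fixed = Proxy(honor_tc=False), Proxy(honor_tc=True)
    print("ignores TC, t=0 :", buggy.lookup("example.net", UDP_TRUNCATED, TCP_FULL, 0))
    print("ignores TC, t=30:", buggy.lookup("example.net", TCP_FULL, TCP_FULL, 30))
    print("honors TC,  t=0 :", fixed.lookup("example.net", UDP_TRUNCATED, TCP_FULL, 0))
```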

#9 AplusWebMaster

Posted 24 April 2005 - 11:08 PM

FYI...

Widespread Internet Attack Cripples Computers with Spyware
Experts say at least 20,000 PCs already have been affected. Is your company next?
- http://www.pcworld.c...d,120448,00.asp
"...It starts with an assault known as DNS poisoning: Domain name system servers, which guide Internet traffic, are fooled into directing anyone heading to any .com Web site--for example, ...cnn.com or ...americanexpress.com--to a malicious Web site that the attackers control. That Web site then surreptitiously installs a wide range of adware and spyware on the victim's computer. Companies suffer from the attack in a number of ways. First, the Internet connection for anyone using the poisoned DNS server--often the entire company in the case of smaller businesses--is completely disrupted. All Web traffic and e-mail trying to go to any .com site gets hijacked for as long as the DNS server remains compromised. Even after the DNS server is fixed, the company has to clean the adware and spyware from any affected computers, an onerous task that can keep IT people like David Parsons, who supports about 7000 people in his help-desk job at a Boston hospital, extremely busy. Parsons says his hospital was "slammed for about two days straight" by the DNS poisoning attacks starting March 29. Dunham conservatively estimates that 3000 DNS servers at a range of U.S. companies, including at least two with more than 8000 employees, were compromised over the past month.
"It's a very sophisticated attack," Dunham says. His company sent out a high-level threat warning to its clients, which includes Fortune 500 companies and government organizations. Dunham notes that both DNS poisoning attacks and the types of spyware and adware involved have been around for some time. But, he says, "this [attack] certainly is unprecedented in terms of the methodology and the sheer scope of adware and spyware installed." However, Web surfers at home generally are not vulnerable to this type of attack. Most ISPs use a type of DNS server called BIND, which is not directly affected by attempts at DNS poisoning. But older BIND servers can contribute to the problem by passing the attack along to vulnerable Windows DNS servers..."All the installation is done silently, in the background, with no user interaction," says Dunham...
What You Can Do
The bad news is that there's not much you can do personally to guard your work computer from being affected by DNS poisoning. You have no good way to avoid using DNS or to protect yourself if your company's DNS servers have been hit. Your IT department must make sure your DNS servers are not vulnerable. But you can protect yourself against the malicious software installs by making sure your version of Internet Explorer is up-to-date with all current patches. Other browsers, such as Firefox, are not vulnerable to such installs...
What's Behind It
Joe Stewart, a senior threat researcher at LURHQ, a South Carolina-based Internet security company that independently studied these attacks, analyzed the Web site redirection involved and the links in the two apparent Web search pages that resulted. Stewart found that clicking on one of the advertiser links in either of the sites sends information to Findwhat.com, an Internet marketing company that counts pay-per-click advertising as a big part of its business. The information sent includes one of two account numbers. That sent number notifies Findwhat to transfer payment to that particular account. So, according to Stewart, the attack is all about money..."

- http://www.lurhq.com/ppc-hijack.html
"...The incident in question involves DNS hijacking, and was widely reported in the beginning of 2005. The hijack was simple, and the vulnerability old and well-known. It involved a rogue DNS server sending bogus authority records in a DNS reply packet, in which it claimed to be the authoritative server for all of the .com TLD. Vulnerable hosts would then direct queries for any .com sites to the rogue DNS server. See the incidents.org March 31 Handler's Diary for details ( http://isc.sans.org/...date=2005-03-31 ).
Update: Several people have asked how to stop the hijacking from occurring on their computer. End users may not be able to prevent cache poisoning - the problem lies with the user's ISP or company DNS servers. Users may direct the persons responsible for maintenance of the DNS servers to Microsoft's KnowledgeBase article 241352 ( http://support.micro...kb;en-us;241352 ), which explains how to secure Windows DNS servers against this type of cache poisoning (or "cache pollution", as Microsoft calls it). Modern *nix-based DNS servers are not vulnerable to this type of attack. This vulnerability in Windows DNS services has been common knowledge for nearly four years now ( http://www.kb.cert.org/vuls/id/109475 - Date First Published 08/09/2001 )...
At this point we can see clearly what is happening - the big-name companies are advertising on legitimate networks that utilize pay-per-click search engines to drive traffic to the ads. Unfortunately, the pay-per-click model lends itself to abuse by rogue affiliates who will hijack users in order to drive up their click count and revenue. At the heart of the pay-per-click model is findwhat.com. While it is a legitimate enterprise itself, it is the entity that pays the affiliates who are actively employing trojans and dns cache poisoning to drive traffic to the advertisers. FindWhat has a policy prohibiting certain activities of this type, and will likely terminate any affiliate account reported to them for abuse. However, terminating the account only means that FindWhat benefits from the hijacker's activity without having to pay the hijacking affiliate. It's a win-win situation for them. FindWhat's estimated earnings for 2004 were between $167.5 and $179.5 million dollars. There is no way to determine how much of that revenue was generated by traffic from hijacked machines...
It doesn't seem too far-fetched to imagine that the persons responsible for the DNS hijacking could be apprehended simply by serving FindWhat with a subpoena to find out where they've been sending the checks for the affiliate IDs being passed in the search redirects. However, this activity has persisted for years now without much law enforcement interest, and as each new affiliate comes on board they invent their own scheme to abuse the PPC system. Clearly it seems that through the chain of advertiser to consumer and back again, the end user is ultimately paying to have him or herself hijacked..."

:eek:

#10 AplusWebMaster

Posted 26 April 2005 - 06:40 AM

FYI...

Hushmail hit by DNS attack
- http://www.theregist...ail_dns_attack/
25 April 2005
"Surfers trying to visit the web site of popular secure email service Hushmail were redirected to a false site early Sunday following a hacking attack. Hush Communications said hackers changed Hushmail's DNS records after "compromising the security" of its domain registrar (Network Solutions). These changes were undone after a few hours on Sunday and normal Hushmail services have now been restored...the impact of the attack was limited to lost email...Hush Communications said Hushmail users should be careful to make sure they are on its secure web page before they enter their pass phrase. "If your browser displays any error messages about the 'certificate' that verifies the website, do not continue," it adds."
- https://www.hushmail...8bfd5fb87ac684e
"Some servers throughout the Internet are still caching the wrong addresses for hushmail.com. We expect that all these addresses will be updated in the next 6 or 7 hours. In the interim, users are now able to access Hushmail through https://www.hush.com . This will avoid the problems associated with hushmail.com DNS records as the hush.com DNS settings were not affected..."

:ph34r:

#11 AplusWebMaster

Posted 28 April 2005 - 10:35 AM

FYI...

Continued DNS poisonings
- http://isc.sans.org/...date=2005-04-27
Updated April 28th 2005 15:52 UTC
"We continue to get reports of sporadic DNS cache poisonings. We've covered this in great detail earlier this month, so we won't spend a lot of time on it except to remind folks that the Internet Software Consortium (maintainer of BIND) agrees that BIND 4 and 8 are no longer suitable for use as forwarders, so, if you are running DNS servers that act as forwarders, please upgrade as soon as possible."

- http://www.isc.org/index.pl?/sw/bind/

.

#12 AplusWebMaster

Posted 28 April 2005 - 05:01 PM

FYI...

- http://isc.sans.org/...date=2005-04-28
Updated April 28th 2005 21:31 UTC
Safe Forwarding
"From: http://www.isc.org/index.pl?/sw/bind/
BIND4/BIND8 Unsuitable for Forwarder Use
If a nameserver -- any nameserver, whether BIND or otherwise -- is configured to use forwarders, then none of the target forwarders can be running BIND4 or BIND8. Upgrade all nameservers used as forwarders to BIND9. There is a current, wide scale Kashpureff-style DNS cache corruption attack which depends on BIND4 and BIND8 as forwarder targets.
Very useful BIND security matrix illustrating what issues affect which versions of BIND: http://www.isc.org/s...nd-security.php
Also be sure to check out the fine template from Team CYMRU:
http://www.cymru.com...d-template.html ..."


:huh:

Edited by apluswebmaster, 28 April 2005 - 05:03 PM.


#13 AplusWebMaster

Posted 06 May 2005 - 09:02 AM

FYI...

One more scripted mass hack
- http://isc.sans.org/...date=2005-05-05
Updated May 5th 2005 23:34 UTC
"It seems as if several web sites were modified in yet another mass hack yesterday, similar to the one we've reported two months ago ( http://isc.sans.org/...date=2005-03-13 ). Most likely, a script was used to amend all web sites hosted on one or more shared servers with a hostile IFRAME, redirecting visitors... Don't go there - it's an Adware site... places where you maybe should not tread, including a page... that tries the CHM exploit to drop a present. Checking with a search engine, it looks as if more than 1500 pages have been thus modified..."

:ph34r:

#14 AplusWebMaster

Posted 09 May 2005 - 01:47 AM

FYI...

OhMyGodGoogleIsGone!
- http://isc.sans.org/...date=2005-05-08
Updated May 9th 2005 06:05 UTC
"...Google went bye-bye for 15 minutes. Or perhaps it was an hour. It depends on who you ask... (or how long your DNS server cached the bogus information). This is, of course, one of several signs that Nostradamus predicted would signal the end days. And while several people were quick to expound theories about what caused the outage, we prefer to stick with the simplest explanation (which is also what Google is saying...): it was a DNS issue. Somebody in charge of Google’s DNS did something dumb. It fits the facts as we have heard them (“google.com” unavailable, but still reachable if you used the IP address). But what of the mysterious “redirects” to other search pages? Yesterday we reported that readers were seeing some suspicious “redirects” to an alternate search engine called “SoGoSearch.” It turns out that “SoGoSearch” owns the domain name “com.net,” and the machines “www.google.com.net” and “google.com.net” lead you to their search engine. So... if an overzealous browser tried to “fix” an unavailable “google.com,” it’s quite likely that you could end up looking at the SoGo search engine. As an aside: The fact that you can do a WHOIS lookup and find a listing showing:
GOOGLE.COM.SU***.FIND.CRACKZ.WITH.SEARCH.*****.COM
doesn’t mean that the entire DNS system has been compromised. It simply means that someone with far too much time on their hands registered their nameserver with that goofy name. Such childish stunts are widely acknowledged to increase your attractiveness to the opposite sex..."

:huh:

#15 AplusWebMaster

Posted 20 May 2005 - 10:01 PM

FYI...

VeriSign to put more backbone into the Net
- http://news.com.com/...html?tag=cd.top
May 19, 2005
"Over the next year, VeriSign aims to place additional replicas of one of its Domain Name System root servers--the "J"--in up to 100 data centers around the world... Ultimately, VeriSign intends to have machines handling traffic sent to the "J" DNS server in more than 200 additional locations, a shift from its original strategy of having a few servers in several data centers at key Internet hubs. The company currently runs "J" replicas in 18 facilities, Balogh said at VeriSign's annual financial analyst event here. "This expansion provides redundancy and reliability, and specifically deals with the increasing attacks we have out there," he said. The extra DNS servers could make the Internet infrastructure more resilient because even if some machines are downed by a hacker attack, for instance, others will still function. VeriSign is not the only organization to run DNS root servers on multiple systems. There are 13 official root servers, which are currently run on about 80 different physical servers, Balogh said. "We are going to triple that," he said..."

:thumbsup:

#16 AplusWebMaster

Posted 24 May 2005 - 04:31 PM

FYI...

DNS Denial of Service Vulnerability
- http://isc.sans.org/...date=2005-05-24
Updated May 24th 2005 21:20 UTC
"Earlier today, the NISCC released an advisory that involves a problem with some implementations of DNS. The vulnerability occurs during a recursion process used to decompress compressed DNS messages. Using specially crafted DNS packets, it is possible to cause vulnerable DNS servers to abnormally terminate. Later this afternoon, Cisco and Secunia both issued similar advisories which show some of the Cisco products that are vulnerable to this issue. For more information on this, please see the below URLs:

http://www.niscc.gov...0524-00433.html

http://www.cisco.com...50524-dns.shtml

http://secunia.com/advisories/15472/ ..."

:ph34r: