Slashdot Log In
DNS Poisoning Hits One of China's Biggest ISPs
Posted by
timothy
on Friday August 22, @01:31AM
from the when-bad-childhoods-attack dept.
from the when-bad-childhoods-attack dept.
Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."
Related Stories
[+]
Massive, Coordinated Patch To the DNS Released 315 comments
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."
[+]
Kaminsky's DNS Attack Disclosed, Then Pulled 281 comments
An anonymous reader writes "Reverse engineering expert Halver Flake has recently mused on Dan Kaminsky's DNS vulnerability. Apparently his musings were close enough to the mark to cause one of the Matasano team, who apparently already knew of the attack, to publish the details on the Matasano blog in a post entitled 'Reliable DNS Forgery in 2008.' The blog post has since been pulled, but evidence of it exists on Google and elsewhere. It appears only a matter of time now before the full details leak."
Reader Time out contributes a link to coverage on ZDNet as well.
Firehose:DNS Poisoning Hits Biggest Chinest ISP by Anonymous Coward
[+]
Kaminsky DNS Bug Claimed Fixed By 1-Character Patch 112 comments
An anonymous reader writes "According to a thread on the bind-users mailing list, there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere. As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle. Source port randomization is nice, but removing the root cause of the attack's effectiveness is better."
Update: 08/29 20:11 GMT by KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting and was considered, but a) doesn't work and b) creates fatal reliability issues. I've responded in a post here."
Update: 08/29 20:11 GMT by KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting and was considered, but a) doesn't work and b) creates fatal reliability issues. I've responded in a post here."
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
It's <iframe> (Score:5, Funny)
Reply to This
Re:It's (Score:3, Insightful)
Re: (Score:3, Informative)
Cyberwar (Score:2)
Whenever attacks target specific countries, I wonder.... Yeah, I guess I'm feeling a little paranoid tonight.
Re:Cyberparanoia (Score:5, Funny)
lol
Can we check the IP origin of that last post please?
*ring*ring*
Badguy1: "Hello"
Badguy2: "Hi its me, you ready to do this thing tonight?"
Badguy1: "sure, dont forget to bring the stuff"
*click*
Badguy2: "hey did you just hear a click on the line?"
Badguy1: "yeah! - do you think we are being tapped by the NSA?"
Anonymous Coward: "No its not our style"
Badguy1: "OK"
Badguy2: "OK"
Reply to This
Parent
Re:Cyberparanoia (Score:5, Informative)
I know you're just trying to be funny, but allow me still to (hopefully) educate some of your readers.
If anyone was wiretapping and using reasonably well-designed equipment, you wouldn't hear clicks, since clicks can be avoided. I think "high-impedance circuitry" was the phrase used to justify that claim.
Also, if the wiretappers are playing by the rules, you can just press C on your phone (or play back two tones with the corresponding frequencies but less amplitude than your phone does) to shut down the recording equipment at the other end.
Source: Matt Blaze, http://www.usenix.org/events/lisa05/tech/mp3/blaze.mp3 [usenix.org], http://www.usenix.org/events/lisa05/tech/ [usenix.org].
Interesting to know, if you plan on being wiretapped. What's also interesting to know is that wiretapping equipment is (usually) illegal to posses, yet can be bought from law enforcement agencies on ebay :)
Reply to This
Parent
Real Player exploits? (Score:2, Funny)
Since when (Score:5, Funny)
Since when do I have to input my SSN to post to slashdot?
Reply to This
As a Chinese Internet user... (Score:5, Interesting)
... I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers. (Disclaimer here: I'm not saying the OpenDNS service is recommended for security. It's just a matter about reputation.)
The Chinese ISPs has been known to use manipulated DNS records as a censorship measure, too. See here: http://slashdot.org/article.pl?sid=07/11/18/1824230 [slashdot.org]
Reply to This
Re: (Score:3, Interesting)
So what makes you think OpenDNS were not the first DNS servers attacked?
That's what I'd do.
Re:As a Chinese Internet user... (Score:5, Informative)
Reply to This
Parent
Re:As a Chinese Internet user... (Score:5, Insightful)
Reply to This
Parent
Re:As a Chinese Internet user... (Score:5, Interesting)
It's not only China that have ISP's that manipulate DNS records... Here in Denmark for instance most ISP's voluntarily manipulate DNS for a whole list of domains known to host kiddie porn causing a redirect to a warning page. But they also censor the net by 'preventing access' to domains like allofmp3.com and thepiratebay.org which were 'banned' by Fodgedretten, a commerce-oriented court, based on bogus claims of extending danish jurisdiction to foreign-based websites (Russia and Sweden). Unfortunately nobody has yet filed an appeal of these verdicts, so they stand - unvalidated.
Anyway, this censorship has caused most somewhat technically-oritented people to switch to other nameservers than those provided by their ISPs, usually OpenDNS but also private nameservers they trust. I use our company's which I run (and keep patched!) so I can circumvent the censorship.
Reply to This
Parent
Re:As a Chinese Internet user... (Score:5, Informative)
Reply to This
Parent
Re:As a Chinese Internet user... (Score:5, Informative)
Exactly. But there is a workaround. Just sign up for an OpenDNS free account and you can turn their "features" off in your preferences. Once configured OpenDNS works just like normal DNS servers that return NXDOMAIN on unknown domains, which is all I want.
For dynamic IP users like me a bit more work is necessary: find a way to report the IP to OpenDNS so it knows it is you. I use the ddclient [sourceforge.net] daemon to update my IP information to OpenDNS and things are working reasonably well so far.
Reply to This
Parent
Re: (Score:3, Interesting)
I always hear people on Slashdot bitching about OpenDNS. Apart from running my own resolver, what are my other options?
unanimous multi-polling? (Score:5, Interesting)
Check our own ISPs name servers, openDNS's name servers, and we need a third independent name server pool.
Check all three before moving accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.
Of course, I'm talking about DNS pools as if they already exist. But they should.
Interactions that need to be secured should also use independent multiple polling before exchanging tokens. Financial institutions, for instance, should keep their own private supernetwork, such that the customer queries their local branch to start login, then queries two other bank-owned check servers, to make sure the branch IP is what the bank says it should be. This would require dedicated browsers, but that's really a given. It's time to quit giving popular browser M, I, or E our credit card numbers to play with. The convenience is not worth it.
Reply to This
Parent
Re:unanimous multi-polling? (Score:4, Interesting)
Anything that's important will be using SSL, so even if someone does hijack your bank's DNS entries your browser will warn you that their certificate isn't signed by someone you trust. The only real worry is from typos or bad links, which is why it's recommended practice to never click links in emails to go to sites that you're going to have to log in to, but rather to use a bookmark or type and check the address yourself.
As for the "check against lots of different servers" idea, there's three main problems.
1. If the "pools" are very independent of each other (i.e. different management) then it just makes DoS attacks against certain sites very easy (get in the pool, behave for a while, then start serving nonsense results for www.example.com - voila, anyone using your server to verify addresses will reject that domain).
2. If the pools are under the same management, then they're very likely to be running the same software version on the same platform under the same firewall protection, etc. So an attacker may need to compromise some more servers, but they're all identical.
3. For your financial institutions example, how does the browser know which "check servers" to use? You can't rely on a single reply from one of their authoritative servers, since you don't trust them. If you ask a bunch of other servers, then you're trusting all of them not to be trying to DoS the site in question (and also not to be poisoned themselves).
I guess you could be intending that each bank supplies a browser for use with its website, but then you take a lot of the convenience out of using online banking; in particular, cross-platform support would be a problem.
Reply to This
Parent
Re: (Score:3, Interesting)
Olympic DNS poisoning (Score:3, Funny)
Someone's decided to make DNS poisoning an Olympic sport. Obviously the only place to do it at the moment is China.
I've got images in my head of a broken toothed Chinese geek running around Beijing with an EEE PC and a Linksys wireless router hooked to a 12V SLA battery, lights a-blinking, instead of the Olympic torch. Thank goodness the Olympics are about to end.
Reply to This
It's a big flaw (Score:5, Interesting)
It's a big flaw. Someone big was bound to fall foul of it eventually. And to be honest, I can't say that I'm at all surprised. In fact, I'm expecting a lot more.
I bet that there are still hundreds of large companies that are vulnerable worldwide and I bet that translates to hundreds of thousands, if not millions, of affected people. For instance, last time I checked the whole LGfL (London Grid for Learning) was vulnerable - and they provide DNS / Internet connectivity for every school in London (several million users, hundreds if not thousands of schools) with little alternative because they have been mandated as the recommended solution and thus all "interesting" content is in their private network.
If they ARE still compromised (and several days after the release of the information, they were still showing up as vulnerable on all those DNS tests and today I got: Your name server, at ***.***.***.***, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32768), that's virtually every school, staff member and student in London (we're probably talking close on a million people because it includes Greater London Boroughs but I'm not sure of the exact figure) which are in trouble because they use the upstream DNS from LGfL as their basis.
Have we heard anything through official channels? Nope.
Does everybody just trust LGfL to do their job transparently? Yep.
Have they done it? Apparently not.
Have they even heard of it? I don't know, but there have been zero advisories, zero visible configuration changes, that I can see.
Give it a few months, one of the students will download something and poison the whole of London's educational system and THEN maybe someone will bother to look into it.
When I heard about this flaw, the first thing I did was check all upstream servers that either my servers or my own home computers use - my cheap ISP (PlusNet) had apparently fixed the issue before I'd even caught wind of the "there may be a DNS problem" posts on Kaminsky's blog. Every other one just seems to be dragging their feet.
Reply to This
check your server (Score:4, Informative)
Reply to This
Just a warm-up (Score:3, Interesting)
If they were trying to do damage to china, wouldn't they have simply redirected everyone to anti-government propaganda sites instead?
Reply to This
Re: (Score:3, Insightful)
Re:Frosty Post!!1 (Score:5, Informative)
In fact Frosty Post AC has a point.
Chinese speakers (at least in Beijing) often use the word é£ä (neige) [sheik.co.uk] as a filler word; much in the same way as 'uh' or 'er' are used in the English language.
For anyone with no understanding of the Chinese language will often be confronted by the words 'nigga, nigga' when walking on the streets of Beijing.
Reply to This
Parent