Security Bug The Internet

DNS Poisoning Hits One of China's Biggest ISPs 86

Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."
  • Re:Frosty Post!!1 (Score:5, Informative)

    by SensiMillia ( 217366 ) on Friday August 22, 2008 @03:26AM (#24701899)

    In fact Frosty Post AC has a point.

    Chinese speakers (at least in Beijing) often use the word 那个 (neige) [sheik.co.uk] as a filler word; much in the same way as 'uh' or 'er' are used in the English language.

    Anyone with no understanding of the Chinese language will often be confronted by the words 'nigga, nigga' when walking on the streets of Beijing.

  • by TorKlingberg ( 599697 ) on Friday August 22, 2008 @03:28AM (#24701911)
    OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.
  • check your server (Score:4, Informative)

    by the_denman ( 800425 ) <`moc.liamg' `ta' `renned'> on Friday August 22, 2008 @03:32AM (#24701947) Homepage
    It may be a good idea to check your DNS server to see if it is vulnerable. Dan Kaminsky has a tool that shows vulnerability on his blog. [doxpara.com]
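The check the_denman points to looks, in effect, at whether a resolver randomises the source port and transaction ID of the queries it sends upstream: a resolver that always sends from one port with a counting TXID leaves only 16 bits for an attacker to guess. What follows is an added example, not the_denman's code, not Kaminsky's tool and not from Slashdot, that scores a set of constructed (txid, source_port) observations the way such a check would. The sample tuples, the metric names and the 0.5 thresholds are assumptions made here.

```python
"""Score a resolver's outbound query randomness from observed (txid, port) pairs."""
import math
from collections import Counter

# Constructed sample, not real capture data: a resolver that always sends from
# port 53 and increments its transaction ID. This is the weak pattern.
FIXED_PORT_SAMPLE = [(0x1A2B + i, 53) for i in range(32)]

# Constructed sample, not real capture data: a resolver that randomises both
# the transaction ID and the ephemeral source port.
RANDOMISED_SAMPLE = [
    (0x9F31, 49152), (0x02C8, 61337), (0xE4A1, 51210), (0x7B6D, 58991),
    (0x13F0, 33077), (0xC55E, 40123), (0x6A07, 62004), (0x8D92, 45555),
    (0x2E4C, 57832), (0xF7A3, 39910), (0x4B19, 53211), (0xA0E6, 60442),
    (0x5C78, 36018), (0xD1BF, 48877), (0x0895, 55163), (0xB3E2, 42690),
    (0x3D6A, 59320), (0xEF04, 34781), (0x7129, 50098), (0x96C7, 63500),
    (0x2485, 44213), (0xCA5D, 37954), (0x5FE3, 56671), (0x8B1A, 41307),
    (0xDE38, 52846), (0x1C9E, 47039), (0xA74F, 60905), (0x6216, 35122),
    (0xF0B7, 58234), (0x39D5, 43668), (0xB86C, 54417), (0x0E2D, 49987),
]


def normalised_entropy(values):
    """Shannon entropy of the observed values divided by log2(n), so 1.0 means
    every sample was distinct and 0.0 means a single fixed value."""
    n = len(values)
    if n < 2:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def sequential_fraction(values):
    """Fraction of consecutive samples that step by exactly +1 (a counter)."""
    steps = [b - a for a, b in zip(values, values[1:])]
    if not steps:
        return 0.0
    return sum(1 for s in steps if s == 1) / len(steps)


def assess(samples):
    """Summarise port and TXID behaviour and give a coarse verdict.
    Thresholds (0.5) are an assumption for this illustration."""
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    report = {
        "distinct_ports": len(set(ports)),
        "port_entropy": round(normalised_entropy(ports), 3),
        "txid_entropy": round(normalised_entropy(txids), 3),
        "txid_sequential": round(sequential_fraction(txids), 3),
    }
    poor = (report["port_entropy"] < 0.5
            or report["txid_entropy"] < 0.5
            or report["txid_sequential"] > 0.5)
    report["verdict"] = "POOR" if poor else "GOOD"
    return report


if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_SAMPLE),
                          ("randomised", RANDOMISED_SAMPLE)):
        print(label, assess(sample))
```

With a real resolver you would fill the sample lists from a packet capture of its upstream queries; the scoring logic stays the same.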
  • by gzipped_tar ( 1151931 ) on Friday August 22, 2008 @03:48AM (#24702011) Journal

    Exactly. But there is a workaround. Just sign up for an OpenDNS free account and you can turn their "features" off in your preferences. Once configured, OpenDNS works just like normal DNS servers that return NXDOMAIN on unknown domains, which is all I want.

    For dynamic IP users like me a bit more work is necessary: find a way to report the IP to OpenDNS so it knows it is you. I use the ddclient [sourceforge.net] daemon to update my IP information to OpenDNS and things are working reasonably well so far.

  • Re:It's (Score:3, Informative)

    by ChoboMog ( 917656 ) on Friday August 22, 2008 @05:18AM (#24702475)
    It may be like a reflex now, but at least the "iFrame" name is derived from what it actually is (an Inline Frame) and not just a letter stuck somewhere as part of a marketing or branding gimmick.
  • Re:Cyberparanoia (Score:5, Informative)

    by jonaskoelker ( 922170 ) <`jonaskoelker' `at' `yahoo.com'> on Friday August 22, 2008 @07:09AM (#24703005)

    I know you're just trying to be funny, but allow me still to (hopefully) educate some of your readers.

    If anyone was wiretapping and using reasonably well-designed equipment, you wouldn't hear clicks, since clicks can be avoided. I think "high-impedance circuitry" was the phrase used to justify that claim.

    Also, if the wiretappers are playing by the rules, you can just press C on your phone (or play back two tones with the corresponding frequencies but less amplitude than your phone does) to shut down the recording equipment at the other end.

    Source: Matt Blaze, http://www.usenix.org/events/lisa05/tech/mp3/blaze.mp3 [usenix.org], http://www.usenix.org/events/lisa05/tech/ [usenix.org].

    Interesting to know, if you plan on being wiretapped. What's also interesting to know is that wiretapping equipment is (usually) illegal to possess, yet can be bought from law enforcement agencies on eBay :)

  • by Joseph_Daniel_Zukige ( 807773 ) on Friday August 22, 2008 @08:57AM (#24703941) Homepage Journal

    Yeah, and I'm not sure how to fit dyndns.com's services into this idea, either.

    But certificates are not really appropriate for DNS when you're just surfing, even if Verisign hadn't trashed the current authorization space. Not unless ISPs start making server certificates part of their basic package. (In the end, everyone is going to have their own web server to take messages and host bulletin board/blogs.)

    Certificates can only work vertically (hierarchically) within an organization. In public, certificates have to function peer-to-peer to have any real meaning at all. (Witness that huge clot in your browser cert cache.) Identity doesn't work by remote.

    It may be that this multiple polling scheme is only useful for secure connections

  • by Joseph_Daniel_Zukige ( 807773 ) on Friday August 22, 2008 @09:30AM (#24704445) Homepage Journal

    ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

    1. I'm talking about pools as in, your ISP's main and backup DNS servers are one pool. The openDNS servers you can choose to reference form another pool. The third pool would be like openDNS, but managed separately.

    The servers within the pool regularly check each other and flag and sequester rogues. When a client gets a mismatch, it would report that mismatch to all three pools, and the pools would send messages around to all servers to unwedge their caches for that IP address.

    If the pools don't end up in agreement, that IP gets effectively DOSsed until a human admin can clear it.

    Rogues in one pool would have to somehow gang up with rogues in each of the other pools to defeat the agreement requirement.

    (Yeah, I need to think this out some more, but that's the general idea.)

    2. Of course not under the same management.

    3. Yes, each bank supplies a dedicated browser for its own customers, which means most people would have one browser for each bank they use, in addition to the general purpose surfing browser. Not a big deal, you can get cross platform browsers with most of the necessary functionality as library classes in Java and Perl, and probably other languages.

    The most time intensive part of the implementation is generating either the list of one-time passwords or customer certificate that the customer takes home with the browser install mini-CD.
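The pool scheme sketched in point 1 above (resolvers inside a pool check each other and sequester a rogue; the client accepts an answer only when the pools agree, and a disagreement holds the name and triggers cache flushes) can be modelled in a few dozen lines. The following is an added example written for this page, not the commenter's code and not anything Slashdot or OpenDNS ships; pool names, resolver names and addresses are placeholders from the RFC 5737 documentation ranges, and the strict-majority rule within a pool is an assumption about how the "flag and sequester" step would work.

```python
"""Model of the three-pool agreement scheme for DNS answers."""
from collections import Counter

# Constructed answers: the set of A records each resolver returned for one
# name. GOOD is the legitimate record, BAD is what a poisoned cache hands back.
GOOD = frozenset({"192.0.2.10"})
BAD = frozenset({"198.51.100.66"})

# Scenario 1: one resolver in the ISP pool is poisoned, the rest agree.
ONE_ROGUE_RESOLVER = {
    "isp":   {"isp-1": GOOD, "isp-2": GOOD, "isp-3": BAD},
    "open":  {"open-1": GOOD, "open-2": GOOD, "open-3": GOOD},
    "third": {"third-1": GOOD, "third-2": GOOD, "third-3": GOOD},
}

# Scenario 2: the whole ISP pool is poisoned, so the pools disagree.
WHOLE_POOL_POISONED = {
    "isp":   {"isp-1": BAD, "isp-2": BAD, "isp-3": BAD},
    "open":  {"open-1": GOOD, "open-2": GOOD, "open-3": GOOD},
    "third": {"third-1": GOOD, "third-2": GOOD, "third-3": GOOD},
}


def pool_verdict(resolvers):
    """Intra-pool check: resolvers compare answers. Returns the pool's
    majority answer (None if there is no strict majority) and the sorted
    list of resolvers to sequester because they disagree with it."""
    tally = Counter(resolvers.values())
    answer, votes = tally.most_common(1)[0]
    if votes * 2 <= len(resolvers):
        # No strict majority: the pool cannot vouch for any answer, so every
        # member is treated as suspect until an admin looks at it.
        return None, sorted(resolvers)
    rogues = sorted(r for r, a in resolvers.items() if a != answer)
    return answer, rogues


def resolve(name, pools):
    """Cross-pool check done by the client. Agreement yields an answer; any
    mismatch holds the name (the comment's 'effectively DoSsed') and tells
    every pool to flush its cache entry for it."""
    verdicts = {p: pool_verdict(r) for p, r in pools.items()}
    rogues = {p: rg for p, (_, rg) in verdicts.items() if rg}
    answers = {ans for ans, _ in verdicts.values()}
    if len(answers) == 1 and None not in answers:
        return {"name": name, "status": "agree", "answer": answers.pop(),
                "rogues": rogues, "flush": []}
    return {"name": name, "status": "hold", "answer": None,
            "rogues": rogues, "flush": sorted(pools)}


if __name__ == "__main__":
    print(resolve("example.test", ONE_ROGUE_RESOLVER))
    print(resolve("example.test", WHOLE_POOL_POISONED))
```

The model makes the comment's last point concrete: a single poisoned resolver is outvoted inside its own pool and named as a rogue, while poisoning an entire pool only buys a held name and a flush message, because the other two pools still have to agree with it.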
