Forgot your password?
typodupeerror
Security Bug The Internet

DNS Poisoning Hits One of China's Biggest ISPs 86

Posted by timothy
from the when-bad-childhoods-attack dept.
Support Code writes "ZDNet's Zero Day blog is reporting that a DNS server of one of China's largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits. The DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks' RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer. In this interview with CNet, Dan Kaminsky confirms that attacks are definitely going on in the field."
This discussion has been archived. No new comments can be posted.

DNS Poisoning Hits One of China's Biggest ISPs

Comments Filter:
  • by Anonymous Coward on Friday August 22, 2008 @01:44AM (#24701277)
    <iframe> is property of html, not Apple Inc.
    • Re:It's (Score:3, Insightful)

      Haha, I guess it's kind of become reflex now to capitalize anything coming after an i.
      • Re: (Score:3, Informative)

        by ChoboMog (917656)
        It may be like a reflex now, but at least the "iFrame" name is derived from what it actually is (an Inline Frame) and not just a letter stuck somewhere as part of a marketing or branding gimmick.
  • Odd, just a little probe from the NSA?

    Whenever attacks target specific countries, I wonder.... Yeah, I guess I'm feeling a little paranoid tonight.
  • It's a good thing nobody uses Real Player these days, isn't it!
  • Since when (Score:5, Funny)

    by narcberry (1328009) on Friday August 22, 2008 @02:03AM (#24701365) Journal

    Since when do I have to input my SSN to post to slashdot?

  • It's busy trying to paint a picture that the whole problem is only with BIND, not with DNS protocol and in particular not with M$ DNS.
  • by gzipped_tar (1151931) on Friday August 22, 2008 @02:20AM (#24701495) Journal

    ... I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers. (Disclaimer here: I'm not saying the OpenDNS service is recommended for security. It's just a matter about reputation.)

    The Chinese ISPs has been known to use manipulated DNS records as a censorship measure, too. See here: http://slashdot.org/article.pl?sid=07/11/18/1824230 [slashdot.org]

    • Re: (Score:3, Interesting)

      by QuantumG (50515) *

      So what makes you think OpenDNS were not the first DNS servers attacked?

      That's what I'd do.

    • by MavEtJu (241979)

      I feel a bit lucky because I never trust my ISP's name servers. I knew this day would come. If possible, I always use the OpenDNS servers.

      If you were really worried about it you would run your own resolving-server on your machines.

    • by xenobyte (446878) on Friday August 22, 2008 @03:09AM (#24701801)

      It's not only China that have ISP's that manipulate DNS records... Here in Denmark for instance most ISP's voluntarily manipulate DNS for a whole list of domains known to host kiddie porn causing a redirect to a warning page. But they also censor the net by 'preventing access' to domains like allofmp3.com and thepiratebay.org which were 'banned' by Fodgedretten, a commerce-oriented court, based on bogus claims of extending danish jurisdiction to foreign-based websites (Russia and Sweden). Unfortunately nobody has yet filed an appeal of these verdicts, so they stand - unvalidated.

      Anyway, this censorship has caused most somewhat technically-oritented people to switch to other nameservers than those provided by their ISPs, usually OpenDNS but also private nameservers they trust. I use our company's which I run (and keep patched!) so I can circumvent the censorship.

      • by jhol13 (1087781)

        known to host kiddie porn

        "known" or "alleged"?

        "to host" or "picasa" (or hacked sites)?

        "kiddie porn" or "gay porn"?

        In Finland they use same method and the black list is extremely idiotic (and most likely illegal - unfortunately government refuses to do anything about it).

    • by TorKlingberg (599697) on Friday August 22, 2008 @03:28AM (#24701911)
      OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.
      • by gzipped_tar (1151931) on Friday August 22, 2008 @03:48AM (#24702011) Journal

        Exactly. But there is a workaround. Just sign up for an OpenDNS free account and you can turn their "features" off in your preferences. Once configured OpenDNS works just like normal DNS servers that return NXDOMAIN on unknown domains, which is all I want.

        For dynamic IP users like me a bit more work is necessary: find a way to report the IP to OpenDNS so it knows it is you. I use the ddclient [sourceforge.net] daemon to update my IP information to OpenDNS and things are working reasonably well so far.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        They redirect www.google.com, not google.com. If this were news to me and I went to check your claim, I'd find that you lied and your criticism would not just be ineffective but counterproductive. Apart from that you're right though. Nobody should use OpenDNS.

        • Re: (Score:3, Interesting)

          by 3p1ph4ny (835701)

          I always hear people on Slashdot bitching about OpenDNS. Apart from running my own resolver, what are my other options?

          • Re: (Score:1, Insightful)

            by Anonymous Coward

            There are other public DNS servers, but since DNS is currently an unauthenticated protocol, it is all a matter of trust. If you care enough about DNS to avoid your ISP's servers, you should run your own recursive resolver. It's not hard.

      • by rrohbeck (944847)

        OpenDNS has drawbacks too. They redirect Google.com and all non-existent domains to their own crappy search engine.

        Which causes my VPN (Nortel) not to work. DNS lookups to Intranet domains only work if they fail properly on the primary network adapter so they are tried on the virtual adapter. With OpenDNS all Intranet names are resolved to the same (OpenDNS I assume) IP address unless I change the DNS server ordering manually each time I connect.

    • by reiisi (1211052) on Friday August 22, 2008 @03:38AM (#24701969) Homepage

      Check our own ISPs name servers, openDNS's name servers, and we need a third independent name server pool.

      Check all three before moving accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.

      Of course, I'm talking about DNS pools as if they already exist. But they should.

      Interactions that need to be secured should also use independent multiple polling before exchanging tokens. Financial institutions, for instance, should keep their own private supernetwork, such that the customer queries their local branch to start login, then queries two other bank-owned check servers, to make sure the branch IP is what the bank says it should be. This would require dedicated browsers, but that's really a given. It's time to quit giving popular browser M, I, or E our credit card numbers to play with. The convenience is not worth it.

      • by Anonymous Coward

        Check all three before moving accepting the IP, and if there is any disagreement, just don't go. Also, send an automated warning to all three DNS pools to re-seed their random number generators and clear the contested IP from their cache.

        Fails to work with DNS-based load balancing. Next idea, please.

        • Re: (Score:2, Informative)

          Yeah, and I'm not sure how to fit dyndns.com's services into this idea, either.

          But certificates are not really appropriate for DNS when you're just surfing, even if Verisign hadn't trashed the current authorization space. Not unless ISPs start making server certificates part of their basic package. (In the end, everyone is going to have their own web server to take messages and host bulletin board/blogs.)

          Certificates can only work vertically (hierarchically) within an organization. In public, certificates h

      • by totally bogus dude (1040246) on Friday August 22, 2008 @04:36AM (#24702243)

        Anything that's important will be using SSL, so even if someone does hijack your bank's DNS entries your browser will warn you that their certificate isn't signed by someone you trust. The only real worry is from typos or bad links, which is why it's recommended practice to never click links in emails to go to sites that you're going to have to log in to, but rather to use a bookmark or type and check the address yourself.

        As for the "check against lots of different servers" idea, there's three main problems.

        1. If the "pools" are very independent of each other (i.e. different management) then it just makes DoS attacks against certain sites very easy (get in the pool, behave for a while, then start serving nonsense results for www.example.com - voila, anyone using your server to verify addresses will reject that domain).

        2. If the pools are under the same management, then they're very likely to be running the same software version on the same platform under the same firewall protection, etc. So an attacker may need to compromise some more servers, but they're all identical.

        3. For your financial institutions example, how does the browser know which "check servers" to use? You can't rely on a single reply from one of their authoritative servers, since you don't trust them. If you ask a bunch of other servers, then you're trusting all of them not to be trying to DoS the site in question (and also not to be poisoned themselves).

        I guess you could be intending that each bank supplies a browser for use with its website, but then you take a lot of the convenience out of using online banking; in particular, cross-platform support would be a problem.

        • Re: (Score:2, Informative)

          ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

          1. I'm talking about pools as in, your ISPs main and backup DNS servers are one pool. The openDNS servers you can choose to reference form another pool. The third pool would be like openDNS, but managed separately.

          The servers within the pool regularly check each other and flag and sequester rogues. When a client gets a mismatch, it would report that mismatch to all three

          • ssl -- you can only trust your bank if your bank can trust you. They have to see your certificate, too. Where do you get your certificate?

            Why can't you trust your bank if your bank can't trust you? My bank has an SSL certificate which does a reasonable job of ensuring that when I connect to online.westpac.com.au, I'm connecting to a server operated by Westpac, and not some other server that my hijacked DNS is mistakenly pointing me to, and that someone on a router between me and my bank isn't eavesdropping. It's unnecessary for my bank's server to trust me at this point; they trust me after I supply my customer number and password over the en

            • by reiisi (1211052)

              Well, I have to admit, the unanimous polling is probably overkill for web surfing, and overkill usually opens more holes. And it is all too easy to try to fix the social engineering vulnerabilities.

              You know the websites you visit regularly by pattern recognition, and "trust systems" have to be able somehow to take advantage of what the user knows. Maybe it would be better to provide an alternate opinion function. Press a button and your surfing browser asks two other DNS servers, preferably separately manag

              • Press a button and your surfing browser asks two other DNS servers, preferably separately managed, for a lookup of the name, and compares the IPs. Perhaps it also checks who owns the IPs, so that big sites can still load balance without using exotic tricks.

                If a user suspected a site was fake, they wouldn't be providing it their credentials in the first place. If they don't suspect it's a fake, why would they ask for a second (or third) opinion?

                I would assume that Akamai and Apple (for instance) should be able to arrange so that only IPs owned by Apple respond to requests for Apple's servers.

                This seems... impractical. In order for an organisation to fully leverage Akamai's network, they'd have to pay for at least one dedicated IP address at every major ISP in the world. Maybe when the whole internet is on IPv6 that could be viable, but you'd still need some highly scalable way of authoritatively identifying

                  • Okay, I forgot one important property of certificate-based authentication: even if you present your certificate to a hostile party, they can't use it to pretend to be you. That and mutual authentication pretty much negates phishing as an attack vector altogether, whether it's via social engineering, DNS spoofing or some other method of covertly hijacking communications between two parties. The only way to interfere with such a transaction would be to compromise the security of either the user's computer or

      • Re: (Score:3, Interesting)

        by OriginalArlen (726444)
        The only real fix available now for the fundamental vulnerability is DNSSEC. There's an excellent doc up on ISC's site called DNSSEC in Six Minutes [isc.org] for those who read bothered to read Kaminsky's actual presentation (especially the last 40 or so slides on subtle ways security systems like SSL break when you can't trust DNS), put that together with the ten hour exploit for patched servers [milw0rm.com], and realised we're not out of the woods yet by a long chalk...
  • by syousef (465911) on Friday August 22, 2008 @02:40AM (#24701625) Journal

    Someone's decided to make DNS poisoning an Olympic sport. Obviously the only place to do it at the moment is China.

    I've got images in my head of a broken toothed Chinese geek running around Beijing with an EEE PC and a Linksys wireless router hooked to a 12V SLA battery, lights a-blinking, instead of the Olympic torch. Thank goodness the Olympics are about to end.

  • It's a big flaw (Score:5, Interesting)

    by ledow (319597) on Friday August 22, 2008 @03:23AM (#24701881) Homepage

    It's a big flaw. Someone big was bound to fall foul of it eventually. And to be honest, I can't say that I'm at all surprised. In fact, I'm expecting a lot more.

    I bet that there are still hundreds of large companies that are vulnerable worldwide and I bet that translates to hundreds of thousands, if not millions, of affected people. For instance, last time I checked the whole LGfL (London Grid for Learning) was vulnerable - and they provide DNS / Internet connectivity for every school in London (several million users, hundreds if not thousands of schools) with little alternative because they have been mandated as the recommended solution and thus all "interesting" content is in their private network.

    If they ARE still compromised (and several days after the release of the information, they were still showing up as vulnerable on all those DNS tests and today I got: Your name server, at ***.***.***.***, appears vulnerable to DNS Cache Poisoning. All requests came from the following source port: 32768), that's virtually every school, staff member and student in London (we're probably talking close on a million people because it includes Greater London Boroughs but I'm not sure of the exact figure) which are in trouble because they use the upstream DNS from LGfL as their basis.

    Have we heard anything through official channels? Nope.
    Does everybody just trust LGfL to do their job transparently? Yep.
    Have they done it? Apparently not.
    Have they even heard of it? I don't know, but there have been zero advisories, zero visible configuration changes, that I can see.

    Give it a few months, one of the students will download something and poison the whole of London's educational system and THEN maybe someone will bother to look into it.

    When I heard about this flaw, the first thing I did was check all upstream servers that either my servers or my own home computers use - my cheap ISP (PlusNet) had apparently fixed the issue before I'd even caught wind of the "there may be a DNS problem" posts on Kaminsky's blog. Every other one just seems to be dragging their feet.

  • by OldMiner (589872)
    "iFrame"? Lower-case i, uppercase next letter? How odd. It's "inline frame", normally all caps ('IFRAME') or all lower-case ('iframe'). "iFrame" makes it sound like some new Apple-branded house support structure with built-in Internet-something.
  • check your server (Score:4, Informative)

    by the_denman (800425) <denner@gmail . c om> on Friday August 22, 2008 @03:32AM (#24701947) Homepage
    It may be a good idea to check your DNS server to see if it is vulnerable. Dan Kaminsky has a tool that shows vulnerability on his blog. [doxpara.com]
    • by chap_hyd (717718)
      these things make me paranoid of trusting any DNS server, as many ISPs are yet to patch their DNS servers. so i got my own personal dns on the xp box http://treewalkdns.com/ [treewalkdns.com] . now it feels much safe
  • Just a warm-up (Score:3, Interesting)

    by Ant P. (974313) on Friday August 22, 2008 @04:59AM (#24702367) Homepage

    If they were trying to do damage to china, wouldn't they have simply redirected everyone to anti-government propaganda sites instead?

    • Re: (Score:3, Insightful)

      by abirdman (557790)
      They're not trying "to do damage to China," they're trying to enlist more computers into botnets to spread email that sells fake \/iaGrA pills and penile enhancements to stupid people, and possibly to redirect unwitting browsers to ad-sponsored pages. It's motivated by Greed! It's the new (inter)nationalism, and unfortunately it knows no national boundaries.
  • "Basically, the problem exists in the DNS system, which translates Web addresses into numerical IP addresses and serves as the phone book for the Internet."

    I would have expected more from CNet. I guess thats what the internet is now: "The Web".

  • Just run your own caching resolver if you don't 100% trust any local ones. I use Unbound and choose not to worry about which external DNS server is "safer", and give myself (overall) faster resolves in the process.
  • ...lead poisoning, was it?

    Thank you, thank you, I'll be here all week.

  • 1. Buy gold
    2. Poison huge ISP DNS, redirecting to various sites with extreme info on chemical warfare
    3. ???
    4. Profit

    ... that is: Sell your gold after teh GW upgrades public "terrist" threat level.
  • So we know there is an exploit and it is being redirected to a website...but no one in law enforcement can determine where that IP is located? They're running the scam out in the public, for cripes sake. It's not even like the old shell scam on a card table, where you had to have compatriots looking around the corners for policmen on foot patrols. These scammers have their card tables set up in front of the precinct office.

    Yes it is a hole. Yes it needs to be fixed. But would the perps be that difficul

  • the only example on Websense is concerning "gogle.cn". I've just tried a nslookup using CNC DNS (and even with CT DNS) and nothing is wrong... so either, CNC has corrected its DNS (for this specific domain), either...

If a camel is a horse designed by a committee, then a consensus forecast is a camel's behind. -- Edgar R. Fiedler

Working...