"DNS Cache poisoning attack"
Michael in SJ
April 3rd, 2012, 03:22 PM
I am getting this notice on an infrequent basis. I did a search for an answer but everything I found relates to internal addresses.
The "DNS Cache poisoning attack" is being reported for my ISP's (Comcast) DNS addresses 220.127.116.11 and 18.104.22.168.
April 3rd, 2012, 04:02 PM
Here is more background information concerning this.
Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or other malware can be downloaded to the user's computer from the rogue location.
Cache poisoning can be transmitted in a variety of ways, increasing the rate at which rogue programs are spread. One tactic is the placement of compromised URLs within spam e-mail messages having subject lines that tempt users to open the message (for example, "Serious error in your tax return"). Images and banner ads within e-mail messages can also be vehicles by which users are directed to servers that have been compromised by cache poisoning. Once an end user's computer has been infected with the nefarious code, all future requests by that user's computer for the compromised URL will be redirected to the bad IP address -- even if the "victim" server resolves the problem at its site. Cache poisoning is particularly dangerous when the targets are well-known and trusted sites, such as those to which browsers are pointed when automatic virus-definition updates are performed.
Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is related to URL poisoning. In URL poisoning, also known as location poisoning, Internet user behavior is tracked by adding an identification (ID) number to the location line of the browser that can be recorded as the user visits successive pages on the s
Please consider OPENDNS
April 3rd, 2012, 04:07 PM
Did you follow the instructions in the Knowledgebase article, step 3:
If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, see solution 2 (http://kb.eset.com/esetkb/index?page=content&id=SOLN2933&ref=wsf#dnsflush). If the "DNS Flush tool" (solution 2) does not work, please let us know or open a case with Customer Care (http://www.wilderssecurity.com/www.eset.com/support/contact).
April 3rd, 2012, 04:14 PM
To flush DNS cache in Microsoft Windows (Win XP, Win ME, Win 2000):
- Start -> Run -> type cmd
- In the command prompt, type ipconfig /flushdns
- Done! Your Windows DNS cache has just been flushed.
How To Flush The DNS Cache In Windows 7
Step 1 – Launch cmd
Click the Windows Start Menu Orb and Type cmd into the search box. Right-Click the cmd link that appears under the Programs list and Select Run as administrator.
In the command line, type in the following command:
Your cache of resolved DNS’ should now be cleaned out! This is really handy if you were making changes to the HOSTS file in Windows or messing around with your web server, but there are plenty of other uses as well.
April 3rd, 2012, 04:15 PM
Flush your DNS (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ipconfig.mspx?mfr=true) - reboot, this is assuming you are not running a Hosts file (http://en.wikipedia.org/wiki/Hosts_(file)) then you would have to fully enable DNS in Services, (http://en.wikipedia.org/wiki/Windows_service) follow instructions as requested by ESET.
April 3rd, 2012, 04:30 PM
Thanks for answering this question so quickly. Regarding the code, the DNS-Flush.exe hosted on the ESET Knowledgebase runs the same commands with elevated rights and creates a log file to "All Users Desktop"\CC Support Logs\DNS.log. It then brings back all previously minimized windows.
We found that this tool is easier for users to run rather than performing each command.
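The replies above describe two things: checking whether the address named in the alert is a LAN device (KB step 3) and then flushing the Windows DNS client cache from an elevated prompt, which is also what the ESET DNS-Flush tool does, writing a log as it goes. The script below is an added example, not the thread's or ESET's code, that does the same steps in PowerShell. It assumes that the KB's "safe range" means private (RFC 1918) and link-local addresses, which the page does not state, and the log path is modelled on the one foneil describes but is an assumption; the `Get-DnsClientCache` cmdlet exists only on Windows 8 / Server 2012 and later, so on Windows 7 that part is skipped.

```powershell
# Added example (not from the thread or from ESET): classify the resolver IP
# named in the alert, then flush the Windows DNS client cache and log the result.
param(
    [Parameter(Mandatory = $true)][string]$ReportedIp,   # address quoted in the ESET alert
    # Assumed log location, modelled on the DNS-Flush.exe description in the thread
    [string]$LogPath = (Join-Path $env:PUBLIC 'Desktop\CC Support Logs\DNS.log')
)

function Test-PrivateIPv4 {
    # Returns $true for RFC 1918 and link-local IPv4 addresses (assumed to be
    # what the KB calls the "safe range" of LAN peripherals such as routers).
    param([string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b[0] -eq 10) { return $true }                                   # 10.0.0.0/8
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true }  # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }               # 192.168.0.0/16
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $true }               # 169.254.0.0/16 link-local
    return $false
}

# ipconfig /flushdns needs an elevated prompt on Windows 7, as the thread notes.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Run this from a PowerShell window started with "Run as administrator".'
}

# Step 3 of the KB: is the flagged address a device on the local network?
if (Test-PrivateIPv4 -Ip $ReportedIp) {
    $verdict = 'private/LAN address: likely a router or other network peripheral (KB step 3)'
} else {
    $verdict = 'public address: not a LAN peripheral, proceeding with the DNS flush (KB solution 2)'
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Add-Content -Path $LogPath -Value "$stamp reported=$ReportedIp $verdict"

# Record what was in the cache before clearing it, where the cmdlet exists
# (Windows 8 / Server 2012 and later); useful when reviewing the alert afterwards.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $entries = Get-DnsClientCache | Select-Object Entry, Data | Out-String
    Add-Content -Path $LogPath -Value "$stamp cached entries before flush:`n$entries"
}

# Same command the thread gives for XP and Windows 7; output goes to the log too.
$output = & ipconfig.exe /flushdns 2>&1
Add-Content -Path $LogPath -Value "$stamp ipconfig /flushdns: $output"
Write-Output $output
Write-Output "Log written to $LogPath"
```

Save it as, for example, Flush-DnsCache.ps1 and run `.\Flush-DnsCache.ps1 -ReportedIp 220.127.116.11` (one of the addresses from the first post) from an elevated PowerShell window. The log line tells you whether the address was a LAN device, in which case the KB says to look at the peripheral rather than flush, and otherwise records the flush result in the same spot the ESET tool uses.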
April 3rd, 2012, 05:22 PM
You're welcome, foneil, I was not aware of the new ESET KB Article (http://kb.eset.com/esetkb/index?page=content&id=SOLN2933&ref=wsf). This helps in these situations.