Wilders Security Forums  

  #1  
Old December 26th, 2011, 06:56 AM
Question2 Question2 is offline
Infrequent Poster
 
Join Date: Sep 2010
Posts: 33
Default DNS cache poisoning attack

What is this and is there any way to stop someone from constantly using it on me? I keep seeing the message that ESET has blocked a DNS cache poisoning attack....
  #2  
Old December 26th, 2011, 08:20 AM
Cudni Cudni is offline
Global Moderator
 
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Default Re: DNS cache poisoning attack

Could you post a few lines from the log?
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
  #3  
Old December 26th, 2011, 09:34 AM
Question2 Question2 is offline
Infrequent Poster
 
Join Date: Sep 2010
Posts: 33
Default Re: DNS cache poisoning attack

Where is the log?
  #4  
Old December 26th, 2011, 11:24 AM
Nidzo Nidzo is offline
Infrequent Poster
 
Join Date: Dec 2011
Posts: 3
Default Re: DNS cache poisoning attack

I can confirm this. Happens to me all day
http://i.imgur.com/G3iSC.jpg
Here is today's log:
Code:
26.12.2011 17:08:52 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:55566 UDP
26.12.2011 17:02:07 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:65511 UDP
26.12.2011 17:02:05 Detected DNS cache poisoning attack 8.8.4.4:53 192.168.0.112:49733 UDP
26.12.2011 16:27:04 Detected unexpected data in protocol 8.8.8.8:53 192.168.0.112:55395 UDP
26.12.2011 16:23:07 Detected unexpected data in protocol 8.8.4.4:53 192.168.0.112:58790 UDP
26.12.2011 15:42:01 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:62918 UDP
26.12.2011 15:17:05 Detected DNS cache poisoning attack 8.8.4.4:53 192.168.0.112:49402 UDP
26.12.2011 15:17:04 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:60914 UDP
26.12.2011 15:16:33 Detected DNS cache poisoning attack 8.8.4.4:53 192.168.0.112:50054 UDP
26.12.2011 15:09:22 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:58842 UDP
26.12.2011 14:26:12 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:50665 UDP
26.12.2011 14:09:22 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:65481 UDP
26.12.2011 14:07:51 Detected DNS cache poisoning attack 8.8.4.4:53 192.168.0.112:53363 UDP
26.12.2011 12:14:48 Detected covert channel exploit in ICMP packet 192.168.0.112 87.248.197.16 ICMP
26.12.2011 12:14:47 Detected covert channel exploit in ICMP packet 192.168.0.112 87.248.197.16 ICMP
26.12.2011 12:14:46 Detected covert channel exploit in ICMP packet 192.168.0.112 87.248.197.16 ICMP
26.12.2011 12:14:46 Detected covert channel exploit in ICMP packet 192.168.0.112 87.248.197.16 ICMP
  #5  
Old February 4th, 2012, 01:31 AM
Question2 Question2 is offline
Infrequent Poster
 
Join Date: Sep 2010
Posts: 33
Default Re: DNS cache poisoning attack

So...any idea what a DNS cache poisoning attack is?
  #6  
Old February 6th, 2012, 07:01 PM
agoretsky agoretsky is offline
Eset Moderator
 
Join Date: Apr 2006
Location: California
Posts: 3,897
Default Re: DNS cache poisoning attack

Hello,

DNS is the service which converts fully-qualified domain names like www.google.com into an IP address like 173.194.69.105.

DNS cache poisoning is when an attacker attempts to insert the wrong IP addresses for entries in the cache, thus redirecting the computer to an entirely different web site.

Regards,

Aryeh Goretsky
__________________
Resources: ESET · blog · documentation · FAQs · knowledge base · news · RSS · signature updates · support · Threat Center · @ESETNA (Twitter) · YouTube: ESETKnowledgebase · VirusRadar
Fun Stuff: Facebook (global) · Facebook (US) · @ESET (Twitter) · YouTube: esetusa
  #7  
Old February 6th, 2012, 08:49 PM
patch patch is offline
Regular Poster
 
Join Date: May 2007
Posts: 176
Default Re: DNS cache poisoning attack

Quote:
Originally Posted by agoretsky
DNS is the service which converts fully-qualified domain names like www.google.com into an IP address like 173.194.69.105.
Looking at his log, this "poisoning" is coming from 8.8.8.8 and 8.8.8.4, which should be Google's public domain DNS: http://code.google.com/speed/public-dns/docs/using.html

These are often used as default DNS addresses.
I had not expected the Google DNS to be a common true positive.
Is it possible his install of SS is confusing valid DNS updates with cache poisoning?
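
A first-pass way to triage a log like the one posted above, as an added example that is not part of any post in this thread and not ESET's own tooling: it parses the entries, groups the poisoning alerts by sender, and reports how many fall within a short window. `CONFIGURED_RESOLVERS`, the 10-second window and the function names are assumptions.

```python
import re
from datetime import datetime

# Entries copied from the log posted earlier in this thread.
SAMPLE_LOG = """\
26.12.2011 17:08:52 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:55566 UDP
26.12.2011 17:02:05 Detected DNS cache poisoning attack 8.8.4.4:53 192.168.0.112:49733 UDP
26.12.2011 16:27:04 Detected unexpected data in protocol 8.8.8.8:53 192.168.0.112:55395 UDP
26.12.2011 15:17:05 Detected DNS cache poisoning attack 8.8.4.4:53 192.168.0.112:49402 UDP
26.12.2011 15:17:04 Detected DNS cache poisoning attack 8.8.8.8:53 192.168.0.112:60914 UDP
26.12.2011 12:14:47 Detected covert channel exploit in ICMP packet 192.168.0.112 87.248.197.16 ICMP
"""

# Assumption: the DNS servers this machine is configured to use.
CONFIGURED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Fields: timestamp, event text, source[:port], destination[:port], protocol
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (?P<event>.+) "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))? (?P<proto>[A-Z]+)$"
)

def parse_log(text):
    """Return one dict per well-formed log line; ICMP lines have no ports."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d.%m.%Y %H:%M:%S")
            entries.append(e)
    return entries

def summarize(entries, resolvers=CONFIGURED_RESOLVERS, window_s=10):
    """Per sender of poisoning alerts: count, whether every alert came from a
    configured resolver's port 53, and the most alerts within window_s seconds."""
    by_src = {}
    for e in entries:
        if "DNS cache poisoning" in e["event"]:
            by_src.setdefault(e["src"], []).append(e)
    report = {}
    for src, evs in by_src.items():
        times = sorted(e["ts"] for e in evs)
        burst = max(sum((t - t0).total_seconds() <= window_s for t in times[i:])
                    for i, t0 in enumerate(times))
        report[src] = {"alerts": len(evs), "max_burst": burst, "configured":
                       src in resolvers and all(e["sport"] == "53" for e in evs)}
    return report
```

Isolated alerts minutes apart, each from a configured resolver's port 53, fit the false-positive reading raised in this thread better than a sender outside the configured set or a dense burst would. A UDP source address can be forged, so the summary only narrows the question; a packet capture is what settles it.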
  #8  
Old February 7th, 2012, 03:23 PM
agoretsky agoretsky is offline
Eset Moderator
 
Join Date: Apr 2006
Location: California
Posts: 3,897
Default Re: DNS cache poisoning attack

Hello,

Without seeing a capture of the network traffic it is difficult to say for certain, but it appears this could be a false positive alarm.

Regards,

Aryeh Goretsky
  #9  
Old February 10th, 2012, 01:56 AM
hcbosman hcbosman is offline
Infrequent Poster
 
Join Date: Feb 2012
Location: South Africa
Posts: 4
Default Re: DNS cache poisoning attack

Quote:
Originally Posted by Question2
What is this and is there any way to stop someone from constantly using it on me? I keep seeing the message that ESET has blocked a DNS cache poisoning attack....

Quite a common problem:

http://forums.opendns.com/comments.php?DiscussionID=363
http://www.wilderssecurity.com/showthread.php?t=200137
  #10  
Old May 5th, 2012, 10:29 AM
jeffshead jeffshead is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 31
Default Re: DNS cache poisoning attack

How can one tell if this is a false positive or a real threat?

I am currently at a hotel and I keep getting that popup window and all DNS is being blocked so I can't surf the web.

This has never happened when I'm connected to my home network, aircard or any other public connection that I recall.

I normally have my Windows DNS settings set to auto but I tried manually setting several different DNS servers (e.g., 4.2.2.2) and all of them are being blocked by ESET so I’m thinking it’s a false positive.

Here is my ESET:

...
ESET Smart Security 5.0.95.0
Virus signature database: 7113 (20120505)
Update module: 1040 (20120313)
Antivirus and antispyware scanner module: 1353 (20120423)
Advanced heuristics module: 1121 (20111208)
Archive support module: 1145 (20120416)
Cleaner module: 1055 (20120424)
Anti-Stealth support module: 1026 (20110628)
Personal firewall module: 1079 (20120412)
Antispam module: 1021 (20120124)
ESET SysInspector module: 1221B (20110623)
Self-defense support module: 1018 (20100812)
Real-time file system protection module: 1006 (20110921)
Translation support module: 1044 (20120223)
HIPS support module: 1042 (20120213)
Internet protection module: 1031 (20120123)
Web content filter module: 1009 (20110705)
Advanced antispam module: 1019 (20111202)
Database module: 1018 (20120203)

...

I wish they would fix this if it’s a false positive. How can I tell if this is a false positive?
  #11  
Old May 5th, 2012, 06:56 PM
zfactor zfactor is offline
Massive Poster
 
Join Date: Mar 2005
Location: on my zx10-r
Posts: 4,274
Default Re: DNS cache poisoning attack

Sometimes this happens when a cable modem or router is used along with another wireless router. If the second router is not set up right, I have found that with ESET it will throw out this message. If both routers are set up to serve, then this message will show up. Only one should serve IPs (only one should be set to auto DHCP). This may not be your issue, but I see this a lot with ESS.
__________________
Meatwad you're up next, with your knock-knock.
Meatwad make the money see. Meatwad get the honeys G. Drivin in my car, living like a star ice on my fingers and my toes, and im a taurus

"Some days your the windshield. Some days your the bug"
Eset ESS V6 / Webroot WSA / Avast! IS V8

Last edited by zfactor : May 5th, 2012 at 07:07 PM.
All times are GMT -4. The time now is 09:12 AM.