DNS cache poisoning attack

Discussion in 'ESET Smart Security' started by Question2, Dec 26, 2011.

Thread Status:
Not open for further replies.
  1. Question2

    Question2 Registered Member

    What is this and is there any way to stop someone from constantly using it on me? I keep seeing the message that ESET has blocked a DNS cache poisoning attack....
  2. Cudni

    Cudni Global Moderator

    Could you post a few lines from the log?
  3. Question2

    Question2 Registered Member

    Where is the log?
  4. Nidzo

    Nidzo Registered Member

    I can confirm this. Happens to me all day.
    http://i.imgur.com/G3iSC.jpg
    Here is today's log:
    Code:
    26.12.2011 17:08:52	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:55566	UDP			
    26.12.2011 17:02:07	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:65511	UDP			
    26.12.2011 17:02:05	Detected DNS cache poisoning attack	8.8.4.4:53	192.168.0.112:49733	UDP			
    26.12.2011 16:27:04	Detected unexpected data in protocol	8.8.8.8:53	192.168.0.112:55395	UDP			
    26.12.2011 16:23:07	Detected unexpected data in protocol	8.8.4.4:53	192.168.0.112:58790	UDP			
    26.12.2011 15:42:01	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:62918	UDP			
    26.12.2011 15:17:05	Detected DNS cache poisoning attack	8.8.4.4:53	192.168.0.112:49402	UDP			
    26.12.2011 15:17:04	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:60914	UDP			
    26.12.2011 15:16:33	Detected DNS cache poisoning attack	8.8.4.4:53	192.168.0.112:50054	UDP			
    26.12.2011 15:09:22	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:58842	UDP			
    26.12.2011 14:26:12	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:50665	UDP			
    26.12.2011 14:09:22	Detected DNS cache poisoning attack	8.8.8.8:53	192.168.0.112:65481	UDP			
    26.12.2011 14:07:51	Detected DNS cache poisoning attack	8.8.4.4:53	192.168.0.112:53363	UDP			
    26.12.2011 12:14:48	Detected covert channel exploit in ICMP packet	192.168.0.112	87.248.197.16	ICMP			
    26.12.2011 12:14:47	Detected covert channel exploit in ICMP packet	192.168.0.112	87.248.197.16	ICMP			
    26.12.2011 12:14:46	Detected covert channel exploit in ICMP packet	192.168.0.112	87.248.197.16	ICMP			
    26.12.2011 12:14:46	Detected covert channel exploit in ICMP packet	192.168.0.112	87.248.197.16	ICMP			
  5. Question2

    Question2 Registered Member

    So...any idea what a dns cache poisoning attack is?
  6. agoretsky

    agoretsky Eset Staff Account

    Hello,

    DNS is the service which converts fully-qualified domain names like www.google.com into an IP address like 173.194.69.105.

    DNS cache poisoning is when an attacker attempts to insert the wrong IP addresses for entries in the cache, thus redirecting the computer to an entirely different web site.

    Regards,

    Aryeh Goretsky
  7. patch

    patch Registered Member

    Looking at his log this "poisoning" is coming from 8.8.8.8 and 8.8.8.4 which should be Google's public domain DNS http://code.google.com/speed/public-dns/docs/using.html

    These are often used as default DNS addresses.
    I had not expected the Google DNS to be a common true positive.
    Is it possible his install of SS is confusing valid DNS updates with cache poisoning?
  8. agoretsky

    agoretsky Eset Staff Account

    Hello,

    Without seeing a capture of the network traffic it is difficult to say for certain, but it appears this could be a false positive alarm.

    Regards,

    Aryeh Goretsky
  9. hcbosman

    hcbosman Registered Member

  10. jeffshead

    jeffshead Registered Member

    How can one tell if this is a false positive or a real threat?

    I am currently at a hotel and I keep getting that popup window and all DNS is being blocked so I can't surf the web.

    This has never happened when I'm connected to my home network, aircard or any other public connection that I recall.

    I normally have my Windows DNS settings set to auto but I tried manual setting several different DNS servers (e.g., 4.2.2.2) and all of them are being blocked by ESET so I’m thinking it’s a false positive.

    Here is my ESET:

    ...
    ESET Smart Security 5.0.95.0
    Virus signature database: 7113 (20120505)
    Update module: 1040 (20120313)
    Antivirus and antispyware scanner module: 1353 (20120423)
    Advanced heuristics module: 1121 (20111208)
    Archive support module: 1145 (20120416)
    Cleaner module: 1055 (20120424)
    Anti-Stealth support module: 1026 (20110628)
    Personal firewall module: 1079 (20120412)
    Antispam module: 1021 (20120124)
    ESET SysInspector module: 1221B (20110623)
    Self-defense support module: 1018 (20100812)
    Real-time file system protection module: 1006 (20110921)
    Translation support module: 1044 (20120223)
    HIPS support module: 1042 (20120213)
    Internet protection module: 1031 (20120123)
    Web content filter module: 1009 (20110705)
    Advanced antispam module: 1019 (20111202)
    Database module: 1018 (20120203)

    ...

    I wish they would fix this if it’s a false positive. How can I tell if this is a false positive?
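One way to triage alerts like the ones posted above (patch's observation that the flagged "attacker" is the machine's own configured resolver, and the question of how to tell a false positive from a real threat) is to parse the firewall log and separate alerts whose remote endpoint is a configured resolver on port 53 from everything else. This is an added example, not ESET code; the log format is inferred from the lines pasted in this thread, and the sample lines (the last one in particular) are constructed.

```python
import re
from collections import Counter

# ESET personal-firewall log as pasted in the thread (tab-separated):
#   date time  TAB  event  TAB  remote ip[:port]  TAB  local ip[:port]  TAB  protocol
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\t(?P<event>[^\t]+)\t(?P<remote>[^\t]+)\t(?P<local>[^\t]+)\t(?P<proto>\w+)"
)
POISON_EVENT = "Detected DNS cache poisoning attack"

# Constructed sample modelled on the posted lines; the 203.0.113.7 line is invented
# (TEST-NET-3 documentation range) to show an alert that does NOT match a resolver.
SAMPLE_LOG = (
    "26.12.2011 17:08:52\tDetected DNS cache poisoning attack\t8.8.8.8:53\t192.168.0.112:55566\tUDP\n"
    "26.12.2011 17:02:05\tDetected DNS cache poisoning attack\t8.8.4.4:53\t192.168.0.112:49733\tUDP\n"
    "26.12.2011 16:27:04\tDetected unexpected data in protocol\t8.8.8.8:53\t192.168.0.112:55395\tUDP\n"
    "26.12.2011 12:14:48\tDetected covert channel exploit in ICMP packet\t192.168.0.112\t87.248.197.16\tICMP\n"
    "26.12.2011 11:00:00\tDetected DNS cache poisoning attack\t203.0.113.7:53\t192.168.0.112:51000\tUDP\n"
)


def split_endpoint(endpoint):
    """'8.8.8.8:53' -> ('8.8.8.8', 53). ICMP entries carry no port -> (ip, None). IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_log(text):
    """Return one dict per recognised log line; unparseable lines are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(ln) for ln in text.splitlines()) if m]


def triage(text, configured_resolvers):
    """Split DNS-poisoning alerts by remote IP: (likely_false_positive, needs_investigation).

    An alert whose 'attacker' is one of the resolvers this host is configured to use,
    answering from port 53, is the pattern discussed in the thread and is a false-positive
    candidate; anything else deserves a packet capture before drawing conclusions.
    """
    likely_fp, investigate = Counter(), Counter()
    for e in parse_log(text):
        if e["event"] != POISON_EVENT:
            continue
        ip, port = split_endpoint(e["remote"])
        bucket = likely_fp if (port == 53 and ip in configured_resolvers) else investigate
        bucket[ip] += 1
    return dict(likely_fp), dict(investigate)


if __name__ == "__main__":
    # Resolvers would normally come from `ipconfig /all`; hard-coded here for the sample.
    print(triage(SAMPLE_LOG, {"8.8.8.8", "8.8.4.4"}))
```

Compare the first dict against the DNS servers shown by `ipconfig /all`: when every poisoning alert lands there, the alerts are consistent with the resolver's own replies being flagged rather than with a third party injecting answers.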
  11. zfactor

    zfactor Registered Member

    Sometimes this happens when a cable modem or router is used along with another wireless router. If the second router is not set up right, I have found with ESET it will throw out this message. If both routers are set up to serve, this message will show up; only one should serve IPs (only one should be set to auto DHCP). This may not be your issue, but I see this a lot with ESS.
    Last edited: May 5, 2012