New threat - DNS cache poisoning

Discussion in 'other security issues & news' started by Peaches4U, Apr 11, 2005.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    We now have something else to be concerned about...... :(

    The attempts by malevolent persons to force your PC to connect to their server is taking a new form. Up to now actions like browser hijacking and the clandestine installation of trojan or spy-ware onto individual PCs have been the norm. Unfortunately there are indications that these attacks are taking a new form that is very difficult to counter and has even more far reaching effects.

    To understand how this is all possible, a brief explanation of Domain Name Service (DNS) is necessary.

    1. All devices connected to the Internet are assigned an Internet Protocol (IP) Address
    3. IP Addresses are number blocks, like 23.101.212.10, that can be readily incorporated in packets of data that are launched onto the Internet and which are read by the various devices they pass through so they can be taken to their intended destination.
    4. Since IP Addresses are too complex for mere humans to handle comfortably, a domain name is used as a type of codename for the IP Address. For example, my domain "seniorshangout.org" is linked on DNS servers to an IP Address provided by my web host.
    5. When you direct your browser to connect to a valid site the browser has to substitute wildersecurity.com with its correct IP Address. To do this, the browser automatically connects to a DNS server, which contains a database linking domain names to IP Addresses and sends the IP Address matching a valid site back to your browser so it can now form the packets of data that will establish a connection with the server at that IP Address.
    6. Once an IP Address for a domain name has been obtained from a server, it can be stored in a PC's memory. This means that the next time that the PC's user wants to connect to that domain, it will look for the IP Address in its memory first before connecting to a DNS server.

    The new form of attack called DNS cache poisoning involves hacking a DNS server so that it links a request for a IP Address away from the correct one to an IP Address of the attacker's choice. In the past scum bags who receive revenue whenever someone clicks on a client's site have used various methods to get software installed on PCs that would make these connections. This new form of attack is potentially much more rewarding because the poisoning of a DNS server could potentially cause many more connections by healthy PCs. It is particularly diabolical because the evil IP Address may be stored in the PC's memory and the PC will be misdirected every time an attempt is made to connect to the legitimate site. There are other unsettling effects ... even non Windows users can be hijacked ... those who still use IE in the belief that they are safe because they only visit trusted sites can be hijacked.

    This form of attack is already occurring. http://isc.sans.org/diary.php?date=2005-04-10 Please note in this documented attack that the evil site tried to install viruses on the test computer.

    credit for the above info. is given to Admin at seniorshangout.org
     
    Peaches4U, Apr 11, 2005
    #1
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Oh great. Something else to worry about. :doubt:

    Rich
     
    richrf, Apr 11, 2005
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...