New threat - DNS cache poisoning

Discussion in 'other security issues & news' started by Peaches4U, Apr 11, 2005.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member

    Nov 22, 2002
    At my computer
    We now have something else to be concerned about...... :(

    The attempts by malevolent persons to force your PC to connect to their server is taking a new form. Up to now actions like browser hijacking and the clandestine installation of trojan or spy-ware onto individual PCs have been the norm. Unfortunately there are indications that these attacks are taking a new form that is very difficult to counter and has even more far reaching effects.

    To understand how this is all possible, a brief explanation of Domain Name Service (DNS) is necessary.

    1. All devices connected to the Internet are assigned an Internet Protocol (IP) Address
    3. IP Addresses are number blocks, like, that can be readily incorporated in packets of data that are launched onto the Internet and which are read by the various devices they pass through so they can be taken to their intended destination.
    4. Since IP Addresses are too complex for mere humans to handle comfortably, a domain name is used as a type of codename for the IP Address. For example, my domain "" is linked on DNS servers to an IP Address provided by my web host.
    5. When you direct your browser to connect to a valid site the browser has to substitute with its correct IP Address. To do this, the browser automatically connects to a DNS server, which contains a database linking domain names to IP Addresses and sends the IP Address matching a valid site back to your browser so it can now form the packets of data that will establish a connection with the server at that IP Address.
    6. Once an IP Address for a domain name has been obtained from a server, it can be stored in a PC's memory. This means that the next time that the PC's user wants to connect to that domain, it will look for the IP Address in its memory first before connecting to a DNS server.

    The new form of attack called DNS cache poisoning involves hacking a DNS server so that it links a request for a IP Address away from the correct one to an IP Address of the attacker's choice. In the past scum bags who receive revenue whenever someone clicks on a client's site have used various methods to get software installed on PCs that would make these connections. This new form of attack is potentially much more rewarding because the poisoning of a DNS server could potentially cause many more connections by healthy PCs. It is particularly diabolical because the evil IP Address may be stored in the PC's memory and the PC will be misdirected every time an attempt is made to connect to the legitimate site. There are other unsettling effects ... even non Windows users can be hijacked ... those who still use IE in the belief that they are safe because they only visit trusted sites can be hijacked.

    This form of attack is already occurring. Please note in this documented attack that the evil site tried to install viruses on the test computer.

    credit for the above info. is given to Admin at
  2. richrf

    richrf Registered Member

    Dec 11, 2003
    Oh great. Something else to worry about. :doubt:

Thread Status:
Not open for further replies.