dns cache poisoning attack

Discussion in 'ESET Smart Security' started by stratoc, May 2, 2008.

Thread Status:
Not open for further replies.
  1. stratoc

    stratoc Guest

    Hi, I have found some previous threads on this but they prove inconclusive. Are these reports in the firewall log a bug? I recently upgraded to ESS from NOD v2.7 and Comodo (with D+); I thought it would be a less nagging option using fewer resources. However, Comodo never reported any problems, and I'm getting about 30 'DNS poisoning attack' warnings a day (in the log), all from the same address.
    Should I ignore these or take some action? Thanks.
     
  2. stratoc

    stratoc Guest

    Sorry, I also have Defender and Spyware Blaster (could this be the culprit?) on Vista 32-bit.
     
  3. ASpace

    ASpace Guest

    Hi!

    I can't tell you if these alerts are real or not. However, if you have no noticeable problems, you can believe ESS is doing its job and is protecting you from attacks.
     
  4. feld

    feld Registered Member

    Joined:
    Apr 11, 2008
    Posts:
    11
    I'm running into this too -- our DNS servers are being flagged in the reports. It's weird.

    I've also found that there was an issue with some Sun machines on our network that were doing some naughty things with ARP as I was getting ARP Cache Poisoning Attack messages in the log too. The Sun boxes are clean/freshly installed and updated, but weird nonetheless. I ended up putting them on their own VLAN....
     
  5. alphadog

    alphadog Registered Member

    Joined:
    Mar 19, 2007
    Posts:
    35
    Ditto.

    Just upgraded this weekend from NOD32 v2 to the new Smart Security BE v3.0.566 on a dozen machines. One machine in the set is filling the firewall log on the console with DNS and ARP cache poisoning events from our internal AD/DNS servers. There are about a dozen events in the log every few minutes from that one machine.

    Furthermore, that machine is reporting an inability to access external sites.

    Interestingly, it's the only Win2000 system in the set. All others are XP, and a couple of Vista boxes. Could just be coincidence.

    Any ideas why that poor box is misled into thinking its own DNS servers are malicious? o_O
     
    Last edited: May 6, 2008
  6. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    Hasn't ESS gone to 3.0.650 by now? o_O
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Yes it has.
     
  8. stratoc

    stratoc Guest

    my version is 3.0.650.0
     
  9. GaryRW

    GaryRW Registered Member

    Joined:
    May 14, 2005
    Posts:
    141
    Location:
    OH, USA
    I'm running two separate comms:

    WinXPpro: OpenDNS, ESS v650, DSL
    Win2Kpro: OpenDNS, ESS v650, Dialup

    Both log DNS cache poisoning attacks. The DSL floods the log with 90% of these; the dialup is much less. This has been going on for a long time over many revisions. I know I can turn off logging in IDS, but this should only be a temporary fix.
     
  10. alphadog

    alphadog Registered Member

    Joined:
    Mar 19, 2007
    Posts:
    35
    Yes, but I already had the installer for 566. I thought that the clients would update themselves, but that's another issue I am having. They are stuck at 566.

    However, my version does not seem to be the problem as others are having the same issue with the newer version.
     
  11. stratoc

    stratoc Guest

    dns poisoning part2

    Hi, I am getting loads of these reports; they are all from 192.168.1.254:53. Is this my router? It's puzzling me. I use Vista behind a BT Home Hub router (default block all inbound).
    The ESS firewall is set to interactive with 'allow sharing' ticked in the zone.
    Any clues on what this is? I have a feeling I may be set up wrong.
    Many thanks.
     
  12. stratoc

    stratoc Guest

  13. stratoc

    stratoc Guest

    I guess my thread's been moved and no one can help. I really don't remember v2 staying this buggy for so long.
     
  14. stratoc

    stratoc Guest

    OK, just updated conan and 15 of these messages appeared. What exactly does 'detected DNS poisoning cache' mean? Has it blocked it, is it some information, what?
    Can I still use my new Smart passwords to download NOD AV, which I upgraded to Smart?
    Thanks.
     
  15. stratoc

    stratoc Guest

    Closed. Reverted to an alternative AV; I just can't trust Smart at this time.
     
  16. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    +1 :cool:
     
  17. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    +1
    As described https://www.wilderssecurity.com/showthread.php?p=1239069#post1239069

    When Windows 2000 becomes compatible with ESS, would someone please post so I know it's worth trying ESS again?

    BTW, the fault is readily reproduced by having many tabs in Firefox. That way, when Firefox starts, several DNS requests are issued. I suspect some are returned out of sequence, the ESS DNS attack alert is triggered, and from then on it never reliably resynchronises with the real DNS.

    Or that is my theory.
     
    Last edited: Jun 12, 2008
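The out-of-sequence theory in the post above can be made concrete with a small simulation. This is an added example, not code from the thread or from ESET, and the two matching strategies are assumptions for illustration, not ESS's actual detection logic: a naive matcher that expects DNS answers in the same order the queries went out will misfire on the first reordered answer and then stay desynchronised, while a matcher that tracks each outstanding query by transaction ID, question name and server only flags an answer nobody asked for.

```python
from collections import deque

# Constructed sample traffic in arrival order: (kind, txid, qname, server).
# Three queries fan out at once (many browser tabs), their answers come back
# out of order, a fourth query is issued, then an answer arrives that no
# query asked for (the only real poisoning candidate in this sample).
SAMPLE = [
    ("query",    0x1A2B, "example.com", "192.168.1.254"),
    ("query",    0x3C4D, "example.net", "192.168.1.254"),
    ("query",    0x5E6F, "example.org", "192.168.1.254"),
    ("response", 0x5E6F, "example.org", "192.168.1.254"),  # arrives first
    ("response", 0x1A2B, "example.com", "192.168.1.254"),
    ("response", 0x3C4D, "example.net", "192.168.1.254"),
    ("query",    0x7777, "example.edu", "192.168.1.254"),
    ("response", 0x9999, "example.com", "192.168.1.254"),  # unsolicited
    ("response", 0x7777, "example.edu", "192.168.1.254"),
]


def naive_in_order(events):
    """Assume answers arrive in query order; one reorder leaves the queue stale."""
    pending, alerts = deque(), []
    for kind, txid, qname, server in events:
        if kind == "query":
            pending.append((txid, qname, server))
        elif pending and pending[0] == (txid, qname, server):
            pending.popleft()
        else:
            alerts.append((txid, qname))  # head of queue never matches again
    return alerts


def tracked(events):
    """Match each answer to its own outstanding query, in any order."""
    pending, alerts = set(), []
    for kind, txid, qname, server in events:
        key = (txid, qname, server)
        if kind == "query":
            pending.add(key)
        elif key in pending:
            pending.discard(key)  # legitimate answer, whatever its position
        else:
            alerts.append((txid, qname))  # no matching query: poisoning candidate
    return alerts


if __name__ == "__main__":
    print("naive alerts:  ", [(hex(t), q) for t, q in naive_in_order(SAMPLE)])
    print("tracked alerts:", [(hex(t), q) for t, q in tracked(SAMPLE)])
```

The naive matcher flags three answers, including two legitimate ones, and never recovers; the tracked matcher flags only the unsolicited 0x9999 answer.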
  18. stratoc

    stratoc Guest

    In short, stick with what you're good at; v2 was a fantastic AV. Every security company that was market leader in its own field seems to be shooting itself in the foot. I don't really want antispyware and a firewall, but SP1 caused me problems with v2 and, as it's no longer a work in progress, I upgraded.
    Every AV company seems to be moving into the same field of mediocre suites; give it a year and there won't be any difference between any of them!
    Please excuse my spelling.
     
  19. stratoc

    stratoc Guest

    To sum up, having removed ESET and replaced it with a well-known suite which uses 2 processes and 18k of RAM, the differences I notice are: the RAM use is 10k less than Smart, the web is slightly but noticeably quicker, and online games have much lower latency.
    I'm posting this hoping it will help others with my problem, and hoping it will get ESET to look at this problem. I left the suite I'm with now for NOD 2.7; I upgraded to Smart due to problems with SP1. This program uses nearly twice the resources of the program I left for NOD. I don't know whether this is because of my problem; nobody would tell me. I found ESET support to be quite patronising and unwilling to help; the only advice I got was to turn off elements, and if I have to do that, something is wrong.
    I had problems uninstalling the program also.
    I don't know whether all my problems were due to the firewall, maybe it's my system, but something clearly needs a hell of a lot of work.
    Goodbye all, it's been a pleasure dealing with you all and thanks for all the help over the last 2 years.
    I have just got tired of trying!
     