DNS cache poisoning attack

Discussion in 'ESET Smart Security v4 Beta Forum' started by ashishtx, Nov 29, 2008.

Thread Status:
Not open for further replies.
  1. ashishtx

    ashishtx Registered Member

    Joined:
    Oct 7, 2005
    Posts:
    389
    Location:
    Houston,Texas
    My firewall log shows 3 instances where it says DNS cache poisoning attack. Can someone clarify what it means? Is it a bug?

    Capture1.JPG
     
  2. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    11/29/2008 9:45:38 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:62114 UDP
    11/29/2008 9:45:38 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:55440 UDP
    11/29/2008 9:45:28 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:49338 UDP
    11/29/2008 9:45:28 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:60008 UDP
    11/29/2008 9:35:03 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:34:58 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:34:53 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:34:48 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:33:49 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:50625 UDP
    11/29/2008 9:22:56 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:51905 UDP
    11/29/2008 9:19:55 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:19:50 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:19:45 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:19:41 PM Detected covert channel exploit in ICMP packet 192.168.1.10 199.202.238.18 ICMP
    11/29/2008 9:19:02 PM Detected DNS cache poisoning attack 203.99.163.240:53 192.168.1.10:59513 UDP
     
  3. ashishtx

    ashishtx Registered Member

    Joined:
    Oct 7, 2005
    Posts:
    389
    Location:
    Houston,Texas
    I guess it is a bug.
     
  4. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    I contacted ESET support and they said to send them Wireshark logs, so I sent them the log.
    I think they will fix this bug.
     
  5. ashishtx

    ashishtx Registered Member

    Joined:
    Oct 7, 2005
    Posts:
    389
    Location:
    Houston,Texas
    Thanks a lot. :)
     
  6. cocolucho

    cocolucho Registered Member

    Joined:
    May 8, 2008
    Posts:
    80
    27/11/2008 08:27:58 p.m. Incorrect IP packet checksum 0
    27/11/2008 05:36:46 p.m. Incorrect IP packet checksum 0
    27/11/2008 05:36:46 p.m. Incorrect IP packet checksum 0
    27/11/2008 03:56:06 p.m. Detected DNS cache poisoning attack 200.4.225.146:53 92.168.1.215:56864 UDP
    27/11/2008 03:17:33 p.m. Incorrect IP packet checksum 0
    27/11/2008 03:17:33 p.m. Incorrect IP packet checksum 0
    27/11/2008 02:49:59 p.m. Detected DNS cache poisoning attack 200.48.225.130:5 192.168.1.215:63823 UDP
    26/11/2008 09:39:10 p.m. Incorrect IP packet checksum 0
    26/11/2008 09:39:10 p.m. Incorrect IP packet checksum 0
    26/11/2008 08:14:22 p.m. Incorrect IP packet checksum 0
    26/11/2008 08:14:22 p.m. Incorrect IP packet checksum 0
    26/11/2008 06:47:23 p.m. Incorrect IP packet checksum 0
    26/11/2008 06:47:23 p.m. Incorrect IP packet checksum 0
    26/11/2008 03:18:55 p.m. Incorrect IP packet checksum 0
    26/11/2008 03:18:55 p.m. Incorrect IP packet checksum 0
    26/11/2008 01:41:15 p.m. Incorrect IP packet checksum 0
    26/11/2008 01:41:15 p.m. Incorrect IP packet checksum 0
    26/11/2008 08:04:23 a.m. Incorrect IP packet checksum 0
    26/11/2008 08:04:23 a.m. Incorrect IP packet checksum 0
    25/11/2008 01:19:20 p.m. Detected unexpected data in protocol 192.168.1.215:14817 1.0.0.0 UDP
    25/11/2008 01:18:55 p.m. Detected unexpected data in protocol 192.168.1.215:56439 1.0.0.0 UDP
    25/11/2008 01:17:12 p.m. Detected unexpected data in protocol 192.168.1.215:44082 1.0.0.0 UDP
     
  7. Dave16

    Dave16 Registered Member

    Joined:
    Apr 28, 2008
    Posts:
    45
    What's weird in my case is that I used to get TONS of DNS cache poisoning attacks detected when I had ESS 3. I've been trying out the beta, and when I look through all the logs, there's nothing there that's been detected in v4 in the personal firewall log.
     
  8. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    185
    Location:
    Bangladesh
    I am also experiencing this.
     

    Attached Files:

    • eset.GIF
  9. stratoc

    stratoc Guest

    As has been said, this issue is with v3 also. ESET's reply to me was that it was because I was using a router: either ignore it or disable DNS poisoning detection in settings, as the router does it anyway.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Always had it and always ignored it, it doesn't really matter. I can't understand people who get so hyped up and worried about it, I've even seen people remove ESS because of it. Ridiculous.
     
  11. Fixer

    Fixer Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    141
    Location:
    Bulgaria, EU
    Is this a bug or not?
     
  12. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Well, I had the same problem with v3, so I started a thread: https://www.wilderssecurity.com/showthread.php?t=187648 and after some testing with Wireshark logs they sent me this answer:

    "Hello,
    thank you for the log. Could you please create a new one with DNS poisoning attack detection turned off - first have a look at the ESS firewall log to be sure that it is constantly filled with DNS poisoning attack messages, then turn the DNS p. a. detection off and run wireshark for a while. According to the existing investigation, it seems that something is wrong with your router, however, from the next log we will be able to obtain more info. Thank you.
    Matus Smid"

    Which was later followed by another email that I'm sorry to say got deleted, but in the end they confirmed that the problem was my router and not ESS, and in fact I changed the router (I have a wireless TP-Link now) and I rarely see those DNS cache poisoning attacks, and when I do see them they come from the internet and are directed to my eMule ports, so they really are attacks.

    Kudos Eset. Hope this is the same issue and not something else.
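    As an added illustration (not from this thread, and not ESET's actual detection code, which is not public), the Python sketch below shows the kind of check a host firewall performs before accepting a DNS reply, and why a router that proxies DNS can trip it: every UDP datagram arriving from port 53 is matched against the queries the host still has outstanding, keyed by the client's ephemeral port and the 16-bit transaction ID. The timeout value, the alert wording in parentheses and the sample traffic are constructed for this example; the resolver and client addresses reuse the ones in proactivelover's log earlier in the thread.

```python
"""
Simplified model of how a host firewall judges incoming DNS replies.
Added example: this is NOT ESET's real heuristic, which is not public.
Sample traffic below is constructed; the addresses are taken from the
log posted in this thread (resolver 203.99.163.240, client 192.168.1.10).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DnsMsg:
    ts: float           # arrival time in seconds (constructed)
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    txid: int           # DNS transaction ID (16 bits)
    qname: str          # name in the question section
    is_response: bool   # True for an answer, False for a query


@dataclass
class Outstanding:
    server: str         # resolver the query was sent to
    qname: str
    sent_at: float
    answered: bool = False


class DnsReplyChecker:
    """Accept a reply only if it answers a query this host still has open."""

    def __init__(self, timeout: float = 5.0) -> None:
        self.timeout = timeout   # how long a query stays open (assumed value)
        self.pending: dict[tuple[str, int], Outstanding] = {}
        self.alerts: list[str] = []

    def feed(self, m: DnsMsg) -> Optional[str]:
        if not m.is_response:
            # Key on client port + txid: that pair is what a spoofer has to
            # guess, which is why both must be random in a hardened resolver.
            self.pending[(m.src, m.txid)] = Outstanding(m.dst, m.qname, m.ts)
            return None
        q = self.pending.get((m.dst, m.txid))
        if q is None:
            reason = "no outstanding query for this port/txid"
        elif q.server != m.src:
            reason = f"answer from {m.src}, query went to {q.server}"
        elif q.qname != m.qname:
            reason = "question section does not match the query"
        elif q.answered:
            reason = "duplicate answer to an already answered query"
        elif m.ts - q.sent_at > self.timeout:
            reason = "answer arrived after the query timed out"
        else:
            q.answered = True        # legitimate reply, accepted silently
            return None
        # Same shape as the firewall log lines in the thread, plus the reason.
        line = f"Detected DNS cache poisoning attack {m.src} {m.dst} UDP ({reason})"
        self.alerts.append(line)
        return line


def run_sample() -> list[str]:
    """Replay constructed traffic; returns the alerts the checker raised."""
    resolver = "203.99.163.240:53"
    client = "192.168.1.10"
    chk = DnsReplyChecker()
    traffic = [
        # 1. normal lookup: query then one matching answer, accepted
        DnsMsg(0.0, f"{client}:62114", resolver, 0x1A2B, "example.com", False),
        DnsMsg(0.1, resolver, f"{client}:62114", 0x1A2B, "example.com", True),
        # 2. a DNS-proxying router forwards the same answer twice: flagged
        DnsMsg(0.2, resolver, f"{client}:62114", 0x1A2B, "example.com", True),
        # 3. slow upstream: the answer lands after the client gave up: flagged
        DnsMsg(1.0, f"{client}:55440", resolver, 0x3C4D, "example.org", False),
        DnsMsg(7.0, resolver, f"{client}:55440", 0x3C4D, "example.org", True),
        # 4. forged reply with a wrong txid guess (the real attack): flagged,
        #    then the genuine answer with the right txid is accepted
        DnsMsg(8.0, f"{client}:49338", resolver, 0x0001, "bank.example", False),
        DnsMsg(8.05, resolver, f"{client}:49338", 0x0002, "bank.example", True),
        DnsMsg(8.06, resolver, f"{client}:49338", 0x0001, "bank.example", True),
    ]
    for m in traffic:
        chk.feed(m)
    return chk.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    Note that a genuine forgery spoofs the resolver's source address, so the logged pair "resolver:53 client:port UDP" looks the same whether the cause is an attacker or a duplicate or late answer from a DNS proxy in the router. That is why the firewall log line alone cannot settle the "bug or attack" question in this thread, and why ESET asked for Wireshark captures with the detection toggled on and off.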
     
  13. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    If that is the case perhaps everyone getting these messages should list what router & firmware they are using so we can find out what ESS is & isn't compatible with.

    BTW
    My experience is ESS is incompatible with Windows 2000, Billion 7402vgp combination.

    Edit
    After installing ESS 4 beta, it appears to have improved from when I last tested it
    https://www.wilderssecurity.com/showpost.php?p=1260447&postcount=17
    https://www.wilderssecurity.com/showthread.php?p=1239069#post1239069

    Now I can leave "DNS poison attack" enabled and only get a few "attacks" from my router each day.
    (I run a full scan using Nod32 or ESS on all computers on the network each week).
     
    Last edited: Dec 7, 2008
  14. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    i have ESS v4
    OS:VISTA
    Router:Shiro DSL805E
     
  15. Teazle

    Teazle Registered Member

    Joined:
    Apr 7, 2007
    Posts:
    42
    I have the same problem. It started happening a few days before Christmas, and has resulted in no WAN connection whenever the firewall is active.

    ESS v4 beta
    OS WinXP SP3
    Router: None, direct link to my ISP through ethernet-plug in apartment:

    2009-01-03 16:31:43 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:61356 UDP
    2009-01-03 16:31:40 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:56475 UDP
    2009-01-03 16:31:40 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:59752 UDP
    2009-01-03 16:31:25 Detected DNS cache poisoning attack 195.54.122.200:53 83.226.237.220:49219 UDP
    2009-01-03 16:31:25 Detected DNS cache poisoning attack 195.54.122.200:53 83.226.237.220:56070 UDP
    2009-01-03 16:31:10 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:50867 UDP
    2009-01-03 16:31:10 Detected DNS cache poisoning attack 81.26.227.3:53 83.226.237.220:49800 UDP
     
  16. cinek

    cinek Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    20
    I got plenty of these logs lol - using v3.0.684.0
     
  17. Teazle

    Teazle Registered Member

    Joined:
    Apr 7, 2007
    Posts:
    42
    Can we get an update on this soon? I haven't been able to turn on the firewall without totally losing WAN connection since somewhere around Christmas, it's getting rather annoying :)
     
  18. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72
    From what I know, the problem with the DNS poisoning attack could be solved by creating a DNS server on your PC (I hope you know how it works), or you can configure your modem to do that if it supports it, or you could even try to set up different DNS server addresses. Try OpenDNS https://www.opendns.com
     
  19. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    I get this thing too, and a lot.

    Ruben
     
  20. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Following patch's suggestion: ESS v4 Beta1 working flawlessly here on Windows 7 Ultimate Beta and a TP-Link 54m Wireless Router.

    The only DNS cache poisoning attack alerts I get come from the web trying to access my eMule ports... so I guess ESET is doing its job blocking them.
     