DNS cache poisoning attack

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by HealingStargate, Jun 22, 2011.

Thread Status:
Not open for further replies.
  1. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
    I am getting a huge amount of DNS cache poisoning attack notices. I must get over 20 a day.
    Any suggestions or thoughts?
    Is it something to be concerned about?
    KOR-
     
    Last edited: Jun 22, 2011
  2. stratoc

    stratoc Guest

You will probably find it's from your router's address. It was a bug for me for the first three releases of v4. If you are not getting lag or disconnects it's not important, and if your router's firewall protects against these attacks you can turn it off in settings to stop the never-ending pop-ups. They fixed it in v4, so it shouldn't take too long to sort, hopefully..
I now get about 8 each time I exit a game in v5; it was the same with the first releases of v4.
     
  3. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
Thanks for your reply.
I do not use a router, I have a direct connection. The notices are in the 'firewall log'.
I don't notice any lag, nor do I have any disconnects. The attacks, or so-called attacks, seem to be most prevalent when I call up my email in Outlook.

    KOR-
     
  4. ashishsingh1508

    ashishsingh1508 Registered Member

    Joined:
    May 27, 2011
    Posts:
    125
    Location:
    Pune
My personal suggestion is to use Outpost Firewall Pro 7.5 without antispyware, together with NOD32.
     
  5. stratoc

    stratoc Guest

    The point of a beta forum is to sort out problems with the beta software.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
Please do the following:
- enable logging of blocked connections in the IDS setup
- clear the firewall log
- start capturing the network communication using Wireshark (without any filter)
- reproduce the problem
- stop the capturing
- save the firewall log to a text file or XML
- compress the firewall log along with the Wireshark capture into an archive

When done, upload it somewhere (FTP server, Dropbox, file sharing service, etc.) and PM me the link to the archive.
     
  7. VidKo

    VidKo Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    41
    Location:
    Slovenia
I have the same problem, although I am behind a router and I'm getting it from the router's IP 192.168.1.1 and port 53. Using Smart Security 5.0.84.0 RC1.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please see my response above. If you would like me to confirm or deny that the attack detection is correct, create and supply me with the necessary logs mentioned above.
     
  9. stratoc

    stratoc Guest

It looks to me to be exactly the same issue I used to have with v4. Support told me they were aware of it and, as my router already detected DNS poisoning, I should turn it off.
What I cannot understand is: is it not the same firewall module as v4? I only get these attacks (and a lot of them) with v5, nothing with v4.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
The firewall module is the same for v3/4/5. I'm not sure if this is one of the things that started working 100% properly in v5, but it could be the case, and thus you can see certain attacks that might not have been reported earlier.
I've seen a DNS cache poisoning attack from 2 computers recently, and checking a Wireshark log confirmed that it was not a FP. Of course, such attacks are not necessarily generated by malware.
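Both the log-collection procedure Marcos posted above and his remark about checking the Wireshark capture come down to one question: did each DNS response seen on the wire match a query this host actually sent? The following is an added example, not code from the thread or from ESET, and it does not claim to reproduce ESET's detection logic. It assumes the common host-IDS heuristic: a DNS response is suspicious when no outstanding query matches its transaction ID, question and client port, or when the query was already answered (a late or duplicate reply). The packets, the host address 192.0.2.10, the resolver 192.0.2.53 and the answer IPs are all constructed for the example from the documentation address ranges.

```python
"""Minimal DNS response matcher illustrating what a "DNS cache poisoning
attack" alert usually means.  Added example; all packets below are constructed.
Assumed heuristic: a response is flagged when it matches no outstanding query
(txid + question + client port) or repeats an already-answered query."""
import struct
from dataclasses import dataclass


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off, depth=0):
    """Decode a DNS name at offset `off`, following compression pointers."""
    if depth > 5:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # pointer to an earlier name in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_dns(txid, qname, qtype=1, response=False, answer_ip=None):
    """Build a one-question DNS query, or a response with one A record."""
    flags = 0x8180 if response else 0x0100  # QR+RD+RA / RD only
    ancount = 1 if (response and answer_ip) else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if ancount:  # name pointer to offset 12, type A, class IN, TTL 300, rdlen 4
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(x) for x in answer_ip.split("."))
    return msg


@dataclass(frozen=True)
class DnsHdr:
    txid: int
    is_response: bool
    qname: str
    qtype: int


def parse_dns(msg):
    """Parse header and question; raises ValueError on malformed input."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return DnsHdr(txid, bool(flags & 0x8000), qname.lower(), qtype)


class PoisonDetector:
    """Tracks outstanding queries and flags responses that do not fit."""

    def __init__(self):
        self.pending = {}    # (client_port, txid, qname, qtype) -> resolver ip
        self.answered = set()
        self.alerts = []     # (src_ip, kind, qname)

    def observe(self, src_ip, src_port, dst_ip, dst_port, payload):
        try:
            hdr = parse_dns(payload)
        except ValueError:
            self.alerts.append((src_ip, "malformed", ""))
            return
        if not hdr.is_response:                  # query leaving this host
            self.pending[(src_port, hdr.txid, hdr.qname, hdr.qtype)] = dst_ip
            return
        key = (dst_port, hdr.txid, hdr.qname, hdr.qtype)
        if key in self.pending:                  # expected answer
            if self.pending.pop(key) != src_ip:
                self.alerts.append((src_ip, "wrong-source", hdr.qname))
            self.answered.add(key)
        elif key in self.answered:               # second copy of an answer
            self.alerts.append((src_ip, "late-duplicate", hdr.qname))
        else:                                    # nothing asked for this
            self.alerts.append((src_ip, "unsolicited", hdr.qname))


HOST, RESOLVER = "192.0.2.10", "192.0.2.53"      # constructed addresses


def demo_events():
    """Constructed traffic: query, its answer, a repeat, and a forged reply."""
    q = build_dns(0x1A2B, "mail.example.com")
    good = build_dns(0x1A2B, "mail.example.com", response=True, answer_ip="198.51.100.7")
    forged = build_dns(0x9999, "mail.example.com", response=True, answer_ip="203.0.113.66")
    return [(HOST, 51000, RESOLVER, 53, q),
            (RESOLVER, 53, HOST, 51000, good),
            (RESOLVER, 53, HOST, 51000, good),
            (RESOLVER, 53, HOST, 51000, forged)]


def run_demo():
    det = PoisonDetector()
    for ev in demo_events():
        det.observe(*ev)
    return det.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The "late-duplicate" case is the one to look for first in a capture like the one requested above: the reply really does come from the ISP's or router's resolver on port 53, but it arrives after the same query was already answered, so a matcher built on this heuristic reports it even though nothing was spoofed. A forged reply carries a transaction ID the host never sent and falls into "unsolicited"; a Kaminsky-style race shows up as a burst of those for one name. In Wireshark the display filter `dns.flags.response == 1` narrows the capture to responses so each one can be checked against the query that preceded it.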
     
  11. stratoc

    stratoc Guest

I get them when exiting online games. I get one when closing World of Warcraft and about 10 when I exit Rift; clean install a month ago. This is exactly what I used to get in the first few versions of v4. A firewall update fixed it, I think (it was when it went to 4.2, if that helps). I cannot replicate it with any other activity, only when I close these games. My router firewall e-mails me when it logs an attack, and all its logs are clear; it's a Netgear 480, aka Virgin Super Hub.
     
  12. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
I have traced my DNS cache poisoning firewall notices. They come ONLY when I call up Outlook for my emails, and they originate from my Internet provider.
I looked up the location of the IP and see it is a 'Charter provider IP', and wonder why it comes through as a poisoning attack notice.
Nothing to be concerned about, I would guess.
    KOR-
     
  13. ashishsingh1508

    ashishsingh1508 Registered Member

    Joined:
    May 27, 2011
    Posts:
    125
    Location:
    Pune
Actually, with my Outpost Firewall Pro 7.5, most of the attacks blocked are from my ISP or other ISPs in my country. I don't know why they do it, but they really do it... Probably to trace your activity, or maybe something else.
     
  14. NoobStick

    NoobStick Guest

    Joined:
    Jun 23, 2011
    Posts:
    0
    Hello,
I was reading my daily email, and during that session ESET popped up with a notification saying: DNS cache poisoning attack. The IP address is coming from my internet vendor, which I have had for many years and is definitely trusted. I have not received this notification before, not even with ESS 4. I have received this message two times while being on the net today.
I am using RC 5.0.84.0, database 6250, Windows 7 64-bit Service Pack 1, Intel i5, 8 GB DDR3 RAM. Everything is on default mode on this machine. No other security software is running in this environment.

    Take Care ;)

    NoobStick
     

    Attached file: nu.png (29.3 KB)
  15. HealingStargate

    HealingStargate Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    160
    Location:
    USA
I have been getting DNS cache poisoning attack notices and, as I have said before in this thread, I have found them to come from my Internet provider, and they seem to only happen when I call up my emails through Outlook.
I unchecked the box for notifying of DNS cache poisoning and will wait until there is a fix in another version of ESET 5.

    KOR-
     