From: InfoSec News (alertsinfosecnews.org)
Date: Mon Dec 17 2007 - 00:14:49 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from The Unknown Security Guy

On Dec 13, 2007 3:05 AM, InfoSec News <alertsinfosecnews.org> wrote:
> Forwarded from: Crypto Admin <novembr5 (at) gmail.com>
>
> On 12/11/07, InfoSec News <alertsinfosecnews.org> wrote:
> > http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
> >
> > By Robert McMillan
> > IDG News Service
> > December 11, 2007
> >
> > Researchers at Google and the Georgia Institute of Technology are
> > studying a virtually undetectable form of attack that quietly controls
> > where victims go on the Internet.
>
> Please read the comments on this article over at CircleID, where it is
> pointed out that the data does not support any difficulties with open
> recursive DNS servers, but rather with misconfigured DNS servers. Both
> David A. Ulevitch and Brett Watson make the points far better than I
> could.
>
> http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
>
> The authors of this report would have done themselves a favor, had
> they listened to their reviewers

I agree that it would make sense to point out that while DNSSEC
( http://www.dnssec.net ) will help, upgrading from Bind 4 might
also help out a bit..

While I do not know if Dagon and friends scanned for port 53 (possibly
including DNS servers running on infected Comcast machines for example),
or used NS and SOA records to locate servers, I think the method was
most likely a mix of all methods: port 53 scans, mixed with watching
traffic to gather name server addresses, as well as taking advantage
of the hierarchical nature of DNS mixed with professional connections.

Still, it doesn't take many servers to create either DNS Poisoning
or massive DDoS's via DNS amplification attacks, and 10's of thousands
of "rogue" DNS servers are easily still enough to bring any TLD to its
knees without the need for a massive botnet to do so (see: the death
of blue security here:
http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html
and DNS Amplification Attacks here:
http://www.securiteam.com/securityreviews/5GP0L00I0W.html )..

Even if its due to malicious installation, misconfiguration, out-of-date
software, caching or recursive queries: these servers all pose a threat,
and only contribute to the ability for one person to take out what seems
to be the Internet's Achilles' heel: DNS. Combining these five types
of "rogue" servers in an attack can lead vectors that boggle the mind.

The only reason we haven't seen many of the massive DNS Amplification
Attacks on Major TLD's is that the InfoSec community is largely
ineffectual when it comes to hurting spammers/botmasters and cleaning
up the networks and thereby damaging the attackers bottom line. (I.E.:
Whack-A-Mole is better than all-out war for their portfolio (and ours),
which relies on the Internet to function for either of us to make any
money). If our success at taking down botnets grows, we will see more
of these attacks happen in order to show that whack-a-mole appeases
everyone, while all out war hurts everyone (see blue security again :-).

In the meantime, while DNS Amplification Attacks are blasse' and would
lead to all out war (bad for both sides), DNS Poisoning can further the
game of whack-a-mole without really hurting either InfoSec or Phishers,
only end users. Very likely to be a growing attack vector.

I guess I am agreeing with David's assessment of the situation.

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]