[ISN] RE: DNS attack could signal Phishing 2.0

From: InfoSec News (alerts@private)
Date: Sun Dec 16 2007 - 22:14:49 PST


Forwarded from The Unknown Security Guy

On Dec 13, 2007 3:05 AM, InfoSec News <alerts@private> wrote:
> Forwarded from: Crypto Admin <novembr5 (at) gmail.com>
>
> On 12/11/07, InfoSec News <alerts@private> wrote:
> > http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
> >
> > By Robert McMillan
> > IDG News Service
> > December 11, 2007
> >
> > Researchers at Google and the Georgia Institute of Technology are
> > studying a virtually undetectable form of attack that quietly controls
> > where victims go on the Internet.
>
> Please read the comments on this article over at CircleID, where it is 
> pointed out that the data does not support any difficulties with open 
> recursive DNS servers, but rather with misconfigured DNS servers. Both 
> David A. Ulevitch and Brett Watson make the points far better than I 
> could.
>
> http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
>
> The authors of this report would have done themselves a favor, had 
> they listened to their reviewers

I agree that it would make sense to point out that while DNSSEC 
( http://www.dnssec.net ) will help, upgrading from BIND 4 might 
also help out a bit.

While I do not know if Dagon and friends scanned for port 53 (possibly 
including DNS servers running on infected Comcast machines for example), 
or used NS and SOA records to locate servers, I think the method was 
most likely a mix of all methods: port 53 scans, mixed with watching 
traffic to gather name server addresses, as well as taking advantage 
of the hierarchical nature of DNS mixed with professional connections.

Still, it doesn't take many servers to create either DNS poisoning 
or massive DDoSes via DNS amplification attacks, and tens of thousands 
of "rogue" DNS servers are easily still enough to bring any TLD to its 
knees without the need for a massive botnet to do so (see: the death 
of Blue Security here: 
http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html 
and DNS amplification attacks here: 
http://www.securiteam.com/securityreviews/5GP0L00I0W.html ).

Even if it's due to malicious installation, misconfiguration, out-of-date 
software, caching or recursive queries: these servers all pose a threat, 
and only contribute to the ability for one person to take out what seems 
to be the Internet's Achilles' heel: DNS. Combining these five types 
of "rogue" servers in an attack can lead to vectors that boggle the mind.

The only reason we haven't seen many of the massive DNS amplification 
attacks on major TLDs is that the InfoSec community is largely 
ineffectual when it comes to hurting spammers/botmasters and cleaning 
up the networks and thereby damaging the attackers' bottom line. (I.e.: 
whack-a-mole is better than all-out war for their portfolio (and ours), 
which relies on the Internet to function for either of us to make any 
money). If our success at taking down botnets grows, we will see more 
of these attacks happen in order to show that whack-a-mole appeases 
everyone, while all-out war hurts everyone (see Blue Security again :-).

In the meantime, while DNS amplification attacks are blasé and would 
lead to all-out war (bad for both sides), DNS poisoning can further the 
game of whack-a-mole without really hurting either InfoSec or phishers, 
only end users. Very likely to be a growing attack vector.

I guess I am agreeing with David's assessment of the situation.


__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
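The thread above argues that misconfigured or open recursive resolvers are what makes DNS amplification and poisoning cheap, and that the fix is on the operator's side. The following Python script is an added example (not code from the thread, InfoSec News, or any of the people quoted) showing what a resolver operator would check in their own query logs: whether non-local clients are sending recursion-desired queries (the "open recursion" misconfiguration) and whether any client address is receiving a flood of repetitive ANY queries (the signature of the resolver being used as an amplifier, in which case the "client" address is the spoofed victim). The log line layout is an approximation of the BIND 9 query-log format and is an assumption; the log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
"""Spot open recursion and amplification abuse in resolver query logs.

Added example; the log format is an assumed approximation of BIND 9's
"queries" channel, and every log line below is constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed line layout:
#   "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags>"
# In <flags>, a leading "+" means the client set RD (recursion desired),
# "-" means it did not, and "E" means EDNS (large UDP payloads) was used.
LOG_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)"
)

# Networks this resolver is meant to serve (assumption: RFC 1918 space).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log. 192.168.x / 10.x are legitimate local clients;
# 198.51.100.7 is an outside host asking for recursion; 203.0.113.9 is the
# address a flood of ANY queries claims to come from (in a real amplification
# attack that is the spoofed victim, not the attacker).
SAMPLE_LOG = """\
16-Dec-2007 22:01:10.001 client 192.168.1.10#4123: query: www.example.com IN A +E
16-Dec-2007 22:01:10.020 client 192.168.1.10#4124: query: www.example.com IN AAAA +E
16-Dec-2007 22:01:11.300 client 10.0.0.5#53012: query: mail.example.com IN MX +
16-Dec-2007 22:01:12.004 client 198.51.100.7#2048: query: example.org IN A +
16-Dec-2007 22:01:12.900 client 198.51.100.7#2049: query: example.org IN NS -
16-Dec-2007 22:01:13.000 client 203.0.113.9#53: query: example.net IN ANY +E
16-Dec-2007 22:01:13.001 client 203.0.113.9#53: query: example.net IN ANY +E
16-Dec-2007 22:01:13.002 client 203.0.113.9#53: query: example.net IN ANY +E
16-Dec-2007 22:01:13.003 client 203.0.113.9#53: query: example.net IN ANY +E
16-Dec-2007 22:01:13.004 client 203.0.113.9#53: query: example.net IN ANY +E
16-Dec-2007 22:01:13.005 client 203.0.113.9#53: query: example.net IN ANY +E
"""


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def is_local(ip):
    """True if the client address belongs to a network we intend to serve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyse(lines, any_threshold=5):
    """Flag non-local recursive clients and likely amplification targets.

    any_threshold is the number of ANY queries from one address at which we
    treat that address as a suspected amplification victim (constructed
    value; tune it to your own query volume).
    """
    nonlocal_recursive = set()
    any_by_client = Counter()
    names_by_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Open-recursion check: RD set by a client we never meant to serve.
        if rec["recursion_desired"] and not is_local(rec["ip"]):
            nonlocal_recursive.add(rec["ip"])
        # Amplification check: repetitive ANY queries toward one address.
        if rec["qtype"] == "ANY":
            any_by_client[rec["ip"]] += 1
            names_by_client[rec["ip"]][rec["qname"]] += 1
    suspects = {}
    for ip, n in any_by_client.items():
        if n >= any_threshold:
            top_name, top_count = names_by_client[ip].most_common(1)[0]
            suspects[ip] = {"any_queries": n, "top_name": top_name,
                            "top_name_share": top_count / n}
    return {"nonlocal_recursive_clients": nonlocal_recursive,
            "amplification_suspects": suspects}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for ip in sorted(report["nonlocal_recursive_clients"]):
        print(f"non-local client asking for recursion: {ip} "
              f"(restrict recursion to served networks)")
    for ip, info in report["amplification_suspects"].items():
        print(f"possible amplification toward {ip}: {info['any_queries']} ANY "
              f"queries, {info['top_name_share']:.0%} for {info['top_name']}")
```

The two findings call for different responses: a non-local address asking for recursion means the resolver's recursion ACL (for BIND, `allow-recursion`) is too broad and should be narrowed to the networks it serves; a flood of identical ANY queries means the resolver is already being used as an amplifier, and since the logged address is the victim, the remedy is to stop answering outsiders (and rate-limit responses), not to block that address.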



This archive was generated by hypermail 2.1.3 : Sun Dec 16 2007 - 22:28:06 PST