Forwarded from The Unknown Security Guy

On Dec 13, 2007 3:05 AM, InfoSec News <alerts@private> wrote:

> Forwarded from: Crypto Admin <novembr5 (at) gmail.com>
>
> On 12/11/07, InfoSec News <alerts@private> wrote:
> > http://www.infoworld.com/article/07/12/11/DNS-attack-could-signal-Phishing-2.0_1.html
> >
> > By Robert McMillan
> > IDG News Service
> > December 11, 2007
> >
> > Researchers at Google and the Georgia Institute of Technology are
> > studying a virtually undetectable form of attack that quietly controls
> > where victims go on the Internet.
>
> Please read the comments on this article over at CircleID, where it is
> pointed out that the data does not support any difficulties with open
> recursive DNS servers, but rather with misconfigured DNS servers. Both
> David A. Ulevitch and Brett Watson make the points far better than I
> could.
>
> http://www.circleid.com/posts/malicious_open_recursive_dns_servers/
>
> The authors of this report would have done themselves a favor had
> they listened to their reviewers.

I agree that it would make sense to point out that while DNSSEC (http://www.dnssec.net) will help, upgrading from BIND 4 might also help out a bit. While I do not know whether Dagon and friends scanned for port 53 (possibly including DNS servers running on infected Comcast machines, for example), or used NS and SOA records to locate servers, I think the method was most likely a mix of all methods: port 53 scans, mixed with watching traffic to gather name server addresses, as well as taking advantage of the hierarchical nature of DNS, mixed with professional connections.

Still, it doesn't take many servers to create either DNS poisoning or massive DDoSes via DNS amplification attacks, and tens of thousands of "rogue" DNS servers are easily still enough to bring any TLD to its knees without the need for a massive botnet to do so (see the death of Blue Security here: http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html and DNS amplification attacks here: http://www.securiteam.com/securityreviews/5GP0L00I0W.html). Even if it's due to malicious installation, misconfiguration, out-of-date software, caching or recursive queries, these servers all pose a threat, and only contribute to the ability for one person to take out what seems to be the Internet's Achilles' heel: DNS. Combining these five types of "rogue" servers in an attack can lead to vectors that boggle the mind.

The only reason we haven't seen many of the massive DNS amplification attacks on major TLDs is that the InfoSec community is largely ineffectual when it comes to hurting spammers/botmasters and cleaning up the networks and thereby damaging the attackers' bottom line. (I.e.: Whack-A-Mole is better than all-out war for their portfolio (and ours), which relies on the Internet to function for either of us to make any money.) If our success at taking down botnets grows, we will see more of these attacks happen in order to show that Whack-A-Mole appeases everyone, while all-out war hurts everyone (see Blue Security again :-). In the meantime, while DNS amplification attacks are blasé and would lead to all-out war (bad for both sides), DNS poisoning can further the game of Whack-A-Mole without really hurting either InfoSec or phishers, only end users. Very likely to be a growing attack vector.

I guess I am agreeing with David's assessment of the situation.

__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
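As an added illustration that is not part of the original message, the following Python builds a recursion-desired DNS query and audits a reply for the two properties the thread keeps returning to: whether the server offers recursion to an arbitrary client (RA flag set on a successful, answered reply) and how much larger the reply is than the query (the amplification factor). The reply bytes are constructed inside the script, so it runs offline against no real server; `fake_reply` and the TEST-NET-1 addresses are constructed fixtures, not data from the post.

```python
import struct

# Added illustration, not code from the original post. Builds a DNS query
# with RD=1 and classifies a reply the way an operator auditing their own
# resolvers would: is recursion served to anyone (RA on a NOERROR answer),
# and what is the reply/query size ratio (amplification factor)?

def build_query(name, qtype=255, txid=0x1234):
    """Minimal DNS query: 12-byte header, QNAME, QTYPE, QCLASS=IN; RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed DNS header (RFC 1035 section 4.1.1)."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def audit(query, response):
    """Report open recursion and amplification for one query/reply pair."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("reply does not belong to this query")
    return {"open_recursion": r["ra"] and r["rcode"] == 0 and r["ancount"] > 0,
            "amplification": round(len(response) / len(query), 1),
            "records": r["ancount"] + r["nscount"] + r["arcount"]}

def fake_reply(query, answers, flags=0x8180):
    """Constructed test reply: echoes the question, adds `answers` A records.
    Default flags 0x8180 = QR, RD, RA set, NOERROR (an open resolver's answer)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, flags, 1, answers, 0, 0)
    question = query[12:]
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, 300, 4)  # name ptr, A, IN, TTL, rdlen
    rdata = [rr + bytes([192, 0, 2, i]) for i in range(answers)]  # TEST-NET-1
    return header + question + b"".join(rdata)

if __name__ == "__main__":
    q = build_query("example.com")
    print(audit(q, fake_reply(q, 20)))   # {'open_recursion': True, 'amplification': 12.0, 'records': 20}
```

A reply that refuses recursion (RCODE REFUSED, RA clear) scores `open_recursion: False` and an amplification of 1.0, which is the behaviour a properly restricted resolver shows to outside clients.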
This archive was generated by hypermail 2.1.3 : Sun Dec 16 2007 - 22:28:06 PST