hi there,

We obviously got some cache poisoning recently.
FYI: we are using MS DNS.
Anyone got the same problems???
I've seen nothing on our IDS...

PS: I CCed dnsmasterat_private just to check if he's aware of this...

here's the stuff:

It definitely looks like the old DNS cache poisoning trick:

> HERE:
>
> C:\WINDOWS>ping www.vmyths.com
>
> Pinging www.vmyths.com [212.69.172.16] with 32 bytes of data:
>
> Reply from 212.69.172.16: bytes=32 time=97ms TTL=241
> Reply from 212.69.172.16: bytes=32 time=43ms TTL=241
> Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
> Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
>
> Ping statistics for 212.69.172.16:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 27ms, Maximum = 97ms, Average = 48ms
>
>
> THERE:
>
> > www.vmyths.com
> Name:    vmyths.com
> Address:  216.217.111.18
> Aliases:  www.vmyths.com
>
> let's see if this comes from some poisoning and so on...
>
>
> if we look at the SOA records from a distant site, we get this:
>
> > set q=SOA
> > vmyths.com
> vmyths.com
>         origin = dns9.register.com
>         mail addr = root.register.com
>         serial = 2000011705
>         refresh = 10800 (3H)
>         retry = 86400 (1D)
>         expire = 604800 (1W)
>         minimum ttl = 3600 (1H)
> vmyths.com nameserver = dns9.register.com
> vmyths.com nameserver = dns10.register.com
>
> whereas if we look at them from our point of view:
>
> > set q=SOA
> > vmyths.com
> vmyths.com
>         origin = ns3.domainname.at
>         mail address = dnsmaster.ns3.domainname.at
>         serial = 1009665720
>         refresh = 1800 (30M)
>         retry = 600 (10M)
>         expire = 1800 (30M)
>         minimum ttl = 1800 (30M)
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
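The check the poster did by hand (compare the SOA as seen from a distant resolver with the SOA your own resolver hands back, and compare the address ping resolved with the address the distant lookup returned) can be scripted. The following is an added example, not part of the original post and not MS DNS or nslookup tooling: it parses the two nslookup SOA outputs quoted above, which are embedded here verbatim so the script runs offline, and lists every field on which the local view disagrees with the authoritative one. Function and constant names are my own.

```python
import re
from typing import Dict, List

# nslookup SOA output from the distant (authoritative-looking) vantage point,
# copied from the post above.
AUTHORITATIVE_VIEW = """\
vmyths.com
        origin = dns9.register.com
        mail addr = root.register.com
        serial = 2000011705
        refresh = 10800 (3H)
        retry = 86400 (1D)
        expire = 604800 (1W)
        minimum ttl = 3600 (1H)
vmyths.com nameserver = dns9.register.com
vmyths.com nameserver = dns10.register.com
"""

# nslookup SOA output as answered by the poster's own (suspect) resolver,
# also copied from the post.
LOCAL_VIEW = """\
vmyths.com
        origin = ns3.domainname.at
        mail address = dnsmaster.ns3.domainname.at
        serial = 1009665720
        refresh = 1800 (30M)
        retry = 600 (10M)
        expire = 1800 (30M)
        minimum ttl = 1800 (30M)
"""

# Addresses from the post: what ping resolved locally vs. what the distant lookup returned.
LOCAL_A = "212.69.172.16"
DISTANT_A = "216.217.111.18"

# Different nslookup builds print "mail addr" or "mail address"; accept both.
FIELD_RE = re.compile(
    r"^[ \t]*(origin|mail addr(?:ess)?|serial|refresh|retry|expire|minimum ttl)"
    r"[ \t]*=[ \t]*(\S+)",
    re.M,
)
NS_RE = re.compile(r"^\S+[ \t]+nameserver[ \t]*=[ \t]*(\S+)", re.M)
NUMERIC = ("serial", "refresh", "retry", "expire", "minimum ttl")
COMPARED = ("origin", "mail", "serial", "refresh", "retry", "expire", "minimum ttl")


def parse_soa(text: str) -> Dict[str, object]:
    """Turn nslookup's SOA listing into a dict; timers become ints, NS lines a list."""
    rec: Dict[str, object] = {}
    for m in FIELD_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if key.startswith("mail"):
            key = "mail"                      # normalise the two spellings
        rec[key] = int(value) if key in NUMERIC else value
    rec["nameservers"] = NS_RE.findall(text)  # empty if nslookup printed none
    return rec


def compare_soa(authoritative: Dict[str, object], local: Dict[str, object]) -> List[str]:
    """List SOA fields on which the local resolver disagrees with the authoritative copy.

    A resolver that is only caching the real zone returns the same origin and serial;
    a different origin means the cached SOA did not come from the zone's listed servers.
    """
    findings = []
    for field in COMPARED:
        a, l = authoritative.get(field), local.get(field)
        if a != l:
            findings.append(f"{field} differs: authoritative={a} local={l}")
    return findings


def check_views(auth_text: str, local_text: str, distant_a: str, local_a: str) -> List[str]:
    """Full check: SOA field disagreements plus the A-record mismatch."""
    findings = compare_soa(parse_soa(auth_text), parse_soa(local_text))
    if distant_a != local_a:
        findings.append(f"A record differs: distant={distant_a} local={local_a}")
    return findings


if __name__ == "__main__":
    for line in check_views(AUTHORITATIVE_VIEW, LOCAL_VIEW, DISTANT_A, LOCAL_A):
        print(line)
```

One caveat when using a "distant site" as the reference: that resolver may be poisoned too. The stronger comparison is against the nameservers the registrar lists for the zone (here dns9/dns10.register.com), queried directly rather than through any cache.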
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 08:22:05 PST