FW: Hack - DNS cache poisoning resurfacing on MS DNS?

From: Vidovic,Zvonimir,VEVEY,GL-IS/CIS (Zvonimir.Vidovicat_private)
Date: Thu Jan 17 2002 - 06:32:10 PST

    hi there,
    
    We obviously got some cache poisoning recently.
    FYI: we are using MS DNS.
    Has anyone else had the same problems?
    
    I've seen nothing on our IDS...
    
    PS: I CCed dnsmasterat_private just to check if he's aware of
    this...
    
    here's the stuff:
    It definitely looks like the old DNS cache poisoning trick:
    
    
    > HERE:
    > 
    > C:\WINDOWS>ping www.vmyths.com
    > 
    > Pinging www.vmyths.com [212.69.172.16] with 32 bytes of data:
    > 
    > Reply from 212.69.172.16: bytes=32 time=97ms TTL=241
    > Reply from 212.69.172.16: bytes=32 time=43ms TTL=241
    > Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
    > Reply from 212.69.172.16: bytes=32 time=27ms TTL=241
    > 
    > Ping statistics for 212.69.172.16:
    >     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    > Approximate round trip times in milli-seconds:
    >     Minimum = 27ms, Maximum =  97ms, Average =  48ms
    > 
    > 
    > THERE:
    > 
    > www.vmyths.com
    > Name:    vmyths.com
    > Address:  216.217.111.18
    > Aliases:  www.vmyths.com
    > 
    > let's see if this comes from some poisoning and so on...
    > 
    > 
    > if we look at the SOA records from a distant site, we get this:
    > 
    > > set q=SOA
    > > vmyths.com
    > vmyths.com
    >         origin = dns9.register.com
    >         mail addr = root.register.com
    >         serial = 2000011705
    >         refresh = 10800 (3H)
    >         retry   = 86400 (1D)
    >         expire  = 604800 (1W)
    >         minimum ttl = 3600 (1H)
    > vmyths.com      nameserver = dns9.register.com
    > vmyths.com      nameserver = dns10.register.com
    > 
    > whereas if we look at them from our point of view:
    > 
    > > set q=SOA
    > > vmyths.com
    > vmyths.com
    >         origin = ns3.domainname.at
    >         mail address = dnsmaster.ns3.domainname.at
    >         serial = 1009665720
    >         refresh = 1800 (30M)
    >         retry   = 600 (10M)
    >         expire  = 1800 (30M)
    >         minimum ttl = 1800 (30M)
    > 
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
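The comparison the poster did by eye (ask the suspect resolver and an outside vantage point for the zone's SOA, then look for a different origin, contact and serial) is easy to script. The block below is an added example, not code from the original post or from the poster's site. It parses the nslookup-style SOA output quoted in the thread and reports which fields disagree. The two sample text blocks are copied from the post; the function names, the severity labels and the `query_soa` helper are assumptions of this example.

```python
"""Compare a local resolver's view of a zone's SOA with a reference view.

Added example, not code from the original post. It automates the check the
poster did by hand: ask for the SOA from the suspect resolver and from an
outside vantage point, then diff the fields. The two sample blocks are copied
from the post; the function names and the `query_soa` helper are ours.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# "key = value" lines of an nslookup SOA answer, e.g. "origin = dns9.register.com"
_KV_RE = re.compile(r"^([a-z ]+?)\s*=\s*(\S+)", re.IGNORECASE)
# "zone  nameserver = host" lines that nslookup prints after the SOA
_NS_RE = re.compile(r"^\S+\s+nameserver\s*=\s*(\S+)", re.IGNORECASE)


@dataclass
class SoaView:
    origin: str = ""                      # SOA MNAME (primary master)
    mail_addr: str = ""                   # SOA RNAME (zone contact)
    serial: int = 0
    nameservers: Set[str] = field(default_factory=set)


def parse_nslookup_soa(text: str) -> SoaView:
    """Parse the text of an `nslookup -q=SOA <zone>` answer into a SoaView.

    Leading '>' quoting and indentation (as in the mailing-list post) is ignored.
    """
    view = SoaView()
    for raw in text.splitlines():
        line = raw.lstrip("> \t")
        m = _NS_RE.match(line)
        if m:
            view.nameservers.add(m.group(1).rstrip(".").lower())
            continue
        m = _KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).rstrip(".").lower()
        if key == "origin":
            view.origin = value
        elif key in ("mail addr", "mail address"):
            view.mail_addr = value
        elif key == "serial":
            view.serial = int(value)
    return view


def compare_views(local: SoaView, reference: SoaView) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means the views agree.

    A different MNAME, RNAME or NS set means the resolver learned the zone from
    somewhere other than its real authority ("strong"). A serial mismatch on
    its own can be plain replication lag, so it is only "weak".
    """
    findings = []
    if local.origin != reference.origin:
        findings.append(("strong", f"SOA origin: local={local.origin} reference={reference.origin}"))
    if local.mail_addr != reference.mail_addr:
        findings.append(("strong", f"SOA mail addr: local={local.mail_addr} reference={reference.mail_addr}"))
    if local.nameservers and reference.nameservers and local.nameservers != reference.nameservers:
        findings.append(("strong", f"NS set: local={sorted(local.nameservers)} reference={sorted(reference.nameservers)}"))
    if local.serial != reference.serial:
        findings.append(("weak", f"SOA serial: local={local.serial} reference={reference.serial}"))
    return findings


def query_soa(zone: str, server: str) -> SoaView:
    """Live variant (not exercised offline): run the system nslookup against
    one server and parse its output. `nslookup -q=SOA zone server` is the
    non-interactive form of the `set q=SOA` session shown in the post."""
    proc = subprocess.run(["nslookup", "-q=SOA", zone, server],
                          capture_output=True, text=True, check=False)
    return parse_nslookup_soa(proc.stdout)


# Sample input copied from the post: the "distant site" view of the zone.
REFERENCE_SOA_TEXT = """\
vmyths.com
        origin = dns9.register.com
        mail addr = root.register.com
        serial = 2000011705
        refresh = 10800 (3H)
        retry   = 86400 (1D)
        expire  = 604800 (1W)
        minimum ttl = 3600 (1H)
vmyths.com      nameserver = dns9.register.com
vmyths.com      nameserver = dns10.register.com
"""

# Sample input copied from the post: what the poster's own MS DNS server returned.
LOCAL_SOA_TEXT = """\
vmyths.com
        origin = ns3.domainname.at
        mail address = dnsmaster.ns3.domainname.at
        serial = 1009665720
        refresh = 1800 (30M)
        retry   = 600 (10M)
        expire  = 1800 (30M)
        minimum ttl = 1800 (30M)
"""


def check_sample() -> List[Tuple[str, str]]:
    """Diff the two quoted views: origin and contact differ (strong), serial differs (weak)."""
    return compare_views(parse_nslookup_soa(LOCAL_SOA_TEXT),
                         parse_nslookup_soa(REFERENCE_SOA_TEXT))


if __name__ == "__main__":
    for severity, msg in check_sample():
        print(f"[{severity}] {msg}")
```

Run against the quoted output, the script reports the origin and contact mismatch as strong indicators and the serial mismatch as weak; the local view lists no NS records, so the NS comparison is skipped rather than reported. For a live check, pick the reference server from the parent zone's delegation (or a resolver outside the suspect network) rather than from the suspect resolver itself, since a poisoned cache can also hand back the attacker's NS set.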
    
    This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 08:22:05 PST