It’s somewhat ironic that shortly after the Kaminsky DNS bug went wild and was almost immediately ported into Metasploit, it was then used to attack HD Moore’s very own company, BreakingPoint.
It happened just a couple of days ago. It doesn’t seem to have been a targeted attack, though; it looks more like mass spammers/scammers leveraging this flaw (as expected) to divert people to scam sites.
It happened on Tuesday morning, when Moore’s company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what’s known as a cache poisoning attack on a DNS server on AT&T’s network that was serving the Austin, Texas, area. One of BreakingPoint’s servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore’s company.
When Moore tried to visit Google.com, he was actually redirected to a fake page that served up a Google page in one HTML frame along with three other pages designed to automatically click on advertisements.
It seems more of a problem with the ISP than with BreakingPoint itself, but it still shows that if you rely on your ISP’s DNS servers you don’t know what kind of fake content is being served up to you.
Better safe than sorry right?
The flaw has to do with the way that DNS programs share information over the Internet. In a cache poisoning attack, the attacker tricks a DNS server into associating malicious IP addresses with legitimate domains, such as Google.com. Security experts say that this type of flaw could lead to very successful phishing attacks against Web surfers whose ISPs have not patched their servers.
Because of the nature of the AT&T hack, Moore doesn’t believe that he was targeted by the hackers. Even BreakingPoint employees didn’t realize that their internal DNS server had been configured to use the AT&T machine. Instead, he thinks that the hackers were simply trying to make a quick buck.
AT&T representatives were not immediately available to comment on the incident.
Moore believes that this type of attack may be going on at other ISPs as well.
I wonder if they managed to con anyone, and whether AT&T has fixed this problem yet. It’s surprising that such a large ISP is still susceptible to this flaw after the amount of publicity the DNS bug has gotten.
Just be on the lookout!
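The quoted explanation above says what a poisoning attack achieves but not why the Kaminsky variant was so effective against a resolver like the AT&T one, or what the patch actually changes. The simulation below is an added example written for this page; it is not code from the InfoWorld article, from BreakingPoint or from AT&T, and the zone, target name, attacker address, port numbers and burst sizes are constructed stand-ins. It models a caching resolver that accepts a reply as long as the name, the 16-bit transaction ID and the port match, an attacker who keeps forcing lookups of throwaway random subdomains (so there is no TTL to wait out) while flooding forged replies that carry an in-bailiwick record for www.google.com, and compares a fixed source port against a randomized one, plus the case of a randomizing resolver whose NAT rewrites every query to a single port.

```python
"""Toy model of a Kaminsky-style DNS cache-poisoning race.

Constructed example for illustration; not the resolver, attacker or data
from the incident described in the post.
"""
import random

ATTACKER_IP = "198.51.100.7"       # assumed attacker address (RFC 5737 range)
ZONE = "google.com"
TARGET = "www." + ZONE             # popular name the forged reply overwrites
TXID_SPACE = 1 << 16               # 16-bit DNS transaction ID
PORT_MIN, PORT_MAX = 1024, 65535   # ephemeral range a randomizing resolver uses


class ToyResolver:
    """Caching resolver that matches a reply on (qname, TXID, port) only.

    Like an unpatched resolver, it takes in-bailiwick records from any
    matching reply, so one forged reply to a lookup of a throwaway
    subdomain can overwrite the cache entry for TARGET.
    """

    def __init__(self, rng, randomize_port, nat_port=None):
        self.rng = rng
        self.randomize_port = randomize_port
        self.nat_port = nat_port      # NAT that rewrites every query to one fixed port
        self.cache = {}
        self.outstanding = None

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randint(PORT_MIN, PORT_MAX) if self.randomize_port else 53
        if self.nat_port is not None:  # the network only ever sees the NAT's port
            port = self.nat_port
        self.outstanding = (qname, txid, port)
        return self.outstanding

    def receive(self, qname, txid, port, records):
        """Accept a reply only if it matches the outstanding query exactly."""
        if self.outstanding != (qname, txid, port):
            return False               # wrong TXID or port: silently dropped
        for name, ip in records.items():
            if name == ZONE or name.endswith("." + ZONE):   # bailiwick check
                self.cache[name] = ip
        self.outstanding = None
        return True


def kaminsky_attack(resolver, attacker_rng, burst, max_rounds, guess_port=None):
    """Race the authoritative server.

    Each round the attacker triggers a lookup of a fresh random subdomain
    and fires `burst` forged replies before the real one arrives. The TXID
    is always guessed; the port is guessed too unless it is known.
    Returns the round number on success, or None if the budget runs out.
    """
    forged = {TARGET: ATTACKER_IP}     # in-bailiwick record smuggled in every forgery
    for rnd in range(1, max_rounds + 1):
        qname = f"{attacker_rng.getrandbits(32):08x}.{ZONE}"
        resolver.send_query(qname)
        for _ in range(burst):
            txid = attacker_rng.randrange(TXID_SPACE)
            port = guess_port if guess_port is not None else attacker_rng.randint(PORT_MIN, PORT_MAX)
            if resolver.receive(qname, txid, port, forged):
                return rnd
        resolver.outstanding = None    # legitimate reply wins this round; try again
    return None


def run(randomize_port, nat_port=None, burst=400, max_rounds=2000, seed=2008):
    """Run one scenario; returns (rounds_to_poison or None, cached IP for TARGET)."""
    resolver = ToyResolver(random.Random(seed), randomize_port, nat_port)
    attacker = random.Random(seed + 1)
    if nat_port is not None:
        known_port = nat_port          # NAT makes the external port predictable
    elif not randomize_port:
        known_port = 53                # fixed source port is public knowledge
    else:
        known_port = None              # attacker must guess the port as well
    rounds = kaminsky_attack(resolver, attacker, burst, max_rounds, known_port)
    return rounds, resolver.cache.get(TARGET)


if __name__ == "__main__":
    scenarios = [
        ("fixed port 53 (unpatched)", dict(randomize_port=False)),
        ("random port (patched)", dict(randomize_port=True)),
        ("random port behind NAT", dict(randomize_port=True, nat_port=40000)),
    ]
    for label, kwargs in scenarios:
        rounds, cached = run(**kwargs)
        print(f"{label:28s} poisoned after {rounds} rounds; cache[{TARGET}] = {cached}")
```

With 400 guesses per round, a resolver that only checks the 16-bit ID gives the attacker roughly a 0.6% chance per round, and a round costs nothing more than one lookup of a name that was never cached, so the fixed-port run is poisoned within a few hundred rounds. Randomizing the source port multiplies the space the attacker has to search by about 64 thousand, and the same budget gets nowhere. A NAT that rewrites the outgoing port back to one value hands that factor straight back to the attacker, which is why checking what your resolver's queries look like from outside the NAT matters as much as applying the patch. The model counts forged packets, not time, so it says nothing about how long the race takes over a real link.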
Source: InfoWorld (Thanks Navin)
Morgan Storey says
I was thinking this might be some DNS patchers trying to buy themselves some time by stopping the first tool to hack their DNS servers.
Devices behind NAT are still shown to be vulnerable so we need a fix there too people.
@Darknet: Have fun on holidays.
Navin says
cheers!! :)
BTW have fun on your break…. believe me, you deserve it!!
CG says
old news and over hyped
“It seems more of a problem with the ISP than BreakingPoint itself”
…tisk tisk for your post title
zupakomputer says
I may have a dewy-eyed view of Malaysia but it must be hard picking a better holiday destination when you’re in a tropical paradise already! Iceland perhaps, something a bit different…..or it works out better cause you don’t have to travel at all, just holiday in the same country.
This DNS thing – what if you tried to complain to your ISP that their caching was poisoned, but their own website was redirecting to a fake ad site too……
Brill says
Today was Dan Kaminsky’s lecture at Black Hat. Although his presentation is not yet available on the Black Hat site, you can find it on Dan’s site: http://www.doxpara.com/DMK_BO2K8.ppt
Has anyone attended who can provide some feedback?
Morgan Storey says
@Brill: yeah I found a link to the MP3, I just downloaded it from here http://blackhat.com/html/webinars/kaminsky-DNS.html
It is pretty long, I’ll listen to it at lunch tomorrow. I should have listened to the webcast live.
Darknet says
Just relax, nothing disappears. Posting the same thing 10 times means I have to go through each one and see which ones are the same and which ones are different, and which one I should post and which I should delete – now that’s annoying. Everything will get through, just wait, I’m on holiday.
lyz says
weehee.. This post is just in time for my re-echo of the Hackacon 2008 event I’ve attended here in our country.
Brill says
@Morgan, thanks for the link!!… Together with the presentation, it will be the nearest I will ever get to being at a Black Hat presentation.
I will try to save some time to listen to it calmly…
This one received a lot of publicity, but does anyone among the lucky guys who could attend recommend any other presentation?
Brill says
Here you have some recent news!! It seems that the patch for this security hole doesn’t solve the vulnerability!!…. There have been some successful tests on servers already patched, and not with just a proof of concept but with a whole functional exploit.
Here is the overall comment from the NY Times:
http://www.nytimes.com/2008/08/09/technology/09flaw.html
And here is the original comment in the post of the Russian physicist who discovered it:
http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html
Morgan Storey says
@Brill: Yeah, NAT negates the patch in most parts as the NAT doesn’t randomise the port. Dan even said the patch doesn’t 100% fix it, it just makes it harder to guess the next port. So it was only a matter of time before someone “brute forced” the port. Scary that they did it this fast, but really they did it over GigE in 10 hours. Most DNS servers that are doing resolves for clients are probably not even on 20 Mbps of bandwidth, with latency 10+ times that of Ethernet. So you could say it would take 10+ times longer to do this over the Internet, so 100 hours. Someone will hopefully notice at around hour 20…
I blogged about this, I think we need to have signed or ssl DNS forwarding and root servers, it wouldn’t be that hard to implement.
Morgan Storey says
So I am the first to admit I have gaps in my knowledge.
I had never heard of DNSSEC; now that I have listened to the Black Hat talk I have heard about it. I had a quick look at Wikipedia and the official site and it is interesting. Of course Windows servers only support it as a secondary, and the glaring hole of non-NSEC3 servers allowing enumeration of sites is just plain silly. Seriously, just hash the user’s requested domain as “Not Found” and add it to the RFC, done.
I think it should include the option of encrypting replies, may as well; it could be useful for higher-security organisations.