Imagine that you are buying your next pair of shoes from your favorite Internet shoe site. You've logged into your account, browsed a few dozen pairs, and made your selection. Now, it's time to check out with your market basket, enter in your credit card number, and close the transaction. Surprise! Because of the latest exploit on the Internet, you'll never receive your size double Es and your credit card number has escaped.
The culprit? DNS cache poisoning redirected your browser when you thought you were going to the checkout counter. This hacking technique, called "pharming," is the latest threat to an Internet infrastructure that is suffering some of the most chilling security threats in its history.
Recent Pharming Attacks
On March 3, 2005, the SysAdmin, Audit, Network, Security (SANS) Institute's Internet Storm Center (ISC) began receiving reports from multiple sites about DNS cache poisoning attacks. The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After conducting a complete analysis, the ISC surmised that the attack involved several technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least five UNIX Web servers. The ISC also received information indicating that the attack may have started as early as February 22, 2005, but probably affected only a small number of people.
Then, on March 24, the ISC received new reports of a different DNS cache poisoning attack. After monitoring the situation for several weeks, the ISC determined that the attackers were changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive. This second attack transformed into a third attack that redirected users toward different IP addresses. This third attack was still ongoing as of April 1, 2005.
DNS: What Is It?
DNS stands for Domain Name System, and it's a key infrastructural element of the Internet. What's it do? To understand the function of DNS, you have to understand a bit about how your Web browser uses Internet Protocol (IP) to find other computers.
IP starts with the assumption that every computer connected to the Internet has a unique address composed of octets. For instance, the IP address of the computer where you are reading this article is 184.108.40.206.
When you key in a URL, such as www.MCPressOnline.com, the Internet must figure out where on the World Wide Web it will find the physical computer that is hosting the Web site. It needs to intelligently equate the URL's name, www.MCPressOnline.com, with the server IP address of 220.127.116.11.
The cross-referencing mechanism that the Internet uses to equate URLs with IP addresses is DNS. Like a legion of excellent reference librarians, literally hundreds of thousands of DNS servers run on IP routers across the Internet, looking up IP addresses each time you key a URL into your Web browser. If the DNS server closest to you doesn't have the answer, it will refer you to another DNS server, which might.
Other DNS Functions
That's the part of DNS that everybody uses: looking up IP addresses. However, another equally important part of the DNS servers' job is distributing information about new IP addresses, URLs, and domains. As each DNS server receives this new information from another DNS server, it updates its own cross-reference library and then passes the information along to the next DNS server. When you initially acquire a Web domain name, the process can take more than 48 hours before your URL/IP address is universally accessible on the Internet: All of those DNS servers must propagate the new domain name to each of its neighbors. And like a telephone tree, DNS propagation is extremely effective for making the new domain names accessible to the billions of PCs across the Internet.
But what happens if a DNS server suddenly starts passing bad information to its neighbors? That's what DNS cache poisoning is about, and that's the latest mortal threat to the Internet.
What Is DNS Cache Poisoning?
How does DNS cache poisoning occur? The main method is for a hacker to break into an unprotected or compromised DNS server or DNS proxy server and begin changing the destination IP addresses of URLs in the cache of the server. Then, the hacker triggers a DNS query. There are several ways to accomplish this. A few easy methods are to send an email to a nonexistent user (which will generate a non-delivery response to the source domain), send spam email with an external image, or send banner ads served from another site. Once the trigger executes, the victim's site DNS server queries the corrupted DNS server. The attacker also includes extra information in the DNS reply packet, containing root entries for the entire .com domain.
If a victim DNS server is not configured properly, it will accept the new entries from the corrupted DNS server and delete the proper entries. Once this has occurred, any future queries that your DNS server makes against the corrupted addresses will send the user to the wrong IP address.
Meanwhile, the corrupted DNS server itself has begun sending users to Web servers that attempt to attach spyware to the users' PCs through exploits in Internet Explorer. These spyware modules then send information about the user's actions to other machines, creating a severe security breach.
Symantec's Enterprise Security Gateway was revealed to have a DNS cache poisoning vulnerability last summer, and the company issued a hotfix for its products. However, new hotfixes were issued on March 15, 2005, and include the following products:
- Symantec Gateway Security 5400 Series, v2.x
- Symantec Gateway Security 5300 Series, v1.0
- Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
- Symantec Enterprise Firewall v8.0 (Windows and Solaris)
- Symantec VelociRaptor, Model 1100/1200/1300 v1.5
In addition, there have been verified reports that Windows 2003 and NT4/2000 (with the proper registry key settings) are also vulnerable to DNS cache poisoning.
UNIX machines have the historical advantage of having fixed most DNS cache poisoning vulnerabilities long ago, and i5/OS seems to be invulnerable at the moment.
Cleaning Up After an Attack
- You need to be absolutely positive that you have not been infected with spyware. Many spyware/adware programs today will modify the DNS settings or local hosts file on Windows machines. So you should first run your favorite spyware/adware detection tool.
- Try to find out the IP address(es) of the malicious DNS server(s) and check the ISC Web site for a list of reported IP addresses. If the IP has not been reported, fill out a report at the ICS using the following URL: http://isc.sans.org/contact.php.
- You may need to block the IP address(es) of the corrupted DNS server(s) at your border routers/firewalls so that your cache does not become poisoned again.
- Cleaning up from a sitewide DNS cache poisoning may require flushing the cache on all of your DNS servers in your organization, probably starting with the most externally facing DNS boxes first.
- On Windows DNS servers, you can stop/start the DNS service to clear the cache. You can also use the dnscmd.exe /ClearCache command from the Resource Kit.
- On Windows 2000, XP, and 2003 clients, you can flush the client cache by running ipconfig /flushdns.
- On BIND 9, you can clear the cache by running the rndc command and executing the "flush" command. On BIND 8 or below, it appears that you have to restart the server.
How Near Is the End?
It's hard to believe that the World Wide Web is barely 13 years old, and it's amazing how the current technologies have transformed business in that short time. However, much of the infrastructure of the Internet is based upon protocols and technologies first conceived more that 30 years ago, and today many of the security vulnerabilities that continually challenge our infrastructure have their roots in those older areas of Internet.
Wouldn't it be great if--knowing what we know today about the holes in the infrastructure--our technologists and scientists could re-engineer those basic protocols? SMTP, POP3, DNS, and even TCP/IP and UDP could stand a significant beefing up in the area of security.
Yet, because the Internet is now an international phenomenon, the task of re-engineering basic protocols through standards committees and consortiums will be ongoing. And as a result, companies and individuals will be increasingly susceptible to new hacking schemes that place them at severe financial risk.
Here's what the final question will be: What price are we willing to pay for a bulletproof Internet? At the moment, this question isn't even being asked. Until it's answered, we'll continue to report on the progressive "death by a thousand hacks" that the Internet is currently experiencing.
Thomas M. Stockwell is editor in chief of MC Press Online, LP.