Recently a technique was discovered that allows an attacker to mount successful DNS cache poisoning attacks with low-complexity tools and low traffic requirements. This technique exploits a weakness in most implementations of the DNS protocol.
The urgency of patching recursive DNS servers has increased significantly after technical details about this issue were leaked to the public. Proof of concept code has been published on blogs and mailing lists. In light of these developments, administrators are advised to apply the necessary updates immediately.
DNS Cache Poisoning – The Problem in a Nutshell
Joe Consumer, using his home banking service, relies on the requesting (recursive) DNS server of his Internet Service Provider (ISP) to look up the address of his bank's web site, which is answered by the bank's authoritative DNS server. Even if the bank and its ISP have applied all of the necessary patches to mitigate this exploit, Joe Consumer's ISP may have done nothing to fix or monitor it. If that is the case and the cache of the requesting DNS server has been poisoned, the consumer can be redirected to a fraudulent bank web site that he has no way of detecting.
What makes this exploit so dangerous is that there is nothing the bank can do to protect its customers. The customers have to find out on their own whether their DNS server is safe, or fix the DNS problem by switching to a secure DNS server. The biggest concern: how many consumers know how to do that?
The threat is real and three exploits have already been identified. Security experts expect it to pick up steam over the weekend, and we may see some attacks as early as next week.
What is Cache Poisoning?
Simply put, cache poisoning is the ability to feed incorrect information into a DNS server's cache, which is then handed out to computers accessing web sites. This "redirection" could lead to a web site set up for malicious activity, such as capturing proprietary information and/or downloading code. So you could think you were going to http://www.google.com when in fact you were being taken to another web address.
How Bad Is It?
Comments have made their way into the press (such as "the internet as we know it will end on August 7th when the vulnerability is made public and explicitly detailed") predicting that this could be a significant event. While this opinion does have some merit, it is not necessarily a viewpoint shared by all security experts. What is true is that the announced vulnerability is indeed valid and serious. However, the ability to redirect internet users from one site to another is not new, and this is yet another potential risk on which we have to take action, monitor, assess, and take additional actions as necessary.
Do we believe the internet will stop on August 7th? Based on the current information and the actions being taken by companies that have recognized the potential threat from this vulnerability, we do not believe that will happen. However, all companies should be aware, well prepared, and take any and all actions necessary to protect systems, data, and brand in the event that attacks result from the vulnerability.
Recommendations for financial institution customers:
Computer security best practices (patching of the underlying OS and applications as well as running up-to-date controls such as anti-virus, personal firewalls, IPS, etc.) are recommended for our customers to help reduce the risk related to this vulnerability.
Additional Recommendations:
Detecting attacks:
• Vulnerability scanning
• IDS and IPS signatures
• Network traffic probes to capture DNS-related traffic (analysis of anomalies and blacklist matches)
• Monitor DNS logs for an excessive number of queries for random-looking host names under a single domain
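As an added example (not from the original advisory), the following Python script applies the last recommendation to a handful of constructed query-log lines in a BIND-style layout: it flags a client that asks the resolver for many distinct random-looking host names under one domain, which is what the query flood behind this attack looks like in a resolver's log. The threshold, the randomness heuristic and the two-label domain rule are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style query-log layout (not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#53000: query: www.example.com IN A + (198.51.100.1)
client 192.0.2.10#53001: query: mail.example.com IN A + (198.51.100.1)
client 203.0.113.7#4411: query: a8f3kq1.example.com IN A + (198.51.100.1)
client 203.0.113.7#4412: query: zx91pqm.example.com IN A + (198.51.100.1)
client 203.0.113.7#4413: query: q7bn2ls.example.com IN A + (198.51.100.1)
client 203.0.113.7#4414: query: k3vd8wr.example.com IN A + (198.51.100.1)
client 203.0.113.7#4415: query: p0s4mty.example.com IN A + (198.51.100.1)
client 203.0.113.7#4416: query: www.example.org IN A + (198.51.100.1)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def looks_random(label: str) -> bool:
    """Heuristic (assumption): labels that are long, mix letters and digits
    and contain few vowels are unlike ordinary host names such as 'www'."""
    if len(label) < 6 or not label.isalnum():
        return False
    has_digit = any(c.isdigit() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return has_digit and vowel_ratio < 0.3

def parent_domain(qname: str) -> str:
    """Assumption: the zone of interest is the last two labels (e.g. example.com)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_suspects(log_text: str, threshold: int = 5) -> dict:
    """Return {(client_ip, domain): [random-looking labels]} for every pair
    that queried at least `threshold` distinct random-looking host names."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        label = qname.split(".")[0]          # leftmost label is the host part
        if looks_random(label):
            seen[(m.group("ip"), parent_domain(qname))].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (ip, domain), labels in find_suspects(SAMPLE_LOG).items():
        print(f"{ip} sent {len(labels)} random-looking queries under {domain}: {labels}")
```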
For more information:
http://www.pcworld.com/businesscenter/article/148854/attack_code_released_for_new_dns_attack.html
To determine whether your DNS system is vulnerable, you can click on the following link and follow the directions to one of two tests:
http://news.cnet.com/8301-1009_3-9998625-83.html