SAN FRANCISCO – Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones where they could be exposed to identity fraud, a new survey shows.
In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning, CNET.Com reported.
“That is almost 10 percent of the scanned DNS servers,” Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. “If you are not auditing your DNS servers, please start.?
The motivation for a potential attack is money, according to the SANS Internet Storm Center, which tracks network threats. Attackers typically get paid for each spyware or adware program they manage to get installed on a person’s PC.
How does DNS get poisoned?
There are a few steps to go through before a DNS server starts redirecting Web surfers to bogus sites.
Most people’s PCs access a DNS server at an Internet service provider or within a company to map text-based Internet addresses to actual IP addresses. One DNS server can be used by thousands of Internet users.
For performance reasons, DNS servers cache the returned data, so that it takes less time to respond to the next request. When a DNS cache is poisoned, it affects all future lookups of the affected domain, for everyone who uses that particular DNS server.
To poison a DNS server:
First, the target machine has to be tricked into querying a malicious DNS server set up by the attacker. This can be done, for example, by sending an e-mail message to a nonexistent user at the target ISP. Another way is to send an e-mail with an externally hosted image to an actual user.
The target DNS server will then query the attacker’s DNS server. In the DNS reply, the scammer includes extra data that will poison the victim’s DNS cache. The extra information can be a malicious URL or even an entire domain space, such as .com.
If the target DNS server is not configured properly, it will accept the new numerical IP listing and delete the proper entry.
Once this has occurred, any queries sent to the DNS server for the affected URLs will be redirected to the replacement IP addresses set by the attacker. If a domain space is poisoned, all queries ending in that domain will be redirected.
Information lifted from victims, such as social security numbers and credit card data, can also be sold. Additionally, malicious software could be installed on a PC to hijack it and use it to relay spam.
The DNS servers in question are run by companies and Internet service providers to translate text-based Internet addresses into numeric IP addresses. The cache on each machine is used as a local store of data for Web addresses.
In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said.
As each DNS server can be in use by thousands of different computers looking up Internet addresses, the problem could affect millions of Web users, exposing them to a higher risk of phishing attack, identity theft and other cyberthreats.
The poisoned caches act like “forged street signs that you put up to get people to go in the wrong direction,” said DNS inventor Paul Mockapetris, chairman and chief scientist at secure DNS provider Nominum. “There have been other vulnerabilities (in DNS) over the years, but this is the one that is out there now and one for which there is no fix. You should upgrade.”
There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.
The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests- something the distributor of the software specifically warns against.
“If my ISP was running BIND 8 in a forwarder configuration, I would claim that they were not protecting me the way they should be,” Mockapetris said. “Running that configuration would be Internet malpractice.”
