DNS cache poisoning attack?
Veolus
Hello,

My site is currently undergoing a DNS cache poisoning attack and I'm doing everything possible to circumvent and rectify the problem, but I would like to know if there is any way to prevent these types of attacks from happening in future :) Your help is appreciated :tu:

What happens to my site when I visit it is I get a blank page with an iframe redirecting to - http://www.thh.jp which is suspected to be the culprit of this attack. I've searched "tbh.jp" on Google and I've found that there are some other hosts that have suffered DNS cache poisoning attacks from the same person. If you would happen to know more about tbh.jp, your say would be appreciated ;)

When I first went to my site, I was like "What the hell!" :-/ I viewed the source code and thought that someone had supposedly hacked the server and screwed around with the .htaccess file, but it wasn't the case here. After extensive research, I realized that it was a DNS cache poisoning attack and all sites hosted on my server are affected by the attack as well, so I have to get it fixed A.S.A.P. and notify all customers about the attack and let them know that it will be fixed soon.

Have you guys ever encountered these types of attacks?


Here's information about DNS cache poisoning attacks:

########################################################################
## What exactly is DNS cache poisoning?
########################################################################

Basically, it is a method for an attacker to change the IP address that a
hostname resolves to. For instance the hostname www.cisco.com points to
the IP address 198.133.219.25. A DNS cache poisoning attack allows an
attacker to change the IP address for a host/domain and point it to a
different IP address.

If the above paragraph didn't make any sense, then take a step back and
understand that DNS (Domain Name System) is the method by which you can
resolve a human name like www.google.com into an IP address. An IP
address is a computer's unique location on the Internet. For a very
good explanation of how the global DNS system works, refer to this
article:

http://computer.howstuffworks.com/dns.htm/printable

Second, you must understand that most end-users on the Internet use a
DNS server that is close to them (at their ISP or within their
organization's firewalls) to lookup names for them. For performance
reasons, these DNS servers cache the returned data so that it takes less
time to respond to the next client. If there is a vulnerability or
misconfiguration in the software on these DNS servers, then the cache
poisoning attack is possible. When a victim DNS cache is poisoned, the
attacker will be affecting ALL future lookups of any domain name he
chooses for ALL users of that DNS server. Large ISPs may have thousands
of users referencing a single DNS resolver. So an attack against a
resolver could affect thousands of users, without those users having
done anything wrong.

Here is how the attack works. First, there needs to be a trigger that
forces the victim site's DNS server to query the evil DNS server. There
are several ways to accomplish this. A couple of easy methods are
e-mail to a non-existent user (which will generate an NDR to the source
domain), spam e-mail with an external image, banner ads served from
another site, or perhaps triggering it from a bot network or installed
base of spyware.

Once the trigger executes, the victim's site DNS server queries the evil
DNS server. The attacker includes extra information in the DNS reply
packet. In both attacks, the reply packets contained root entries for
the entire .COM domain. If your DNS server is not configured properly,
then it will accept the new entries for .COM and delete the proper
entries for the Verisign servers (which runs the .COM domain). Once this
has occurred, any future queries that your DNS server makes for .COM
addresses will go to the malicious DNS server. The server can give you
any address it wants. In this attack, any hostname that you request is
returned with a couple of IP addresses that are running a webserver and
attempting to exploit client-side bugs in Internet Explorer to install
spyware.

It is important to note that this attack could be used to hijack other
domain roots besides .COM, like .NET, .ORG, or the country TLDs like .CA
or .DE. The attacker could hijack all of them. A smart attacker would
potentially just hijack specific hostnames and then return the correct
information for all other queries. This type of attack would not be as
noticeable and could potentially be very dangerous.

SOURCE: http://isc.sans.org/presentations/dnspoisoning.php
The views expressed on this page by users and staff are their own, not those of NamePros.
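The quoted text describes a resolver that caches the extra .COM records an attacker pads into a reply. The simulation below is an added example (not code from the post or from the SANS ISC page): a tiny caching resolver processes a constructed reply for www.evil.example that also carries an NS record claiming authority over all of 'com', first without and then with a bailiwick check, which is the control that makes a resolver discard records outside the zone it asked about. All hostnames and IPs are placeholders.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str   # owner name, e.g. "com"
    rtype: str  # "NS" or "A"
    data: str   # nameserver hostname or IP address

def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is zone itself or a name beneath it."""
    record_name, zone = record_name.lower().rstrip("."), zone.lower().rstrip(".")
    return record_name == zone or record_name.endswith("." + zone)

class Resolver:
    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        # Fresh cache with a legitimate (placeholder) delegation for 'com'.
        self.cache = {("com", "NS"): "ns.legit-com-tld.example"}

    def process_reply(self, queried_zone: str, reply: list) -> list:
        """Cache the reply's records; return those dropped as out of bailiwick."""
        rejected = []
        for rr in reply:
            # queried_zone is the zone the resolver believed it was asking about.
            if self.check_bailiwick and not in_bailiwick(rr.name, queried_zone):
                rejected.append(rr)  # hardened resolver: drop unrelated records
                continue
            self.cache[(rr.name, rr.rtype)] = rr.data  # naive resolver: trust all
        return rejected

    def nameserver_for(self, hostname: str) -> str:
        """Nameserver the resolver would query next for hostname (closest cached NS)."""
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            ns = self.cache.get((".".join(labels[i:]), "NS"))
            if ns:
                return ns
        return "<root>"

# Constructed reply from the attacker's server for www.evil.example: the genuine
# answer plus an NS record claiming authority over all of 'com', with its glue.
POISONED_REPLY = [
    RR("www.evil.example", "A", "203.0.113.10"),
    RR("com", "NS", "ns.evil.example"),
    RR("ns.evil.example", "A", "203.0.113.66"),
]

def nameserver_for_com_after_reply(check_bailiwick: bool) -> str:
    r = Resolver(check_bailiwick)
    r.process_reply("evil.example", POISONED_REPLY)
    return r.nameserver_for("www.bank.com")  # who gets asked about an unrelated .com name
```

Without the check, every later .com lookup is sent to ns.evil.example, exactly the takeover the quoted text describes; with it, only the www.evil.example answer and its own glue enter the cache.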
Personally, I think this has been aimed at you personally, possibly from an angry MangoWebs customer but possibly not. I have never heard of this way of hacking.

What site was this on?
I doubt the attack is from an angry MangoWebs customer. As I clearly mentioned in my first post, the attack was from tbh.jp, which has attacked various hosts before, and I seriously don't think I've hosted anyone of this nature. I'm 100% positive it's not from a MangoWebs customer but most likely from someone that likes to attack websites for the fun of it.

I have chosen not to disclose the website as I fear that visiting the website could initiate an installation of various spyware and adware programs on your computer, and I doubt anyone would like that to happen to them.