SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


DNS cache poisoning: still works and still makes lots of damage

Published: 2011-06-27
Last Updated: 2011-06-27 19:19:08 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
5 comment(s)

I was teaching this week at University. It was a pretty normal class until I heard the following from one of my students:

What happened to google?

A couple of seconds later, many people started making the same complaint, and one minute later nobody had access to Google. I typed the Google URL from my computer and got the following screen:

[Screenshot: strange Google appearance]

The first thing I thought was that Google had suffered an attack. Looking further, I queried for the current Google IP and found the following:

[Screenshot: changed Google IP]

When I looked up the owner of that IP address, ARIN said it was not precisely Google. I performed an nslookup from another domain and got the correct IP address for Google:

[Screenshot: correct IP address for Google]

At this point I found out we were victims of a DNS cache poisoning attack. Since the network admin was not in his office because the class was at night, there was nothing I could do but wait for the DNS cache to expire.

How this attack works and how we can protect ourselves

The DNS process works as follows to resolve an IP address from a fully qualified domain name (FQDN):

  • The client sends a query to the internal DNS server asking for the IP address of a machine name.
  • The internal DNS server checks its cache and, if the name is not present, performs recursion: it looks up the IP address on the Internet from the authoritative nameserver of the domain.
  • The authoritative nameserver answers with the requested IP address.
  • The internal DNS server returns the IP address to the client.

The attack works as follows:

  • The attacker queries the target DNS server for an FQDN that is not present in its cache.
  • The target DNS server performs recursion and looks up the IP address on the Internet from the authoritative nameserver of the domain.
  • The attacker floods the target DNS server with fake responses to that query.
  • The target DNS server updates its cache with the fake answer and begins serving the fake IP address every time the FQDN is requested.

How do we protect ourselves from the attack?

  • Use the latest version of your DNS server software (I really like BIND), as it randomizes the source port of your queries.
  • Do not allow recursion from outside your network. Allow it only from your corporate network computers.
  • Use DNSSEC. The root servers have supported it since July 15, 2010, and the protocol allows resolvers to authenticate valid records from domain zones.
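As an added example (not from the diary), the three measures above expressed as BIND 9 named.conf fragments: a weak `options` block for an internal caching resolver beside a hardened one. The two blocks are alternatives for the same file, not meant to coexist, and the network ranges are placeholders.

```conf
// --- Weak configuration: exposed to the attack described above ---
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };          // open resolver: anyone on the Internet can seed the cache
    query-source address * port 53;    // pinned source port: only the 16-bit TXID is left to guess
    dnssec-validation no;              // forged records are never checked against the signed zone
};

// --- Hardened configuration ---
acl "internal" {
    127.0.0.1;
    192.168.0.0/16;                    // placeholder: the corporate network ranges
};

options {
    directory "/var/named";
    recursion yes;
    allow-query { "internal"; };       // answer only corporate clients
    allow-recursion { "internal"; };   // recursion only from the corporate network
    // No query-source port pinning, so BIND chooses a random source port per query;
    // use-v4-udp-ports widens the pool it randomizes over.
    use-v4-udp-ports { range 1024 65535; };
    dnssec-enable yes;
    dnssec-validation auto;            // validate answers against the built-in root trust anchor
};
```

Run `named-checkconf` after editing; BIND also logs a warning at startup when `query-source` pins a port, which is a quick way to spot the weak setting on an existing server.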

Any other protection measures you want to share with us? Please use our contact form.

Manuel Humberto Santander Peláez
