[unisog] DNS Cache Poisoning

Michael Holstein michael.holstein at csuohio.edu
Fri Apr 8 13:20:53 GMT 2005


1) Did you examine the link? In many "phish" emails, this is hosted by a 
dynamic DNS provider.

2) If the link can be verified to be static DNS, cache poisoning can be 
tested through use of the 'dig' command, provided you know what the 
authoritative answer "really" is (use a public and known-good DNS server 
for comparison .. such as 4.2.2.2, .3 or .4).

AFAIK, it would be possible to initiate a cache poisoning via email -- the 
way that comes to mind is via use of the <IMG> tag in an HTML email 
(same trick as web-bugs).

~Mike.
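The test described in point 2 (and the TTL look that point 1 hints at), written out as an added example; this is not code from the message above. It assumes dig (the BIND utilities) is installed, uses 4.2.2.2 as the known-good resolver named above, and the host name on the usage line is a placeholder for whatever host the phish link points at.

```sh
#!/bin/sh
# Added example, not part of the original message: compare the A records
# the local resolver hands out for the phish host name against the answer
# from a known-good public resolver (4.2.2.2, as suggested above), and
# report the lowest TTL, since a very low TTL is what dynamic-DNS hosting
# tends to look like.  Assumes "dig" (BIND utilities) is installed.

# normalize LIST: sort and dedupe a newline-separated list of addresses,
# so that two resolvers returning the same set in different order agree.
normalize() {
    printf '%s\n' "$1" | tr -d '\r' | sed '/^[[:space:]]*$/d' | sort -u
}

# compare_answers KNOWN_GOOD SUSPECT
# Exit 0 when both resolvers return the same address set, 1 otherwise.
# A differing set from the suspect (local) resolver is the symptom to
# chase: a poisoned cache, or a hijacked record that has since changed.
compare_answers() {
    [ "$(normalize "$1")" = "$(normalize "$2")" ]
}

# min_ttl ANSWER_SECTION
# ANSWER_SECTION is text in "dig +noall +answer" layout:
#   name  ttl  class  type  rdata
# Prints the smallest TTL over the A and CNAME records (0 if there are none).
min_ttl() {
    printf '%s\n' "$1" | awk '
        ($4 == "A" || $4 == "CNAME") && (min == "" || $2 + 0 < min + 0) { min = $2 }
        END { print min + 0 }'
}

# check_host NAME [KNOWN_GOOD_RESOLVER]: the live check (needs network).
# Queries the default resolver and the known-good one, reports whether
# they agree, and prints the lowest TTL seen so dynamic-DNS hosting
# stands out.
check_host() {
    name=$1
    good=${2:-4.2.2.2}
    local_short=$(dig +short "$name" A)
    good_short=$(dig +short "@$good" "$name" A)
    local_full=$(dig +noall +answer "$name" A)
    echo "$name: lowest TTL from local resolver = $(min_ttl "$local_full")s"
    if compare_answers "$good_short" "$local_short"; then
        echo "OK: local resolver agrees with $good"
        printf '%s\n' "$local_short"
    else
        echo "MISMATCH: local resolver differs from $good"
        echo "  known-good ($good):"; printf '    %s\n' $good_short
        echo "  local:";             printf '    %s\n' $local_short
        return 1
    fi
}

# Usage: sh dnscheck.sh www.example.net [4.2.2.3]
# (www.example.net is a placeholder for the host in the phish link)
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

A mismatch on its own does not prove a poisoned cache: a name served from dynamic DNS or round-robin can legitimately differ between resolvers, which is why the script prints the TTL alongside the comparison and why point 1 above is worth checking first.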

Mike Honeycutt wrote:
> I hesitate to mention this since I'm not sure
> if it was DNS cache poisoning, but I saw the following
> about a month ago:
> 
> - Receive a typical phishing email.
> - Traced the IP to a hacked server used by
> 	a small city in Wisconsin.
> - Made a few phone calls (it was Saturday),
> 	and finally spoke to the webmaster.
> - He cleaned up his server, and to test it,
> 	clicked on the link again.
> - This time, the link took us to a hacked server
> 	in Sweden.
> 
> Since I'm not an expert in this area, I chalked it
> up to some quirk of the Internet I didn't understand.
> I wonder if this was a poisoned cache since the
> switch to the server in Sweden was instantaneous.
> 
> Mike Honeycutt
> 
> 
> ======================== 
> 
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of BACHAND, Dave (Info. Tech. Services)
> Sent: Thursday, April 07, 2005 10:27 AM
> To: UNIversity Security Operations Group
> Subject: RE: [unisog] DNS Cache Poisoning
> 
> We've been seeing DNS attack attempts, but no evidence yet of poisoned
> caches on our Windows boxes.
> 
> Are there any good descriptions out there of what these attempts look like? 
> 
> 
> ++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Bill Martin
> Sent: Thursday, April 07, 2005 9:29 AM
> To: unisog at lists.sans.org
> Subject: [unisog] DNS Cache Poisoning
> 
> Has anyone seen attempts on this in the EDU name space yet?  The article can
> be viewed at Slashdot and SANS has escalated this.  
> 
> -Bill Martin-
> Sr. Systems Analyst
> Loyola University Chicago
> bmartin at luc.edu
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
> 
> 

