[personal profile] thewayne
This is an attack that common users of the internet, i.e. you and me, are powerless to do anything about. The DNS system is what allows you to enter www.livejournal.com and have your page requests go to the IP address 204.9.177.18. If I can compromise the DNS system of your ISP, such as is happening in China right now, I control where www.livejournal.com resolves to, and I can send your browser to www.reallyhorriblemalware.com and I'd have a good chance of compromising your computer.

Fun times for running bot farms!

http://it.slashdot.org/article.pl?sid=08/08/21/2343250

Date: 2008-08-22 07:29 pm (UTC)
From: [personal profile] silveradept
Eww. Although, it makes sense to poison China, because they'd have the most potential for quickly getting zombies. I'm guessing that U.S. DNS servers are kept under fairly tight surveillance to check and make sure they're not being cache-poisoned, too, right?

...Right?

Date: 2008-08-22 07:40 pm (UTC)
From: [identity profile] thewayne.livejournal.com
In a word, no.

There is a new DNS attack out that allows an amazing level of compromise of traffic. A guy named Kaspersky (IIRC) discovered it a while back and immediately started working with systems engineers to build fixes. He discussed it at the recent Black Hat conference, but only after a lot of core systems were patched.

The most recent numbers that I saw showed that maybe two-thirds of the DNS servers around the world had been patched.

Part of the patch includes cryptographic signatures of all updates, which theoretically would make such cache poisoning not possible.

Date: 2008-08-22 08:25 pm (UTC)
From: [personal profile] silveradept
Okay. Is there anything the end-user can do to guard themselves against a cache-poisoning? Heck, is there any way of knowing before getting drilled with the malware that there's been a poisoning?
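
An added example, not part of the original post or comments: one defensive check for the situation described in the post is to compare the answer your ISP's resolver gives for a name with the answers from several independent resolvers and flag a resolver that disagrees with the rest. The resolver labels, the `find_outliers` helper and the 203.0.113.66 address are assumptions made up for illustration; the answers are assumed to have been collected beforehand, so the code runs offline.

```python
import ipaddress
from collections import Counter

# Constructed sample: answers for www.livejournal.com from four resolvers.
# 204.9.177.18 is the address quoted in the post; 203.0.113.66 is a
# documentation-range address standing in for a poisoned answer.
SAMPLE_ANSWERS = {
    "isp-resolver": ["203.0.113.66"],
    "independent-a": ["204.9.177.18"],
    "independent-b": ["204.9.177.18"],
    "independent-c": ["204.9.177.18"],
}


def network_of(addr):
    """Map an address to its enclosing /24 (IPv4) or /48 (IPv6) network."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_outliers(answers, quorum=2):
    """Flag resolvers whose answers fall outside every network that at
    least `quorum` resolvers agree on.

    Comparing networks rather than exact addresses tolerates load-balanced
    names that hand out neighbouring addresses. Names served from many
    unrelated networks (CDNs) can still differ legitimately, so an outlier
    is a reason to investigate, not proof of poisoning.
    Returns None when no network reaches the quorum (nothing to compare to).
    """
    nets = {r: {network_of(a) for a in addrs} for r, addrs in answers.items()}
    votes = Counter(n for seen in nets.values() for n in seen)
    trusted = {n for n, count in votes.items() if count >= quorum}
    if not trusted:
        return None
    return {
        # Resolvers that answered, but only with addresses nobody else backs.
        "outliers": sorted(r for r, s in nets.items() if s and not s & trusted),
        # Resolvers that returned nothing (timeout, NXDOMAIN): no verdict.
        "no_answer": sorted(r for r, s in nets.items() if not s),
    }


if __name__ == "__main__":
    print(find_outliers(SAMPLE_ANSWERS))
```
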
