This is a discussion on RE: pharming.. dns cache insertion... within the Bind Users forums, part of the DNS and Related Forums category.
more curiosity....

i know that there are, i believe 7 or 13 master/root dns servers across the net. is there a reasonable 'list'/compilation of all dns ip addresses? is this list available to the public? just talking about the external/public ones, not the ones behind some nat router (192.168.x.x)

thanks

bruce

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf Of Brad Knowles
Sent: Thursday, April 07, 2005 6:10 PM
To: bedouglas@earthlink.net
Cc: comp-protocols-dns-bind@isc.org
Subject: Re: pharming.. dns cache insertion...

At 5:03 PM -0700 2005-04-07, bruce wrote:

> i've started seeing articles that talk about pharming, and dns insertion,
> for use by hackers. can someone explain to me (or point to
> articles/information that can) how someone can modify a dns server, aside
> from physically/remotely accessing the server to insert/update information?

Here's how it basically works. You muck about with either the forward DNS for your domain, or the reverse DNS for your IP address. You do something nasty like claim that a.root-servers.net is one of your authoritative servers, but then you also claim that a.root-servers.net has one or more different IP addresses (ones that you own), and you give this information a very long time-to-live. You also make sure that these machines are very fast to respond to any DNS query.

Now, you go do a spam run. Every machine you contact will try to do a reverse DNS lookup on your IP address, or try to look up some information on your domain. If they are vulnerable, then they will record in their records that a.root-servers.net has the IP address information you've provided. The next time they go to look up any information that is not already in their cache, odds are pretty good that they'll end up going up to the root nameservers to try to follow the chain down, and a.root-servers.net is one of the root nameservers.

However, you've lied to them and told them that this system has many IP addresses (other than the real one), and you make sure that your boxes are very quick to answer. So, they learn to start contacting your boxes every time they want to talk to the root nameservers because they are fast, and you've always got what they think is "good" information.

Of course, once you've got all these people contacting your machines and believing that you are the preferred root nameserver, you can answer any question you want any way you want, so www.bankofamerica.com can resolve to any IP address you like. On that box, you run a web proxy which snarfs all userids and passwords that are entered. Of course, Bank of America might notice something weird going on, so what you do is you then redirect them to the real IP address for www.bankofamerica.com after you report an "error", and then they log into the website none the wiser. Meanwhile, you've got these millions of online banking passwords that you've stolen.

That's one form of DNS cache poisoning, in a nutshell. Note that this method does not assume that the machine in question is an open recursive nameserver -- those can be subverted directly by the spammer sending their own DNS queries direct to the system. No, this form of cache poisoning would hit any vulnerable caching-only server that was used by a web server or mail server anywhere in the world, even if that machine were behind a firewall and otherwise kept secure.

Alternatively, you run customized ActiveX programs on these proxy servers, and these machines infect any vulnerable web client that comes along.

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
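The resolver-side defence against the poisoning Brad describes is a bailiwick check: a server answering for one zone cannot vouch for addresses of names outside that zone, so such additional-section records are discarded rather than cached, and any TTL is clamped to a local cap. The following is an added example, not code from the thread or from BIND; the zone name, addresses and the 7-day cap are constructed assumptions (BIND's max-cache-ttl option plays the same role as the cap).

```python
from dataclasses import dataclass, replace

MAX_CACHE_TTL = 7 * 24 * 3600  # assumed local policy cap in seconds


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "a.root-servers.net"
    rtype: str  # record type, e.g. "A" or "NS"
    data: str   # rdata as text
    ttl: int    # time-to-live in seconds, as received


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive, trailing dot ignored)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)


def filter_additional(zone, additional):
    """Keep only additional-section records a server for `zone` may vouch for.

    Returns (accepted, rejected); rejected entries carry a reason and accepted
    records have their TTL clamped to MAX_CACHE_TTL.
    """
    accepted, rejected = [], []
    for rr in additional:
        if not in_bailiwick(rr.name, zone):
            # Out-of-bailiwick glue: the server is not authoritative for this
            # name, so its claim about a.root-servers.net must not be cached.
            rejected.append((rr, "out of bailiwick"))
        elif rr.rtype not in ("A", "AAAA"):
            rejected.append((rr, "unexpected type in additional section"))
        else:
            accepted.append(replace(rr, ttl=min(rr.ttl, MAX_CACHE_TTL)))
    return accepted, rejected


# Constructed reply from a hypothetical server for spammer.example: it names
# a.root-servers.net as its nameserver and ships poisoned, long-lived glue for it.
ZONE = "spammer.example"
ADDITIONAL = [
    RR("ns1.spammer.example", "A", "198.51.100.10", 3600),         # legitimate in-zone glue
    RR("a.root-servers.net", "A", "203.0.113.7", 2**31 - 1),       # poisoned out-of-zone glue
    RR("spammer.example", "NS", "a.root-servers.net", 2**31 - 1),  # NS does not belong here
]

if __name__ == "__main__":
    ok, bad = filter_additional(ZONE, ADDITIONAL)
    print("cache:", [(rr.name, rr.data, rr.ttl) for rr in ok])
    print("drop: ", [(rr.name, why) for rr, why in bad])
```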