pharming.. dns cache insertion...

Brad Knowles brad at stop.mail-abuse.org
Fri Apr 8 01:09:41 UTC 2005


At 5:03 PM -0700 2005-04-07, bruce wrote:

>  i've started seeing articles that talk about pharming, and dns insertion,
>  for use by hackers. can someone explain to me (or point to
>  articles/information that can) how someone can modify a dns server, aside
>  from physically/remotely accessing the server to insert/update information?

	Here's how it basically works.


	You muck about with either the forward DNS for your domain, or 
the reverse DNS for your IP address.  You do something nasty like 
claim that a.root-servers.net is one of your authoritative servers, 
but then you also claim that a.root-servers.net has one or more 
different IP addresses (ones that you own), and you give this 
information a very long time-to-live.  You also make sure that these 
machines are very fast to respond to any DNS query.

	Now, you go do a spam run.  Every machine you contact will try to 
do a reverse DNS lookup on your IP address, or try to look up some 
information on your domain.  If they are vulnerable, then they will 
record in their records that a.root-servers.net has the IP address 
information you've provided.  The next time they go to look up any 
information that is not already in their cache, odds are pretty good 
that they'll end up going up to the root nameservers to try to follow 
the chain down, and a.root-servers.net is one of the root nameservers.

	However, you've lied to them and told them that this system has 
many IP addresses (other than the real one), and you make sure that 
your boxes are very quick to answer.  So, they learn to start 
contacting your boxes every time they want to talk to the root 
nameservers because they are fast, and you've always got what they 
think is "good" information.

	Of course, once you've got all these people contacting your 
machines and believing that you are the preferred root nameserver, 
you can answer any question you want any way you want, so 
www.bankofamerica.com can resolve to any IP address you like.  On 
that box, you run a web proxy which snarfs all userids and passwords 
that are entered.  Of course, Bank of America might notice something 
weird going on, so what you do is you then redirect them to the real 
IP address for www.bankofamerica.com after you report an "error", and 
then they log into the website none the wiser.

	Meanwhile, you've got these millions of online banking passwords 
that you've stolen.

	That's one form of DNS cache poisoning, in a nutshell.

	Note that this method does not assume that the machine in 
question is an open recursive nameserver -- those can be subverted 
directly by the spammer sending their own DNS queries direct to the 
system.  No, this form of cache poisoning would hit any vulnerable 
caching-only server that was used by a web server or mail server 
anywhere in the world, even if that machine were behind a firewall 
and otherwise kept secure.


	Alternatively, you run customized ActiveX programs on these proxy 
servers, and these machines infect any vulnerable web client that 
comes along.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
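The attack described above works only when a cache accepts records for names the answering server has no business speaking for: a server for the spammer's own zone (or for the in-addr.arpa zone of his address block) hands out an A record for a.root-servers.net in the additional section, and a credulous cache stores it. The following is an added illustration, not code from the post or from BIND, of the "bailiwick" check a resolver applies to stop exactly that: every record in a response is discarded unless its owner name sits at or below the zone the queried server is authoritative for. The DNS response model, the domain spammer.example, the 2.0.192.in-addr.arpa reverse zone and the 192.0.2.x / 198.51.100.x addresses are all constructed for the example.

```python
"""Bailiwick filtering of DNS responses (added example, not from the post).

A response is modelled as a question plus the three record sections of a
real DNS message. Names, zones and addresses are constructed for the
example; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class RR:
    name: str     # owner name, e.g. "a.root-servers.net."
    rtype: str    # "A", "NS", "PTR", ...
    rdata: str
    ttl: int


@dataclass
class Response:
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    """Split a dotted name into lower-case labels; "." becomes []."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it.

    The root zone "." is every name's ancestor, so a real root server may
    speak for anything; a server answering for spammer.example. may only
    tell us about names under spammer.example.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and (not z or n[-len(z):] == z)


def sanitize(resp: Response, zone: str) -> Response:
    """Return a copy of `resp` with every record whose owner name is outside
    `zone` (the zone the queried server is authoritative for) removed."""
    keep = lambda rrs: [rr for rr in rrs if in_bailiwick(rr.name, zone)]
    return Response(resp.qname, keep(resp.answer),
                    keep(resp.authority), keep(resp.additional))


def cacheable(resp: Response, zone: str = None) -> List[RR]:
    """Records a cache would store from `resp`: everything if no bailiwick
    zone is enforced (the vulnerable behaviour), else the filtered set."""
    r = resp if zone is None else sanitize(resp, zone)
    return r.answer + r.authority + r.additional


ONE_YEAR = 365 * 24 * 3600  # the "very long time-to-live" from the post


def poisoned_forward_response() -> Response:
    """Constructed answer from the spammer's server for his own domain:
    it names a.root-servers.net as an authoritative server and supplies
    a forged address for it as glue."""
    return Response(
        qname="spammer.example.",
        answer=[RR("spammer.example.", "A", "192.0.2.10", 300)],
        authority=[RR("spammer.example.", "NS", "a.root-servers.net.", ONE_YEAR)],
        additional=[RR("a.root-servers.net.", "A", "192.0.2.53", ONE_YEAR)],
    )


def poisoned_reverse_response() -> Response:
    """Constructed PTR answer from the reverse zone for 192.0.2.0/24, which
    the spammer controls, carrying the same forged glue."""
    return Response(
        qname="10.2.0.192.in-addr.arpa.",
        answer=[RR("10.2.0.192.in-addr.arpa.", "PTR", "mail.spammer.example.", 300)],
        authority=[RR("2.0.192.in-addr.arpa.", "NS", "a.root-servers.net.", ONE_YEAR)],
        additional=[RR("a.root-servers.net.", "A", "198.51.100.53", ONE_YEAR)],
    )


def forged_root_records(resp: Response, zone: str = None) -> List[RR]:
    """Records the cache would keep that claim an address for a root server."""
    return [rr for rr in cacheable(resp, zone)
            if rr.rtype == "A" and rr.name.lower() == "a.root-servers.net."]


if __name__ == "__main__":
    for resp, zone in ((poisoned_forward_response(), "spammer.example."),
                       (poisoned_reverse_response(), "2.0.192.in-addr.arpa.")):
        print(zone, "no check:", forged_root_records(resp))
        print(zone, "bailiwick:", forged_root_records(resp, zone))
```

The NS record pointing at a.root-servers.net survives the filter, because its owner name is inside the zone; what is dropped is the forged address for that name. A resolver that still needs the address then looks it up through the real delegation chain from its root hints, and the spammer's server never gets to speak for the root.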


