[Sysops-list] [SANOG] Re: Fwd: US-CERT Technical Cyber Security Alert TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning
Bipin Gautam
bipin.gautam at gmail.com
Thu Jul 10 00:12:20 EDT 2008
On Thu, Jul 10, 2008 at 7:45 AM, Suresh Ramasubramanian
<suresh at hserus.net> wrote:
> Bipin Gautam [10/07/08 00:13 +0545]:
>>
>> A public exploit is yet to come but I am quite sure about a worm
>> outbreak in future that will try to exploit the bug.
>>
>> This is really something that has the potential to knock down the root
>> servers if exploited by a worm ....
>
> ?!? The root servers aren't recursive resolvers. Certainly not going to get
> affected directly by this.
>
Definitely, but I consider this one of the quickest vectors to try to
make the above scenario possible! This exploit is sure to get better
over time with reviews, re-reviews...
Let's consider this scenario:
---------------------------------------
Someone is able to poison some DNS cache servers. He would be able
to redirect the users in his network (who use the same DNS cache
server) to a malicious website. Not everyone has their IE or Firefox
patched with the latest. On top of that one could play "social
engineering":
# Welcome valued customer, we are updating... you need to install this
latest font to proceed further! It could be just anything to lure the
users into clicking or downloading something; no big deal if the website
appears to be "trusted"!
Now get into the victim's computer, scan his address book, email itself,
try to propagate via IM, talk to its master for updates, and again
when a NEW victim gets infected, try to probe and cache-poison its DNS
cache server and redirect the DNS of a list of popular websites of
that region to a malicious website ....... propagate .......
{
(a) Mail itself from a victim...
(b) Try to infect new users/computers (social engineering/exploit).
Vectors of propagation: email, IM, P2P etc.
(c) Try to cache-poison the "DNS cache server" of the victims infected from (b).
(d) If successful, redirect other unaware users in the network who
rely on the same DNS cache server to some infected website. Get into
more computers (with social engineering, exploit).
(e) Get as many infections as possible.... get as many domains hijacked
as possible......... hack as many websites as possible to make the
attack redundant.
Repeat.......... (a) - (e)
}
The question is, will a significant number of people be able to patch
the flaw when a worm is triggered or a public exploit is available!?
I am not saying this exploit can directly affect the root servers.
I am saying.... "if" a worm is able to exploit it in the wild before a
significant number of servers are able to patch, this exploit has the
potential to trigger a MASS infection as a consequence, using the
vector.
Then it's up to the attacker to use the botnet's "potential" to play
ping-pong on the internet or use it to DDoS whatever he pleases!
:)
thanks,
-bipin
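The cache-poisoning flaw TA08-190B covers is practical because many resolvers sent every outbound query from a fixed, or predictably incrementing, UDP source port, so an attacker racing the legitimate answer only had to guess the 16-bit transaction ID. The script below is an added example and not part of the original thread or the advisory: it takes a sequence of (source port, transaction ID) pairs as seen on a resolver's outbound queries and reports whether either value looks fixed, sequential, or low-entropy. The `constructed_samples` generator and its case names are assumptions standing in for a real packet capture.

```python
"""Check whether a recursive resolver's outbound queries are predictable.

Added illustration for the TA08-190B discussion; not from the original post.
The resolver is "sampled" with constructed (source_port, txid) pairs rather
than a real packet capture, so everything here runs offline.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical entropy of the observed values, in bits (at most log2(n))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values, tolerance=0.8):
    """True when most consecutive deltas are +1 (mod 2**16): a counter, not an RNG."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) >= tolerance


def assess(samples):
    """samples: list of (udp_source_port, dns_txid) for consecutive queries.

    A fixed or sequential source port leaves only the 16-bit TXID between an
    attacker and a poisoned cache; a fixed or sequential TXID is worse still.
    """
    if not samples:
        raise ValueError("need at least one sampled query")
    n = len(samples)
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    findings = []
    for name, values in (("source port", ports), ("transaction ID", txids)):
        if len(set(values)) == 1:
            findings.append("fixed %s" % name)
        elif looks_sequential(values):
            findings.append("sequential %s" % name)
        elif shannon_bits(values) < 0.9 * math.log2(n):
            # well below the log2(n) a uniformly random source would show
            findings.append("low-entropy %s" % name)
    return {
        "samples": n,
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "findings": findings,
        "predictable": bool(findings),
    }


def constructed_samples(kind, n=200, seed=7):
    """Constructed resolver behaviour for three hypothetical cases (not real
    captures): 'patched', 'fixed_port', 'sequential_port'."""
    rng = random.Random(seed)
    if kind == "patched":          # random port and random TXID per query
        return [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(n)]
    if kind == "fixed_port":       # one source port for every query, random TXID
        return [(32768, rng.randint(0, 65535)) for _ in range(n)]
    if kind == "sequential_port":  # port counter, random TXID
        return [(32768 + i, rng.randint(0, 65535)) for i in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("patched", "fixed_port", "sequential_port"):
        print(kind, assess(constructed_samples(kind)))
```

In practice the pairs would come from a capture of the resolver's outbound port-53 traffic while it resolves a few hundred uncached names; a "fixed source port" finding on a resolver is exactly the condition that the advisory's fix, source-port randomization, removes. A few hundred samples are enough to tell a counter or a constant from a randomized port, but not enough to judge the quality of the RNG itself.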