How the Internet Is Dying

Imagine that you are buying your next pair of shoes from your favorite Internet shoe site. You've logged into your account, browsed a few dozen pairs, and made your selection. Now, it's time to check out with your market basket, enter in your credit card number, and close the transaction. Surprise! Because of the latest exploit on the Internet, you'll never receive your size double Es and your credit card number has escaped.

The culprit? DNS cache poisoning redirected your browser when you thought you were going to the checkout counter. This hacking technique, called "pharming," is the latest threat to an Internet infrastructure that is suffering some of the most chilling security threats in its history.

Recent Pharming Attacks

On March 3, 2005, the SysAdmin, Audit, Network, Security (SANS) Institute's Internet Storm Center (ISC) began receiving reports from multiple sites about DNS cache poisoning attacks. The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After conducting a complete analysis, the ISC surmised that the attack involved several technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least five UNIX Web servers. The ISC also received information indicating that the attack may have started as early as February 22, 2005, but probably affected only a small number of people.

Then, on March 24, the ISC received new reports of a different DNS cache poisoning attack. After monitoring the situation for several weeks, the ISC determined that the attackers were changing their methods and toolset to point at different compromised servers in an effort to keep the attacks alive. This second attack transformed into a third attack that redirected users toward different IP addresses. This third attack was still ongoing as of April 1, 2005.

DNS: What Is It?

DNS stands for Domain Name System, and it's a key infrastructural element of the Internet. What's it do? To understand the function of DNS, you have to understand a bit about how your Web browser uses Internet Protocol (IP) to find other computers.

IP starts with the assumption that every computer connected to the Internet has a unique address composed of octets. For instance, the IP address of the server from which you are reading this article is 64.124.46.96.

When you key in a URL, such as www.MCPressOnline.com, the Internet must figure out where on the World Wide Web it will find the physical computer that is hosting the Web site. It needs to intelligently equate the URL's name, www.MCPressOnline.com, with the server IP address of 64.124.46.96.

The cross-referencing mechanism that the Internet uses to equate URLs with IP addresses is DNS. Like a legion of excellent reference librarians, literally hundreds of thousands of DNS servers run on IP routers across the Internet, looking up IP addresses each time you key a URL into your Web browser. If the DNS server closest to you doesn't have the answer, it will refer you to another DNS server, which might.

Other DNS Functions

That's the part of DNS that everybody uses: looking up IP addresses. However, another equally important part of the DNS servers' job is distributing information about new IP addresses, URLs, and domains. As each DNS server receives this new information from another DNS server, it updates its own cross-reference library and then passes the information along to the next DNS server. When you initially acquire a Web domain name, the process can take more than 48 hours before your URL/IP address is universally accessible on the Internet: All of those DNS servers must propagate the new domain name to each of their neighbors. And like a telephone tree, DNS propagation is extremely effective for making new domain names accessible to the billions of PCs across the Internet.

But what happens if a DNS server suddenly starts passing bad information to its neighbors? That's what DNS cache poisoning is about, and that's the latest mortal threat to the Internet.

What Is DNS Cache Poisoning?

DNS cache poisoning is a dramatic phrase that simply means progressively corrupting the DNS cross-reference library across the infrastructure of the Internet.

How does DNS cache poisoning occur? The main method is for a hacker to break into an unprotected or compromised DNS server or DNS proxy server and begin changing the destination IP addresses of URLs in the cache of the server. Then, the hacker triggers a DNS query. There are several ways to accomplish this. A few easy methods are to send an email to a nonexistent user (which will generate a non-delivery response to the source domain), send spam email with an external image, or send banner ads served from another site. Once the trigger executes, the victim's site DNS server queries the corrupted DNS server. The attacker also includes extra information in the DNS reply packet, containing root entries for the entire .com domain.

If a victim DNS server is not configured properly, it will accept the new entries from the corrupted DNS server and delete the proper entries. Once this has occurred, any future queries that your DNS server makes against the corrupted addresses will send the user to the wrong IP address.
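The following is an added example, not code from the article or the ISC: a toy resolver cache that shows the difference between a resolver that blindly accepts every record in a reply and one that rejects records outside the answering server's own zone (a "bailiwick" check). Record and reply structures are simplified stand-ins for real DNS messages, and all names and addresses are constructed.

```python
# Added example: simulate a resolver cache ingesting a reply whose additional
# section carries records for zones the answering server has no authority over.
# Structures are simplified stand-ins, not real DNS wire format.
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str    # owner name, e.g. "www.shop.example"
    rtype: str   # "A" (address) or "NS" (nameserver)
    data: str    # address or nameserver name

@dataclass
class Reply:
    zone: str                 # zone the answering server is authoritative for
    answer: list
    additional: list = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.cache = {}      # (name, rtype) -> data
        self.rejected = []   # records dropped by the bailiwick check

    def ingest(self, reply: Reply):
        for rr in reply.answer + reply.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, reply.zone):
                self.rejected.append(rr)   # hardened: ignore out-of-zone data
                continue
            self.cache[(rr.name, rr.rtype)] = rr.data   # naive: overwrite

    def lookup(self, name: str, rtype: str = "A"):
        return self.cache.get((name, rtype))

def simulate(check_bailiwick: bool) -> ResolverCache:
    cache = ResolverCache(check_bailiwick)
    # Legitimate record already in the cache (constructed documentation IP).
    cache.ingest(Reply("shop.example", [RR("www.shop.example", "A", "192.0.2.10")]))
    # Reply from a server authoritative only for attacker.example whose
    # additional section smuggles an A record for another zone and an NS
    # record for the whole "com" domain (constructed, as the article describes).
    poisoned = Reply("attacker.example",
                     [RR("attacker.example", "A", "198.51.100.5")],
                     [RR("www.shop.example", "A", "198.51.100.5"),
                      RR("com", "NS", "ns.attacker.example")])
    cache.ingest(poisoned)
    return cache
```

Running `simulate(False)` leaves the shop's address pointing at 198.51.100.5 and installs the bogus .com delegation, while `simulate(True)` keeps 192.0.2.10 and records both smuggled entries in `rejected`.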

Meanwhile, the corrupted DNS server itself has begun sending users to Web servers that attempt to attach spyware to the users' PCs through exploits in Internet Explorer. These spyware modules then send information about the user's actions to other machines, creating a severe security breach.

Known Vulnerabilities

Symantec's Enterprise Security Gateway was revealed to have a DNS cache poisoning vulnerability last summer, and the company issued a hotfix for its products. However, new hotfixes were issued on March 15, 2005, and include the following products:

  • Symantec Gateway Security 5400 Series, v2.x
  • Symantec Gateway Security 5300 Series, v1.0
  • Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
  • Symantec Enterprise Firewall v8.0 (Windows and Solaris)
  • Symantec VelociRaptor, Model 1100/1200/1300 v1.5

In addition, there have been verified reports that Windows 2003 and NT4/2000 (with the proper registry key settings) are also vulnerable to DNS cache poisoning.

UNIX machines have the historical advantage of having fixed most DNS cache poisoning vulnerabilities long ago, and i5/OS seems to be invulnerable at the moment.

Cleaning Up After an Attack

The ISC provides the following recommendations if you think your system's DNS service has been compromised:

  • You need to be absolutely positive that you have not been infected with spyware. Many spyware/adware programs today will modify the DNS settings or local hosts file on Windows machines. So you should first run your favorite spyware/adware detection tool.
  • Try to find out the IP address(es) of the malicious DNS server(s) and check the ISC Web site for a list of reported IP addresses. If the IP has not been reported, fill out a report at the ISC using the following URL: http://isc.sans.org/contact.php.
  • You may need to block the IP address(es) of the corrupted DNS server(s) at your border routers/firewalls so that your cache does not become poisoned again.
  • Cleaning up from a sitewide DNS cache poisoning may require flushing the cache on all of your DNS servers in your organization, probably starting with the most externally facing DNS boxes first.
  • On Windows DNS servers, you can stop/start the DNS service to clear the cache. You can also use the dnscmd.exe /ClearCache command from the Resource Kit.
  • On Windows 2000, XP, and 2003 clients, you can flush the client cache by running ipconfig /flushdns.
  • On BIND 9, you can clear the cache by running the rndc command and executing the "flush" command. On BIND 8 or below, it appears that you have to restart the server.

How Near Is the End?

It's hard to believe that the World Wide Web is barely 13 years old, and it's amazing how the current technologies have transformed business in that short time. However, much of the infrastructure of the Internet is based upon protocols and technologies first conceived more than 30 years ago, and today many of the security vulnerabilities that continually challenge our infrastructure have their roots in those older areas of the Internet.

Wouldn't it be great if--knowing what we know today about the holes in the infrastructure--our technologists and scientists could re-engineer those basic protocols? SMTP, POP3, DNS, and even TCP/IP and UDP could stand a significant beefing up in the area of security.

Yet, because the Internet is now an international phenomenon, the task of re-engineering basic protocols through standards committees and consortiums will be ongoing. And as a result, companies and individuals will be increasingly susceptible to new hacking schemes that place them at severe financial risk.

Here's what the final question will be: What price are we willing to pay for a bulletproof Internet? At the moment, this question isn't even being asked. Until it's answered, we'll continue to report on the progressive "death by a thousand hacks" that the Internet is currently experiencing.

Thomas M. Stockwell is editor in chief of MC Press Online, LP.

Thomas M. Stockwell is an independent IT analyst and writer. He is the former Editor in Chief of MC Press Online and Midrange Computing magazine and has over 20 years of experience as a programmer, systems engineer, IT director, industry analyst, author, speaker, consultant, and editor.  

Tom works from his home in the Napa Valley in California. He can be reached at ITincendiary.com.
