Reader Feedback on 'DNS Poisoning'
I received some thoughtful feedback from a few well-informed readers in support of my recent post on the DNS cache poisoning attacks. Several readers took issue with the people quoted in that post who quibbled over the scope and seriousness of the attacks.
Excerpted versions of the comments are below (the names and identifying information have been withheld upon request):
We're a Fortune 500 company and one of the world's largest gaming device manufacturers. We've been impacted three times by this since the beginning of March. Only our two US Internet gateways have been impacted, we've not experienced the issue at our international Internet gateways.
The guy from CyberTrust must get hung up on the "if a tree falls in the woods and nobody is there to hear it does it make a sound" question. Just because they are not seeing evidence of the attack does not mean it's not happening - what a myopic view. And you are correct, poison the DNS for a big company's address space and a hacker can receive all of their email or they could spoof a banking site and steal the customer logon information.
And then there's this from an IT manager from a medium-sized construction company:
It was with great relief that I read your blog posting today. I noticed it when a website I usually visit for news updates (I'm in Arizona, and the site is the online presence of the Arizona Republic newspaper) showed what appeared to be a generic search page hosted in Laos.
Since I use Firefox as my primary browser, I didn't immediately guess the malware-infecting nature of the site. I thought it was just a curiosity. As I investigated further, I determined I had been victimized by DNS cache poisoning. Later, I used a sacrificial lamb test configuration to visit the generic search site and verified it was being used to inject malware.
Imagine my consternation when I saw your quote from Russ Cooper. I'm using Windows 2000 and Service Pack 3 and 4 on my network, and I was definitely affected until I started blocking the offending servers at my routers.
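The Arizona reader above worked out from the wrong answers his resolver was handing back that its cache had been poisoned. What follows is an added example, not code from this post or from any of the readers or vendors quoted in it: a minimal vetter for a DNS response of the kind a caching resolver should apply before it trusts anything in a reply. It parses the wire format (including name compression), rejects a reply whose transaction ID or question section does not match the outstanding query, and discards any record whose owner name lies outside the bailiwick of the zone being asked, so a stray record for some unrelated domain never reaches the cache. The sample message, the names (example.com, example.net) and the addresses (RFC 5737 documentation ranges) are constructed for the example and are not from the post.

```python
import socket
import struct

A_RECORD = 1
NS_RECORD = 2
IN_CLASS = 1


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2               # the name in the stream ends after the pointer
            jumped = True
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def _read_rr(msg, off):
    """Decode one resource record; return (record dict, offset after it)."""
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen


def parse_response(msg):
    """Parse header, question and the three record sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype, qclass))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = _read_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"id": txid, "flags": flags, "questions": questions, **sections}


def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def vet_response(msg, expected_id, qname, qtype, zone):
    """Apply the checks a cache should make before believing a reply.

    Returns {"ok": bool, "reason": str or None, "accepted": [...], "rejected": [...]}.
    """
    resp = parse_response(msg)
    if resp["id"] != expected_id:
        return {"ok": False, "reason": "transaction ID mismatch", "accepted": [], "rejected": []}
    if resp["questions"] != [(qname.lower().rstrip("."), qtype, IN_CLASS)]:
        return {"ok": False, "reason": "question section does not match query", "accepted": [], "rejected": []}
    accepted, rejected = [], []
    for section in ("answer", "authority", "additional"):
        for rr in resp[section]:
            if in_bailiwick(rr["name"], zone):
                accepted.append((section, rr["name"], rr["type"], rr["rdata"]))
            else:
                rejected.append((section, rr["name"]))   # never cache out-of-bailiwick data
    return {"ok": True, "reason": None, "accepted": accepted, "rejected": rejected}


def build_response(txid, qname, qtype, answers, authority, additional):
    """Build a constructed reply (flags: QR, RD, RA set) for the demonstration."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), len(authority), len(additional))
    body = _encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)
    for name, rtype, ttl, rdata in answers + authority + additional:
        body += _encode_name(name) + struct.pack("!HHIH", rtype, IN_CLASS, ttl, len(rdata)) + rdata
    return hdr + body


# Constructed sample: a legitimate-looking reply that smuggles an unrelated record
# (news.example.net) into the additional section, the classic poisoning vector.
SAMPLE_ID = 0x1234
SAMPLE_RESPONSE = build_response(
    SAMPLE_ID, "www.example.com", A_RECORD,
    answers=[("www.example.com", A_RECORD, 300, socket.inet_aton("203.0.113.10"))],
    authority=[("example.com", NS_RECORD, 3600, _encode_name("ns1.example.com"))],
    additional=[("ns1.example.com", A_RECORD, 3600, socket.inet_aton("203.0.113.1")),
                ("news.example.net", A_RECORD, 86400, socket.inet_aton("198.51.100.7"))],
)

if __name__ == "__main__":
    result = vet_response(SAMPLE_RESPONSE, SAMPLE_ID, "www.example.com", A_RECORD, "example.com")
    print("accepted:", [(s, n) for s, n, _, _ in result["accepted"]])
    print("rejected:", result["rejected"])
```

The two checks are independent: the ID and question match stop a forged reply that arrives before the real one, and the bailiwick rule stops a reply that is otherwise genuine from planting records for domains the queried server has no authority over. Neither proves a reply authentic, which is what DNSSEC is for, but a cache that skips either is exactly the kind that ends up serving a Laotian search page for a newspaper's address.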
I called Cooper again today to put these comments to him. He said he respects the fact that other people may be affected by the problem, but that CyberTrust is still not seeing evidence of a large-scale attack. "We just have absolutely no evidence it's actually occurring out there in any of the places we keep track of. The risk, as far as we're concerned, is still not high and the evidence is not convincing that this is being done on a large-scale basis," Cooper said.
I think it's clear that this threat is affecting at least some companies, and I will continue to follow this story as it develops. I don't believe this is a problem that will go away anytime soon, and I think we may soon have a better handle on what sort of criminal enterprise is behind these attacks. With that said, anyone who wants to take issue with me and other experts about just how serious the DNS poisoning threat actually is, send me an e-mail.
SANS has since posted an update that explains in greater detail what they believe is going on here.