Cache poisoning-attack (130.94.139.201)

Sigurd Urdahl sigurdur-bind at linpro.no
Wed Nov 7 14:23:20 UTC 2001



Hi,

We recently had a DNS cache-poisoning incident, and I thought it would
be right to share the info here.

It was first noticed when an email that was to be delivered to
one of our servers bounced with a "Relaying denied". The bounce
showed that the MTA tried to deliver it to our server, but with an
alien IP address (we're in 213.203.57.*, the bounce came from
130.94.139.201). This happened Sunday 28 Oct 2001 05:16:21 CET
(GMT+1).

Later we found that a few other emails had also bounced, and that a
few local services had failed due to erroneous hostname to IP
translation. Monday morning things got really obvious when start of
the week surfing started and random hosts were resolved to the same
address we bounced mail on earlier. The host ran a webserver that
happily served a rather nice 404-page with four close to naked girls
inviting you to see more of them elsewhere on the net. One of the
addresses that sent you there was www.slashdot.org (slashdot.org on the
other hand resolved as it should)[1].

The effect was very much the one I would expect if someone had been
able to introduce a bogus root server with some kind of wildcard.

Unfortunately the cache was flushed before anyone got around to do "ndc
dumpdb", and we have no good logs from when this happened.

Investigation has been quite slow due to the lack of good logs (yes,
we now log more aggressively :), and also because I dedicated a lot of
time to something I thought was an attack that turned out
completely benign..)

But I have managed to get correlations from others, leading me to
believe that this might have been more than a single incident.

The correlations are from a Swedish online newspaper -www.dn.se-
(having about half their customers ending up with the pr0n-404), one
person on the intrusions at incidents.org list, one poster mentioning it
in a thread on comp.unix.solaris and one thread going on both a
Novell and a Windows newsgroup [2].

This shows that the problem is seen on BIND (we run 8.2.3-rel
from Debian potato, so it might have some stuff backported from the
newer ones), on Novell NetWare 5 DNS and on Microsoft DNS.

Since this to quite some extent weakens my initial theories about us
being targeted, or that a flaw in our name servers was exploited in a
more general attack not directly targeted, it at least opens up the
possibility that the problem _might_ have been on root-server
level. Which makes me feel a bit more than normally uncomfortable...


So has anyone else seen this? And if so, do you have a cache dump or
usable logs of the incident? Do you know what actually happened?

regards,

-sig

[1] where did slashdot go?

bash-2.03$ host www.slashdot.org
www.slashdot.org        A       130.94.139.201
bash-2.03$ host slashdot.org
slashdot.org            A       64.28.67.150



[2] Correlations

intrusions at incidents.org
http://www.incidents.org/archives/intrusions/msg02328.html

A mention of www.zfreehost.com
http://groups.google.com/groups?hl=en&selm=DnYD7.46%24hi1.1343%40burlma1-snr2

Novell and Windows
http://groups.google.com/groups?hl=en&threadm=VqSD7.1895%24o82.8150%40prv-forum2.provo.novell.com&rnum=3&prev=/groups%3Fq%3Dzfreehost.com%26hl%3Den

-- 
Sigurd Urdahl                           sigurdur at linpro.no
Systemkonsulent | Systems consultant
Linpro A/S                                   www.linpro.no
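The symptom described in this post (many unrelated names suddenly resolving to one address, as if a wildcard had been injected at root level) is easy to spot in a cache dump after the fact, provided the dump was taken before the cache was flushed. The following is an added example written for this page, not code from the original post or from the BIND project: it parses A records out of a master-file-style dump such as the one `ndc dumpdb` writes to named_dump.db (the field layout is assumed to be the usual owner/TTL/class/type/rdata, and the trailing `;Cr=...` comments BIND 8 adds are ignored) and reports any address that answers for several unrelated registrable domains. The sample dump is constructed; the addresses in it are the ones mentioned above, not data from a real dump.

```python
import re
from collections import defaultdict

# Constructed sample in named_dump.db / master-file style. Not a real dump:
# the names and addresses are taken from the post, the rest is made up.
SAMPLE_DUMP = """\
; Dumped at Mon Oct 29 09:12:03 2001   (constructed sample, not a real file)
www.slashdot.org.       1800    IN      A       130.94.139.201  ;Cr=auth [130.94.139.201]
slashdot.org.           3600    IN      A       64.28.67.150    ;Cr=auth [64.28.67.2]
www.dn.se.              900     IN      A       130.94.139.201
www.example.com.        3600    IN      A       192.0.2.10
mail.example.com.       3600    IN      MX      10 mx.example.com.
www.example.net.        600     IN      A       130.94.139.201
ftp.example.org.        600     IN      A       130.94.139.201
www.example.org.        600     IN      A       198.51.100.7
"""

# owner [TTL] [IN] A address ; optional trailing comment.
# "A\s+" will not match AAAA or MX, so only IPv4 A records are captured.
A_RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?A\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_a_records(dump_text):
    """Yield (owner, address) for each A record; skip comments and other RR types."""
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = A_RECORD.match(line)
        if m:
            yield m.group("owner").rstrip(".").lower(), m.group("addr")


def registrable_domain(name):
    """Approximate the registrable domain by the last two labels.

    This is a deliberate simplification (it is wrong for suffixes such as
    co.uk) but it is good enough for a first triage pass over a cache dump.
    """
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def suspicious_addresses(dump_text, min_domains=3):
    """Return {address: sorted owners} for every address that is the A record
    target of at least `min_domains` unrelated registrable domains.

    A hosting provider legitimately serves many domains from one address, so
    treat hits as leads to verify against authoritative servers, not as proof.
    """
    owners_by_addr = defaultdict(set)
    for owner, addr in parse_a_records(dump_text):
        owners_by_addr[addr].add(owner)

    flagged = {}
    for addr, owners in owners_by_addr.items():
        domains = {registrable_domain(o) for o in owners}
        if len(domains) >= min_domains:
            flagged[addr] = sorted(owners)
    return flagged


if __name__ == "__main__":
    for addr, owners in suspicious_addresses(SAMPLE_DUMP).items():
        print(f"{addr} is the A target for {len(owners)} names in unrelated domains:")
        for owner in owners:
            print("   ", owner)
```

Run it against a real dump with `suspicious_addresses(open("named_dump.db").read())`, then check each flagged address by querying the zone's authoritative servers directly (`dig +norecurse @<ns> <name> A`); a cached answer that disagrees with every authoritative server is the record worth keeping as evidence.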


More information about the bind-users mailing list