By Joris Evers
Staff Writer, CNET News.com
August 3, 2005
Hundreds of thousands of Internet servers are at risk of an attack
that would redirect unknowing Web surfers from legitimate sites to
In a scan of 2.5 million so-called Domain Name System machines, which
act as the White Pages of the Internet, security researcher Dan
Kaminsky found that about 230,000 are potentially vulnerable to a
threat known as DNS cache poisoning.
"That is almost 10 percent of the scanned DNS servers," Kaminsky said
in a presentation last week at the Black Hat security event in Las
Vegas. "If you are not auditing your DNS servers, please start," he
The motivation for a potential attack is money, according to the SANS
Internet Storm Center, which tracks network threats. Attackers
typically get paid for each spyware or adware program they manage to
get installed on a person's PC.
Information lifted from victims, such as social security numbers and
credit card data, can also be sold. Additionally, malicious software
could be installed on a PC to hijack it and use it to relay spam.
The DNS servers in question are run by companies and Internet service
providers to translate text-based Internet addresses into numeric IP
addresses. The cache on each machine is used as a local store of data
for Web addresses.
In a DNS cache poisoning attack, miscreants replace the numeric
addresses of popular Web sites stored on the machine with the
addresses of malicious sites. The scheme redirects people to the bogus
sites, where they may be asked for sensitive information or have
harmful software installed on their PC. The technique can also be used
to redirect e-mail, experts said.
As each DNS server can be in use by thousands of different computers
looking up Internet addresses, the problem could affect millions of
Web users, exposing them to a higher risk of phishing attack, identity
theft and other cyberthreats.
The poisoned caches act like "forged street signs that you put up to
get people to go in the wrong direction," said DNS inventor Paul
Mockapetris, chairman and chief scientist at secure DNS provider
Nominum. "There have been other vulnerabilities (in DNS) over the
years, but this is the one that is out there now and one for which
there is no fix. You should upgrade."
There are about 9 million DNS servers on the Internet, Kaminsky said.
Using a high-bandwidth connection provided by Prolexic Technologies,
he examined 2.5 million. Of those, 230,000 were identified as
potentially vulnerable, 60,000 are very likely to be open to this
specific type of attack, and 13,000 have a cache that can definitely
The vulnerable servers run the popular Berkeley Internet Name Domain
software in an insecure way and should be upgraded, Kaminsky said. The
systems run BIND 4 or BIND 8 and are configured to use forwarders for
DNS requests--something the distributor of the software specifically
BIND is distributed free by the Internet Software Consortium. In an
alert on its Web site, the ISC says that there "is a current,
wide-scale...DNS cache corruption attack." All name servers used as
forwarders should be upgraded to BIND 9, the group said.
DNS cache poisoning is not new. In March, the attack method was used
to redirect people who wanted to visit popular Web sites such as
CNN.com and MSN.com to malicious sites that installed spyware,
according to SANS.
"If my ISP was running BIND 8 in a forwarder configuration, I would
claim that they were not protecting me the way they should be,"
Mockapetris said. "Running that configuration would be Internet
The new threat--pharming
Kaminsky scanned the DNS servers in mid-July and has not yet
identified which particular organizations have the potentially
vulnerable DNS installations. However, he plans to start sending
e-mails to the administrators of those systems, he said in an
"I have a couple hundred thousand e-mails to send," he said. "This is
the not-fun part of security. But we can't limit ourselves to the fun
stuff. We have to protect our infrastructure."
The use of DNS cache poisoning to steal personal information from
people by sending them to spoofed sites is a relatively new threat.
Some security companies have called this technique pharming.
Poisoning DNS cache isn't hard, said Petur Petursson, CEO of Icelandic
DNS consultancy and software company Men & Mice. "It is very well
doable, and it has been done recently," he said.
Awareness around DNS issues in general has grown in the past couple of
years, Petursson said. Four years ago, Microsoft suffered a large Web
site outage as a result of poor DNS configuration. The incident cast a
spotlight on the Domain Name System as a potential problem.
"It is surprising that you still find tens of thousands or hundreds of
thousands vulnerable servers out there," Petursson said.
Kaminsky's research should be a wake-up call for anyone managing a DNS
server, particularly broadband Internet providers, Mockapetris said.
Kaminsky said he doesn't intend to use his research to target
vulnerable organizations. However, other, less well-intentioned people
could run scans of their own and find attack targets, he cautioned.
"This technology is known to a certain set of the hacker community,
and I suspect that knowledge will only get more widespread,"
Sept 16-18th, 2005
San Diego, California