DNS Cache Poisoning....

tera
I just saw in my Eset Smart Security firewall logs that there have been about 10 DNS cache poisoning attack attempts on my laptop today.

The "source" is my router, generally I would assume so.

The question however is: is Telkom too stuffed in its fricken skull to have patched their DNS servers for this yet?

I see about 8 ARP Cache attacks as well.

I'm switching to OpenDNS again.......... :mad:

Logs:
2008/08/15 10:49:41 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:37 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:35 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:34 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:33 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/14 10:30:23 AM Detected ARP cache poisoning attack 0
2008/08/14 10:30:23 AM Detected ARP cache poisoning attack 0
2008/08/13 03:49:53 PM Incorrect IP packet checksum 0
2008/08/13 03:49:53 PM Incorrect IP packet checksum 0
2008/08/13 03:49:53 PM Incorrect IP packet checksum 0
2008/08/13 03:49:53 PM Incorrect IP packet checksum 0
2008/08/12 02:23:59 PM Incorrect IP packet checksum 0
2008/08/12 02:23:59 PM Incorrect IP packet checksum 0
2008/08/12 02:23:59 PM Incorrect IP packet checksum 0
2008/08/12 02:01:57 PM Incorrect IP packet checksum 0
2008/08/12 02:01:57 PM Incorrect IP packet checksum 0
2008/08/12 02:01:57 PM Incorrect IP packet checksum 0
2008/08/11 06:03:43 PM Detected ARP cache poisoning attack 0
2008/08/11 05:28:19 PM Incorrect IP packet checksum 0
2008/08/11 05:28:19 PM Incorrect IP packet checksum 0
2008/08/11 05:28:19 PM Incorrect IP packet checksum 0
2008/08/07 01:11:28 PM Detected ARP cache poisoning attack 0
2008/08/07 01:11:28 PM Detected ARP cache poisoning attack 0
2008/08/07 01:11:28 PM Detected ARP cache poisoning attack 0
2008/08/07 01:11:28 PM Detected ARP cache poisoning attack 0
2008/08/07 12:14:20 PM Detected ARP cache poisoning attack 0
2008/08/07 12:14:20 PM Detected ARP cache poisoning attack 0
2008/08/07 12:14:20 PM Detected ARP cache poisoning attack 0
2008/08/07 12:14:20 PM Detected ARP cache poisoning attack 0
2008/08/07 12:14:20 PM Detected ARP cache poisoning attack 0

Removed IP details..
 
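The log above is worth reading rather than only counting. As an added example (not code from the original post, from ESET, or from Billion), here is a small Python parser for lines in that format, with a count by event type and a heuristic that groups the DNS alerts by the client port the replies were delivered to: all five DNS entries are replies from port 53 to the same client port, 60819, within eight seconds, which is the shape of a burst of spoofed replies racing the legitimate answer. The sample lines are constructed in the post's format (the address placeholders are kept as they appear), and the burst heuristic is the editor's, not ESET's detection logic.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the ESET log quoted in the post. The
# addresses are the post's own placeholders, so only the ports carry meaning.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2008/08/15 10:49:41 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:37 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:35 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:34 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/15 10:49:33 PM Detected DNS cache poisoning attack 192.168.x.xxx:53 192.168.x.xxx:60819 UDP
2008/08/14 10:30:23 AM Detected ARP cache poisoning attack 0
2008/08/14 10:30:23 AM Detected ARP cache poisoning attack 0
2008/08/13 03:49:53 PM Incorrect IP packet checksum 0
2008/08/13 03:49:53 PM Incorrect IP packet checksum 0
2008/08/11 06:03:43 PM Detected ARP cache poisoning attack 0
this line is not in the expected format and is skipped
"""

# Timestamp, event text, then either "src:port dst:port PROTO" or a bare number.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [AP]M) (?P<event>.+?)"
    r"(?: (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<proto>UDP|TCP)"
    r"| (?P<extra>\d+))$"
)


def parse_line(line):
    """Return one parsed event as a dict, or None for a line not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": datetime.strptime(g["ts"], "%Y/%m/%d %I:%M:%S %p"),
        "event": g["event"],
        "src": g["src"], "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"], "dport": int(g["dport"]) if g["dport"] else None,
        "proto": g["proto"],
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarise(text):
    """Count events by type: how many of each, not just 'there were attacks'."""
    return Counter(e["event"] for e in parse_log(text))


def find_reply_bursts(text, window_seconds=10, threshold=3):
    """Group DNS alerts by the client socket the port-53 replies were sent to.
    Heuristic (the editor's, not ESET's): several replies landing on one client
    port within a few seconds looks like a spoofed-reply flood racing the real
    answer, since a normal lookup gets one reply per query."""
    by_client = {}
    for e in parse_log(text):
        if "DNS cache poisoning" in e["event"] and e["sport"] == 53:
            by_client.setdefault((e["dst"], e["dport"]), []).append(e["ts"])
    bursts = []
    for (host, port), stamps in by_client.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        if len(stamps) >= threshold and span <= window_seconds:
            bursts.append((host, port, len(stamps), span))
    return bursts


if __name__ == "__main__":
    for event, n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {event}")
    for host, port, n, span in find_reply_bursts(SAMPLE_LOG):
        print(f"{n} DNS replies to {host}:{port} within {span:.0f}s")
```

Run against the full log in the post the same way; the burst detector only needs the DNS lines, and the ARP and checksum entries are counted separately so they do not get lumped in as "DNS attacks".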
For those people using an SAIX DNS server:

Switch to OpenDNS: www.opendns.com

Open a Command Prompt (cmd) window and type: ipconfig /flushdns

Use the following command to delete your ARP Cache: netsh interface ip delete arpcache

Don't take the risk.
 
Does your router not run bind as well? Is it not vulnerable?

It's a Billion 7300M, I don't know what it's running. I sent Billionsa an email with a link to this thread earlier.
 
I think I mentioned when this exploit was made known that, unless there are firmware updates, I think routers running DNS services will also be nailed. Though I am not sure.
 
The thing is, DNS servers use port 53; I can see it in my logs.

The port isn't "forwarded" and the firewall is enabled. Basically they need to "mask" the DNS port or just plain add new rules to it, to only allow certain requests.
 
Could I ask the experts here if the steps I took on the other systems to clear the DNS and ARP cache are the only thing I need to do?

I'd appreciate any advice.

No reply from Billion yet.
 
Hi Teraside,

Sorry for the late reply,

• Would you be able to send me a copy of your config file?
1. Log into the web interface of the router (e.g. 192.168.1.254)
2. Go to Configuration >> System >> Backup/Restore >> Create a backup file.

It sounds like the router is relaying the DNS request. But as you specified, port 53 is not “forwarded” on your packet filter, so this should not happen.

We will further investigate as soon as we receive the config file.
 
Thanks BT, I've just responded to your email ;)

Cheers,
tera
 
Thanks to BillionTech for the help with all this.

He has sent me some revised firmware and I'm currently on SAIX DNS since yesterday and so far Eset hasn't reported anything ;)

If anyone has a 7300M, just go to the BillionSA site, fill in the support contact form and ask for the firmware.

Ciao ;)

tera
 
Sent you another email BillionTech, problem still persists unfortunately.
 
We have looked into these DNS cache poisoning attacks and found that the attacks would only take place if the DNS server does not resolve the DNS queries correctly.

The issue can be overcome by using a reliable anti-virus solution that would stop the DNS cache poisoning attacks by verifying the certificates and setting up certain conditions that need to be complied with.
 
So in other words. Use OpenDNS and not SAIX?

This isn't a problem that can be sorted out through the hardware, but software?

If that's the case, I think hardware manufacturers need to think about products they sell to the public. We can give you security, but only a basic level, don't expect to be secure on your network? :(
 
Neotel have the same and I have asked them countless times to fix it.
I rely on OpenDNS; much more stable, always on, and no lag issues.

Problem is though, on ADSL no sites work on OpenDNS with local only accounts. :mad:
 
Can you not try other Telkom gateways that are patched, or are none of them patched as yet?

SAIX were supposed to patch their servers, but many of them aren't.

Problem is though, companies like Billion just pass the buck and tell us to use a software firewall, which isn't the way it works.

As the internet shows, these DNS attacks didn't originate in 2008; they've been documented for a few years. Billion is just too lazy to update their firmware, and thereby the firewall software on the router, so they tell me to use a static DNS or a software firewall.

Stuff that man. I will use a software firewall, because at least those companies give a damn to stay up to times with the current threats, but this will be the last Billion router I buy ever, won't recommend them either.
 
tera, just keep in mind that a router loses a lot of its "protective properties" if you are running bridge/half-bridge connections.

Not sure how the DNS attacks work from a technical perspective, so I don't know whether the router firewall/NAT will catch it.
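On the technical question in that last reply: the 2008 DNS flaw the thread calls "this exploit" (the Kaminsky attack) is a blind reply-spoofing race. A resolver sends a query carrying a 16-bit transaction ID from some source port; the first reply that reaches that port with the matching ID and question is accepted. If the resolver or forwarder always uses one source port (the log earlier in the thread shows a single client port, 60819, receiving every flagged reply), the attacker only has to guess the ID, and by asking for a fresh random sub-name each time it can retry a lost race immediately. A NAT router or firewall does not stop this on its own, since the forged replies arrive on exactly the port the router opened for the outbound query. The Python model below is an added illustration, not code from Billion, ESET or any of the posters: it shows the checks a resolver applies to a reply (port, transaction ID, question, bailiwick) and simulates the race with a fixed versus a randomized source port. The zone name, poison records, ephemeral port pool and IP address are constructed for the example.

```python
import random
from typing import NamedTuple

TXID_SPACE = 1 << 16                   # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)   # assumed port pool of a port-randomizing resolver
FIXED_PORT = 60819                     # the single client port seen in the post's log
ZONE = "example.com."                  # constructed target zone
# Constructed poison payload in the style of the 2008 attack: an NS record for the
# zone plus in-bailiwick glue that points the zone's name server at an attacker IP.
POISON = (
    (ZONE, "NS", "ns1." + ZONE),
    ("ns1." + ZONE, "A", "203.0.113.7"),
)


class Query(NamedTuple):
    txid: int
    src_port: int
    qname: str
    zone: str


class Reply(NamedTuple):
    txid: int
    dst_port: int
    qname: str
    records: tuple   # (owner_name, rrtype, value) triples


def in_bailiwick(owner: str, zone: str) -> bool:
    return owner == zone or owner.endswith("." + zone)


def validate_reply(query: Query, reply: Reply):
    """Checks a resolver applies before caching: the reply must hit the socket
    that sent the query, carry its TXID, repeat its question, and only carry
    records for names under the zone that was asked."""
    if reply.dst_port != query.src_port:
        return False, "port mismatch"
    if reply.txid != query.txid:
        return False, "txid mismatch"
    if reply.qname != query.qname:
        return False, "question mismatch"
    if any(not in_bailiwick(owner, query.zone) for owner, _, _ in reply.records):
        return False, "out-of-bailiwick record"
    return True, "accepted"


def expected_success(forgeries: int, port_randomized: bool) -> float:
    """Probability that one flood of `forgeries` random guesses wins a single race."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if port_randomized else 1)
    return 1 - (1 - 1 / space) ** forgeries


def simulate(seed: int, port_randomized: bool, trials: int, forgeries: int) -> int:
    """Run `trials` lookups and count how many end with the poison accepted."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        # Ask for a fresh random sub-name each time: a lost race is not blocked
        # by a cached answer, so the attacker can retry at once.
        qname = f"{rng.randrange(10**9)}.{ZONE}"
        port = rng.choice(EPHEMERAL_PORTS) if port_randomized else FIXED_PORT
        query = Query(rng.randrange(TXID_SPACE), port, qname, ZONE)
        for _ in range(forgeries):
            # The attacker triggered the lookup, so it knows qname and timing; with
            # a fixed port it knows where to aim, otherwise it must guess that too.
            guess_port = rng.choice(EPHEMERAL_PORTS) if port_randomized else FIXED_PORT
            reply = Reply(rng.randrange(TXID_SPACE), guess_port, qname, POISON)
            if validate_reply(query, reply)[0]:
                poisoned += 1
                break
    return poisoned


if __name__ == "__main__":
    for randomized in (False, True):
        hits = simulate(2008, randomized, trials=2000, forgeries=400)
        print(f"source port randomized={randomized}: {hits}/2000 lookups poisoned, "
              f"expected about {2000 * expected_success(400, randomized):.2f}")
```

The point of the two runs is the ratio, not the exact counts: with a fixed port, 400 forgeries per lookup give roughly a 1 in 160 chance per race, and the attacker gets unlimited races; with the port randomized as well, the guess space grows by a factor of about 64,000 and the same flood effectively never wins. That is why the 2008 fixes were about source port randomization on resolvers and forwarders (including the DNS relay in a home router), which no client-side antivirus or cache flush can substitute for.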
 