
DNS Flaw Leads To Internet 'Poisoning' Attacks


By Stefanie Hoffman, ChannelWeb
4:34 PM EDT Wed. Jul. 09, 2008
The U.S. Computer Emergency Readiness Team issued an advisory Tuesday warning the public that the Domain Name System (DNS) protocol and its implementations contain serious vulnerabilities that open the door for cache poisoning attacks.

A cache poisoning attack occurs when an outside attacker creates a fake message that the DNS server will accept, which can trick the server into delivering an incorrect response.

The error, affecting numerous platforms and vendors, stems from a fundamental flaw in the DNS protocol. DNS translates host names to IP addresses and back. However, if an attacker is able to determine certain request parameters, such as the source port and the query ID, the attacker could send a phony response that is then cached by the DNS server.

While DNS cache poisoning as a cyber threat has been around for years, recent research has uncovered faster and more reliable means for hackers to rapidly figure out the query ID and source port in order to exploit these vulnerabilities.
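
An added example, not taken from the article or the CERT advisory: a small audit that takes (source port, query ID) pairs observed on a resolver's outbound queries and estimates how many bits an off-path spoofer has to guess to forge an accepted response. The sample data is constructed, and the `port_pool` size of 64512 (ports 1024-65535) is an assumption about a resolver that randomizes its source port.

```python
import math

ID_SPACE = 2 ** 16  # the DNS query ID is a 16-bit field

# Constructed samples of (source_port, query_id); not captured from any real server.
FIXED = [(53, 0x1A2B), (53, 0x9C04), (53, 0x33F1), (53, 0xE870), (53, 0x0B5D)]
SEQUENTIAL = [(32768, 0x4410), (32769, 0xA1F3), (32770, 0x07BE), (32771, 0xC952)]
VARIED = [(40211, 0x5E01), (1893, 0xD3A7), (58012, 0x12C4),
          (20455, 0x8F60), (61007, 0x6B19), (9931, 0xF0E2)]


def classify_ports(samples):
    """Classify how the resolver picks source ports for outbound queries."""
    ports = [port for port, _ in samples]
    if len(set(ports)) == 1:
        return "fixed"          # every query leaves from the same port
    deltas = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "sequential"     # constant step: next port is predictable
    return "varied"             # no obvious pattern in this sample


def guess_space_bits(samples, port_pool=64512):
    """Bits of unpredictability per query: query ID plus source port.

    port_pool is an assumed pool size and only counts when ports look varied.
    A fixed or sequential port contributes nothing, leaving the 16-bit ID alone.
    """
    port_choices = port_pool if classify_ports(samples) == "varied" else 1
    return math.log2(ID_SPACE * port_choices)


def audit(samples):
    """Summarize one resolver's exposure from its observed queries."""
    kind = classify_ports(samples)
    return {
        "ports": kind,
        "bits": round(guess_space_bits(samples), 1),
        "predictable_port": kind != "varied",
    }


if __name__ == "__main__":
    for name, data in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("varied", VARIED)):
        print(name, audit(data))
```

A handful of samples can only flag an obviously fixed or stepping port; a "varied" result on so few queries is not proof that the ports are well randomized.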

"Tools and techniques have been developed that can reliably poison a domain of the attacker's choosing on most current implementations," the U.S. CERT advisory said.

"Consequently, Web traffic, e-mail and other important network data can be redirected to systems under the attacker's control."

Ultimately, the error enables cyber attackers to hijack certain Internet domains by redirecting a nameserver's clients to contact a different, and possibly malicious, host site. In a successful attack, a criminal could redirect users' browsers to a Website with malicious or information-stealing code that could allow an attacker to take complete control of their computer.

Numerous vendors have either developed or are currently working on fixes for the serious cross-platform flaw. Microsoft addressed the DNS server vulnerability with a patch issued during its scheduled monthly update cycle, which was released Tuesday. The Internet Systems Consortium published a similar patch for its own DNS server, BIND, and more are expected to follow in subsequent days.

U.S. CERT recommends that users apply some workarounds to address the error. Until a widespread and effective patch becomes available, the agency recommends that administrators restrict which sources can request recursion, or disable recursion altogether on any nameserver responding to DNS requests made by untrusted systems.

Users can also find more effective ways to filter Web traffic at the perimeter while also running a local DNS cache.

Security experts say that while the error might not be considered critical, they recommend that users patch this bug as soon as possible.

"It's not necessarily a critical issue, but it is the first step in pulling off a hack on somebody else," said Eric Schultze, CTO of Shavlik Technologies. "Because it's a multi-vendor issue, it's going to get a lot of press and going to stir up a lot of consternation."

