[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)
Peter Dambier
peter at peter-dambier.de
Tue Jan 22 20:22:23 UTC 2008
I am troubled by this little typo:
Sorry, I have to scramble it or the mailer would tell me nasty things:
real domain "S:E:R:V:E:F:T:P:.:C:O:M"
typo domain "S:E:R:V:E:F:P:T:.:C:O:M"
Remove the colons and make it lowercase.
; <<>> DiG 9.4.0 <<>> -t any echnaton.typo
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39153
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;echnaton.typo. IN ANY
;; ANSWER SECTION:
echnaton.typo. 3600 IN A 66.45.252.236
echnaton.typo. 3600 IN A 66.45.252.237
;; AUTHORITY SECTION:
typo. 172800 IN NS ns3.smartdamain.com.
typo. 172800 IN NS ns1.smartdamain.com.
typo. 172800 IN NS ns2.smartdamain.com.
;; Query time: 284 msec
;; SERVER: 7.19.30.36#53(7.19.30.36)
;; WHEN: Tue Jan 22 20:59:21 2008
;; MSG SIZE rcvd: 137
I have alarmed no-ip.com support before Christmas.
The result: I have lost my account.
The pharmer is celebrating Pentecost.
He is even running his own root now:
; <<>> DiG 9.4.0 <<>> -t any . @ns1.smartdamain.com.
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32334
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;. IN ANY
;; ANSWER SECTION:
. 2560 IN SOA ns. hostmaster. 1201030527 16384 2048 1048576 2560
. 259200 IN NS ns.
;; Query time: 134 msec
;; SERVER: 64.20.39.26#53(64.20.39.26)
;; WHEN: Tue Jan 22 21:17:31 2008
;; MSG SIZE rcvd: 77
Cheers
Peter
Gadi Evron wrote:
| Paul Vixie wrote:
|> in <http://www.news.com/8301-10789_3-9855195-57.html> we see:
|>
|> January 22, 2008 10:19 AM PST
|> Drive-by pharming attack hits home
|> Posted by Robert Vamosi
|>
|> Whenever you type an address into an Internet browser, that address is
|> instantly resolved into the site's numerical Internet address by a DNS server
|> located somewhere in the world. On Tuesday, Symantec announced that online
|> criminals have started to remotely redirect your home network router's DNS
|> server so that whenever you type in a financial institution or other trusted
|> site, your browser will instead be redirected to a bogus or phishing Web
|> site.
|>
|> The practice, called pharming, usually attacks the DNS servers directly, but
|> this latest attack brings it all home (if you are using broadband
|> connectivity). Fortunately, the routers and institutions affected by this
|> current attack are limited to one country, Mexico, but Symantec warns that
|> word of this real-world attack could bring similar attacks elsewhere.
|
| I am unsure of what specific attack (malware?) they are talking about
| which is MX specific, but SYMC is good with PR. I am however
| increasingly concerned with the ease of compromising broadband routers.
|
| On the DNS side, without compromising (which can result in more botnets
| or wiretap concerns) I am especially concerned due to many of these CPE
| devices being recursive DNS servers.
|
| While DNS hijacking remains a threat and it is clear a significant
| number of ns world-wide are lying to us, it is not my main concern when
| these devices are discussed.
|
| Gadi.
| _______________________________________________
| dns-operations mailing list
| dns-operations at lists.oarci.net
| http://lists.oarci.net/mailman/listinfo/dns-operations
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
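The two dig transcripts in the mail show two signals worth checking for automatically: a domain that is one adjacent-letter swap away from a real one (serveftp.com vs servefpt.com), and a name server that answers authoritatively for the root zone with NS records that are not the real root servers. The following Python checker is an added example, not code from the original mail or from any project named in it. It parses dig output into flags and resource records, then applies both checks. The sample input is the two transcripts from the mail, pasted as constructed strings; the root check assumes that genuine root NS names all end in root-servers.net, which is true for a.root-servers.net through m.root-servers.net.

```python
"""Flag two pharming signs from dig output: typo-domain transpositions and
a name server claiming authority for the root zone itself."""
from dataclasses import dataclass, field

# Constructed sample input: the two dig transcripts quoted in the mail,
# trimmed to the header, question, answer and authority lines.
TYPO_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39153
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;echnaton.typo. IN ANY
;; ANSWER SECTION:
echnaton.typo. 3600 IN A 66.45.252.236
echnaton.typo. 3600 IN A 66.45.252.237
;; AUTHORITY SECTION:
typo. 172800 IN NS ns3.smartdamain.com.
typo. 172800 IN NS ns1.smartdamain.com.
typo. 172800 IN NS ns2.smartdamain.com.
"""

ROGUE_ROOT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32334
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;. IN ANY
;; ANSWER SECTION:
. 2560 IN SOA ns. hostmaster. 1201030527 16384 2048 1048576 2560
. 259200 IN NS ns.
"""

# Assumption: every legitimate root NS name ends with this suffix.
ROOT_SERVER_SUFFIX = ".root-servers.net."


@dataclass
class DigResponse:
    flags: set = field(default_factory=set)
    question: str = ""
    answer: list = field(default_factory=list)     # (name, ttl, type, rdata)
    authority: list = field(default_factory=list)


def parse_dig(text):
    """Parse the parts of a dig transcript that the checks below need."""
    resp = DigResponse()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; flags:"):
            # ";; flags: qr aa rd; QUERY: 1, ..." -> {"qr", "aa", "rd"}
            resp.flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.endswith("SECTION:"):
            section = line.split()[1].lower()
        elif section == "question" and line.startswith(";"):
            resp.question = line[1:].split()[0]
        elif section in ("answer", "authority") and not line.startswith(";"):
            parts = line.split(None, 4)
            if len(parts) == 5 and parts[2] == "IN":
                name, ttl, _, rtype, rdata = parts
                getattr(resp, section).append((name, int(ttl), rtype, rdata))
    return resp


def claims_rogue_root(resp):
    """True when the server answers authoritatively for '.' and lists NS
    records for the root that are not real root servers."""
    if resp.question != "." or "aa" not in resp.flags:
        return False
    ns_names = [rdata for name, _, rtype, rdata in resp.answer + resp.authority
                if name == "." and rtype == "NS"]
    return bool(ns_names) and any(
        not ns.lower().endswith(ROOT_SERVER_SUFFIX) for ns in ns_names)


def is_adjacent_swap(real, candidate):
    """True if candidate is real with exactly one pair of adjacent characters
    swapped, e.g. serveftp.com vs servefpt.com."""
    real, candidate = real.lower().rstrip("."), candidate.lower().rstrip(".")
    if len(real) != len(candidate) or real == candidate:
        return False
    diffs = [i for i, (a, b) in enumerate(zip(real, candidate)) if a != b]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and real[diffs[0]] == candidate[diffs[1]]
            and real[diffs[1]] == candidate[diffs[0]])


def transposition_variants(domain):
    """All single adjacent swaps of the leftmost label: a watchlist of
    typo domains to monitor for a name you own."""
    label, sep, rest = domain.partition(".")
    out = []
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.append(label[:i] + label[i + 1] + label[i] + label[i + 2:] + sep + rest)
    return out


if __name__ == "__main__":
    for title, text in (("typo domain", TYPO_DIG), ("rogue root", ROGUE_ROOT_DIG)):
        r = parse_dig(text)
        print(f"{title}: question={r.question} flags={sorted(r.flags)} "
              f"rogue_root={claims_rogue_root(r)}")
    print("watchlist for serveftp.com:", transposition_variants("serveftp.com"))
    print("servefpt.com is a swap of serveftp.com:",
          is_adjacent_swap("serveftp.com", "servefpt.com"))
```

In practice the transcripts would come from querying a CPE device's resolver and each NS it hands out; a resolver that returns an authoritative answer for "." pointing anywhere but root-servers.net is serving its own root, which is exactly what the second transcript shows.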