2 MINUTES ON… DNS cache poisoning

A recent spate of Domain Name System (DNS) cache poisoning has security experts worried that the devious attack technique has become a new tool for identity thieves.

DNS cache poisoning allows an attacker to change the DNS records that resolve domain names into IP addresses so that a user is redirected to a spoofed, malicious site.

Alan Paller, research director at the SANS Institute, describes it as "the most vicious method right now for stealing information."

Researchers at the SANS Internet Storm Center (ISC) recently tracked three DNS cache poisoning attacks. Two took users to sites that tried to install spyware and adware, while the other went to a site selling medications.

ISC estimates that between 500 and 1,000 midsize to large organizations were affected.

"This is pretty much a money-making scheme," says Johannes Ullrich, ISC chief research officer, adding that it appears a Russian group was behind the attacks.

DNS cache poisoning has been around for about ten years, say experts, but is more worrisome now because the perpetrators have changed.

"We're not dealing with egocentric teenage hackers, but criminal outfits that have a different type of motivation, which is money," says Scott Chasin, CTO of email security supplier MX Logic. His firm coined the term pharming to describe DNS cache poisoning as the next generation of phishing "because it can happen on such a wide scale, affecting hundreds of thousands, if not millions, of internet users," he says.

DNS poisoning is not as frequent as other types of attacks and is hard for attackers to carry out, but is "potentially much more damaging," according to Gregg Mastoras, senior security analyst at anti-virus firm Sophos.

Vulnerable DNS servers are configured poorly or use vulnerable software, believe experts. But Chasin thinks the problem mainly stems from the inherent insecurity of the DNS protocol.

"If I'm a bad guy looking for ways to exploit the weaknesses of the internet, I would certainly focus on DNS, because it has the ingredients for disaster," he says.

DNSSEC, an effort to secure DNS, has been approved by an industry group but will require widespread deployment to work, adds Chasin.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.