Exploit for DNS Cache Poisoning - RELEASED

Graeme Fowler graeme at graemef.net
Fri Jul 25 17:25:30 CDT 2008


On Fri, 2008-07-25 at 18:14 -0400, Pete Carah wrote:
> I saw much more than this *from the same address* starting two days ago, 
> and from several other blocks belonging to the same university starting 
> last week, to my home router and another server.  So far my better 
> connected servers haven't been hit hard. (and no non-auto answer from 
> "security" at that university...)

I saw this earlier in the week, along with queries for a domain name
which happens to have been registered by Dan Kaminsky, so I emailed him
about it. The addresses in question at Georgia Tech appear to be in use
as part of Doxpara's scan for unpatched systems, which he confirmed.

For those who are bothered, look out for queries from the same netblock
of the form:

rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN

It's probably obvious to one and all what they should be for. And the
fact that the queries are denied by correctly configured (i.e. non-open)
resolvers makes it even less of a panic.

The sky isn't falling... yet.

Graeme
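As an added illustration of the check Graeme describes (look for queries of that form from a given netblock, and confirm your resolver denied rather than answered them), here is a small log triage script. It is not part of the original post: the log lines are constructed samples in the BIND 9 "queries" and "security" category formats (the `'name/A/IN' denied` notation is the same one quoted above), the source addresses are documentation-range placeholders, and the netblock to filter on is a parameter you supply rather than any real scanner range.

```python
import ipaddress
import re

# Constructed sample lines (not real captures). Two formats appear in BIND 9 logs:
#   queries category : "client IP#port: query: NAME IN TYPE + (server-ip)"   -> recursion performed
#   security category: "client IP#port: query (cache) 'NAME/TYPE/CLASS' denied" -> recursion refused
SAMPLE_LOG = """\
25-Jul-2008 10:02:11.104 client 192.0.2.17#41235: query: rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com IN A + (203.0.113.53)
25-Jul-2008 10:02:12.377 client 192.0.2.17#41236: query (cache) 'Zm9vYmFyYmF6.ports.dns-integrity-scan.com/A/IN' denied
25-Jul-2008 10:02:13.001 client 198.51.100.8#5353: query: www.example.net IN A + (203.0.113.53)
25-Jul-2008 10:02:14.550 client 192.0.2.200#3000: query (cache) 'www.example.org/A/IN' denied
"""

# Domain suffix named in the post; the left-most label is an opaque per-probe token.
SCAN_SUFFIX = "ports.dns-integrity-scan.com"

# Answered-query form: the resolver accepted the client and recursed for it.
ANSWERED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)
# Denied form: the resolver refused recursion (what a non-open resolver should log).
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<type>[^/']+)/[^/']+' denied"
)


def parse_line(line):
    """Return (client_ip, qname, qtype, denied) for a query record, else None."""
    m = ANSWERED_RE.search(line)
    if m:
        return m["ip"], m["name"].rstrip("."), m["type"], False
    m = DENIED_RE.search(line)
    if m:
        return m["ip"], m["name"].rstrip("."), m["type"], True
    return None


def is_scan_query(qname):
    """True when the queried name sits under the scanner's domain."""
    q = qname.lower()
    return q == SCAN_SUFFIX or q.endswith("." + SCAN_SUFFIX)


def find_scan_queries(log_text, netblock=None):
    """Collect scan-domain queries, optionally restricted to one source netblock.

    netblock is a placeholder such as "192.0.2.0/24"; None means any source.
    """
    net = ipaddress.ip_network(netblock) if netblock else None
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, qname, qtype, denied = rec
        if not is_scan_query(qname):
            continue
        if net is not None and ipaddress.ip_address(ip) not in net:
            continue
        hits.append({"ip": ip, "name": qname, "type": qtype, "denied": denied})
    return hits


def summarize(hits):
    """Per-source counts. Any 'answered' count > 0 means the resolver recursed
    for that outside client, i.e. it is behaving as an open resolver to it."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"answered": 0, "denied": 0})
        s["denied" if h["denied"] else "answered"] += 1
    return summary


if __name__ == "__main__":
    for src, counts in summarize(find_scan_queries(SAMPLE_LOG)).items():
        status = "OPEN to this source" if counts["answered"] else "refusing recursion"
        print(f"{src}: {counts} -> {status}")
```

Run against your own query and security logs, the useful signal is the `answered` column: a resolver with recursion correctly restricted should show only `denied` entries for these names, which is the "less of a panic" case the post describes.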