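DNS attack - connecting to www.InterNIC.net or www.AlterNIC.net? (a mix-up incident)
Summary:
Older versions of DNS servers have fairly serious bugs; a malicious site can use these bugs to cause mischief.
For example, a site that meant to connect to site A ends up connected to site B instead.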
Path: netnews.NCTU.edu.tw!news2!not-for-mail
From: cschen@cc.nctu.edu.tw (C.S.Chen)
Newsgroups: tw.bbs.comp.network,tw.bbs.config
Subject: DNS spoofing attack against the InterNIC?
Date: 18 Jul 1997 03:19:36 GMT
Organization: National Chiao Tung University, Hsinchu, Taiwan
Lines: 73
Message-ID: <5qmnc8$ef9$1@news2.nctu.edu.tw>
NNTP-Posting-Host: localhost
X-Trace: 869195976 14825 cschen@localhost 127.0.0.1
X-Newsreader: TIN [UNIX 1.3 950824BETA+ANSI+COLOR PL8]
Xref: netnews.NCTU.edu.tw tw.bbs.comp.network:63214 tw.bbs.config:12178
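There have been a lot of DNS mix-ups on the Internet lately.
-- in Taiwan and abroad alike.
InterNIC was recently tricked by AlterNIC.
A few days ago, many DNS servers in use on the network were tampered with by a DNS
server run by the AlterNIC folks; as a result, connections meant for "www.internic.net" went to "www.alternic.net" instead.
It has been preliminarily confirmed that the latest BIND 4.9.6-REL and BIND 8.1.1 do not show this problem.
-- InterNIC's 13 root DNS servers, [a-m].root-servers.net, have (almost?) all been upgraded.
However, many DNS servers on the network are still running the older BIND 4.8.x and 4.9.x.
In Taiwan, the top-level DNS servers "moevax.edu.tw" and "moesun.edu.tw" have already been
upgraded to BIND 8.1.1.
In addition, many organizations' DNS servers have already been upgraded.
For a (partial) list of other sites running newer versions of BIND, see the URL below: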
http://ns.nctu.edu.tw/DNS-misc/SiteNewBind.html
FYI:
---------------------------------------------------------
[ Article reposted from comp.protocols.dns.bind ]
[ Author was Mathias Koerber ]
[ Posted on Wed, 16 Jul 1997 07:11:10 +0800 (SST) ]
On Mon, 14 Jul 1997, Cricket Liu wrote:
| Date: Mon, 14 Jul 1997 00:40:15 GMT
| From: Cricket Liu
| Reply-To: bind-users-request@vix.com
| To: comp-protocols-dns-bind@nac.no
| Subject: DNS spoofing attack against the InterNIC?
|
| Does anyone else get weird results when loading
| http://www.internic.net/? My default name server
| (ce1.res.dns.psi.net, on PSINet) reports a non-authoritative answer of
| 207.51.48.15, which reverse maps to nyc.alternic.net. The
| authoritative name servers for internic.net map www.internic.net to
| 198.49.45.10, 204.159.111.101 and 204.179.186.65.
|
| (In case you don't have a web browser handy, loading
| http://www.internic.net/ with this setup brings up the AlterNIC's home
| page.)
|
| My best guess is that someone has mounted a DNS spoofing attack
| against one or more name servers on the Internet. Anyone else see
| this with their name servers? If so, any indications of which
| vulnerability the attacker capitalized on to spoof the name server?
The same one that apostols.org used in their highly publicized webpage
recently... Fixed in 4.9.6 and 8.1.1 :-)
|
| cricket
|
| Acme Byte & Wire | http://www.acmebw.com/
| cricket@acmebw.com | (303) 449-0484
|
Mathias Koerber | Tel: +65 / 471 9820 | mathias@staff.singnet.com.sg
SingNet NOC | Fax: +65 / 475 3273 | mathias@koerber.org
Q'town Tel. Exch. | PGP: Keyid: 768/25E082BD, finger mathias@singnet.com.sg
2 Stirling Rd | 1A 8B FC D4 93 F1 9A FC BD 98 A3 1A 0E 73 01 65
S'pore 148943 | Disclaimer: I speak only for myself
* Eifersucht ist eine Leidenschaft, die mit Eifer sucht, was Leiden schafft *
--
Joe. C.S.Chen, cschen@ns.nctu.edu.tw
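
The check described in the reposted message (a resolver's non-authoritative answer compared against what the zone's authoritative servers return) can be automated. The following is an added example, not part of the original post: the function names are hypothetical, and the two DNS messages are constructed in wire format from the addresses quoted above so that it runs offline.

```python
import socket
import struct

def build_response(name, addrs, authoritative):
    """Constructed DNS response (wire format) with one A record per address."""
    flags = 0x8000 | 0x0080 | (0x0400 if authoritative else 0)  # QR, RA, AA
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!2H", 1, 1)  # question: QTYPE=A, QCLASS=IN
    for a in addrs:  # owner name is a compression pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 3600, 4) + socket.inet_aton(a)
    return msg

def skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk ordinary labels
        off += 1 + msg[off]
    # a pointer (top two bits set) takes two bytes, the root label one
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_answers(msg):
    """Return (AA bit, set of IPv4 addresses in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off) + 10  # TYPE, CLASS, TTL, RDLENGTH
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off - 10:off])
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return bool(flags & 0x0400), addrs

def cache_only_addresses(cached_msg, auth_msg):
    """Addresses the resolver serves that the authoritative answer lacks."""
    cached_aa, cached = parse_a_answers(cached_msg)
    auth_aa, auth = parse_a_answers(auth_msg)
    if cached_aa or not auth_aa:
        raise ValueError("expected a cached answer and an authoritative reference")
    return sorted(cached - auth)

# Constructed sample messages using the addresses quoted in the post.
AUTH_ADDRS = ["198.49.45.10", "204.159.111.101", "204.179.186.65"]
CACHED = build_response("www.internic.net", ["207.51.48.15"], False)
AUTH = build_response("www.internic.net", AUTH_ADDRS, True)
```

A non-empty result is a reason to look closer rather than proof of spoofing, since a cache can also hold a stale record from before a legitimate address change.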