DNS cache poison
Summary
The attacker has sent the DNS server a query that also carries resource records in its answer, authority or additional sections. This may be an attempt to plant false entries in the server's cache. The same pattern is also frequently seen from ISPs that redirect their customers' DNS traffic through proxy servers, so the source of the packet matters when judging it.
Details
This is likely an intrusion attempt against the DNS server, though the benign ISP case noted above should be ruled out first.
To improve performance, DNS servers "cache" the names they learn. A caching server inspects the DNS messages it receives for resource records (every DNS message has the same layout: a question section followed by answer, authority and additional sections, any of which may be empty) and remembers those records for the lifetime of their TTL, so that the next client asking for the same name can be answered locally.
The obvious problem is that somebody can lie. In particular, someone can send the server a query whose answer, authority or additional sections are populated with records of the attacker's choosing; that is what triggers this alert. Older servers accepted such records, cached them, and handed them out to anyone who later asked for those names. Current servers ignore records that arrive inside a query and, for genuine responses, discard records that fall outside the bailiwick of the server that answered. Even so, a large number of unpatched servers remain on the net.
Response
If your DNS servers run current software, records carried inside a query are discarded and this particular attack should not have succeeded. Confirm this by querying the server for the names in the event rather than assuming it.
Examine the details of the attack. The event records the name the attacker tried to have cached, and the evidence trace files contain the packet itself. From these you can determine exactly which names were targeted and to what addresses they would have been made to point.
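The following Python is an added illustration, not code from the original advisory. It parses a raw DNS message, flags the condition this alert describes (a query, QR=0, whose answer, authority or additional sections are non-empty), lists records whose owner name lies outside the queried name's subtree (a simplification of the bailiwick check a current resolver applies), and extracts the names and addresses a poisoning packet is trying to plant, which is the same information the Response section says to pull from the evidence trace files. The two sample packets are constructed inline for the example and are not captured traffic.

```python
import struct

def _read_name(msg, off):
    """Decode a DNS name at offset `off`, following compression pointers.
    Returns (lowercased dotted name, offset just past the name in the stream)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                         # resume here after the jump
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def parse_dns(msg):
    """Parse a wire-format DNS message into its header flags and sections.
    Questions are (name, qtype, qclass); records are (name, rtype, rclass, ttl, rdata)."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype, qclass))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen])); off += rdlen
        sections[key] = rrs
    return {"id": txid, "qr": bool(flags & 0x8000), "questions": questions, **sections}

def query_carries_records(msg):
    """The alert condition: QR=0 (a query) but one of the record sections is populated."""
    p = parse_dns(msg)
    return (not p["qr"]) and bool(p["answer"] or p["authority"] or p["additional"])

def out_of_bailiwick(msg):
    """Records whose owner is not the queried name or a name beneath it.
    Simplified bailiwick check; real resolvers compare against the answering zone."""
    p = parse_dns(msg)
    if not p["questions"]:
        return []
    qname = p["questions"][0][0]
    return [(sec, name) for sec in ("answer", "authority", "additional")
            for name, _, _, _, _ in p[sec]
            if not (name == qname or name.endswith("." + qname))]

def poisoned_names(msg):
    """(name, IPv4) pairs the packet is trying to plant: A records outside the question."""
    p = parse_dns(msg)
    return [(name, ".".join(map(str, rdata)))
            for sec in ("answer", "authority", "additional")
            for name, rtype, _, _, rdata in p[sec]
            if rtype == 1 and len(rdata) == 4]

# --- constructed sample packets (hypothetical, not captured traffic) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _rr(name, rtype, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Ordinary recursive query for www.example.com: QR=0, RD=1, only a question section.
NORMAL_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + _name("www.example.com") + struct.pack("!HH", 1, 1))
# Same query with an unsolicited A record smuggled into the additional section,
# pointing an unrelated name at a documentation-range address (RFC 5737).
POISON_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
                + _name("www.example.com") + struct.pack("!HH", 1, 1)
                + _rr("www.bank.example", 1, 86400, bytes([192, 0, 2, 1])))

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_QUERY), ("poison", POISON_QUERY)):
        print(label, query_carries_records(pkt), out_of_bailiwick(pkt), poisoned_names(pkt))
```

Run against the evidence packet from the trace file instead of the constructed samples to recover the targeted names and addresses; a current resolver's behaviour corresponds to dropping every record that `query_carries_records` or `out_of_bailiwick` flags.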
Defense
Make sure your DNS servers have been updated to the latest versions.
More importantly, remember that a cache is only as trustworthy as the data fed into it. Services that authenticate clients by hostname, such as the UNIX rlogin, rsh/rcp, xhost and NFS export lists, believe whatever the resolver tells them, so a poisoned entry can let an attacker's machine pass as a trusted host. Take care that these services do not depend on a DNS cache that has been exposed to the Internet.