Comments on: DNS servers do hackers' dirty work

New twist on denial-of-service attacks could intensify cybercriminals' threat to online business.

[ba_oren]

I use CallingID that automatically protects me from DNS spoofing

CallingID is a toolbar for Internet Explorer and Firefox that automatically protects users from Internet fraud. It uses 55 verification tests to check that it is OK to send personal or confidential information to a site and if any test fails it alerts me. DNS spoofing is one of the tests

[darbien]

bad choice....

this is an classic example of a smoke and mirror product. they show you a nice GUI interface and fool consumer into thinking they are secured..

how do they actually detect pharming? checking the domain name certainly doesn't do it, and not their 52 rules of checking (hey why not make it 521 rules, it sounds better)

I wouldn't waste $ on this crap if I were you.

[baswwe]

Porn sites on the Margin? I thought ..

I thought they were the ones rakin in the money!

[n3td3v]

Little note for the so-called experts

http://www.google.co.uk/search?hl=en&q=Akamai+attack&spell=1

http://www.google.co.uk/search?hl=en&q=Akamia+attack&meta=

http://www.google.co.uk/search?hl=en&q=Akamai+attack+n3td3v&spell=1

[n3td3v]

2 years ago

1. Thats 2 years ago. And how long before that did the attacker(s) have the idea? And today these small time experts like Gadi are posting on FD claiming they know it all. You guys at Cnet really are quoting the best folks to be asking about such techniques.

2. And theres still the Yahoo Slurp disclosure that Gadi and the others can't work out.

I guess that'll come up two years later too...

When folks like Gadi on FD can't work something out on FD, they call you a troll or tell you to goto school.

Its funny.

[hawkeyeaz1]

I don't think

I don't think this means recursive DNS is
irresponsible, I think it highlights that we
need to move beyond IPv4 to something that
doesn't just assume a connection is legit. If a
connection is made apparently from ___, then the
ACK of receipt used in file transfers (i.e.,
packet received) could serve as a "you did send
this, right?". IPv6 has some improvements over
IPv4 as well.

[Jeremiah256]

RE: IPV6

Agreed but there is no pressure to move to IPv6.

[PAStheLoD]

Why they can spoof their IP ?

Why routers at the last mile allow this? Simply because ISP-s don't care.. if this kind of attack can be done, that's because the hackers are able to spoof their IPs and that's not so hard to detect at the first few routers while the packet is inside the network of the originating ISP.

So think.

[interboogie]

Yawn

If the reporter had done more checking he would've found out that this is nothing new. It's just being "exploited" by new people in terms of utilizing for professional gain - like reporters quoting them in stories about old stuff.

[stealt403]

haha

if you would have done more checking you would have found that this point has already been made by at least two other posters.

[rdeutch]

What are the options for protecting againsts this?

It appears that Simple DNS Plus is one.
See http://blogs.jhsoft.com/jhsoft/PermaLink,guid,f43ae4a8-b3cb-43ba-b9c0-261f4a4b509c.aspx

Anyone know of anything else?

[wbenton]

Problem has been solved...

For those whom have invested in the proper hardware and software from Cisco... this problem has been forwarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!

The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!

Walt

[wbenton]

Problem has been solved...

For those whom have invested in the proper hardware and software from Cisco... this problem has been forwarned for several years now and Cisco has a resolution.

Reverse lookups performed by hardware allow the latest Cisco devices (those employed with the Supervisor 32 or Supervisor 720 module) can determine whether the sender is valid or spoofed and it will drop spoofed DNS requests.

That said... this article should have been written with the title... "For those not willing to invest in proper protection... DNS continues to plage them!!!

The problem has been known for several years adn a valid solution exists... but it's only for those whom invest properly in the correct security equipment!!!

Walt

[rdeutch]

Not really...

If the Cisco device does a reverse DNS lookup on the spoofed IP address, it will still get a correct result. So how does this solve anything?

If an IP packet with a spoofed origin IP address reaches its target (or the firewall in front of it), then there is no way to tell if the packet really came from the claimed IP address or not.