[nsp-sec] DNS poisoning activity in the wild
Jose Nazario
jose at arbor.net
Wed Jul 30 10:36:44 EDT 2008

after seeing hdm blog this:

| After seeing the SBC/ATT server for Austin get poisoned, serve up
| advertisements, and eventually get taken offline, I decided to add a
| module to compare DNS results between two servers.

via http://blog.metasploit.com/2008/07/checking-for-cache-poisoning.html

now, hdm did this as a proof of concept. but i have to wonder: how much
actual DNS poisoning is occurring and where is it coming from?

so far i don't think we've bandied that info around in this community.
seems like, if it's going on, we should be talking about this.

at arbor we've seen a spike in version.bind. queries but our sensors
haven't been tuned to look for the poison attacks, so we don't know how
much of that is afoot.

thanks.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/