2 February 2005: Criminals use DNS spoofing to make money

Various Dutch media are carrying a story today from a new Dutch technology/lifestyle magazine called Bright about DNS spoofing: taking control of domain names. A group of online criminals is reportedly doing this for money. The complete article can be found here; this summary by the newspaper De Volkskrant pretty much mentions the most important bits:

Internet crime: one million visitors for $1000

Criminal hackers are manipulating vital Internet nodes for money. The hackers lead visitors of popular websites such as Google.com and Yahoo.com to other places, such as pornographic websites. According to Dutch experts, this abuse is “daily practice”.

In the latest issue of the technology magazine Bright, the webmaster of the sex site AskJolene.com said he was recently approached by an unknown American person with the question whether he wanted to buy ‘targeted visits’. “I can decide where people are being sent to on the internet”, Toine Verheul heard.

Remotely, the anonymous hacker showed his capacities. Verheul was asked to enter a search term with Google. Rather than seeing a list of references, he was directed to a sex website. This happened when Verheul clicked on references on the website of CNN.com as well.

The hackers are using a long-known weak spot in the domain name servers, large network computers that direct the traffic on the internet in the right direction. They function as a sort of ‘telephone exchange’, making sure a user who enters CNN.com is actually sent to the website of the American satellite station. It is possible, though, to temporarily supply these traffic controllers with fake data. For a short period of time, users of certain websites are ‘hostaged’ to other places.

This phenomenon is called DNS cache spoofing or DNS cache poisoning, and according to the Dutch experts quoted in Bright, it is daily practice. The scale on which the manipulation takes place is unknown to them. It’s the first time that there are clear indications that hackers are making money out of this Achilles heel of the internet.

The unknown American who approached AskJolene.com said he represented a group of network managers who maintain the most important nodes on the internet. He asked a thousand dollars for directing a million visitors.

Domain hostaging can cause great damage to its victims. Last month the New York internet provider Panix disappeared off the radar for a few days after an unknown person had ‘captured’ its domain name. This caused the websites and e-mail addresses of tens of thousands of subscribers to become unavailable.

Simple cache spoofing

The article doesn’t make it completely clear how the spoofing happens. Basically, there are two different ways to do DNS cache spoofing: by including fake data in a valid answer, or by sending a fake answer.

The first method has been known for ages, and is in fact known to have been exploited in practice. It requires having an internet domain name server. The way it works is this. Suppose you run the zone evil.org, and you want to poison the addresses of www.google.nl.

  • You send a query for, for example, the www.evil.org. domain name to the DNS server you want to poison
  • The DNS server then asks your DNS server for the addresses of www.evil.org.
  • Your DNS server answers with “www.evil.org. is an alias for www.google.nl.”. As additional data in the answer, your DNS server supplies a hint saying “The address for www.google.nl. is (your address)”
  • The DNS server accepts this hint for www.google.nl. and remembers it
  • The next time someone sends a query about www.google.nl. to the DNS server, it will return the answer your DNS server gave
  • The client sending the query will then connect to the IP number you specified!

The interesting point in this list is of course point 4. Believe it or not, there are actually DNS servers that, despite the fact that the evil.org. DNS servers have nothing to do with www.google.nl., would still accept the data. These are mainly old versions of BIND. BIND has long since been fixed, but according to a survey done by Men and Mice, 33% of all DNS servers on the internet are still vulnerable to this attack!

The solution here is simple: just upgrade to a recent version of basically any DNS server. Recent versions of BIND and MS-DNS, and all versions of other software such as Posadis, MaraDNS and DjbDNS, do not have this (pretty stupid) problem.

If, on the other hand, you want to experiment with spoofing, you can: I wrote a small Posadis module which helps you poison buggy caches :)
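The check that separates a fixed server from a vulnerable one in point 4 is the bailiwick rule: a cache only keeps records whose owner name lies under the zone it actually asked the server about. The following is an added example (not Posadis code) that replays the poisoning sequence above against such a filter; the record sets and the 192.0.2.66 address are constructed.

```python
"""Bailiwick filter for a caching DNS server.

Added example (not Posadis code): it replays the poisoning sequence from
the list above.  The evil.org. nameserver answers a query for
www.evil.org. with a CNAME to www.google.nl. and slips an A record for
www.google.nl. into the additional section.  A cache that applies a
bailiwick check keeps only records whose owner name lies under the zone
it consulted the server for, so the forged hint is discarded.
"""

def labels(name):
    """Split an absolute DNS name into lower-cased labels, leftmost first."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it.

    Whole labels are compared, so notevil.org. does not match evil.org.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_response(zone, response):
    """Keep, per section, only the records inside the bailiwick of `zone`.

    `response` maps a section name to a list of (owner, rrtype, rdata)
    tuples, a constructed stand-in for a parsed DNS message.
    """
    return {section: [rr for rr in records if in_bailiwick(rr[0], zone)]
            for section, records in response.items()}

def cache_from(zone, response):
    """The (owner, rrtype) -> rdata entries a checking cache would store."""
    return {(owner, rrtype): rdata
            for records in filter_response(zone, response).values()
            for owner, rrtype, rdata in records}

# Constructed reply from the evil.org. server to a query for www.evil.org.;
# 192.0.2.66 is a documentation address standing in for the attacker's host.
POISONED_RESPONSE = {
    "answer": [("www.evil.org.", "CNAME", "www.google.nl.")],
    "additional": [("www.google.nl.", "A", "192.0.2.66")],
}

if __name__ == "__main__":
    kept = cache_from("evil.org.", POISONED_RESPONSE)
    # The CNAME is stored; the resolver must now ask the .nl side for
    # www.google.nl. itself instead of trusting evil.org.'s hint.
    print(kept)
```

The CNAME itself is still accepted, which is correct: the resolver then has to look up www.google.nl. through the proper delegation chain rather than from evil.org.'s additional data.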

Sending a fake answer with IP spoofing

Unfortunately, there is another way to inject fake data, which is much simpler to explain but much harder to do in practice. This is done by IP spoofing: pretending to be another server. A message sent over the internet passes many servers, and in theory any server in between can modify DNS messages to make them contain other data (a so-called man-in-the-middle attack).

Worse yet, you don’t really need to be in between the client and the server. An answer to a DNS query carries an ID, so if you’re not in between the client and the server, you don’t know the ID and cannot spoof an answer to a query. But if you just start sending random answers with random IDs, you may eventually succeed. There are 65536 different possible IDs, and you also need to guess the IP port a query is sent from, as well as the exact moment of the query, so you will need a lot of messages to succeed, but it’s theoretically possible, though I’m not aware of this being done in practice.

There are several reasons why IP spoofing is particularly worrying for DNS, and less so for other protocols, say HTTP or TCP. First, DNS is a connectionless protocol: a client sends one IP message to the server, and the server sends one IP message back with the answer. This means that only one IP message needs to be spoofed for the attack to be successful. Communication over HTTP or FTP, or any other TCP-based protocol, consists of several IP messages, making the chance of it getting noticed bigger. Also, when a caching DNS server gets wrong data, it will remember it for some time, which means that one fake piece of data can be re-used hour after hour.

There really isn’t a solution for this at the moment, except for making sure the ports and message IDs used by clients are as random as possible. Recent versions of DNS servers do this. This only makes a difference if the attacker is not between the client and the server; if the attacker is between the client and the server, for example if he controls an important internet node, it does not matter.
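What a caching server checks before it trusts a reply, and why a random source port matters, in an added example (not Posadis code). The reply dictionary is a constructed stand-in for the parsed UDP and DNS headers, and the 1024-65535 port range is an assumption.

```python
"""Resolver-side matching of a DNS reply against the outstanding query.

Added example (not Posadis code): the check a caching server performs
before it accepts an answer.  The reply must carry the same transaction
ID, come from the server the query went to, be addressed to the source
port the query left from, and repeat the question.  With a fixed source
port a blind forger only has to hit the 16-bit ID; drawing both the ID
and the port from a cryptographic RNG multiplies the space to cover.
"""
import secrets

# Source ports the resolver may use (assumption: the unprivileged range).
PORT_MIN, PORT_MAX = 1024, 65535

class OutstandingQuery:
    """State kept for one query in flight, with randomised ID and port."""
    def __init__(self, server_ip, qname, qtype):
        self.server_ip = server_ip
        self.qname = qname.lower()          # DNS names compare case-insensitively
        self.qtype = qtype
        self.txid = secrets.randbelow(1 << 16)                         # 16-bit ID
        self.sport = PORT_MIN + secrets.randbelow(PORT_MAX - PORT_MIN + 1)

def reply_matches(query, reply):
    """True only if every field of `reply` agrees with the outstanding query.

    `reply` is a dict with keys src_ip, dst_port, txid, qname, qtype
    (a constructed stand-in for the parsed UDP/DNS headers).  A reply
    failing any one check is dropped and the query stays outstanding.
    """
    return (reply["src_ip"] == query.server_ip
            and reply["dst_port"] == query.sport
            and reply["txid"] == query.txid
            and reply["qname"].lower() == query.qname
            and reply["qtype"] == query.qtype)

def search_space(randomise_port):
    """Number of (ID, port) combinations a blind forger must cover per query."""
    ports = PORT_MAX - PORT_MIN + 1 if randomise_port else 1
    return (1 << 16) * ports

if __name__ == "__main__":
    q = OutstandingQuery("192.0.2.53", "www.google.nl.", "A")  # constructed server IP
    print("fixed port:", search_space(False), "randomised:", search_space(True))
```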

What method was used?

The Bright article doesn’t make it really clear which spoofing method was used in this case. The article mentions that ‘various versions of popular nameserver software [..] allow this kind of “spoofing”’, which would point to the old cache poisoning method.

The fact that the hacker claimed to ‘represent a group of network managers who maintain the most important nodes on the internet’, and the fact that the attacker asked for the IP number of the victim, seem to strongly suggest a man-in-the-middle attack. If this is true, it would be a very serious problem, because there is really nothing that can easily be done to fix it, and it could also be used to rob on-line banking users of their secret codes or credit card numbers.


Help is on the way though: over the last few years there has been some pretty strong development on DNSsec, a system in which DNS messages are digitally signed and can thus be verified for their integrity. This helps solve the second kind of DNS spoofing, because a man in the middle cannot change a DNS message without that being noticed. Still, it does not help if the DNS servers themselves are hacked into, which may be the case in the current situation.

Currently, DNSsec is supported by the one dominant player on the DNS market: BIND. I am planning to add support for DNSsec to Posadis eventually. Also, DNSsec won’t be useful until major registrars start using it. This may take some more years.

The Dutch domain registrars are pretty busy implementing DNSsec, but it’s hard to do that until people get a feeling this is a serious problem. Since the whole story of being contacted over IRC by unknown Americans does seem a little remarkable, here’s my little conspiracy theory: the good people at Nlnetlabs, who are pretty busy with DNSsec, are behind this to get the insecurity of DNS out in the media. Think about it: they had the motive, because they want to get DNSsec implemented, and the means: being involved with the Amsterdam Internet Exchange, they could trivially control DNS traffic for specific IP numbers in the Netherlands. Time will tell… This article certainly has helped them in getting the DNS security problems noticed by the media. Wonder whether the news tonight is going to mention this…


After the publication of the article, weblogs GeenStijl and GoedZo reported that the news article was apparently a hoax to attract attention to the first edition of the magazine.

SANS, an authority on internet security, called the article FUD:

The article itself claims people on the net offer shady sites traffic skimmed off of the normal flow, one hit a victim, one URL, inside a site like Google or CNN … pretty advanced sounding scheme if it is true. However the article next jumps to DNS tricks like cache poisoning. True, DNS cache poisoning is real and they have plenty of experts to talk about DNS issues. But the thing is that no DNS trick will redirect just one URL of CNN.com. Something else will be needed to achieve that.

The weak point of “just one URL” refers to this part of the article:

Verheul was asked to go to the website of CNN, and to click on a particular link.

This in itself is no proof that the article is fake, since the link could have been to another domain name inside the CNN website (e.g. europe.cnn.com), or the word “particular” is wrong and the user was asked to click any link. When asked, people at Bright claimed:

Indeed, the fact that DNS spoofing exists is not news; it has existed for some time. What is news, is the fact that criminals are now actually offering it.

Nothing new here; the article never claimed that DNS spoofing was really new. Still, the fact that the story of the criminals offering spoofing is backed by only one person makes that claim a bit weak.

As a side note, the author of the article, self-proclaimed Internet guru Francisco van Jole, has a weekly column in a Dutch television programme on lies and errors in the media called “De Leugen Regeert”, which would make it particularly interesting if Van Jole himself had made up stories in one of his articles. The story seems to have died away by now, but I’ll keep you posted if there’s more news.

dns/news/20050202-bright-ip-spoofing.txt · Last modified: 2005/02/27 17:08
Copyright © Meilof Veeningen, 2002-2005