[NNOT] Re: dns poisoning?

Joel rees at ddcom.co.jp
Fri Mar 11 01:46:03 UTC 2005


On Thu, 10 Mar 2005 09:33:48 +0100
Iago Rubio <iago.rubio at hispalinux.es> wrote

> On Thu, 2005-03-10 at 11:08 +0900, Joel wrote:
> > Sorry for the cross-post.
> 
> It's off topic here.

Really? You don't want to talk about it on the developers' list if
someone might be attempting to subvert developers' resources to mount an
indirect attack on redhat's servers? 

> It's the fedora development list, not the redhat
> support list.
> 
> It even could be off topic for the redhat support crew, and you should
> contact your ISP reporting possible attacks on their DNS servers.

That's one place to contact, but the techniques talked about over the last
weekend included using viruses, spyware, etc., to compromise _local_ DNS
caches.

> Only if you know the redhat DNSs have been taken down - hijacked - you
> should contact redhat - not the fedora's development list.

Two reasons for posting this to the two lists I did, one is that I felt
it warranted a general heads-up, the other is that I _personally_ wanted
to get a bead on the range of the attack. Since nobody else is
responding, I'm suspecting I need to dig into this stupid MSWxxx box's
registry and look around. 

Nonetheless, the heads-up is not particularly off-topic. I'm not the
only one who posts to this list from an MSWxxx box for the convenience
of the company.

> > I just tried to access bugzilla.redhat.com on a MSWxp box (Firefox) and
> > got a certificate dialog. (You know, "This certificate does not appear
> > to be valid. Etc." which is really poor wording, anyway.)
> 
> There are more words in the firefox certificate dialog.
> 
> > I panicked and cancelled (good) 
> 
> Bad, no need for panic, and you lost what had happened.

On this list I assumed that would go without saying.

But it is probably worth emphasizing that panicking is always bad, and
getting information should always take priority.

> Even if someone was able to drive a man-in-the-middle attack, it'll not
> eat your box just for reading the certificate or going to the spoofed
> page.
> 
> To "panic and unplug" is one of the worst things you can do when an
> attack is in place. You will be clueless about what had happened.
> 
> > without looking at the certificate first
> > (bad). 
> 
> Agree.
> 
> > Shut down Firefox. Went to my FC box and tried from there. Access
> > completed as it has in the past, redirecting me successfully to https
> > without any certificate dialog. So I tried again from the MSWxp box and
> > this time there was no certificate dialog. It connected me via ssl the
> > way it usually does.
> > 
> > There was a lot of news yesterday about dns poisoning.
> 
> If both boxes used the same DNS server, both boxes should have been
> fooled.

 ... assuming the poison was not put in the MSWindows box's own cache by
some malware, which was one of the techniques mentioned last weekend.

> Frankly, I don't see a reason for anyone to spend the effort of driving
> a man-in-the-middle attack on bugzilla.
> 
> To harvest a bugzilla password ? Sounds weird, uh ?

Hey, since the reputation of Linux is now under attack, I'm not going to
assume anything is too weird to try. Besides, indirect attacks are known
to be at least as likely to find open doors as direct attacks.

> > Anyone else seen something like this?
> 
> Unfortunately you don't know what had happened, so it's quite difficult
> to say if anyone has seen ... what?

And I'm still kicking myself for that. I'm _not_ looking forward to
taking a long hike through an MSWindows box's registry, particularly
when the boss is likely to insist that I not do it on company time. May
be cheaper in the boss's pov to just back out my data and re-install.
(Do I really need to be verbose about that, too?)

> It'll be better next time to try to gather all the information you can
> to identify the problem.

Which is why I figured the heads-up was important. If someone else sees
this, hopefully they will remember to look at the cert before they
cancel.

--
Joel Rees   <rees at ddcom.co.jp>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **
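The thread's practical lesson is that the useful evidence (what the local box resolved the name to, whether the hosts file or local cache had been tampered with, and which certificate was actually presented) was lost by cancelling the dialog. The script below is an added example written for this page, not code from either poster: it collects exactly those facts. The hosts-file paths, the resolver names and the sample data are assumptions constructed for the demo; the hostname bugzilla.redhat.com is the one from the thread, and the "DER" placeholder bytes are not a real certificate.

```python
"""Evidence to gather before dismissing a TLS certificate warning.

Added example for this thread (not from the original post). The helpers run
on constructed input so they work offline; collect_live() does the real
lookups and only runs when a hostname is passed on the command line.
"""
import hashlib
import socket
import ssl
import sys

# Assumed hosts-file locations (not stated in the original post).
HOSTS_PATHS = {"win32": r"C:\Windows\System32\drivers\etc\hosts",
               "posix": "/etc/hosts"}


def hosts_overrides(hosts_text, hostname):
    """Addresses a hosts file pins for hostname (names compared case-insensitively).

    Malware that poisons the local box rather than the ISP's resolver often
    does it here, which is why two boxes on the same DNS server can disagree.
    """
    pinned = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            pinned.append(addr)
    return pinned


def disagreeing_resolvers(answers):
    """Given {resolver_label: set_of_addresses}, return the labels whose answer
    differs from the majority answer. Empty list means everyone agrees."""
    if not answers:
        return []
    votes = {}
    for label, addrs in answers.items():
        votes.setdefault(frozenset(addrs), []).append(label)
    majority = max(votes.values(), key=len)
    return sorted(label for label in answers if label not in majority)


def cert_fingerprint(pem):
    """SHA-256 fingerprint of a PEM certificate as colon-separated uppercase hex.

    Record this, plus issuer and subject, *before* cancelling: a fingerprint
    that differs from what the other box sees is the evidence the thread lacked.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def collect_live(hostname, port=443):
    """System-resolver answer, hosts-file pins and the certificate actually
    presented. Verification is disabled on purpose so a spoofed certificate is
    captured instead of rejected; this function never sends credentials."""
    report = {"resolved": sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port)})}
    path = HOSTS_PATHS["win32" if sys.platform.startswith("win") else "posix"]
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            report["hosts_pins"] = hosts_overrides(fh.read(), hostname)
    except OSError:
        report["hosts_pins"] = []
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE         # we want the cert, not a failure
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            report["cert_sha256"] = cert_fingerprint(ssl.DER_cert_to_PEM_cert(der))
    return report


# ---- constructed sample data (not real observations) ----------------------
CONSTRUCTED_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
# the kind of line malware adds to poison the local box:
192.0.2.10      bugzilla.redhat.com BUGZILLA.REDHAT.COM www.redhat.com
"""
CONSTRUCTED_ANSWERS = {"local cache (MSWxp box)": {"192.0.2.10"},
                       "ISP resolver": {"198.51.100.7"},
                       "FC box resolver": {"198.51.100.7"}}
CONSTRUCTED_DER = b"abc"                    # placeholder bytes, not a certificate
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)

if __name__ == "__main__":
    print("hosts pins:", hosts_overrides(CONSTRUCTED_HOSTS, "bugzilla.redhat.com"))
    print("disagreeing:", disagreeing_resolvers(CONSTRUCTED_ANSWERS))
    print("fingerprint:", cert_fingerprint(CONSTRUCTED_PEM))
    if len(sys.argv) > 1:
        print(collect_live(sys.argv[1]))
```

Run it with no arguments to see the offline checks on the constructed data; pass a hostname to perform the live lookups on the box that showed the warning, then run the same command on the box that did not and compare the three fields. A hosts-file pin or a resolver that disagrees with the others points at the local machine, not the ISP; a matching fingerprint on both boxes means the certificate warning had another cause.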