Viral DNS Attack, DDos Idea

[Major Variola (ret)]

At 05:46 PM 8/15/03 -0700, Bill Stewart wrote:
>At 01:19 PM 08/15/2003 -0700, Major Variola (ret.) wrote:
>>Suppose malware appends a bogus entry to an infected machine's
>>/etc/hosts (or more likely, MSwindows' \windows\blahblah\hosts file).
>>(This constitutes a DNS attack on the appended domain name, exploiting

>>the local hosts' name-resolution prioritization.)
>>If the appended IP address points to the
>>same victim (66.66.66.66) on all the virus-infected machines,
>>and the appended (redirected) domain name is popular ("google.com"
>
>Cute, but sounds like a lot of work compared to other obvious attacks
>you could do if you're spreading a virus anyway.

Yes if you have virally owned a machine you can do much nastier.
But this attack has the advantage that its effects would not be
immediately recognized, nor could they be fixed in one spot
once detected.

Evolved diseases don't kill their hosts.  Google is too useful
to redirect.  On the other hand, you can redirect an entire
TLD (eg .mil), albeit on one machine at a time. Try doing that
to one of The DNS Roots (pbut).

>The more popular version of this attack is to try to hack DNS servers,
>or poison DNS requests, so that DNS requests for google report the
wrong thing.

Yes I've followed discussions about SecDNS etc before.

The cute part of the local hostsfile attack is that local machines
are *not* administered competently, whereas DNS servers
(and even ISP caches) are more likely tended better.

>One problem with hacking the hosts files is that
>different versions of Windows tend to put them in different places,
>though perhaps if you target XP and 2000 and ME and 98
>it's consistent enough to work.

OS detection is trivial once in.. as is file/path detection.  I bet a
javascript
program could do it, if the client security settings (ACLs) were poor.

>The real question is whether the bad guys would redirect to a victim,
>or to a fake web server run by them, so they could hand out
>bogus responses, such as redirects to various places around the web,
>potentially along with some advertising banners.

That's the virus author's choice, of course.  In fact, I first thought
of
the attack as a DNS-redirect on domain names ---intending on random
(or even localhost) misdirection.  Upon thinking about it, the
utility of all those 9AM Monday clicks became apparent.

Diagnosing the situation would be a bushel of fun in the first hours
either way.

>If it's a virtual server machine, though, you can't do that
>without disrupting all the clients on it, which is too bad;

Hadn't thought of virtual servers... "all your eggs in one basket" :-)

>If it's a router, that's a more interesting problem,

You're right, routers merely drop port 80 incoming,
any router DoS depends on sheer bandwidth --say
routing the NYTimes.com clicks to Podunk-BackwaterTimes.com

>because many routers have wimpy CPUs and do the routine work in ASICs -

ASICs are great except for exception handling, which is a vulnerability.

I was working on Intel's network processors earlier
this year.  Amazing chips--they have hardware support for everything you

do in an IP stack, buttloads of memory controllers, I/O up the kazoo,
and a dozen hardware-supported
thread contexts (hyperthreading) on each of a dozen high-clockrate RISC
engines.
But they all defer exception packet processing to the onboard ARM, which
might
alert the host system or at least log the exception by incrementing a
counter.  But the ARM is not as fast as the threads
and could perhaps be overwhelmed.  Perhaps the subject of a future
Gedanken Design Idea.

-----

"When the rotary telephone first came out, people
said, 'You mean I have to dial seven numbers?' "