Security lab warns of possible Chinese ISP DNS exploit
An apparent case of DNS poisoning in the caches of a major China-based ISP is causing extra concern today, in light of security engineer Dan Kaminsky's recent warnings about just how serious a cache poisoning exploit could become.
Visual evidence posted by security company WebSense earlier this week shows DNS resolution calls, placed to the IP address of Chinese ISP Netcom using the command line tool nslookup, being redirected to a completely different source whose IP address is linked to China. There, WebSense says, instead of the user's regular home page or Web mail, he sees links to exploits for RealPlayer, Adobe Flash Player, and Microsoft Snapshot Viewer.
Although it publishes its own financial status like a public corporation, China Netcom is one of four pillars of that country's state-run telecommunications system, which collectively reaps the equivalent of $160.2 billion in revenue per year, according to a report by China's Xinhua press released just today. In an annual report last March, China Netcom reported serving 19.768 million broadband subscribers, at an annual growth rate of 37%; and 110.82 million dial-up subscribers, declining by 2.8% annually.
DNS cache poisoning is certainly not a new concept. In fact, it could very well date back to the Master's thesis of then-Purdue student Christoph Schuba in 1993. "Because the Domain Name System is distributed among many thousands of hosts, it can be a critical mistake to blindly trust the resolved binding," Schuba wrote 15 years ago. "This thesis shows that under some assumptions it is no major effort to falsify the host name and authorization for a system."
Despite that fact, many press sources today came to the conclusion that the Netcom incident was caused by the specific exploit discovered by Doxpara security researcher Dan Kaminsky, whose details, he admitted, were revealed by way of public speculation late last month. WebSense's research has only uncovered evidence that a DNS exploit had occurred through cache poisoning, though it is probably impossible to discern through that evidence alone whether the method used was Kaminsky's.
A check by BetaNews this afternoon of whether Netcom's DNS server was resolving addresses accurately revealed no redirection taking place.
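The checks WebSense and BetaNews describe above both come down to the same comparison: query the ISP's resolver with nslookup and see whether the answers match what a trusted resolver returns. The script below is an added example and is not code from the article, from WebSense or from BetaNews; it parses two nslookup transcripts (one from a trusted resolver, one from the resolver under suspicion) and reports every name whose answer contains an address the trusted resolver never returned. The transcripts, hostnames and IP addresses are constructed for the example, using RFC 5737 documentation ranges rather than real hosts.

```python
import re
from typing import Dict, Set

# Constructed sample transcripts in the style of Unix nslookup output.
# All addresses come from RFC 5737 documentation ranges (not real hosts).
TRUSTED_TRANSCRIPT = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tmail.example.com
Address: 198.51.100.10
Name:\twww.example.com
Address: 198.51.100.20
Address: 198.51.100.21
"""

# Same names queried against the resolver under suspicion; www.example.com
# comes back pointing somewhere the trusted resolver never mentioned.
ISP_TRANSCRIPT = """\
Server:\t\t203.0.113.1
Address:\t203.0.113.1#53

Non-authoritative answer:
Name:\tmail.example.com
Address: 198.51.100.10
Name:\twww.example.com
Address: 203.0.113.99
"""


def parse_nslookup(text: str) -> Dict[str, Set[str]]:
    """Return {hostname: set of answer IPs} from nslookup output.

    Handles the Unix 'Name:/Address:' layout and the Windows
    'Addresses:' layout with indented continuation lines. The resolver's
    own 'Server:/Address:' header is skipped because it precedes any Name:.
    """
    answers: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = re.match(r"Name:\s*(\S+)", stripped)
        if m:
            current = m.group(1).rstrip(".").lower()
            answers.setdefault(current, set())
            continue
        if current is None:
            continue  # header lines before the first Name: are the resolver itself
        m = re.match(r"Address(?:es)?:\s*(\S+)", stripped)
        if m:
            answers[current].add(m.group(1))
        elif line[:1].isspace() and re.fullmatch(r"[0-9A-Fa-f.:]+", stripped):
            answers[current].add(stripped)  # Windows-style continuation line
    return answers


def find_divergent(trusted: Dict[str, Set[str]],
                   observed: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Report names whose observed answers contain IPs absent from the trusted set."""
    report: Dict[str, dict] = {}
    for name, trusted_ips in trusted.items():
        unexpected = observed.get(name, set()) - trusted_ips
        if unexpected:
            report[name] = {"expected": sorted(trusted_ips),
                            "unexpected": sorted(unexpected)}
    return report


def check_transcripts(trusted_text: str, observed_text: str) -> Dict[str, dict]:
    """Parse both transcripts and return the divergence report."""
    return find_divergent(parse_nslookup(trusted_text), parse_nslookup(observed_text))


if __name__ == "__main__":
    for name, detail in check_transcripts(TRUSTED_TRANSCRIPT, ISP_TRANSCRIPT).items():
        print(f"{name}: trusted answer {detail['expected']}, "
              f"unexpected answer {detail['unexpected']}")
```

A divergent answer is a reason to investigate, not proof of poisoning on its own: CDNs and geographically distributed DNS legitimately return different addresses to different resolvers, so the trusted baseline should come from a resolver in the same region, and a flagged address should be checked against the domain's authoritative servers before drawing the conclusion WebSense drew.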