Overcoming a DNS Attack
30 11 08 - 00:53

Last summer Kaminsky outlined a flaw in DNS that could be used to make DNS cache poisoning attacks easier. The public comment period for the introduction of DNSSEC has ended, but it hasn’t been implemented yet. This weekend, I found myself unable to visit Yahoo! services when all the DNS entries came out wrong. Was it a DNS poisoning attack, or just a misconfiguration? I don’t know, but I wasn’t about to spend Sunday without my live Fantasy scores updating. Here’s how I worked around the problem, and how you could “fix” an attack against your favorite servers, too.
My first clue that something was wrong came when clicking my bookmark for Yahoo! Fantasy Sports came up with a DNS error. This is a good reason not to allow your browser to provide “Friendly errors” like IE does by default — it’s not enough to know a site isn’t available, you should want to know why a site isn’t available. After two days, I was curious why it hadn’t come back up, and a quick Google revealed nobody else was having the problem. This tells me it’s probably a localized DNS issue, where my ISP has a bad DNS cache. Could this be a DNS attack in progress? Perhaps, but I’m not going to investigate that, I just want my Yahoo! back!
The first thing I did was to verify that indeed the site was functional. Using TOR, I verified that I could log into the site from England. That confirms it — it’s a localized problem. I could just use TOR to check my fantasy scores, but that’s slow and abusive of TOR’s limited bandwidth. I switched TOR off at this point, having verified that I just needed to correct my ISP’s faulty DNS servers.
Next I hopped over to DNS Tools, one of hundreds of free web sites that allow DNS queries to be entered via the web. By using a DNS server other than my ISP’s, I will get different, and hopefully correct, results. Sure enough, fantasysports.yahoo.com gave me an IP address while querying my ISP’s server gave me nothing. Success!
I then edited my hosts file (on Linux it’s /etc/hosts, older versions of Windows have it at /Windows/hosts, newer versions put it at /WINNT/system32/drivers/etc/hosts). All I need is one line telling my computer not to query a DNS server for this site, but to use a static IP address:
98.136.70.92 fantasysports.yahoo.com
Loaded my bookmark in Opera, and it works! Success! Except I click on the link to log in, and then it dies again. I notice that it’s trying for a different server, so I repeat the process twice more until I get this:
98.136.70.92 fantasysports.yahoo.com
98.136.70.92 football.fantasysports.yahoo.com
98.136.60.78 sports.yahoo.com
Now everything seems to be working fine. I can browse through all my fantasy pages without any hitches. But what about the Flash applet that tracks scores in real time? Can I get to it? I click the button, and no… Just a blank page. Not even an error. Now it’s getting more complicated. I turn to the web hacker’s favorite tool – “View Source”. What I find is a new server hosting the Flash applet:
<embed src="http://aud.sports.yahoo.com/nfl/nfl125.swf">
aud.sports.yahoo.com? I look that one up in DNS Tools, and stick it into my hosts file. Click reload, and my applet loads up! I feel really proud of myself, until I notice that all my players are listed as having a bye week, and the score is zero-zero despite having played games on Thursday. Something is definitely not right, and it’s time for a new tactic.
I can’t easily view the source of a Flash applet, so I decide to do the next best thing. I fire up Wireshark, a protocol analyzer/packet sniffer. I start capturing all the traffic on my network, press reload, then stop the capture, grabbing only 129 packets. That’s a small enough sample that it’s really easy to look through… especially since I’m only looking for DNS queries. It turns out there are eight DNS queries, all sent in rapid succession, and all for the same server — aud1.sports.mud.yahoo.com. Okay, so that’s easy to fix, right? One more entry into the hosts file.
If you were curious, the eight queries all got responses from my DNS server. The server responded back with a response that had no error codes, yet the IP field in the packet was blank. Go figure. Does this mean it’s an attack or a misconfiguration? I don’t know.
So I click reload, and … no dice. I still see all my players as having a bye week. Undeterred, I turn Wireshark back on, and do another capture. As I suspected, this time it went to aud4.sports.yahoo.com. A little trial and error with DNS Tools confirmed that aud1 through aud10 were valid domain names, and they went to sequential IP addresses. I put all ten into my hosts file, and … it works! Like magic, everything is working flawlessly.
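The symptom in the capture above (a reply with RCODE 0 but no address in it) is easy to spot by hand in 129 packets, but it is also easy to check mechanically. Here is a small DNS response parser and classifier, added here as an example and not part of the original post; it builds its own constructed sample replies rather than reading a capture file, and the query ID, TTL and names used in them are made up.

```python
import struct

def _read_name(buf, off):
    """Read a DNS name at offset off, following RFC 1035 compression pointers."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                       # 2-byte pointer into the packet
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(buf):
    """Return the RCODE and every A record (name, dotted IP) in a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", buf[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(buf, off)
        off += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((name, ".".join(str(b) for b in buf[off:off + 4])))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": answers}

def classify(resp):
    """Label the reply: NOERROR with no A record is the case worth a second look."""
    if resp["rcode"] == 3:
        return "nxdomain"
    if resp["rcode"] != 0:
        return "error"
    return "ok" if resp["answers"] else "noerror-empty"

def build_response(qname, ips, rcode=0):
    """Constructed sample reply (not a real capture): one A record per IP, QR/RD/RA set."""
    qn = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    body = qn + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    for ip in ips:
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + body
```

Feed `parse_response` the UDP payload of each DNS reply from a capture and the classifier separates a healthy answer from the empty NOERROR replies described above.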
In case you got here through a Google attempt to fix Yahoo! sports, here’s the end result in my hosts file:
98.136.70.92 fantasysports.yahoo.com
98.136.70.92 football.fantasysports.yahoo.com
98.136.60.78 sports.yahoo.com
209.191.123.12 aud.sports.yahoo.com
64.215.156.33 us.i1.yimg.com
209.191.123.227 aud1.sports.mud.yahoo.com
209.191.123.228 aud2.sports.mud.yahoo.com
209.191.123.229 aud3.sports.mud.yahoo.com
209.191.123.230 aud4.sports.mud.yahoo.com
209.191.123.231 aud5.sports.mud.yahoo.com
209.191.123.232 aud6.sports.mud.yahoo.com
209.191.123.233 aud7.sports.mud.yahoo.com
209.191.123.234 aud8.sports.mud.yahoo.com
209.191.123.235 aud9.sports.mud.yahoo.com
209.191.123.236 aud10.sports.mud.yahoo.com
This all took a lot longer to explain than to do. Total time to fix this problem was about five minutes, and now you can do the same if you find your ISP’s domain servers are broken. If your ISP’s domain server is REALLY hosed, add a hosts entry mapping dnstools.com to 74.52.112.155, so you can do your queries off their servers. Simple, right?