I don't see any way to protect against this aside from suggestions to use DNSSEC or SSL (or only use otherwise secured or switched networks). In practice the attack might be complicated by the client. It's entirely possible the victim's resolver will get the 2nd response and cache that -- who knows.

> But wow, I'm amazed this doesn't happen more. It seems like this would be
> the most obvious way to spread a virus. Indeed, I could imagine creating a
> proxy that auto-infects every executable file that comes through it (just add
> a silent rootkit installer that runs before the real installer).

For one, you're limited to attacking whomever happens to be installing software on your unencrypted wlan. MITM'ing some company's autoupdater is probably your best hope, but those likely use SSL or some form of content verification before executing. The attack seems too limited to be a very effective virus propagator to me, but I've never tried to propagate a virus. Might be a useful cookie fisher maybe, but they'd be non-SSL cookies, so they're probably worthless. You could probably induce panic at your local Starbucks by spoofing cnn.com or something. Might be a good way to clear the place out if you need a seat.

-Andy

-----Original Message-----
From: David Barrett [mailto:dbarr...@quinthar.com]
Sent: Monday, May 25, 2009 3:53 PM
To: theory and practice of decentralized computer networks
Subject: Re: [p2p-hackers] DNS hijacking?

True, but it seems unnecessarily hard core: it affects all your traffic, which means you need to do a lot more work than set up a simple HTTP gateway. Furthermore, the DNS approach lets you selectively hijack those specific domains that you have an attack package ready for: there's no value in hijacking a domain you aren't prepared to abuse, as it just increases the chance of detection.

But wow, I'm amazed this doesn't happen more. It seems like this would be the most obvious way to spread a virus. Indeed, I could imagine creating a proxy that auto-infects every executable file that comes through it (just add a silent rootkit installer that runs before the real installer).

-david

Alex Pankratov wrote:
> The exact same effect can be achieved with ARP spoofing. The hijacker
> simply convinces your machine that he is a default gateway, and voila,
> he has full access to all your Internet-bound traffic.
>
> Alex
>
>> -----Original Message-----
>> From: p2p-hackers-boun...@lists.zooko.com [mailto:p2p-hackers-boun...@lists.zooko.com] On Behalf Of David Barrett
>> Sent: May 25, 2009 2:47 PM
>> To: theory and practice of decentralized computer networks
>> Subject: Re: [p2p-hackers] DNS hijacking?
>>
>> It's not eavesdropping I'm concerned about. I'm thinking with this
>> attack you could inject malicious code into otherwise innocuous HTTP
>> traffic. For example, you might add an "Install the latest Google
>> Toolbar!" link straight into the live, functional Google homepage,
>> and even make that link look like it's coming straight from
>> http://google.com, but then host a virus-infected version of Google
>> Toolbar.
>>
>> -david
>>
>> Tien Tuan Anh Dinh wrote:
>>>> I'm primarily thinking of a wifi office or internet cafe; can't
>>>> everybody sniff everybody else's traffic (including DNS requests)? Does
>>>> this mean that every wifi network is vulnerable to this really easy
>>>> attack, and there's basically no defense other than upgrading all of DNS?
>>> When your traffic is in plain-text while you're in a wifi cafe, you give
>>> your privacy to the one operating that access point already.
>>>
>>> https was designed for these scenarios. When your traffic is sensitive,
>>> use https.
>>>
>>> I'm wondering what one would gain by eavesdropping unimportant traffic
>>> of others in an Internet cafe? I'm not sure if this attack can cause any
>>> noticeable damage.
>>>
>>> A.

_______________________________________________
p2p-hackers mailing list
p2p-hackers@lists.zooko.com
http://lists.zooko.com/mailman/listinfo/p2p-hackers
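The race Andy describes at the top of the thread (the victim's resolver takes whichever response arrives first, and a second response with the same transaction ID but different answers is the tell-tale of a spoofing attempt on a shared wlan) can be watched for on the network side. The following is an added example, not code from the thread or from any of the posters: a minimal DNS response parser plus a detector that flags a second response for the same (transaction ID, query name) whose A records disagree with the first. The two responses it feeds through are constructed in the code from the documentation address ranges (192.0.2.0/24 and 198.51.100.0/24) rather than captured; on a real network the packets would come from a capture on the access point or a passive sensor.

```python
import struct
from dataclasses import dataclass


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(txid: int, qname: str, ips: list, ttl: int = 300, compress: bool = False) -> bytes:
    """Construct a minimal DNS response carrying A records (sample traffic only).

    With compress=True the answer owner name is a pointer (0xC00C) to the question
    name at offset 12, which is how most real servers emit it.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    owner = b"\xc0\x0c" if compress else encode_name(qname)
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += owner + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def parse_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


@dataclass(frozen=True)
class DnsAnswer:
    txid: int
    qname: str
    a_records: tuple  # sorted dotted-quad strings


def parse_response(data: bytes) -> DnsAnswer:
    """Parse header, first question and the A records of the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset, qname = 12, ""
    for _ in range(qdcount):
        name, offset = parse_name(data, offset)
        offset += 4                                     # QTYPE + QCLASS
        qname = qname or name
    ips = []
    for _ in range(ancount):
        _, offset = parse_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return DnsAnswer(txid, qname.lower(), tuple(sorted(ips)))


class SpoofDetector:
    """Remember the first answer seen per (txid, qname); flag later ones that disagree."""

    def __init__(self):
        self.seen = {}      # (txid, qname) -> a_records of the first response
        self.alerts = []    # human-readable findings

    def observe(self, packet: bytes) -> bool:
        ans = parse_response(packet)
        key = (ans.txid, ans.qname)
        first = self.seen.setdefault(key, ans.a_records)
        if first == ans.a_records:
            return False    # first sighting, or an identical retransmit
        self.alerts.append(f"conflicting answers for {ans.qname} txid={ans.txid:#06x}: {first} vs {ans.a_records}")
        return True


def run_demo():
    """Constructed scenario: real answer, forged answer with the same txid, then a retransmit."""
    det = SpoofDetector()
    legit = build_a_response(0x1A2B, "example.com", ["192.0.2.10"], compress=True)
    forged = build_a_response(0x1A2B, "example.com", ["198.51.100.7"])
    flags = [det.observe(legit), det.observe(forged), det.observe(legit)]
    return flags, det.alerts


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The detector deliberately keys on the transaction ID as well as the name: a later, separate lookup that legitimately returns a different address (round-robin, CDN) has a fresh ID and is not flagged, while a forged response racing the real one must reuse the ID the client sent and so collides. In practice the `seen` map needs an expiry (a few seconds, the length of a resolution) so it does not grow without bound, and an alert on a shared wlan is a reason to stop trusting plaintext HTTP on that network, which is the same conclusion the thread reaches.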