Re: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO routers with compromised DNS settings

Tony Finch <dot@dotat.at> Fri, 07 March 2014 09:21 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18BD41A0115 for <dnsop@ietfa.amsl.com>; Fri, 7 Mar 2014 01:21:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3KMw9Pb4JxDS for <dnsop@ietfa.amsl.com>; Fri, 7 Mar 2014 01:20:59 -0800 (PST)
Received: from ppsw-40.csi.cam.ac.uk (ppsw-40-v6.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f40]) by ietfa.amsl.com (Postfix) with ESMTP id 804BC1A012B for <dnsop@ietf.org>; Fri, 7 Mar 2014 01:20:59 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:57629) by ppsw-40.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:25) with esmtpa (EXTERNAL:fanf2) id 1WLqxX-0005KX-kE (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Fri, 07 Mar 2014 09:20:51 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1WLqxX-0000vY-7q (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Fri, 07 Mar 2014 09:20:51 +0000
Date: Fri, 7 Mar 2014 09:20:51 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.10.1403070357140.10354@bofh.nohats.ca>
Message-ID: <alpine.LSU.2.00.1403070910170.19416@hermes-1.csi.cam.ac.uk>
References: <CF3EB0AB.69171%york@isoc.org> <alpine.LFD.2.10.1403070357140.10354@bofh.nohats.ca>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1870869256-770812748-1394184051=:19416"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/NlfqErpY56i7Ve0mQ8w7k97m9GY
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Dan York <york@isoc.org>
Subject: Re: [DNSOP] DNS privacy and Team Cymru's report on 300, 000 SOHO routers with compromised DNS settings
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Mar 2014 09:21:02 -0000

Paul Wouters <paul@cypherpunks.ca> wrote:
> On Thu, 6 Mar 2014, Dan York wrote:
>
> > I don't even see DNSSEC helping much here, either, given that the
> > attacker could just strip out the DNSSEC info (unless, perhaps, the
> > home computers were running full (vs stub) recursive resolvers that
> > also did DNSSEC-validation).
>
> If the domains were signed, even if you used the rogue DNS as forwarder,
> you would at least notice you are under attack.

As I understand it from the CERT Polska report, the aim of the malware is
to send people to a phishing site instead of to legit banking sites etc.

http://www.cert.pl/news/8019/langswitch_lang/en
(if you get a redirect try reloading the link)

If properly deployed, with validation on the users' end hosts, DNSSEC
would absolutely have prevented this attack from successfully stealing
banking credentials.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Northwest FitzRoy, Sole: Northerly, backing southerly later, 4 or 5,
increasing 6 or 7, perhaps gale 8 later. Rough or very rough. Rain or drizzle.
Moderate occasionally poor.