DNS spoof successful
Summary
Two responses were received when looking up a computer name. This might indicate an attempt to redirect the system from a well-known website to a hostile website.
Details
When visiting a website such as http://www.example.com, the system must first resolve the name into an IP address using DNS. This is similar to how you must look up someone's name in the phone book in order to dial their telephone number.
There is a hacker technique that can sometimes force a duplicate reply to the DNS lookup. Using the phone book analogy, it is similar to calling 411/information for somebody's number and getting back two replies. Imagine a hacker breaking into the phone system such that the first number you heard was the hacker's. The hacker who broke into the telephone system might use this technique to redirect people buying with credit cards to his own phone number, then pretend to be the real vendor, then steal the credit card numbers. In much the same way, hackers use this DNS spoof to redirect people to their own website.
False Positives
This symptom is caused when two different copies of a DNS response have been received. However, we are finding that home users are seeing such behavior from ISPs. Some ISPs attempt to redirect users through their own caching servers. Therefore, this "spoof" symptom doesn't actually indicate a hostile attack.
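The check described above, sketched in Python as an added example (it is not part of the original page or the product's own detection code). The record layout, the `classify_lookups` name and the two-second window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: (time_s, client, txid, qname, answer IPs)
RESPONSES = [
    (0.010, "192.0.2.10", 0x1A2B, "www.example.com", ("203.0.113.80",)),
    (0.012, "192.0.2.10", 0x1A2B, "www.example.com", ("198.51.100.66",)),
    (1.500, "192.0.2.10", 0x2C3D, "mail.example.com", ("203.0.113.25",)),
    (1.504, "192.0.2.10", 0x2C3D, "mail.example.com", ("203.0.113.25",)),
    (2.000, "192.0.2.10", 0x3E4F, "ftp.example.com", ("203.0.113.21",)),
]


def classify_lookups(responses, window=2.0):
    """Group DNS responses by lookup and label each lookup.

    'single'    - one response, the normal case
    'duplicate' - several responses that all carry the same answers
    'conflict'  - several responses with different answers: the symptom
                  this page describes (an ISP caching server can also
                  produce it, so it needs review, not automatic blocking)
    """
    by_lookup = defaultdict(list)
    for ts, client, txid, qname, answers in responses:
        # DNS names are case-insensitive; a trailing dot is the root label.
        key = (client, txid, qname.lower().rstrip("."))
        by_lookup[key].append((ts, frozenset(answers)))

    verdicts = {}
    for key, seen in by_lookup.items():
        seen.sort(key=lambda rec: rec[0])
        first_ts = seen[0][0]
        # Only responses close to the first one belong to the same lookup;
        # transaction IDs are 16-bit and get reused over time.
        in_window = [ans for ts, ans in seen if ts - first_ts <= window]
        if len(in_window) == 1:
            verdicts[key] = "single"
        elif len(set(in_window)) == 1:
            verdicts[key] = "duplicate"
        else:
            verdicts[key] = "conflict"
    return verdicts


if __name__ == "__main__":
    for (client, txid, qname), verdict in classify_lookups(RESPONSES).items():
        print(f"{client} id=0x{txid:04x} {qname}: {verdict}")
```
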
Details
See DNS spoofing for more information.
Version appeared: