MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2005

MA-090.042005: MyCERT Special Alert - DNS Cache Poisoning Attack

Original Issue Date: 5th April 2005

MyCERT has received information from reliable and trusted sources regarding a new DNS cache poisoning attack in which several malicious DNS servers, with the IP addresses 218.38.13.108 and 216.127.88.131, are redirecting Internet traffic to malicious websites at the IP addresses 209.123.63.168, 64.21.61.5, 205.162.201.11, and 217.16.26.148. These websites install malicious programs onto workstations that visit them.

The compromised DNS servers are poisoning the entire .COM domain around the globe. News of the attacks comes amid increasing reports of pharming scams and statistics that show at least 1,300 Internet domains were redirected to compromised Web servers in a similar attack that occurred in early March this year.

The impact of this attack is that these websites are installing malicious programs onto machines that visit them.

Preventive measures against this attack are as below:

  1. Restrict access to the following IP addresses:

    1. 209.123.63.168 (Malicious website)
    2. 64.21.61.5 (Malicious website)
    3. 205.162.201.11 (Malicious website)
    4. 217.16.26.148 (Malicious website)
    5. 218.38.13.108 (Malicious DNS server)
    6. 216.127.88.131 (Malicious DNS server)

    Access to these IP addresses can be blocked at the firewall or in the router's Access Control List (ACL) to stop the redirection.

  2. If any of your DNS servers have been poisoned, please flush the cache as soon as possible to avoid redirection of requests.

    More information on the latest DNS Cache Poisoning Attack is available at:

    1. http://isc.sans.org/
    2. E-Cop.Net
    3. http://www.computerworld.com/securitytopics/security/story/0,10801,100813,00.html
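
To decide which resolvers need the cache flush described in step 2, the addresses listed in step 1 can be matched against resolver logs. The Python sketch below is an added example, not part of the MyCERT advisory; the log format, host names and sample lines are constructed for illustration.

```python
import ipaddress

# Indicator addresses copied from the advisory above.
BAD_WEB = {ipaddress.ip_address(a) for a in
           ("209.123.63.168", "64.21.61.5", "205.162.201.11", "217.16.26.148")}
BAD_DNS = {ipaddress.ip_address(a) for a in ("218.38.13.108", "216.127.88.131")}

# Constructed sample log in an assumed format:
# timestamp resolver upstream-server query-name answer
SAMPLE_LOG = """\
2005-04-05T09:12:01 ns1.example.my 192.0.2.53 www.example.com 198.51.100.10
2005-04-05T09:12:07 ns1.example.my 218.38.13.108 shop.example.com 209.123.63.168
2005-04-05T09:13:40 ns2.example.my 192.0.2.53 mail.example.com 64.21.61.5
2005-04-05T09:14:02 ns2.example.my 216.127.88.131 news.example.org 203.0.113.7
malformed line
2005-04-05T09:15:30 ns3.example.my 192.0.2.53 www.example.net 203.0.113.9
"""

def parse_line(line):
    """Return (resolver, upstream, qname, answer), or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, resolver, upstream, qname, answer = parts
    try:
        return (resolver, ipaddress.ip_address(upstream),
                qname.rstrip(".").lower(), ipaddress.ip_address(answer))
    except ValueError:
        return None

def resolvers_to_flush(log_text):
    """Map each affected resolver to its suspect answers; also count skipped lines."""
    findings, skipped = {}, 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        resolver, upstream, qname, answer = rec
        reasons = []
        if upstream in BAD_DNS:
            reasons.append("answer came from a listed malicious DNS server")
        if answer in BAD_WEB:
            reasons.append("name resolves to a listed malicious website")
        if reasons:
            findings.setdefault(resolver, []).append((qname, str(answer), reasons))
    return findings, skipped

if __name__ == "__main__":
    found, skipped = resolvers_to_flush(SAMPLE_LOG)
    for resolver, hits in sorted(found.items()):
        print(f"flush cache on {resolver}:")
        for qname, answer, reasons in hits:
            print(f"  {qname} -> {answer}: {'; '.join(reasons)}")
    print(f"{skipped} unparseable line(s) skipped")
```

A resolver that appears in the output has either queried one of the listed DNS servers or is handing out one of the listed website addresses, so its cache should be flushed after the blocks in step 1 are in place.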

MyCERT advises Internet users to take this alert seriously and to take proper preventive measures against any unwanted incidents.

MyCERT can be reached for assistance at:

Web: http://www.mycert.org.my
Email:
Tel: 03-89961901
Fax: 03-89960827
SMS: 019-2813801