MA-090.042005: MyCERT Special Alert - DNS Cache Poisoning Attack
Original Issue Date: 5th April 2005
MyCERT has received information from reliable and trusted sources regarding a new DNS cache poisoning attack in which poisoned DNS servers at the IP addresses 126.96.36.199 and 188.8.131.52 are redirecting Internet traffic to malicious websites at the IP addresses 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124. These websites install malicious programs onto the workstations that browse to them.
The poisoned DNS servers are returning false answers for names across the entire .COM domain, affecting users around the globe. News of the attack comes amid increasing reports of pharming scams and statistics showing that at least 1,300 Internet domains were redirected to compromised web servers in a similar attack in early March this year.
The impact of this attack is that a user who types a legitimate .COM address can be silently sent to one of these websites, which then installs malicious programs onto the user's machine.
Preventive measures against this attack are as follows:
Block traffic to and from the following IP addresses:
- 126.96.36.199 (Malicious DNS server)
- 188.8.131.52 (Malicious DNS server)
- 184.108.40.206 (Malicious website)
- 220.127.116.11 (Malicious website)
- 18.104.22.168 (Malicious website)
- 22.214.171.124 (Malicious website)
The addresses can be blocked at the firewall or in the router's Access Control List (ACL). Blocking the malicious websites stops workstations from reaching the servers that deliver the malicious programs; blocking the DNS servers stops your resolvers from accepting any further answers from them.
If any of your DNS servers has been poisoned, flush its cache as soon as possible so that it stops handing out the redirected answers. To check a resolver, query a few well-known .COM names against it and compare the answers with those returned by the domains' authoritative name servers; any answer pointing at one of the addresses above indicates poisoning. Flushing only removes the bad records already cached; the blocking above is needed to stop the cache from being poisoned again.
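The following script is an added example written for this page, not a MyCERT tool. It turns the indicators listed above into firewall rules, screens `dig` answer sections for records that point at the malicious addresses, and compares a local resolver's answers against a reference set so that poisoned entries can be found before the cache is flushed. The `dig` output embedded below is constructed sample data with a hypothetical poisoned record, not a real resolution result.

```python
"""Screen DNS answers against the advisory's indicators and emit block rules.

Added example for this page; not MyCERT code. The sample dig output below is
constructed for illustration.
"""
import ipaddress
import re

# Indicators taken from the advisory text above.
MALICIOUS_DNS_SERVERS = {"126.96.36.199", "188.8.131.52"}
MALICIOUS_WEBSITES = {
    "184.108.40.206", "220.127.116.11", "18.104.22.168", "22.214.171.124",
}
BLOCKLIST = MALICIOUS_DNS_SERVERS | MALICIOUS_WEBSITES

# Constructed sample: what `dig www.example.com` might print from a poisoned
# resolver. The A record here is made up for the example.
CONSTRUCTED_DIG = """\
; <<>> DiG 9.3.0 <<>> www.example.com
;; ANSWER SECTION:
www.example.com.   300  IN  A  184.108.40.206
;; Query time: 2 msec
"""

_A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def iptables_rules(addresses=BLOCKLIST, chain="FORWARD"):
    """Return one DROP rule per address and direction for a Linux firewall.

    Dropping by destination keeps workstations off the malicious websites;
    dropping by source keeps the poisoned DNS servers' answers out.
    """
    rules = []
    for ip in sorted(addresses, key=ipaddress.ip_address):
        rules.append(f"iptables -A {chain} -d {ip} -j DROP")
        rules.append(f"iptables -A {chain} -s {ip} -j DROP")
    return rules


def poisoned_answers(dig_output, blocklist=BLOCKLIST):
    """Parse A records out of dig output; return (name, ip) pairs that hit the
    blocklist. Non-record lines (comments, query stats) are ignored."""
    hits = []
    for line in dig_output.splitlines():
        m = _A_RECORD.match(line.strip())
        if m and m.group(2) in blocklist:
            hits.append((m.group(1).rstrip("."), m.group(2)))
    return hits


def mismatched(local_answers, reference_answers):
    """Compare {name: set(ip)} from the local resolver with the same names
    resolved against the domains' authoritative servers. Names whose answer
    sets differ are candidates for a poisoned cache entry."""
    return sorted(
        name
        for name, ips in local_answers.items()
        if name in reference_answers and ips != reference_answers[name]
    )


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    for name, ip in poisoned_answers(CONSTRUCTED_DIG):
        print(f"POISONED: {name} -> {ip}")
```

Feed `poisoned_answers` the output of `dig <name> @<your-resolver>` for a handful of .COM names; for `mismatched`, collect the same names from the domains' authoritative servers (`dig <name> @<authoritative-ns>`) as the reference set. Once a poisoned entry is confirmed, clear the cache with `rndc flush` on BIND 9, `dnscmd /clearcache` on a Windows DNS Server, or `ipconfig /flushdns` on a Windows client, then apply the rules so the cache is not poisoned again.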
More information on the latest DNS Cache Poisoning Attack is available at:
MyCERT advises Internet users to take this alert seriously and to take proper preventive measures against any unwanted incidents.
MyCERT can be reached for assistance at: