NEWS FROM THE LAB - Friday, December 3, 2004

When is a defacement not a defacement? Posted by Mikko @ 06:31 GMT

Continuing on the status of the controversial www.makelovenotspam.com site: We have been discussing the case with the maintainers of this site (who are in Sweden). They've checked their systems several times and have found no evidence of a defacement or of an intrusion of any kind.

Regardless of that, we've had several users report a defacement to us, even sending us screenshots like this:

Make defacements not spam

So, what's happening here?

Well, there are basically two choices. One is that some internet operators are not allowing traffic from their IP range to this website - instead, they are referring it to a site with this 'educational' message.

The other choice is DNS poisoning. DNS poisoning is an attack where a malicious attacker floods a domain name server with DNS requests and fake responses to them. The goal is to convince a specific DNS server that domain FOO.BAR should point to when it really should point to, or so. However, such an attack isn't global - only users behind a specific DNS server would access the wrong site. But for those users it would be nearly impossible to notice.

This vulnerability has been known for ages. It used to be fairly easy to do, but then random number generators used by BIND and other DNS tools got improved, making it much harder.
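To show why better random number generators made this harder, here is an added toy model (not code from F-Secure, BIND or Joe Stewart's paper) of a resolver's outstanding-query table: a forged answer is only cached if its 16-bit transaction ID and query name match a pending query, so with a predictable counter one guess suffices, while with random IDs a flood of N guesses succeeds only about N/65536 of the time. All hostnames and addresses are constructed.

```python
import random

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit

class ToyResolver:
    """Minimal model of a caching resolver's outstanding-query table.
    Constructed for illustration; not BIND's actual implementation."""

    def __init__(self, random_txid, rng):
        self.random_txid = random_txid
        self.rng = rng
        self.seq = rng.randrange(TXID_SPACE)  # start of a sequential counter
        self.pending = {}                      # txid -> qname awaiting answer
        self.cache = {}

    def send_query(self, qname):
        if self.random_txid:
            txid = self.rng.randrange(TXID_SPACE)
        else:
            self.seq = (self.seq + 1) % TXID_SPACE  # old predictable scheme
            txid = self.seq
        self.pending[txid] = qname
        return txid

    def receive(self, txid, qname, answer):
        # Only an answer whose ID matches an outstanding query for that same
        # name is accepted; everything else is silently dropped.
        if self.pending.get(txid) != qname:
            return False
        del self.pending[txid]
        self.cache[qname] = answer
        return True

def forged_answer_acceptance(random_txid, guesses, trials, seed=1):
    """Fraction of trials in which one of `guesses` spoofed answers, arriving
    before the genuine one, gets cached. Constructed names and addresses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = ToyResolver(random_txid, rng)
        observed = r.send_query("probe.example")  # an earlier, visible ID
        r.receive(observed, "probe.example", "203.0.113.1")
        r.send_query("www.example")
        if random_txid:
            ids = rng.sample(range(TXID_SPACE), guesses)
        else:
            ids = [(observed + 1 + i) % TXID_SPACE for i in range(guesses)]
        if any(r.receive(t, "www.example", "192.0.2.66") for t in ids):
            hits += 1
    return hits / trials
```

With a sequential counter the rate is 1.0 for a single guess; with random IDs even a thousand guesses per query land well under 2% of the time, which is the improvement the paragraph above refers to.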

However, it is still doable. For more details, read a good paper on the subject, written by Joe Stewart (of LURHQ fame).