Vista machine attack on DNS system


Posted by Shera on March 3, 2008, 7:11 am
A number of times we have seen Windows Vista hosts on our
network "attack" our DNS service.

Most of these events seem to involve a pair of machines sending large
numbers of data packets on dest port 53, > 4,000 per second, to both
the primary and secondary DNS servers. Note the port is limited to
10 Mbps... I have wondered what would have happened if it was
100/1000!!


Investigations and packet captures have revealed:

- The machines are always Vista machines.

- The DNS requests are attached to a single process. This
appears to be "SharedAccess".

- There appear to be two separate states. Hosts which have
been involved seem to send abnormal numbers of DNS requests under
"normal" operation (state 1), roughly 10 pps. Then, somehow, an
interaction with another machine (I guess) causes the bombardment.

- The Vista machines seem to be "clean" of virus infection.

- Whilst looking at said machines, I have been unable to
replicate an "attack event".

Has anyone seen similar, and is it reparable in a service pack for
Vista?



Posted by Mr. Arnold on March 4, 2008, 7:55 am


<snipped>

You might want to post to msnews.microsoft.com to the
MS.public.windows.vista security NG(s).


Posted by @lf on March 5, 2008, 6:46 am
Shera wrote:
> A number of times we have seen windows vista hosts on our
> Network "Attack" our DNS service.

Read this: http://www.securesphere.net/download/papers/dnsspoof.htm

> - The machines are always vista machines

This is strange. Maybe the attacker doesn't want to flood any machine or
himself (large amount of DNS replies), just perform DNS spoofing
"unnoticed"; Vista needs strong hardware.
Maybe he is aiming at Vista machines.

What am I guessing? The attacker spoofs DNS requests (choosing Vista machines
to receive replies) and at the same time spoofs replies to your DNS
servers, thus poisoning your DNS records, and the Vista DNS cache as well.

Maybe it is a bug like this one: http://support.microsoft.com/kb/939882

Are those DNS requests for random or specific DNS names?

Well, best would be to contact MS support.
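Added example, not code from any poster in this thread: the original post distinguishes a ~10 pps "state 1" baseline from a >4,000 pps bombardment of both resolvers, and the reply above asks whether the queried names are random or specific. The script below does both checks over DNS query records (timestamp, source, destination, port, name) of the kind a packet capture yields: it reports each source's peak one-second query rate toward port 53, flags sources over a threshold together with the resolvers they hit, and scores each source's names by distinct-name ratio and leftmost-label entropy so that random-looking names stand out from a short repeated set. The hosts, resolver addresses, names and the 4,000 pps threshold in the sample are constructed for illustration.

```python
# Added example for this thread (not code from any poster): flag hosts whose
# port-53 query rate exceeds a per-second threshold and characterise the
# names they ask for (repeated vs. random-looking).
import math
import random
from collections import Counter, defaultdict


def build_sample():
    """Constructed records: (timestamp, src_ip, dst_ip, dst_port, qname).
    Hosts and names are made up; 10.0.0.2/.3 stand in for primary/secondary DNS."""
    rng = random.Random(7)  # seeded so the sample is reproducible
    records = []
    baseline = ["www.example.com", "mail.example.com", "update.example.com"]
    # A host behaving like "state 1" in the post: ~10 queries in one second.
    for i in range(10):
        records.append((0.0 + i / 10.0, "10.0.0.5", "10.0.0.2", 53, baseline[i % 3]))
    # A pair of hosts bombarding both resolvers with random-looking names.
    for src in ("10.0.0.20", "10.0.0.21"):
        for i in range(4600):
            dst = "10.0.0.2" if i % 2 == 0 else "10.0.0.3"
            qname = "%012x.example.com" % rng.getrandbits(48)
            records.append((1.0 + i / 4600.0, src, dst, 53, qname))
    # Unrelated traffic on another port, which must be ignored.
    records.append((1.5, "10.0.0.5", "10.0.0.9", 80, ""))
    return records


def peak_pps(records, port=53):
    """Peak queries per one-second bucket for each source, counting only dst_port == port."""
    buckets = defaultdict(Counter)
    for ts, src, _dst, dport, _q in records:
        if dport == port:
            buckets[src][int(ts)] += 1
    return {src: max(c.values()) for src, c in buckets.items()}


def flag_flooders(records, threshold=4000, port=53):
    """Sources whose peak port-53 rate exceeds threshold, with the resolvers they hit."""
    peaks = peak_pps(records, port)
    targets = defaultdict(set)
    for _ts, src, dst, dport, _q in records:
        if dport == port:
            targets[src].add(dst)
    return sorted((src, pps, sorted(targets[src]))
                  for src, pps in peaks.items() if pps > threshold)


def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost label; random labels score high."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def characterise_names(records, port=53):
    """Per source: query count, fraction of distinct names, mean leftmost-label entropy."""
    names = defaultdict(list)
    for _ts, src, _dst, dport, qname in records:
        if dport == port:
            names[src].append(qname)
    out = {}
    for src, qs in names.items():
        out[src] = {
            "queries": len(qs),
            "distinct_ratio": len(set(qs)) / len(qs),
            "mean_entropy": sum(label_entropy(q) for q in qs) / len(qs),
        }
    return out


if __name__ == "__main__":
    sample = build_sample()
    for src, pps, dsts in flag_flooders(sample):
        print("flood: %s peak %d pps toward %s" % (src, pps, ", ".join(dsts)))
    for src, stats in characterise_names(sample).items():
        print(src, stats)
```

On the constructed sample the two paired hosts are reported at 4,600 pps toward both resolvers while the baseline host peaks at 10 pps; the flooders' names are almost all distinct with high label entropy, whereas the baseline host repeats three names. A near-1.0 distinct ratio with high entropy is the pattern to look for when deciding whether the queries are random, as asked above; a low ratio points to a specific set of names worth reading directly.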


