Report Claims DNS Cache Poisoning Attack Against Brazilian Bank and ISP

OPINION: Attack shows the potential for serious spoofing attacks that could leave end users helpless. The only real solution is DNSSEC, which will take years to implement under the best of circumstances.

An unsubstantiated report claims that a successful DNS cache poisoning attack was conducted recently against Banco Bradesco, a Brazilian bank.

The reports are in Portuguese. This Google translation explains it in typically clumsy, broken English.

The actual DNS cache belonged to Brazilian ISP NET Virtua. DNS cache poisoning is an attack against DNS servers, usually through a vulnerability in the DNS software, allowing the attacker to change the IP addresses that users receive. In this case, they changed the entries for the Bradesco servers, redirecting users to a malicious Bradesco look-alike server. The same attack also poisoned the entries for Google's Adsense servers, with the purpose of installing a Trojan on the users' systems.

The goal of the Bradesco attack was to steal passwords. No details are provided, but in all likelihood the fake Bradesco site had only the log-on page, and users were probably sent to some error page after entering their username and password. As the Brazilian account says, many banks still don't protect their log-in pages with SSL (Secure Socket Layers), so users wouldn't necessarily even have the option of checking for an SSL connection to prevent such an attack, not that many users check it.

DNS cache poisoning attacks are difficult to pull off; either that or victim companies have done a good job of hushing them up. But they are an especially fear-inspiring class of attack among security experts because there is so little that end users can do to defend themselves against a well-executed one. To all outward appearances, things might be completely correct from the client's perspective.

The Kaminsky DNS vulnerability episode of last year brought the problem to greater light than it had received previously. That bug, which enabled cache poisoning attacks, affected the large majority of DNS implementations. Even though Kaminsky and the industry coordinated a series of simultaneous updates, there are still lots of unpatched servers out there.

The only systematic solution to the problem of DNS cache poisoning is DNSSEC, which uses public key encryption to authenticate the sources of DNS results. I think it's fair to say that everyone believes DNSSEC is necessary, but not a lot of people want to go to the considerable trouble and expense of implementing it.

The proposed Cybersecurity Act of 2009 (Senate bill S.773) orders the Department of Commerce to come up with a plan for implementing DNSSEC in government and "critical infrastructure" within three years. It could be a good idea, but if the implementation of DNSSEC stops there, then so does the protection; for example, if consumer ISP DNS servers and the consumers themselves are still on conventional DNS, then they can still be attacked in the same ways. In fact, if the DNS root itself is not signed, then the protection itself is inherently limited, and there are reasons to wonder if the root will ever be signed.

The Bradesco attack may say more about Brazil than anything else. We don't know enough yet to know how generally the lessons may be applied. I'm more inclined to believe that Brazil is the canary in coal mine here. The bad guys in this business have a habit of picking up on what works. It's unlikely that DNSSEC will ride to our rescue before we start getting attacks like this back home.

Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.