ISC Explains Microsoft Server Poisoning Vulnerabilities

The Internet Storm Center Thursday clarified details of the ongoing DNS cache poisoning attack, and how hackers are infecting Windows servers.

After consultations with Microsoft and after receiving additional reports from users on tested methods of protecting Windows servers, the ISC posted a document that outlines its recommendations. Microsoft also revised a Knowledgebase article on its support site.

The design flaw ISC mentioned Wednesday relates to when Windows servers have forwarding enabled. Apparently, Windows DNS servers expect the upstream server -- the one sending data to a second server -- to scrub any cache poisoning attacks, and so accepts all data, regardless of its current setting to protect against cache poisoning.

ICS is asking for help in pinning down under which circumstances this forwarding can create a vulnerability. So far, said ISC analyst Kyle Haugsness, it appears that upstream servers running BIND4 and BIND8 do not clean the poisoned cache before sending to down to the Windows DNS server, while BIND9 does.

Specific recommendations for various BIND configurations have been posted by Haugsness on the Thursday's front page of the ISC Web site.