SiliconRepublic.com published a piece today in which Eircom say that the attacks they suffered earlier this month were due to a “‘moderate attack’ known as cache poisoning” against their DNS servers. Eircom also state that they have not seen any “further attempts at cache poisoning since last week”.
DNS cache poisoning is where attackers attempt to change DNS entries in order to redirect users to sites other than the ones they intended to visit. For example, a criminal could poison the cache on a server so that customers trying to reach their online bank are sent to a fake site impersonating that bank, allowing the criminal to capture the users’ financial details. A good explanation of how DNS poisoning works can be found here and there is also a slide-show available here explaining DNS cache poisoning and some ways to protect against it.
While it is good news to hear that Eircom appear to have dealt with these attacks, it is extremely worrying to think that the DNS servers of the country’s largest ISP were vulnerable to this attack. Justin Mason speculates on his blog that the attacks were due to the DNS cache poisoning vulnerability discovered by Dan Kaminsky last year. If this is the case, then Eircom need to hang their heads in shame and conduct an urgent review of their security processes and procedures, in particular their vulnerability, patch and incident management processes.
After the patch for the Dan Kaminsky vulnerability was released last year, I blogged that there were at least 16 ISPs that had not applied the patch. If Eircom was one of those, I certainly hope the other fifteen have gotten their act together.
The Irish Times published a piece in their edition on Saturday the 18th of July regarding this incident. The article, titled “Who’s Behind the Eircom Sabotage?”, includes quotations from Justin Mason and myself.