We have kind of been breaking down the DNS cache poisoning exploit scenarios and have been dropping them into 3 different “piles”.
1) Massive poisoning attacks that would be used a denial of service style attack to attempt to “cut an organization off from the Internet” or at least key sites – the damage from this one could be low to medium and is obviously likely to be discovered fairly quickly, though tracking down the issue could be difficult for organizations without adequate technical support or on-site IT teams
2) Large scale attacks with malware intent – these would also be largely executed in an attempt to introduce malware into the organization, browser exploits, client-side exploits or forms of social engineering could be used to trick users into activating malware, likely these attempts would introduce bot-net agents into the organization giving attackers remote control of part or all of the environment
3) Surgical poisoning attacks – these attacks would be more focused and much more difficult to identify, in this case, the attackers would poison the cache of sites that they knew could be critical- this could be as obvious as the windows update sites or as focused as the banking sites or stock trade sites of executives, this attack platform is likely to be focused on specific effects and will likely be combined with social engineering to get insight into the specifics of the target
There certainly may be a myriad of additional scenarios or specific focus points for the attacks, but we wanted to give some examples so that folks can be aware of where attackers may go with their new toys and techniques.
Doing incident response and forensics on these attacks could be difficult depending on the levels of the cache time to live and logging that is done on the DNS systems. Now might be a good time to review both of these variables to make sure they will be adequate to examine any attack patterns should they be discovered now, or in the future from this or any other poisoning attack vector.
As we stated earlier, please do not rely on the idea that recursion is only available from internal systems as a defense. That might help protect you from the “click and drool” exploits, but WILL NOT PROTECT YOU from determined, capable attackers!