DNS_Spoof_Success from local computer?

MIDIman

Diamond Member
Jan 14, 2000
3,594
0
0
I have a copy of BlackIce PC Protection, and I'm still trying to get the hang of software firewalls. My network is set up with my router IP as 192.168.1.1, and I received an odd error today labelled "DNS_Spoof_Success." What exactly is this? I do have three machines hooked up, so does it have something to do with file transferring?

Curious what other experiences people have had with BlackIce since I own a copy.

Thanks in advance.
 

Reel

Diamond Member
Jul 14, 2001
4,484
0
76
I have a personal distaste for many software firewalls like BlackIce and Norton, etc. I find that they tend to be alarmist in nature and make you feel safer by showing you all these awful things they found which really aren't so bad. On the other hand, they are better than nothing if you have no protection at all.

The specific problem that is mentioned: DNS Spoof success doesn't ring any bells to me but based on the name, it sounds like it implies someone pretended to be a DNS server? It seems like an odd message. Does it have a link with more info about that from the log?
 

MIDIman

This is the link given:

Suspicious Activity - This signature detects a successful DNS spoofing attack.

2000408 : DNS poisoned NS attack

Nameservers that accept or return false Name Server (NS), Start of Authority (SOA), or Canonical Name (CNAME) records could allow an attacker to spoof DNS information. This allows an attacker to provide forged name services, circumvent name-based authentication (such as TCP wrappers), and redirect Web traffic.

How to remove this vulnerability

Upgrade your name server to the latest version, either from a vendor patch, or from the ISC.org FTP site. See References.


The Intruder address given is 192.168.1.1 (the address of my router). About 24 hours later, there's a TCP port scan from a specific IP, which I don't think I have ever had before.
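
The advisory text quoted above concerns NS, SOA or CNAME records that do not belong to the zone being asked about. As an added example (not part of the thread and not BlackIce's signature logic), this sketch parses a raw DNS reply and lists every record whose owner name falls outside the expected zone, which is the bailiwick check resolvers use to discard such records. The sample reply, the `.test`/`.invalid` names and the function names are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                      # malformed: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length

def out_of_bailiwick(msg, zone):
    """List (section, owner, type) for records whose owner is outside zone."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, flagged = 12, []
    for _ in range(qd):                        # skip the question section
        off = read_name(msg, off)[1] + 4       # name + QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                  # skip fixed fields and RDATA
            if owner != zone and not owner.endswith("." + zone):
                flagged.append((section, owner, rtype))
    return flagged

# Constructed sample (not captured traffic): a reply to a query for
# www.example.test that also carries NS and A records for unrelated names.
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"

def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 1, 1)
          + _name("www.example.test") + struct.pack("!HH", 1, 1)
          + _rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10]))   # owner = pointer to question
          + _rr(_name("other.invalid"), 2, _name("ns.rogue.invalid"))
          + _rr(_name("ns.rogue.invalid"), 1, bytes([192, 0, 2, 66])))
```

Calling `out_of_bailiwick(SAMPLE, "example.test")` returns the authority NS record (type 2) and the additional A record (type 1), while the in-zone answer is left alone.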
 

Reel

It sounds to me that it is accusing your NAT router of being a bad DNS server. I am not quite sure about this. It seems like a silly accusation. I have never heard of someone attacking like that. It is probably nothing to worry about. And port scans are another thing that aren't much to worry about. 99% of the time they end up being nothing to think about. A lot of the personal firewalls try to make it seem like port scans are evil and they are attempting to hack your computer but the firewall saved you. However, if anything, port scans are just the preliminary checking out of your computer.
 

MIDIman

OK - now I'm a bit worried. I just got home and Black Ice is reporting three TCP_Hijacking_Tool around 3pm earlier today.

Again, I suppose my worry is how do I know if someone has gotten through my firewall somehow? Is that possible?


TCP_Hijacking_Tool

This signature detects the use of a TCP hijacking tool on your network. This indicates an attacker's attempt to determine the TCP sequence and acknowledgement numbers that two hosts are using in a communication session.

A number of publicly available tools exist to facilitate the hijacking of TCP sessions. Using such tools, an attacker can determine the TCP sequence and acknowledgement numbers that two hosts are using in a communication session. This information could enable the attacker to take over the legitimate network connection of an authorized user and inject commands into the session. This is particularly serious because most forms of one-time passwords do not prevent this access.

Most of these hijacking tools generate specific packets that can be detected by an intrusion detection system.