DNS servers--an Internet Achilles' heel
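(endurer's note: "an/one's Achilles heel" means a fatal weakness. Achilles is one of the Greek gods. According to legend, Achilles' ankle looked very small, yet it was his fatal weak point. See: http://vweb.cycnet.com/cms/2004/englishcorner/practical/t20050623_23574.htm)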
by Joris Evers
Translation: endurer
Keywords: Servers | Security | Internet
http://techrepublic.com.com/2100-1009_11-5816061.html?tag=nl.e116
Takeaway:
Scan finds that hundreds of thousands of the servers that act as the white pages of the Net are vulnerable to attack.
Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.
In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning.
"That is almost 10 percent of the scanned DNS servers," Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. "If you are not auditing your DNS servers, please start," he said.
The motivation for a potential attack is money, according to the SANS Internet Storm Center, which tracks network threats. Attackers typically get paid for each spyware or adware program they manage to get installed on a person's PC.
Information lifted from victims, such as social security numbers and credit card data, can also be sold. Additionally, malicious software could be installed on a PC to hijack it and use it to relay spam.
The DNS servers in question are run by companies and Internet service providers to translate text-based Internet addresses into numeric IP addresses. The cache on each machine is used as a local store of data for Web addresses.
In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said.
As each DNS server can be in use by thousands of different computers looking up Internet addresses, the problem could affect millions of Web users, exposing them to a higher risk of phishing attack, identity theft and other cyberthreats.
The poisoned caches act like "forged street signs that you put up to get people to go in the wrong direction," said DNS inventor Paul Mockapetris, chairman and chief scientist at secure DNS provider Nominum. "There have been other vulnerabilities (in DNS) over the years, but this is the one that is out there now and one for which there is no fix. You should upgrade."
There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.
The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against.
BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said.
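A minimal audit for your own name servers that flags the combination described above, BIND 4 or BIND 8 together with configured forwarders. This is an added example, not code from the article, ISC or Kaminsky; the function names, the sample `named.conf` and the version strings are constructed for illustration.

```python
import re

# Constructed sample named.conf for a resolver that forwards queries upstream.
SAMPLE_CONF = """
options {
    directory "/var/named";   // working directory
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};
zone "example.test" {
    type master;
    file "example.test.db";
};
"""

def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def forwarder_addresses(conf):
    """Return every address listed in a forwarders { ... } statement."""
    addrs = []
    for body in re.findall(r"\bforwarders\s*\{([^}]*)\}", strip_comments(conf)):
        addrs += [a.strip() for a in body.split(";") if a.strip()]
    return addrs

def bind_major(version):
    """Major release from a string such as '8.4.6-REL'; None if unparsable."""
    m = re.match(r"\s*(?:BIND\s+)?(\d+)\.", version)
    return int(m.group(1)) if m else None

def audit(version, conf):
    """Flag the configuration the article describes: BIND 4 or 8 plus forwarders."""
    major = bind_major(version)
    fwd = forwarder_addresses(conf)
    if major in (4, 8) and fwd:
        return "upgrade to BIND 9: BIND %d with forwarders %s" % (major, ", ".join(fwd))
    if major in (4, 8):
        return "BIND %d without forwarders: outside the flagged configuration" % major
    if major is None:
        return "version unknown: check manually"
    return "not the flagged configuration"

if __name__ == "__main__":
    for v in ("8.4.6-REL", "9.3.1", "unknown"):  # constructed version strings
        print(v, "->", audit(v, SAMPLE_CONF))
```

An empty `forwarders { };` list counts as no forwarders, and commented-out statements are ignored.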
DNS cache poisoning is not new. In March, the attack method was used to redirect people who wanted to visit popular Web sites such as CNN.com and MSN.com to malicious sites that installed spyware, according to SANS.
"If my ISP was running BIND 8 in a forwarder configuration, I would claim that they were not protecting me the way they should be," Mockapetris said. "Running that configuration would be Internet malpractice."
The new threat--pharming
Kaminsky scanned the DNS servers in mid-July and has not yet identified which particular organizations have the potentially vulnerable DNS installations. However, he plans to start sending e-mails to the administrators of those systems, he said in an interview.
"I have a couple hundred thousand e-mails to send," he said. "This is the not-fun part of security. But we can't limit ourselves to the fun stuff. We have to protect our infrastructure."
The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming.
Poisoning DNS cache isn't hard, said Petur Petursson, CEO of Icelandic DNS consultancy and software company Men & Mice. "It is very well doable, and it has been done recently," he said.
Awareness around DNS issues in general has grown in the past couple of years, Petursson said. Four years ago, Microsoft suffered a large Web site outage as a result of poor DNS configuration. The incident cast a spotlight on the Domain Name System as a potential problem.
"It is surprising that you still find tens of thousands or hundreds of thousands vulnerable servers out there," Petursson said.
Kaminsky's research should be a wake-up call for anyone managing a DNS server, particularly broadband Internet providers, Mockapetris said. Kaminsky said he doesn't intend to use his research to target vulnerable organizations. However, other, less well-intentioned people could run scans of their own and find attack targets, he cautioned.
"This technology is known to a certain set of the hacker community, and I suspect that knowledge will only get more widespread," Mockapetris said.