[Translation] DNS servers--an Internet Achilles' heel

DNS servers--an Internet Achilles' heel

(endurer's note: "an/one's Achilles heel" means a fatal weakness. Achilles is one of the Greek gods. According to legend, Achilles' ankle looked small, yet it was his fatal weak point. See: http://vweb.cycnet.com/cms/2004/englishcorner/practical/t20050623_23574.htm)

by Joris Evers
Translated by: endurer

Keywords: Servers | Security | Internet

http://techrepublic.com.com/2100-1009_11-5816061.html?tag=nl.e116

Takeaway:
Scan finds that hundreds of thousands of the servers that act as the white pages of the Net are vulnerable to attack.

Hundreds of thousands of Internet servers are at risk of an attack that would redirect unknowing Web surfers from legitimate sites to malicious ones.

(endurer's note: "at the risk of" means running the risk of ...)

In a scan of 2.5 million so-called Domain Name System machines, which act as the White Pages of the Internet, security researcher Dan Kaminsky found that about 230,000 are potentially vulnerable to a threat known as DNS cache poisoning.

"That is almost 10 percent of the scanned DNS servers," Kaminsky said in a presentation last week at the Black Hat security event in Las Vegas. "If you are not auditing your DNS servers, please start," he said.

The motivation for a potential attack is money, according to the SANS Internet Storm Center, which tracks network threats. Attackers typically get paid for each spyware or adware program they manage to get installed on a person's PC.

Information lifted from victims, such as social security numbers and credit card data, can also be sold. Additionally, malicious software could be installed on a PC to hijack it and use it to relay spam.

The DNS servers in question are run by companies and Internet service providers to translate text-based Internet addresses into numeric IP addresses. The cache on each machine is used as a local store of data for Web addresses.

In a DNS cache poisoning attack, miscreants replace the numeric addresses of popular Web sites stored on the machine with the addresses of malicious sites. The scheme redirects people to the bogus sites, where they may be asked for sensitive information or have harmful software installed on their PC. The technique can also be used to redirect e-mail, experts said.

As each DNS server can be in use by thousands of different computers looking up Internet addresses, the problem could affect millions of Web users, exposing them to a higher risk of phishing attack, identity theft and other cyberthreats.

The poisoned caches act like "forged street signs that you put up to get people to go in the wrong direction," said DNS inventor Paul Mockapetris, chairman and chief scientist at secure DNS provider Nominum. "There have been other vulnerabilities (in DNS) over the years, but this is the one that is out there now and one for which there is no fix. You should upgrade."

There are about 9 million DNS servers on the Internet, Kaminsky said. Using a high-bandwidth connection provided by Prolexic Technologies, he examined 2.5 million. Of those, 230,000 were identified as potentially vulnerable, 60,000 are very likely to be open to this specific type of attack, and 13,000 have a cache that can definitely be poisoned.

The vulnerable servers run the popular Berkeley Internet Name Domain software in an insecure way and should be upgraded, Kaminsky said. The systems run BIND 4 or BIND 8 and are configured to use forwarders for DNS requests--something the distributor of the software specifically warns against.

BIND is distributed free by the Internet Software Consortium. In an alert on its Web site, the ISC says that there "is a current, wide-scale...DNS cache corruption attack." All name servers used as forwarders should be upgraded to BIND 9, the group said.
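
An added example, not part of the original article or of ISC's software: one way to act on the advice to audit your own name servers is to read each server's `version.bind` answer and flag BIND 4 or BIND 8 instances that are used as forwarders. The reply bytes are constructed sample data and the function names are illustrative; operators can hide or override the version string, so an unparseable answer proves nothing either way.

```python
import re
import struct

def build_version_query(txid=0x1234):
    """CHAOS-class TXT query for version.bind, as `dig chaos txt version.bind` sends."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack(">HH", 16, 3)  # QTYPE=TXT, QCLASS=CH

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is always two bytes
            return off + 2
        off += 1 + length

def parse_version_reply(msg):
    """Extract the first TXT string from a version.bind reply, or None."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16 and rdlen > 0:
            return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
        off += rdlen
    return None

def needs_upgrade(version, used_as_forwarder):
    """True for BIND 4/8 used as a forwarder; None if the version is not parseable."""
    m = re.match(r"(?:BIND\s+)?(\d+)\.", version or "")
    if m is None:
        return None  # hidden, overridden, or not BIND: check the host directly
    return bool(used_as_forwarder and int(m.group(1)) in (4, 8))

def sample_reply(text):
    """Constructed reply carrying `text`, standing in for a real server's answer."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(rdata)) + rdata
    return header + build_version_query()[12:] + answer
```

The `used_as_forwarder` flag has to come from your own inventory, since a server's role as a forwarder is not visible in its version reply.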

DNS cache poisoning is not new. In March, the attack method was used to redirect people who wanted to visit popular Web sites such as CNN.com and MSN.com to malicious sites that installed spyware, according to SANS.

"If my ISP was running BIND 8 in a forwarder configuration, I would claim that they were not protecting me the way they should be," Mockapetris said. "Running that configuration would be Internet malpractice."

The new threat--pharming
Kaminsky scanned the DNS servers in mid-July and has not yet identified which particular organizations have the potentially vulnerable DNS installations. However, he plans to start sending e-mails to the administrators of those systems, he said in an interview.

"I have a couple hundred thousand e-mails to send," he said. "This is the not-fun part of security. But we can't limit ourselves to the fun stuff. We have to protect our infrastructure."

The use of DNS cache poisoning to steal personal information from people by sending them to spoofed sites is a relatively new threat. Some security companies have called this technique pharming.

Poisoning DNS cache isn't hard, said Petur Petursson, CEO of Icelandic DNS consultancy and software company Men & Mice. "It is very well doable, and it has been done recently," he said.

Awareness around DNS issues in general has grown in the past couple of years, Petursson said. Four years ago, Microsoft suffered a large Web site outage as a result of poor DNS configuration. The incident cast a spotlight on the Domain Name System as a potential problem.

"It is surprising that you still find tens of thousands or hundreds of thousands vulnerable servers out there," Petursson said.

Kaminsky's research should be a wake-up call for anyone managing a DNS server, particularly broadband Internet providers, Mockapetris said. Kaminsky said he doesn't intend to use his research to target vulnerable organizations. However, other, less well-intentioned people could run scans of their own and find attack targets, he cautioned.

"This technology is known to a certain set of the hacker community, and I suspect that knowledge will only get more widespread," Mockapetris said.
