AT&T first reported victim of DNS attack – HD Moore was NOT “Pwned”

AT&T is the first known DNS poisoning victim using the recent vulnerability (Image: J. Anderson)

IDG News is reporting that HD Moore, or rather his company BreakingPoint, has had traffic redirected to a fake Google search page. The irony that HD Moore is at the center of this recent news is not lost on anyone familiar with the security sector of IT. However, the larger issue is that the attack noticed by BreakingPoint was not on its network, but rather a DNS server on AT&T’s network, making the ISP the first to fall victim to the DNS vulnerability discovered by Dan Kaminsky.

"The DNS server in question was dns1.austtx.sbcglobal.net (151.164.20.201). This system accepted recursive requests from anywhere (not just subscribers) and is the default DNS server for anyone who purchased SBC Internet Services (in our case, a T1 line that was our primary until our fiber was run). Internally, we use two DNS servers, one going out the fiber, other going out the T1 as backup," Moore explains. 

"Early Tuesday morning, some of the friends and family members of BreakingPoint employees noticed that the iGoogle web page was returning a 404 from their home internet connections. Once our folks got to the office, they noticed that every once in a while, they could also reproduce it from within our network. Digging into it, we discovered that one of our internal DNS servers was still using SBC/AT&T as an upstream forwarder and that this server was returning the wrong results for www.google.com."

The redirected traffic linked to a split frame, with one frame showing an altered Google search page, and three others designed to click on advertisements automatically. The attack and redirection amounted to nothing more than a simple scam if you look at the result of the initial attack, but the serious issue is the DNS poisoning of AT&T, one of the larger ISPs in the U.S.
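The checks a forwarder or stub resolver should apply before trusting a reply are worth seeing in code, together with the kind of cross-check BreakingPoint effectively performed by running one resolver through the fiber link and one through the T1. The following Python is an added example written for this article; it is not BreakingPoint's or Metasploit's code. It builds constructed DNS messages (transaction ID 0x1234 and the IP addresses are made up, and `www.bank.example` is a placeholder name), then validates a reply against the outstanding query by transaction ID, question section and bailiwick, and finally compares the A records two upstreams return for the same name. The in-bailiwick case is included deliberately: a forged NS record for the zone plus glue for that nameserver passes the bailiwick check, which is why the vendor patches added source-port randomization rather than relying on these checks alone.

```python
"""Added example: minimal DNS reply checks and an upstream consistency check."""
import struct

A, NS = 1, 2  # record types used below


def encode_name(name):
    """Wire-format a domain name (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, records, qtype=A):
    """Constructed reply: records are (section, name, type, rdata) with section in an/ns/ar."""
    counts, body = {"an": 0, "ns": 0, "ar": 0}, b""
    for section in ("an", "ns", "ar"):
        for sec, name, rtype, rdata in records:
            if sec == section:
                counts[sec] += 1
                body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, counts["an"], counts["ns"], counts["ar"])
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + body


def decode_name(msg, off):
    """Read a name at off, following compression pointers; return (name, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == A and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype == NS:
                rdata, _ = decode_name(msg, off - rdlen)
            records.append((section, name, rtype, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def validate_response(expected_id, qname, qtype, zone, resp):
    """Return the list of reasons to discard resp; an empty list means accept it."""
    problems = []
    if resp["id"] != expected_id:
        problems.append("transaction id mismatch")
    if resp["questions"] != [(qname.lower(), qtype)]:
        problems.append("question section does not match outstanding query")
    for section, name, _rtype, _rdata in resp["records"]:
        if not in_bailiwick(name, zone):
            problems.append(f"out-of-bailiwick {section} record for {name}")
    return problems


def a_records(resp):
    out = {}
    for section, name, rtype, rdata in resp["records"]:
        if section == "an" and rtype == A:
            out.setdefault(name, set()).add(rdata)
    return out


def compare_upstreams(resp_a, resp_b):
    """Names for which two upstream resolvers disagree: name -> (addrs_a, addrs_b)."""
    ra, rb = a_records(resp_a), a_records(resp_b)
    return {n: (ra.get(n, set()), rb.get(n, set()))
            for n in set(ra) | set(rb) if ra.get(n, set()) != rb.get(n, set())}


# Constructed sample messages (IDs and addresses are made up for this example).
QUERY_ID = 0x1234
GOOD = build_response(QUERY_ID, "www.google.com", [("an", "www.google.com", A, bytes([192, 0, 2, 10]))])
OLD_STYLE_POISON = build_response(QUERY_ID, "www.google.com", [
    ("an", "www.google.com", A, bytes([192, 0, 2, 10])),
    ("ar", "www.bank.example", A, bytes([198, 51, 100, 7]))])  # glue outside the zone
KAMINSKY_STYLE = build_response(QUERY_ID, "aaaa1.google.com", [
    ("ns", "google.com", NS, encode_name("ns1.google.com")),
    ("ar", "ns1.google.com", A, bytes([198, 51, 100, 7]))])  # in bailiwick, so it passes
WRONG_UPSTREAM = build_response(QUERY_ID, "www.google.com", [("an", "www.google.com", A, bytes([198, 51, 100, 7]))])

if __name__ == "__main__":
    for label, raw, q in (("good", GOOD, "www.google.com"), ("old-style", OLD_STYLE_POISON, "www.google.com"),
                          ("kaminsky-style", KAMINSKY_STYLE, "aaaa1.google.com")):
        print(label, validate_response(QUERY_ID, q, A, "google.com", parse_response(raw)) or "accepted")
    print("upstreams disagree on:", compare_upstreams(parse_response(GOOD), parse_response(WRONG_UPSTREAM)))
```

Comparing two independent upstreams, as in the last line, is what surfaced the wrong `www.google.com` answer in the incident described above; it catches a poisoned forwarder regardless of how the bogus record got into its cache, but only if the two paths do not share the same upstream.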

“I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five-minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for,” Moore reveals. He was originally misquoted by IDG News, and the misleading story was later corrected.

The attack was expected by many security experts and, while it was perhaps bound to happen, it could have been prevented by applying the available patches. This is a well-known fact.

The story that led up to AT&T being singled out as the first public DNS victim is filled with drama the likes of which you would only see in a soap opera; only here it is the press and the security community that are at the center of it all.

It started when several major vendors, Microsoft, Cisco, Red Hat, ISC (BIND), and Sun Microsystems, to name a few, each released an advisory and update for their respective DNS implementations. The reason for the massive patch effort and the advisories all landing on the same day was one man, IOActive researcher Dan Kaminsky.

Kaminsky worked for a long time and sat on his information, making sure each vendor knew what he had discovered, and even going so far as to get CERT involved to help coordinate the disclosure.

On July 08, the news broke, and the vendors each released patches and mitigations at the same time. This is when all hell broke loose in the media. The news that DNS servers the world over were at risk and the end of the Internet was near started to spread. The initial stories were mostly FUD-based and centered on one issue, namely that Kaminsky had found something serious and everyone should panic.

However, at the same time the news started to spread, several security researchers and respected security community experts called Kaminsky out on his findings, some even accusing him of rushing to spread panic. Going public on this scale without proper peer review is seen as a no-no in some circles, and Kaminsky had apparently violated a cardinal rule.

Recognizing this, and taking lots of heat from other researchers, Kaminsky let others into the fold and shared his findings. The interesting aspect, and what set more people off on a tangent, is that while Kaminsky shared information with a select few, he asked other researchers not to speculate.

This request went over well with some, while others took offence, using the logic that speculation was all anyone had because no one other than a handful of people knew the full details. The point was made that it was presumptuous to assume that by keeping people in the dark, the Internet, and by proxy the DNS servers used online, would be safe.

Then something happened. Thirteen days after the original disclosure of the vulnerability and release of the patches, Halvar Flake, known to others as Zynamics.com CEO Thomas Dullien, speculated on his blog about the DNS flaw.

The theory Flake posted was confirmed by Nate of Root Labs as legit and, not too long after that, Thomas Ptacek of Matasano Security posted a blog confirming the same.

"The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat," Ptacek wrote. His post, with the full details, explaining everything you would need to understand the DNS vulnerability in simple and easy to follow terms, was pulled, but it was already too late.

Ptacek’s post was apparently a mistake: "It was posted in error. We regret that it ran. We removed it from the blog as soon as we saw it... We dropped the ball here," he said in another posting offering an apology to Kaminsky for the blunder.

"Dan told me about his finding personally, in order to help ensure widespread patching before further details were announced at the upcoming Black Hat conference. We chose to have a story locked and loaded for that presentation, or for any other confirmed public disclosure. On a personal level, I regret this as well. Dan did phenomenal work on this research… That I helped detract from that work is painful both personally and professionally, and I apologize to Dan for the way this played out," Ptacek wrote.

Shortly after that, Druid and HD Moore released modules for Metasploit. The two modules fully exploit the DNS issue, and one is used as an example in a video showing off a new tool called Evilgrade.

And yet the drama is still unfolding, with Matasano taking criticism for the details being leaked, and charges being levelled that it was intentional, not accidental.

Adding to that is the Full Disclosure debate, now alive and kicking and rearing its ugly head once again. The story that has played out since July 08 is one that has existed for a long time online, only now there is a well-documented display of what normally happens in private e-mail and discussion forums. Kaminsky did good work, and needs to have that work noted.

The larger aspect to the story, as demonstrated by the recent AT&T DNS attack, is that before the modules were released, and before the code was published, there was time to patch the DNS servers. Even now, as proven, ISPs and business giants such as Apple Inc. are not patched; this could turn into an ugly issue for some IT departments if they don't act quickly.

AT&T had no comment for The Tech Herald on the DNS issues reported by HD Moore; however, it told SecurityFocus: "AT&T employs best practices in the management of its DNS infrastructure... Upon learning of the recent vulnerability and patches available to defend against it, AT&T immediately obtained the patches and began testing and certifying them for production use. Having completed that certification, AT&T is now expediting the deployment across their entire production infrastructure."

If you want to keep track of the vendor list, simply click here.

The official CERT advisory can be found here.
