Let me put it in simpler terms...
1) When you type an address, e.g. www.google.com, it's being translated to an IP address, e.g. 72.14.233.32. Remember, the Net's "true" addresses are always IP addresses.
www.google.com = domain name [easier to remember this, right?]
72.13.233.32 = IP address [whoever can remember each IP for all the URLs in a bookmark?!]
2) Each ISP, e.g. TMnet, has 2 DNS (Domain Name Server) servers. One is the main and the other is for redundancy. TMnet's DNS server IPs are 202.188.0.132 and 202.188.1.28.
3) www.google.com -(query)-> DNS -(reply)-> IP address. The DNS is the domain name translator.
4) Each DNS reply (source) is always tied to a source port # (0-65535 only) and a query ID (QID).
5) Malicious ppl send out many fake/invalid queries to your DNS server so that they can "guess" what's the next port/QID that follows. Once they're able to guess a specific port and QID for each "query", they 'poison' the DNS cache (buffer) and mark it active for a specific period of time or simply forever!
6) Imagine this: If I poison the DNS cache for www.google.com = 42.16.33.154 (e.g. a link to phishing site, po*n site or hoax page)...
7) The next time you enter www.google.com in your browser (IE, FF, etc.), it'll point to a different place! This is because the DNS servers have been 'poisoned' to point to a different IP address!
8) What the patching does is to "randomize" the source port # and QID for each IP address reply. This makes it difficult for malicious ppl to guess.
Read the good analogy at Doxpara.com ... it explains how malicious ppl do the 'guessing' and 'poisoning'!
Of course my explanation above is just a crude way of explaining this DNS Cache Poison vulnerability.
This post has been edited by cybpsych: Aug 1 2008, 08:41 PM
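To show why point 8 matters, here is an added example (not from the post above, and not any real resolver's code) that models the check a resolver does on a reply and computes how much harder a blind match becomes once the source port is randomised alongside the QID. The fixed pre-patch port of 53 and the ephemeral range 1024-65535 are assumptions for the model.

```python
"""Toy model of resolver-side reply matching and the guess space behind it.

A cached answer is only written if a reply's name, transaction ID (QID) and
destination port all match the query the resolver still has outstanding.
"""
import secrets
from dataclasses import dataclass

QID_SPACE = 2 ** 16              # 16-bit transaction ID
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535   # assumed randomised port range
PORT_SPACE = EPHEMERAL_HIGH - EPHEMERAL_LOW + 1
FIXED_PORT = 53                  # assumed single source port before the patch


@dataclass(frozen=True)
class PendingQuery:
    name: str
    qid: int
    src_port: int


def issue_query(name: str, randomize_port: bool) -> PendingQuery:
    """Create the state a resolver keeps while waiting for an answer."""
    qid = secrets.randbelow(QID_SPACE)
    if randomize_port:
        port = EPHEMERAL_LOW + secrets.randbelow(PORT_SPACE)
    else:
        port = FIXED_PORT
    return PendingQuery(name, qid, port)


def reply_accepted(pending: PendingQuery, name: str, qid: int, dst_port: int) -> bool:
    """A reply is cached only if every identifier matches the pending query."""
    return name == pending.name and qid == pending.qid and dst_port == pending.src_port


def guess_space(randomize_port: bool) -> int:
    """Number of (QID, port) combinations a blind reply has to hit."""
    return QID_SPACE * (PORT_SPACE if randomize_port else 1)


def p_blind_match(n_forged: int, randomize_port: bool) -> float:
    """Probability that at least one of n_forged blind replies matches."""
    space = guess_space(randomize_port)
    return 1.0 - (1.0 - 1.0 / space) ** n_forged
```

With a fixed port, 65536 forged replies give roughly a 63% chance of a match; with the port randomised too, the same number gives well under 0.01%.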