Problems with the DNS (domain name system) servers at ISP (Internet service provider) Comcast Corp. prevented customers around the U.S. from surfing the Web Thursday, but the company said the interruptions were not linked in any way to a spate of recent DNS attacks known as "pharming" scams.
Comcast technicians noticed problems with the company's DNS servers at around 6:30 p.m. Eastern Time on Thursday. The problems interrupted DNS service to Comcast high-speed Internet customers across the U.S. just hours after The SANS Institute's Internet Storm Center advised ISPs to make sure their DNS servers were not vulnerable to a new spate of attacks. However, the outage was not caused by those attacks or by maintenance related to the attacks, according to company spokeswoman Jeanne Russo.
During the outage, Comcast customers who attempted to connect to Web sites such as Google.com received frequent "Page not Found" errors on their Web browsers. However, entering the numeric IP address of the Web site in question would connect the user to the page.
Comcast technicians began working on the DNS problem immediately after identifying it Thursday evening and restored service to the company's customers by 12:00 a.m. ET Friday, Russo said.
The DNS is a global network of computers that translates requests for reader-friendly Web domains, such as www.computerworld.com, into the numeric IP (Internet Protocol) addresses that machines on the Internet use to communicate.
The recent attacks on DNS servers use a strategy called "DNS cache poisoning," in which malicious hackers use a DNS server they control to feed erroneous information to other DNS servers. The attacks take advantage of a vulnerable feature of DNS that allows any DNS server that receives a request about the IP address of a Web domain to return information about the address of other Web domains.
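The usual resolver-side defence against the behaviour described above is a bailiwick check: records are cached only if their owner name falls inside the zone the answering server was delegated. The sketch below is an added example, not code from the article or any vendor; every name and address in it is constructed, and it checks owner names only.

```python
# Added example: resolver-side bailiwick filtering (names and addresses are constructed).
from typing import NamedTuple

class RR(NamedTuple):
    owner: str   # owner name of the record
    rtype: str   # A, NS, ...
    rdata: str

def labels(name: str) -> list[str]:
    """Lower-cased labels of a domain name, trailing root dot ignored."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of it, compared label by label
    so that 'notexample.net' is not mistaken for a child of 'example.net'."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split records into (cacheable, rejected) for a server delegated `zone`."""
    keep, drop = [], []
    for rr in records:
        (keep if in_bailiwick(rr.owner, zone) else drop).append(rr)
    return keep, drop

# Constructed response from the server the resolver was referred to for example.net.
RESPONSE = [
    RR("www.example.net.", "A", "192.0.2.10"),        # the name that was asked about
    RR("www.example.com.", "A", "203.0.113.66"),      # unrelated domain slipped in
    RR("com.", "NS", "ns.rogue.example.net."),        # claims authority over a whole TLD
    RR("www.notexample.net.", "A", "203.0.113.67"),   # string-suffix look-alike
]

if __name__ == "__main__":
    keep, drop = filter_response("example.net.", RESPONSE)
    for rr in keep:
        print("cache ", rr)
    for rr in drop:
        print("reject", rr)
```

Only the first record is cached; the other three are discarded because the answering server has no delegated authority over their owner names.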
Online criminal groups and malicious hackers have used DNS cache poisoning recently in pharming scams, which are similar to phishing identity theft attacks but don't require a "lure," such as a Web link that victims must click on to be taken to the attack Web site. Instead, corrupted DNS servers forward Internet users who are looking for legitimate Web pages, such as Google.com, to Web pages controlled by the attackers, which harvest personal information such as user names and passwords from the victims, or install Trojan horse programs or other malicious code, according to the Anti-Phishing Working Group.
The attacks have been increasing in recent months, as Internet users become more savvy about traditional phishing scams and online criminal groups look for new ways to collect sensitive information or financial data from victims, the Anti-Phishing Working Group said.
In March, a rogue DNS server posed as the authoritative DNS server for the entire .com Web domain. Other DNS servers that were poisoned with this false information redirected all .com requests to the rogue server, which responded to all .com requests with one of two IP addresses controlled by the attackers.
An earlier attack in March targeted vulnerable products from Symantec Corp. and other companies to redirect requests from more than 900 unique Internet addresses and more than 75,000 e-mail messages, according to log data obtained from compromised Web servers that were used in the attacks, the Internet Storm Center said.
In recent days, a spate of such attacks prompted the Internet Storm Center to issue a code "Yellow" alert, signifying increasing threats on the Internet, and prompted Microsoft Corp. to issue revised instructions for configuring Windows machines used as DNS servers to prevent cache poisoning.