DNS cache poisoning.


DNS cache poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not. Once the DNS server has been poisoned, the information is generally cached for a while, spreading the effect of the attack to the users of the server.

Normally, an Internet-connected computer uses a DNS server provided by the computer owner's Internet Service Provider, or ISP. This DNS server generally serves the ISP's own customers only and contains a small amount of DNS information cached by previous users of the server. A poisoning attack on a single ISP DNS server can affect a large number of users, depending on how many users are serviced by the compromised DNS server.

Details

To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serve them to users that make the same request.

This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates fake entries for files on the server he controls with names matching those on the target server. These files could contain malicious content such as a worm or a virus. A user whose computer has referenced the poisoned DNS server would be tricked into thinking that the content comes from the target server and unknowingly download malicious content.

Variants

In the following variants, the entries for the server ns.wikipedia.org would be poisoned and redirected to the attacker's nameserver at IP address w.x.y.z. These attacks assume that the nameserver for wikipedia.org is ns.wikipedia.org. To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.

Redirect the target domain's nameserver

The first variant of DNS cache poisoning involves redirecting the nameserver of the attacker's domain to the nameserver of the target domain, then assigning that nameserver an IP address specified by the attacker.

DNS server's request: what are the address records for subdomain.example.com?
subdomain.example.com. IN A

Attacker's response:
 Answer:
 (no response)

 Authority section:
 example.com. 3600 IN NS ns.wikipedia.org.

 Additional section:
 ns.wikipedia.org. IN A w.x.y.z


A vulnerable server would cache the additional A-record (IP address) for ns.wikipedia.org, allowing the attacker to resolve queries to the entire wikipedia.org domain.

Redirect the NS record of the target domain

The second variant of DNS cache poisoning involves redirecting the nameserver of another domain unrelated to the original request to an IP address specified by the attacker.

DNS server's request: what are the address records for subdomain.example.com?
subdomain.example.com. IN A

Attacker's response:
 Answer:
 (no response)

 Authority section:
 wikipedia.org. 3600 IN NS ns.example.com.

 Additional section:
 ns.example.com. IN A w.x.y.z


A vulnerable server would cache the unrelated authority information for wikipedia.org's NS-record (nameserver entry), allowing the attacker to resolve queries to the entire wikipedia.org domain.
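The defence that stops both variants above is a bailiwick check: a resolver caches authority and additional records only when their owner names lie inside the zone it was actually querying, so glue or delegations for an unrelated domain are discarded. The following toy resolver cache is an added example, not code from the original article: it replays the two responses shown above against a cache with and without the check. The `RR`, `Response` and `Cache` classes and the `demo` helper are constructed for this illustration, and `w.x.y.z` is the article's placeholder address.

```python
from dataclasses import dataclass, field

# A resource record as a resolver sees it: owner name, type, TTL and rdata.
# Sample records below are constructed to mirror the two variants in the
# text; "w.x.y.z" is the placeholder address used there, not a real IP.
@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str

@dataclass
class Response:
    question: str                                   # name the resolver asked for
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def canon(name: str) -> str:
    """Lower-case, fully qualified form so comparisons ignore case and the trailing dot."""
    return name.lower().rstrip(".") + "."

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or sits below it in the DNS tree."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)

class Cache:
    """Minimal resolver cache. With bailiwick_check=False it behaves like the
    vulnerable server described in the text and trusts every record it is sent."""

    def __init__(self, bailiwick_check: bool = True):
        self.bailiwick_check = bailiwick_check
        self.entries = {}

    def lookup(self, name: str, rtype: str):
        return self.entries.get((canon(name), rtype.upper()))

    def ingest(self, zone_consulted: str, resp: Response):
        """Cache a response received from the nameserver for `zone_consulted`.
        Returns (accepted, rejected) lists of RRs."""
        accepted, rejected = [], []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.bailiwick_check and not in_bailiwick(rr.name, zone_consulted):
                rejected.append(rr)   # owner name is outside the zone this server speaks for
                continue
            self.entries[(canon(rr.name), rr.rtype.upper())] = rr
            accepted.append(rr)
        return accepted, rejected

# Variant 1: delegation of example.com to ns.wikipedia.org, plus glue for it.
VARIANT1 = Response(
    question="subdomain.example.com.",
    authority=[RR("example.com.", "NS", 3600, "ns.wikipedia.org.")],
    additional=[RR("ns.wikipedia.org.", "A", 3600, "w.x.y.z")],
)
# Variant 2: an NS record for wikipedia.org, a zone unrelated to the question.
VARIANT2 = Response(
    question="subdomain.example.com.",
    authority=[RR("wikipedia.org.", "NS", 3600, "ns.example.com.")],
    additional=[RR("ns.example.com.", "A", 3600, "w.x.y.z")],
)

def demo(bailiwick_check: bool):
    """Feed both variants to a cache and report what it then believes about
    ns.wikipedia.org's address and wikipedia.org's nameserver."""
    cache = Cache(bailiwick_check)
    cache.ingest("example.com.", VARIANT1)
    cache.ingest("example.com.", VARIANT2)
    glue = cache.lookup("ns.wikipedia.org", "A")
    ns = cache.lookup("wikipedia.org", "NS")
    return (glue.rdata if glue else None, ns.rdata if ns else None)

if __name__ == "__main__":
    print("no bailiwick check:  ", demo(False))   # ('w.x.y.z', 'ns.example.com.')
    print("with bailiwick check:", demo(True))    # (None, None)
```

With the check on, variant 1 still yields a valid delegation of example.com (the attacker legitimately controls that zone) but the glue for ns.wikipedia.org is dropped, so the resolver must look that name up through the real wikipedia.org path; variant 2's NS record for wikipedia.org is rejected outright.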

Responding before the real nameserver

The third variant of DNS cache poisoning involves beating the real answer to a recursive DNS query back to the DNS server. DNS requests contain a 16-bit nonce, used to identify the response associated with a given request. If the attacker can successfully predict the value of the nonce and return a reply first, the server will accept the attacker's response as valid. If the server randomizes the source port of the request, the attack may become more difficult, as the fake response must be sent to the same port that the request originated from.

By sending a number of simultaneous DNS requests to the server to force it to send more recursive requests, the probability of successfully predicting one of the request nonces increases.

This modification is a form of birthday attack.
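To quantify the birthday effect described above, and to see why source-port randomization is the relevant mitigation, the following added example (not part of the original article) models the probability that at least one forged reply is accepted. It assumes transaction IDs and source ports are chosen independently and uniformly, that each forged reply carries a distinct ID/port guess, and uses a constructed figure of 64000 selectable source ports; the functions `id_space`, `match_probability` and `compare` are constructed for this illustration.

```python
def id_space(id_bits: int = 16, port_randomization: bool = False,
             port_choices: int = 1) -> int:
    """Number of (transaction ID, source port) pairs a forged reply has to
    match. With a fixed source port only the 16-bit ID protects the query."""
    return (1 << id_bits) * (port_choices if port_randomization else 1)

def match_probability(space: int, outstanding: int, guesses: int) -> float:
    """P(at least one forged reply is accepted) when `outstanding` independent
    queries are in flight and the attacker sends `guesses` replies with
    distinct ID/port guesses. Each query misses the guessed set with
    probability (1 - guesses/space), so a complete miss is that value to the
    power `outstanding`; this is the birthday effect the text describes."""
    if outstanding < 0 or guesses < 0 or space <= 0:
        raise ValueError("counts must be non-negative and space positive")
    miss = 1.0 - min(1.0, guesses / space)
    return 1.0 - miss ** outstanding

def compare(outstanding: int = 100, guesses: int = 100,
            port_choices: int = 64000) -> dict:
    """Same attacker effort against a fixed-port resolver and one that draws
    its source port from `port_choices` ports (64000 is a constructed figure)."""
    fixed = match_probability(id_space(), outstanding, guesses)
    randomized = match_probability(
        id_space(port_randomization=True, port_choices=port_choices),
        outstanding, guesses)
    return {"fixed_port": fixed, "random_port": randomized}

if __name__ == "__main__":
    for n in (1, 10, 100):
        r = compare(outstanding=n)
        print(f"{n:>4} outstanding queries: fixed port {r['fixed_port']:.2e}, "
              f"random port {r['random_port']:.2e}")
```

The model shows the two levers a defender cares about: the probability grows with the number of queries the attacker can keep in flight, and adding roughly 16 bits of port entropy pushes the same attacker effort down by a factor on the order of the port count.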

Prevention and Mitigation

A secure version of DNS, DNSSEC, uses cryptographic electronic signatures signed with a trusted certificate to determine the authenticity of data. It is rarely used; therefore the majority of DNS records are not secured against spoofing.

This kind of attack may be mitigated by use of Transport Layer Security and electronic signatures. By using the secure version of HTTP, HTTPS, users may check whether the server's certificate is valid and belongs to the website's expected owner. For an application that downloads updates automatically, the application can embed a copy of the data's signing certificate locally and validate the signature stored in the software update against the embedded certificate.

From Wikipedia
COPYRIGHT 2005 A.P. Publications Ltd.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Title Annotation: SOFTWARE SECURITY
Publication: Software World
Date: Sep 1, 2005