Internet entities are regularly affected by Distributed Denial of Service (DDoS) attacks of various scales. Broadly speaking, this is a way to hack into an entity and stop it from working. Hackers use it all the time to bring down famous sites. They tend to attack the domain name system (DNS), since it gives them a deep way in. Now what is a domain name system? Well, a domain name system server basically translates a human-readable domain name (such as mysite.com) into a numerical IP address. This numerical IP address is used to route communications between nodes on the network. For people who didn’t already know, this is how the internet works! Coming back to the hacking part, attackers like to go after their victims by poisoning the DNS. Wait a minute, how do you “poison” a system? How do they actually attack the users?
Why do we care about this domain name system?
As we discussed earlier, the server needs to translate the text you type in the address bar into a numerical IP address. If the server doesn’t know a requested translation, it will ask another server, and the process continues recursively. To increase performance, a server will typically remember these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again. The stored translations are called a cache, and the process is called caching.
What is cache poisoning?
Cache poisoning (also called DNS cache poisoning) is the process of corrupting an Internet server’s domain name system table by replacing an Internet address with that of a rogue address. When a user looks for a particular page with that address, the request is redirected by the rogue entry in the table to a different address. This address is usually controlled by the hacker. At this point, the user’s computer usually gets infected with a worm, spyware, Web browser hijacking program, or some kind of malware.
Why is it a problem?
This kind of attack is often categorized as a pharming attack, and it creates several problems. First, users think they are at a familiar site, but they aren’t. In a “phishing” attack, an alert user can spot a suspicious URL. But in the case of cache poisoning, the URL is legitimate. It’s the real URL, and your DNS has vouched for the address! Remember, the browser resolves the address of the domain automatically, so there is no intervention of any kind on the part of the users. Since nothing unusual has happened, they have no reason to be suspicious. Cache poisoning is particularly dangerous when the targets are well-known and trusted sites, such as those to which browsers are pointed when automatic virus-definition updates are performed. Pretty neat, right!
How does the attack happen?
With cache poisoning, an attacker attempts to insert a fake address record for an Internet domain into the DNS. If the server accepts the fake record, the cache is poisoned, and subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the fake entry is cached by the server (entries usually have a certain lifetime, typically a couple of hours), subscribers’ browsers or e-mail servers will automatically go to the address provided by the compromised DNS server.
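The acceptance step above is where a cache gets poisoned. The following Python is an added, simplified model (not code from the original post): a naive cache that believes any datagram naming the right question, beside a hardened cache that also requires the transaction ID, destination port and question to match the outstanding query, drops records outside the queried zone, and expires entries once their lifetime (TTL) has passed. The `Query`, `Response` and `Cache` classes and the two-label bailiwick rule are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Query:
    qname: str
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # UDP source port the query was sent from

@dataclass
class Response:
    qname: str      # question section echoed back by the responder
    txid: int
    dst_port: int
    answers: dict   # name -> IP for answer + additional records
    ttl: int        # seconds the records may be cached

def in_bailiwick(name, qname):
    # Simplified bailiwick rule (assumption): a record is accepted only if it
    # lies under the queried name's parent zone, e.g. mail.mysite.com for a
    # query about www.mysite.com, but never bank.example.
    zone = ".".join(qname.split(".")[-2:])
    return name == zone or name.endswith("." + zone)

class Cache:
    def __init__(self, strict):
        self.strict = strict   # False = naive cache, True = hardened cache
        self.entries = {}      # name -> (ip, expiry time)

    def accept(self, query, resp, now):
        """Cache the response's records if it is accepted; return True/False."""
        if self.strict:
            # Hardened: transaction ID, destination port and question must all
            # match the outstanding query, or the datagram is dropped as forged.
            expected = (query.txid, query.src_port, query.qname)
            if (resp.txid, resp.dst_port, resp.qname) != expected:
                return False
        elif resp.qname != query.qname:
            # Naive: anything that names the right question is believed.
            return False
        for name, ip in resp.answers.items():
            if self.strict and not in_bailiwick(name, query.qname):
                continue   # ignore out-of-bailiwick records smuggled in
            self.entries[name] = (ip, now + resp.ttl)
        return True

    def lookup(self, name, now):
        # Return the cached IP for name, or None if absent or expired.
        hit = self.entries.get(name)
        return None if hit is None or hit[1] <= now else hit[0]
```

Real resolvers also randomise the source port and use DNSSEC validation; the point here is only that a forged reply which matches nothing but the name is enough to poison the naive cache for the whole TTL.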
Several methods can be used to perform such attacks, but the most recent incidents were caused by throughput amplification via DNS servers. What this basically means is that the attacker generates amplified traffic towards the victim. The attacker spoofs the victim’s IP address and sends some small queries. The DNS servers then answer these queries with much larger DNS messages, thus generating amplified traffic towards the victim.
It is possible to attack e-mail systems in a similar way as well. Rather than inserting a fake record for a Web server into a DNS caching server, the attacker inserts a fake record for a mail server, thereby redirecting corporate e-mail to a server they control.
Is there any other form of DNS poisoning?
Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is also related to URL poisoning. In URL poisoning, also known as location poisoning, Internet user behavior is tracked by adding an identification number to the location line of the browser, which can be recorded as the user visits successive pages on the site.