DNS spoofing/poisoning Attack Report (Word Document)
Contents
Application level attacks: DNS Spoofing/Poisoning
DNS
How it works?
DNS Attacks
DNS SPOOFING/POISONING
Aims of Attackers for DNS Spoofing
How DNS Spoofing Occurs?
WAYS TO EXPLOIT
PREVENTION
How to check DNS settings in Windows?
DNS ATTACKS IN PAST
REFERENCES
Information Security Project Report
Application level attacks: DNS Spoofing/Poisoning
DNS
DNS stands for ‘Domain Name Server’. Domain Name Servers (DNS) are the Internet's
equivalent of a phone book. They maintain a directory of domain names and translate them to
Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for
people to remember, computers and other machines access websites based on IP addresses [1].
How it works?
DNS translates domain names to IP addresses so browsers can load internet resources.
Information from all the domain name servers across the Internet is gathered together and
housed at the Central Registry. Hosting companies and Internet Service Providers interact with the
Central Registry on a regular schedule to get updated DNS information. When you type in a web
address, e.g. www.google.com, your Internet Service Provider (ISP) looks up the DNS record associated
with the domain name, translates it into a machine-friendly IP address (for example
74.125.236.32 is the IP for google.com) and directs your Internet connection to the correct
website [1].
DNS Attacks:
1. Packet Interception
2. ID Guessing and Query Prediction
3. Name Chaining
4. Betrayal by Trusted Server
5. Denial of Service
6. Authenticated Denial of Domain Names
7. DNS Amplification Attack
8. DNS Cache Poisoning / DNS Spoofing
9. (DDoS) Distributed Denial of Service attack
10. BIND9 Spoofing
DNS Amplification Attack: The attacker abuses open DNS resolvers by sending them DNS requests
whose source IP address is that of the target. When the resolvers receive these queries, they send their
responses to the target address. Attacks of this type use many open DNS resolvers, so the
effect on the target devices is magnified.
(DDoS) Distributed Denial of Service: The attacker tries to target one or more of the 13 DNS root
name servers. The root name servers are critical components of the Internet. Attacks against the
root name servers could, in theory, impact operation of the entire global Domain Name System.
BIND9 Spoofing: BIND is the most widely used DNS software on the Internet. In BIND 9 (Stable
Production Release), DNS queries are predictable: the source UDP port and the DNS
transaction ID can be effectively predicted, and BIND9 has been found to be predictable to within 10 choices.
This enables much more effective DNS cache poisoning than the previously known attacks
against BIND 9.
DNS SPOOFING/POISONING
DNS spoofing is a form of computer security hacking in which corrupt Domain Name
System data is introduced into the DNS resolver's cache, causing the name server to return an
incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's
computer [2].
DNS spoofing corrupts the domain name system, diverting internet traffic away from its intended
destination. DNS spoofing is used to censor the internet, redirect end users to malicious websites,
and carry out DDoS attacks on web servers.
DNS spoofing is also known as:
o DNS tampering
o DNS hijacking
o DNS redirection
DNS attack tools are readily available on the Internet (for example, dsniff, dnshijack, and many
more) and they are all FREE!
DNS spoofing is an overarching term and can be carried out using various methods such as:
o DNS cache poisoning
o Compromising a DNS server
o Implementing a Man in the Middle Attack
o Guessing a sequence number
However, an attacker’s end goal is usually the same no matter which method they use. Either
they want to steal information, re-route you to a website that benefits them, or spread malware.
Aims of Attackers for DNS Spoofing:
There are a number of reasons why a hacker or other entity might do this:
o Launch an attack: By changing the IP address for a popular domain like Google.com,
for example, a hacker could divert a large amount of traffic to a server incapable of
handling so much traffic. This can cause the server to slow down, stop, and encounter
numerous errors. Such a “denial-of-service” attack can shut down a website or game
server, for example.
o Redirection: A corrupted DNS entry can redirect users to websites they do not intend to
visit. A hacker might use this to send victims to a phishing site. Phishing sites often look
identical to the real website but are operated by a hacker, tricking the user into entering
private information such as their username and password. ISPs sometimes use DNS
redirection to serve advertisements and collect user browsing data.
o Censorship: Browsing the web is nearly impossible without DNS, so whoever controls
the DNS server controls who sees what on the web. Government-controlled ISPs in
China, for instance, use DNS tampering as part of their nationwide censorship system,
known as the Great Firewall, to block websites from public view.
How DNS Spoofing Occurs?
DNS spoofing occurs in one of two ways:
o Tampering with an existing DNS name server’s resolver cache, or
o Creating a malicious DNS name server and spreading malware that makes routers and
end user devices use it
WAYS TO EXPLOIT
To carry out a DNS amplification attack, the attacker performs two malicious tasks:
1. The attacker spoofs the source IP address of the queries sent to the DNS resolver (which converts
domain names to IP addresses), replacing it with the victim's IP address, so that every reply from the
DNS server is sent back to the victim's server.
2. The attacker finds an Internet domain registered with many DNS records, e.g.
domain.example.com, domain1.example.com, etc. The attacker then issues a DNS query that returns all
records of example.com.
Now the attacker is ready to launch the attack. To request all records for example.com with a
spoofed source IP (the victim's IP), the attacker sends multiple DNS queries from different
computers to different DNS servers.
Each request asks the DNS resolver to resolve the domain name to an IP address, but because
the resolver's source IP has been replaced with the victim's IP, all responses from the DNS server go to the
apparent source, i.e. the victim.
The attacker thus obtains amplification, because each request produces a much larger response
(sometimes 100 times larger) that is sent to the victim. If the attacker's server generates 3 Mbps of DNS
queries, this is amplified to 300 Mbps on the victim's side, and handling that traffic consumes the
victim's resources. The victim's systems become so busy handling the attack that this leads to a Denial
of Service [3].
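As an added example (not part of the report), a defender-side check for the pattern described above: the script parses constructed resolver log lines in a hypothetical format and flags client addresses whose responses are far larger than their queries, which is how a spoofed victim address looks from the open resolver's side.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not a real resolver's output):
# one client address receives repeated large ANY responses for a record-rich
# zone, while a second client makes ordinary A/MX lookups.
SAMPLE_LOG = """\
12:00:01 client=203.0.113.10:4096 q=example.com. type=ANY qlen=45 rlen=3421
12:00:01 client=203.0.113.10:4096 q=example.com. type=ANY qlen=45 rlen=3421
12:00:01 client=203.0.113.10:4096 q=example.com. type=ANY qlen=45 rlen=3421
12:00:02 client=203.0.113.10:4096 q=example.com. type=ANY qlen=45 rlen=3421
12:00:02 client=198.51.100.7:51234 q=www.example.com. type=A qlen=49 rlen=65
12:00:03 client=198.51.100.7:51234 q=mail.example.com. type=MX qlen=50 rlen=102
"""

LINE_RE = re.compile(
    r"client=(?P<ip>[\d.]+):(?P<port>\d+) q=(?P<name>\S+) type=(?P<qtype>\w+) "
    r"qlen=(?P<qlen>\d+) rlen=(?P<rlen>\d+)"
)

def parse_log(text):
    """Yield one dict per line that matches LINE_RE; skip anything else."""
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        rec = m.groupdict()
        rec.update({k: int(rec[k]) for k in ("port", "qlen", "rlen")})
        yield rec

def amplification_report(text, min_ratio=10.0, min_queries=3):
    """Per client IP: query count, bytes in/out, ANY count and out/in ratio.
    A client is flagged once it has sent min_queries queries and received at
    least min_ratio times more bytes than it sent (3 Mbps -> 300 Mbps is 100)."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s["queries"] += 1
        s["qbytes"] += rec["qlen"]
        s["rbytes"] += rec["rlen"]
        s["any"] += int(rec["qtype"] == "ANY")
    report = {}
    for ip, s in stats.items():
        ratio = s["rbytes"] / s["qbytes"]
        flagged = s["queries"] >= min_queries and ratio >= min_ratio
        report[ip] = dict(s, ratio=round(ratio, 1), flagged=flagged)
    return report

if __name__ == "__main__":
    for ip, row in amplification_report(SAMPLE_LOG).items():
        print(ip, row)
```

A flagged address is the apparent victim, not the attacker, so the response is to rate-limit or stop answering that address and to close the resolver to the public.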
DNS resolvers like BIND use unpredictable values with each generated query. Since the
corresponding values in the response must match the values sent in the query, it is difficult for a
blind attacker, who does not see the query, to forge a valid response and insert a new name. The
new vulnerability allows an attacker to de-randomize the IP address of the name server a BIND
resolver queries—reducing the amount of information a blind attacker must guess to successfully
poison BIND's cache. At issue is BIND's Smoothed Round Trip Time (SRTT) algorithm.
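The matching a resolver performs before it accepts a response, as an added example (not the report's code and not BIND's implementation): the transaction ID, destination port and question must equal those of the outstanding query, and only records within the queried zone are allowed into the cache. The dataclasses, the bailiwick helper and the sample values are this example's own assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Query:
    name: str      # question name, stored lower-case
    qtype: str
    txid: int      # 16-bit transaction ID chosen by the resolver
    src_port: int  # ephemeral UDP source port chosen by the resolver

@dataclass
class Response:
    name: str
    qtype: str
    txid: int
    dst_port: int
    answers: dict = field(default_factory=dict)  # owner name -> rdata

def make_query(name, qtype="A"):
    """Random txid and random ephemeral port, as a hardened resolver does."""
    return Query(name.lower(), qtype, secrets.randbelow(1 << 16),
                 1024 + secrets.randbelow(65536 - 1024))

def in_bailiwick(rrname, zone):
    """True if rrname is the zone apex or lies below the queried zone."""
    rrname, zone = rrname.lower().rstrip("."), zone.lower().rstrip(".")
    return rrname == zone or rrname.endswith("." + zone)

def accept_response(query, resp, zone):
    """Records allowed into the cache, or None if the response is rejected.
    txid and port must equal those of the outstanding query and the question
    must be the same; records outside the queried zone are dropped, not cached."""
    if resp.txid != query.txid or resp.dst_port != query.src_port:
        return None   # a blind forgery that guessed wrong lands here
    if (resp.name.lower(), resp.qtype) != (query.name, query.qtype):
        return None   # answers a question we never asked
    return {n: r for n, r in resp.answers.items() if in_bailiwick(n, zone)}
```

With a random txid and port the forger must match roughly 2^32 combinations; the report's point is that BIND9's predictable values shrink that space to a handful of choices.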
Distributed Denial of Service attacks constitute a relatively new type of DNS-based attack that
has proliferated with the rise of high-bandwidth IoT botnets like Mirai. This attack uses the high
bandwidth connections of IP cameras, DVD boxes and other IoT devices to directly overwhelm
the DNS servers of major providers. The volume of requests from IoT devices overwhelms the
DNS provider's services and prevents legitimate users from accessing the provider's DNS
servers.
PREVENTION
How to check DNS settings in Windows?
For Windows:
1) In the Start Menu, locate the Command Prompt menu item, which is usually found under
Accessories.
2) Right click on the Command Prompt menu item and select Run As Administrator.
3) In the command prompt window type the following command:
ipconfig /flushdns
4) If the problem persists, type the following two commands:
net stop dnscache
net start dnscache
Thus, this is how a DNS poisoning attack can be carried out, and the method to prevent and avoid it is
given above [9].
Detecting whether your DNS server has been tampered with or you’ve been infected with DNS
changer malware can be difficult. Most of us don’t routinely check our DNS settings, and it may
well be that only a few DNS entries have been poisoned. You might encounter more ads or
involuntary redirection, but there may be no clear symptoms at all. That said, here are a few
precautions you can and should take to protect yourself from DNS spoofing:
o Always check for HTTPS: If DNS spoofing has led you to a malicious website, it will
likely look identical or nearly identical to the genuine site you intended to visit. The
difference is that the imposter won’t have a valid SSL certificate for the domain, which
means you won’t see “https” or a closed padlock in your browser’s URL bar. The
padlock indicates that your connection to the site is encrypted and verifies the server
owner is who it says it is. Note that not all websites use HTTPS, so this is not a foolproof
method. You can install the HTTPS Everywhere browser extension to force your
browser to always load the HTTPS version of a website when available. If you come
across a site with HTTPS but it’s indicated in red or crossed out, then the SSL certificate
is not valid and you should leave the site immediately.
o Encrypted DNS: Due to the well-documented security weaknesses in DNS, a few vendors
have stepped up to provide improved DNS security. DNSCrypt is perhaps the most
popular of these for end users. DNSCrypt is a lightweight app that encrypts DNS traffic
between the user and an OpenDNS nameserver, much in the same way that SSL encrypts
traffic to websites that use HTTPS. This prevents spying, man-in-the-middle attacks, and,
of course, DNS spoofing. You will need to configure your device to use an OpenDNS
nameserver, which is free.
o VPN: A VPN, short for Virtual Private Network, is a service that encrypts all the internet
traffic going to and from your device and routes it through an intermediary server in a
location of the user’s choosing. Quality VPN services use their own private DNS servers,
and all DNS requests are sent through the encrypted tunnel. This means DNS requests
cannot be intercepted or altered, and you’ll be using a (hopefully) secure nameserver.
Note that not all VPNs are created equal. Some use public DNS servers like Google
DNS, while others allow DNS requests to leak outside of the encrypted tunnel, which
means the default nameserver is used. Be sure to research your VPN provider’s
specifications regarding DNS servers and DNS leak protection before signing up.
o Antivirus: Use up-to-date antivirus software and keep real-time protection enabled. This
should stop malware payloads containing DNS changer malware from infecting your
device and other devices, including routers, on the network.
o Disable JavaScript and WebRTC: Known strains of DNS changer malware have found
their way onto end user devices through the use of JavaScript and WebRTC. JavaScript is
a programming language used in many web pages today, so going without it might be too
inconvenient for some users. That being said, JavaScript is often used to deploy malware.
WebRTC is a communications protocol used by browser-based Voice over Internet
Protocol (VoIP) services like Skype for Chrome. Chances are you don’t need it, but it’s
enabled by default in most browsers including Firefox and Chrome. In Chrome, you can
disable WebRTC by installing the WebRTC Network Limiter extension.
In Firefox, enter about:config in the URL bar. Search for the
media.peerconnection.enabled parameter and set it to false. A good VPN will disable
WebRTC for you. If you’re not sure whether WebRTC is enabled in your browser, you
can run a test here.
o DNSSEC: For those operating nameservers, Domain Name System Security Extensions
(DNSSEC) provide sorely needed authentication. This suite of specifications ensures
trust between the end user and the DNS server. With DNSSEC properly implemented, the
user knows responses come from the domain name owner and not from a corrupted DNS
entry. Note, however, that DNSSEC does not encrypt DNS records [8].
DNS ATTACKS IN PAST
In Brazil in November 2011, users faced malicious redirections when trying to access
websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol,
Terra and Globo. In all cases, users were asked to run a malicious file as soon as the website
opened. Brazil has some big ISPs. Official statistics suggest the country has 73
million computers connected to the Internet, and the major ISPs average 3 or 4 million customers
each. If a cybercriminal can change the DNS cache in just one server, the number of potential
victims is huge [5].
Similarly, in Turkey around September 2011, a Turkish hacker group diverted traffic to a
number of high-profile websites including the Telegraph, UPS, Betfair, Vodafone, National
Geographic, computer-maker Acer and technology news site the Register, putting unwary users
at risk of having passwords, emails and other details stolen. Industry experts warned people not
to log on to sites such as Betfair because their details could be stolen. Some people viewing the
sites thought that they had been hacked directly, with the sites appearing to show a message in
Turkish by a group called Turk Guvenligi, which the month before had carried out a similar attack on a
Korean company. But in fact the sites themselves remained unaffected. The group had instead
attacked the domain name system (DNS), which is used to route users to websites. A list of the
sites affected by the hack, including Microsoft in Brazil and Dell in South Korea, was posted on
the zone-h website, used by hackers to list their successes [6].
A hacker with the nickname AlpHaNiX defaced the Google, Gmail, YouTube, Yahoo, Apple and other domains
of the Democratic Republic of Congo, using the strategy known as DNS cache poisoning. DNS
cache poisoning is a security or data integrity compromise in the Domain Name System (DNS).
The compromise occurs when data is introduced into a DNS name server's cache database that
did not originate from authoritative DNS sources. It may be a deliberate, maliciously
crafted attack on a name server [7].
REFERENCES
[1] http://www.networksolutions.com/support/what-is-a-domain-name-server-dns-and-how-does-it-work/
[2] https://en.wikipedia.org/wiki/DNS_spoofing
[3] https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/11/03/dns-spoofing-how-protect-your-organization-it
[4] http://www.cs.tufts.edu/comp/116/archive/fall2013/apolyakov.pdf
[5] https://securelist.com/massive-dns-poisoning-attacks-in-brazil-31/31628/
[6] https://www.theguardian.com/technology/2011/sep/05/turkish-hacker-group-diverts-users
[7] https://thehackernews.com/2011/12/dns-cache-poisoning-attack-on-google.html
[8] https://privacy.net/dns-spoofing/
[9] https://www.slideshare.net/monark111/what-is-dns-poisoning