DNS Attacks - Spoofing
TL;DR : DNS Spoofing (or so called Cache Poisoning) is the intent of an attacker to corrupt a resolver's DNS cache to return malicious IP addresses, redirecting users to malicious websites. This example demonstrates how an attacker can exploit this vulnerability to create a convincing fake site, steal sensitive information, and compromise user security. It is similar to phishing attacks, but at the DNS level.
A simple analogy
A simple analogy
Protagonists
Bob: A visitor to a small shop.
Alice: The shop owner.
Jack: A prankster.
Jack decides to intercept the directions people get when they try to visit Alice's shop.
When Bob asks for directions, Jack steps in and pretends to be a helpful local. Jack gives Bob false directions that lead him to a fake shop that Jack has set up.
Bob, thinking he's at Alice's shop, interacts with Jack's fake shop. Jack intercepts Bob's requests, potentially stealing private informations (eg. his payment details) or giving him fake products.
Meanwhile, Alice is unaware that Bob has been misled and that her business is being compromised.
The Scenario: Redirecting Users to a Malicious Website
Step 1: Identifying the Target Resolver
Setup:
The attacker identifies a vulnerable DNS resolver in a network (readings), used by target users, such as a public DNS server or the DNS resolver of an ISP. DNS are pretty much like the yello-pages or address books of the internet, enabling network traffic to be directed to the right places (eg. next server). For further details about the DNS protocol, check out this post.
Purpose: Here the goal is to find a DNS resolver that can be manipulated to store incorrect DNS records in its cache.
Step 2: Crafting the Malicious DNS Response
Creation:
The attacker creates a DNS response that falsely associates a legitimate domain name with the IP address of a malicious server. For example, the attacker might want to redirect traffic from www.bank.com to their malicious server at IP address 192.168.1.100.
Content:
The malicious DNS response will contain the spoofed A record for www.bank.com, pointing to 192.168.1.100 instead of the legitimate IP address.
Purpose: The crafted response will be used to poison the DNS resolver's cache, making it return the malicious IP address for future queries to www.bank.com.
Step 3: Poisoning the DNS Cache
Injection:
- The attacker sends a flood of DNS queries to the targeted resolver, requesting the IP address for www.bank.com.
- Simultaneously, the attacker sends fake DNS responses to these queries, spoofing the source IP address to appear as if they are coming from the authoritative DNS server for www.bank.com.
This is a directl hijack attemps on a DNS server to reroute traffic from legitimate IPs addresse to some other IP addresses.
Success Condition:
If the timing is right and the fake response arrives before the legitimate response, the resolver may cache the malicious IP address for www.bank.com.
Purpose: By successfully injecting the false DNS record into the resolver's cache, the attacker ensures that any user querying www.bank.com through this resolver will be directed to the malicious server.
Step 4: User Interaction
Redirection:
A user attempts to visit www.bank.com by typing the URL into their browser. The user's computer plugs to the chain of DNS to resolve the IP, which queries the compromised DNS resolver to resolve the IP address for www.bank.com.
The resolver returns the poisoned DNS record, leading the user's browser to connect to the attacker's server at 192.168.1.100.
A note on TTL exploitation: Time-to-live (TTL) is a setting in DNS records (see here) that determines how long the record can be stored (cached) by DNS servers before it needs to be refreshed. By extending the TTL, hackers can ensure that their malicious DNS mappings remain in the cache of DNS servers and users's devices, effectively prolonging the window of opportunity for attackers to redirect users to malicious websites or servers, amplifying the impact of the spoofing incidents.
Effect on Privacy, Anonymity, and Hacking Concerns
Data Theft
The malicious server at 192.168.1.100 hosts a fake website designed to look identical to the legitimate www.bank.com site. The attacker may use even use SSL/TLS certificates to present the site as secure (e.g., https://www.bank.com with a valid-looking certificate), ie. leveraging the user's trust in the DNS system and the legitimacy of HTTPS indicators. Phishing websites can be difficult to detect. Users, believing they are on the legitimate site, enters sensitive information such as login credentials, personal details, or financial information, where the the malicious site captures this information and sends it to the attacker's database. Users generally notice their data was compromised too late. Outcomes are multiple: identity theft, financial fraud, selling the data on underground markets
Infection
Should the intent be compromising devices, these fake servers would be loaded with automatic, no-display, links and downloads to affect device with malware. Where the spoofing intend to impersonates some internet service provider (ISP), it could prevent legitimate security updates, directly exposing customers to viruses.
Freedom of Information
A form of censorship find expression when access to specific information or websites is controlled or restricted. Agents may employ DNS spoofing to deceive internet traffic into believing a ressource is nonexistent or refused, effectively censoring requests results. For example, the Chinese government today intentionally alter DNS caches to prevent access to particular websites or online resources in line with its Great Firewall policy and Information control policy, effectively redirecting (+ monitoring) users away from selected sites.
There are many example of DNS spoofing attacks, and some are very recent such as the Amazon 2018 DNS attack leading to MEW demise.
Done!
Thanks and Congratulations for reading this to the end. We hope this article brings a little clarity over what DNS spoofing is, and how it works.