DNS Attacks – SY0-601 CompTIA Security+ : 1.4

The Domain Name System is a critical part of the network communication process. In this video, you’ll learn about DNS poisoning, domain hijacking, URL hijacking, and the importance of domain reputation.

One way that attackers can manipulate DNS is by poisoning the DNS server. It takes a bit of knowledge to be able to execute a DNS poisoning attack, but it is a very effective way to redirect traffic to an attacker’s website.

One way to perform DNS poisoning is to modify the hosts file that’s located on each individual device. The hosts file on the machine takes precedence over any DNS query, so it doesn’t matter what is configured in DNS. Your computer is going to follow whatever is listed in that hosts file.

Another way to poison DNS is for someone to sit in the middle of the conversation with an on-path attack and modify the answer that’s being sent back to the client. This would allow an attacker to change the IP address to be whatever they would like it to be. A third way to poison the DNS query is to modify the DNS information on the legitimate DNS server itself.

In this example, we have two users that will be querying a DNS server, and we have an attacker that also wants to query this DNS server. The DNS server holds the legitimate IP address of professormesser.com, 162.159.246.164. But the attacker would like professormesser.com to resolve to 100.100.100.100, which is probably a web server under their control.

User 1 performs a DNS query, asking the DNS server for the IP address of professormesser.com. The DNS server responds with that answer, and User 1 stores that information in the DNS cache on their local machine. The attacker then gains access to this DNS server and modifies the DNS configuration files on the server so that the server now believes professormesser.com is located at 100.100.100.100.

This means that any subsequent request to this legitimate DNS server, for instance from User 2, will be answered with the incorrect IP address, and the attacker has now poisoned the DNS server. Another way to modify DNS information is to change the domain configuration of a particular domain name at its registrar. If the attacker can gain access to the account that’s in charge of that domain at the registrar, they can begin making those DNS changes.

There are many different ways for the attacker to do this. They could simply brute force the password you’re using on that registrar account. Or maybe they’re using social engineering: they’ll send you a phishing attempt in the hope that you’ll send that information back to them. Or the attacker might try to gain access to the email address associated with the account at that registrar, or use many other methods to authenticate to the registrar and make changes to that domain information.

An example of an attacker doing exactly this occurred on Saturday, October 22, 2016, at 1:00 PM, when 36 domains belonging to a Brazilian bank were changed. This covered their domains for desktops, for mobile devices, and almost everything else associated with the bank.

The attackers were able to maintain control of this domain information for six hours, so anyone who queried that DNS information during that window was redirected to the hacker’s website instead of the legitimate bank website. This bank had over 5 million customers and over $27 billion in assets, and at this point we still don’t know the extent of what may have occurred during the six-hour domain hijack.
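A defender-side consistency check for the poisoning paths described above (a hosts-file override and a modified DNS server), added here as an example; it is not code from the original video. The hosts-file content and the resolver answers are constructed sample data; in practice the answers come from querying several independent resolvers, and the expected address set must be kept current.

```python
import ipaddress


def parse_hosts(text):
    """Parse hosts-file text into {hostname: [ip, ...]}; comments, blank
    lines and lines whose first field is not an IP address are skipped."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower().rstrip("."), []).append(ip)
    return mapping


def check_resolution(domain, expected_ips, hosts_text, resolver_answers):
    """Return (source, ip) pairs where the hosts file or a resolver answers
    with an address that is not in expected_ips."""
    domain = domain.lower().rstrip(".")
    findings = []
    # The hosts file wins over every DNS answer, so audit it first.
    for ip in parse_hosts(hosts_text).get(domain, []):
        if ip not in expected_ips:
            findings.append(("hosts file", ip))
    # One resolver disagreeing with the others points at a modified server.
    for resolver, ips in resolver_answers.items():
        for ip in ips:
            if ip not in expected_ips:
                findings.append((resolver, ip))
    return findings


# Constructed sample data mirroring the walkthrough above.
EXPECTED = {"162.159.246.164"}
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# constructed override: this line beats any DNS answer on this machine
100.100.100.100 professormesser.com www.professormesser.com
"""
SAMPLE_ANSWERS = {
    "resolver-a (modified server)": ["100.100.100.100"],
    "resolver-b": ["162.159.246.164"],
}
```

A legitimate address change (for example a CDN move) also produces a finding, so treat the output as something to investigate, not as proof of an attack.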

Another type of attack might not involve changing the legitimate domain name at all, but instead registering a domain name that is close enough to seem legitimate. This is also known as a URL hijack, and it’s commonly used to redirect people to pages that show them ads instead of taking them to the legitimate website. Another moneymaking opportunity for an attacker is to sell the look-alike domain name to the legitimate owner, so that everyone who visits the incorrect URL is then redirected to the legitimate URL.

And although there may be legal issues associated with it, some attackers will take a domain name similar to one company’s and redirect all of that traffic to a competitor of that company. It’s probably more common, though, for an attacker to use this as a phishing opportunity. They can get people to visit that site and think they’re on the legitimate site, and they may be able to gain personal information or login credentials. And if you can get someone to visit a site, you may be able to download something into their browser and perform some type of malicious software installation, all because they visited an incorrect URL.

There are a number of different ways an attacker might use this difference in your URL to their advantage. One way is to take advantage of bad spelling. A domain like professormesser.com has many opportunities for misspellings, and an attacker might buy multiple domain names in the hope that someone will type it incorrectly and visit their website instead.

Some of these might be very obvious. For example, the legitimate professormesser.com can easily be misspelled as professormessor.com, with an “or” at the end. These look very similar to each other, but someone typing in the second URL may not be visiting a legitimate site. An attacker may also take advantage of people not spelling things properly when they type. If an attacker purchases professormeser.com, with one “s” instead of two, they may be counting on someone not typing the name correctly into the address bar of their browser.

And depending on what their purpose is, they could try a different phrasing of the domain name, something relatively close like professormessers.com. And if you weren’t paying a lot of attention to the domain itself, an attacker could register professormesser.org or some other top-level domain and use that instead of the legitimate professormesser.com.
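The four variation classes walked through above (dropped letter, swapped vowel, plural form, alternate top-level domain), turned into a brand-monitoring helper for a domain owner; this is an added example, not code from the video. It assumes a single label plus TLD (no subdomains), and the observed-domain feed is a constructed sample standing in for a certificate-transparency or new-registration feed.

```python
VOWELS = "aeiou"


def generate_lookalikes(fqdn, extra_tlds=("org", "net", "co")):
    """Return look-alike domains for fqdn using four variation classes:
    dropped character, swapped vowel, plural form and alternate TLD.
    Assumes a single label followed by the TLD, e.g. example.com."""
    label, _, tld = fqdn.lower().partition(".")
    variants = set()
    # 1. A dropped character, e.g. the doubled "s" typed only once.
    for i in range(len(label)):
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # 2. One vowel replaced by another, e.g. "-messer" -> "-messor".
    for i, ch in enumerate(label):
        if ch in VOWELS:
            for v in VOWELS:
                if v != ch:
                    variants.add(f"{label[:i]}{v}{label[i + 1:]}.{tld}")
    # 3. The plural form of the name.
    variants.add(f"{label}s.{tld}")
    # 4. The same name under a different top-level domain.
    for alt in extra_tlds:
        if alt != tld:
            variants.add(f"{label}.{alt}")
    variants.discard(fqdn.lower())
    return sorted(variants)


def flag_observed(variants, observed_domains):
    """Return the observed domains (e.g. from a certificate transparency or
    new-registration feed) that match one of the generated look-alikes."""
    wanted = set(variants)
    seen = {d.lower().rstrip(".") for d in observed_domains}
    return sorted(seen & wanted)


# Constructed sample feed; only two entries are look-alikes of the brand.
SAMPLE_FEED = ["professormeser.com", "example.org", "PROFESSORMESSER.ORG"]
```

Domains that turn up in the flagged list are candidates for defensive registration or for a takedown request, depending on who holds them.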

Companies have to be very careful with the reputation associated with their email and web services. Email reputation is determined by the type of email being sent from an organization and by what recipients do with it in their mail clients. If many people start marking a particular type of email sent from a company as spam, that will affect the reputation and the ability of that company to send mail to others.

A good example of this reputation problem is a company that has been infected with malware that sends spam through the company’s email server. Users receive that spam message and click the button inside their mail client that says, “This is spam.” As other companies receive more and more reports from their users that you’re sending spam, they will start limiting or restricting your ability to send any email to their users.

There are many websites that can check and constantly monitor the reputation of your email IP address so that you can stop any of these problems before they become a significant issue. Not only do you have to be aware of the reputation of your email servers, you also have to be aware of the reputation of your web servers. If an attacker were to put malware onto a web server, that web server would be indexed by the major search engines, and those search engines would identify the malware on your server. Then any time anyone visits your website, they get a message saying the site ahead contains malware, with a big red warning that the site they are visiting is not safe.

This is obviously a significant problem if you have sales from this website; users will avoid your brand and your overall reputation will suffer. Once you’ve been indexed with this malware on your website, most of the damage is done. Even if you remove it quickly, it’s going to take some time to be re-indexed by the search engines and finally have these warnings removed from your domain name.
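The email-side reputation check mentioned above, as a DNS-based blocklist lookup of the kind those monitoring services perform; this is an added example, not code from the video. The zone name `dnsbl.example` is a placeholder and the offline resolver is constructed so the block runs without network access; real lists publish their own zone names and the meaning of their 127.0.0.x return codes.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the lookup name a DNS-based blocklist expects: the IPv4 octets
    reversed and prefixed to the list's zone (the RFC 5782 convention)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 addresses only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer):
    """A blocklist answers a listed address with a 127.0.0.0/8 record and
    returns no record (NXDOMAIN) for an unlisted one. Any other answer is
    unexpected (e.g. a wildcard or a hijacked zone) and is not trusted."""
    if answer is None:
        return "not listed"
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "unexpected answer"


def check_listing(ip, zone, resolve=None):
    """Query one blocklist zone for ip. resolve(name) must return the A
    record as a string or None when the name does not exist; the default
    uses the system resolver and therefore needs network access."""
    if resolve is None:
        def resolve(name):
            try:
                return socket.gethostbyname(name)
            except socket.gaierror:
                return None
    return interpret_answer(resolve(dnsbl_query_name(ip, zone)))


# Constructed offline stand-in for a blocklist zone (placeholder name).
FAKE_ZONE = "dnsbl.example"
FAKE_RECORDS = {"10.2.0.192.dnsbl.example": "127.0.0.2"}


def fake_resolve(name):
    """Constructed resolver: lists 192.0.2.10 and nothing else."""
    return FAKE_RECORDS.get(name)
```

Run the check on a schedule against every outbound mail IP you own so that a new listing is noticed before recipients start refusing your mail.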