ITP.net’s Cyber Kung Fu Master Class: DNS Cache Poisoning, with Infoblox

Peter Goodwin of Infoblox coaches us on the Web-traffic redirect attack

This month’s Cyber Kung Fu Master: Peter Goodwin, technical director, Middle East at Infoblox.
By Stephen McBride. Published February 26, 2015

The motives of the cyber mugger are varied in the case of DNS attacks. The page to which the unwitting surfer is diverted can be anything the attacker wants: a third-party website, a website they control, a static page with an activist message... or, and this is where it gets slightly disturbing, a clever copy of the original page.

It takes very little imagination to envisage how attackers might use this to their advantage. By capturing a request for a bank's login page, the attacker can collect the username and password of an account holder and then redirect them, using those credentials, to the proper pages hosted by the bank. The user has no idea what has happened. Attacks like this are why many banks have introduced two-factor authentication methods.

But while attacking a DNS server may sound simple, in practice success requires landing a lucky punch. And as with all back-alley muggings, timing is everything.

"The exploits take advantage of the fact that all DNS-IP pairs are temporary; the pairing of a certain IP server address to a particular domain might be true for only a few minutes, at which point a new pairing will take effect," Goodwin explains. "This is called a domain name's ‘Time To Live’ or TTL; websites use TTLs to balance their traffic throughout the day, moving visitors from one server bank to another as demand ebbs and flows. This means every DNS server will periodically be asking other DNS servers for information, even for the most common sites."

A cyber-bandit with the right knowledge of DNS protocols will be able to query a target server on how much time is left to run on a particular domain name-IP pair. With the right timing, the attacker can send updates to the server containing the new, phony IP address.

"There is a certain amount of luck involved in getting the transaction right," says Master Goodwin. "For example, legitimate DNS requests generate a 16-bit message ID when sending out a query. When the server responds, it needs to include the same number. That initially proved difficult for people attempting cache poisoning exploits, until it was discovered that the random number generator creating the message IDs had a bug that made the numbers much easier to predict."

Once the attack is successful, the instigators have not only changed the pairing, but have commonly reset the domain name's Time To Live from a few minutes to perhaps as long as several years to keep the redirect intact.
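As an added illustration, not code from Infoblox or from the article, the Python sketch below shows the two resolver-side checks the quoted passages point at: a reply is accepted only if its 16-bit message ID and question match the query still outstanding, and the TTL it carries is capped before it enters the cache, so a poisoned record cannot sit there for "several years". The packet builder, the names and addresses, and the one-week cap are constructed assumptions for the example.

```python
import secrets
import struct
# Cap on TTLs accepted into the cache; one week is an assumed policy value, not from the article.
MAX_CACHE_TTL = 7 * 24 * 3600

def wire_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(txid, name, ip, ttl):
    """Constructed DNS response with one A record, used here as a stand-in for a captured packet."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 question, 1 answer
    question = wire_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = wire_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def read_name(pkt, off):
    """Decode labels starting at off; returns (name, offset just past the terminating zero)."""
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += n + 1
    return ".".join(labels), off + 1

def validate_response(pkt, expected_txid, expected_name):
    """Accept a reply only if ID and question match the outstanding query; clamp TTL. Returns (ip, ttl) or None."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if txid != expected_txid or not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None
    qname, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    if qname.lower() != expected_name.lower() or (qtype, qclass) != (1, 1):
        return None
    _, off = read_name(pkt, off + 4)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
    if (rtype, rclass, rdlen) != (1, 1, 4):
        return None
    ip = ".".join(str(b) for b in pkt[off + 10:off + 14])
    return ip, min(ttl, MAX_CACHE_TTL)

def demo():
    """Genuine reply carries the ID we chose; the forged one guesses wrong and asks for a ten-year TTL."""
    txid = secrets.randbelow(1 << 16)   # unpredictable ID, unlike the buggy generator the text describes
    genuine = build_response(txid, "bank.example", "192.0.2.10", 300)
    forged = build_response((txid + 1) & 0xFFFF, "bank.example", "198.51.100.66", 10 * 365 * 86400)
    return validate_response(genuine, txid, "bank.example"), validate_response(forged, txid, "bank.example")
```

Even a reply that does carry the right ID has its TTL clamped to MAX_CACHE_TTL, which is what limits how long a lucky guess stays in the cache.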

