Domain Name System Server Problems
Increasingly, over the last few years, there have been reports of attacks against DNS (Domain Name System) servers. DNS servers store the mapping between an internet site's IP address and the host name commonly used to reach that site from a browser. That mapping also serves every service and protocol running on that IP address, such as:
- http - HyperText Transfer Protocol
- https - HyperText Transfer Protocol Secure
- ssl - Secure Sockets Layer
- smtp - Simple Mail Transfer Protocol
- etc ...
Every computer connected to the internet, or to any network, has an IP address. If the machine is running a web server, it can be reached from the internet. For example, the IP address for www.skiifwrald.com is 216.74.109.218. This means you can browse to the site by entering http://216.74.109.218 into your browser address bar, or by entering http://www.skiifwrald.com. When you enter http://www.skiifwrald.com, your request goes first to a DNS server, most likely at your ISP, which looks up the skiifwrald.com entry, finds the IP address 216.74.109.218, and lets your browser send the request to that address. Essentially, DNS is the telephone directory of the internet: it lists names against numbers and lets you find sites by name alone.
It is possible to reach a site directly by its IP address, bypassing the DNS server. This works even if the DNS server is unavailable, has been poisoned, or is otherwise corrupted or non-existent.
There are a couple of possible attacks against DNS servers. The first is a DoS (Denial of Service) attack, in which countless spurious requests are made to flood the server and stop legitimate queries from getting through, the ultimate goal being to prevent end users from reaching any site by its domain name. The second is record poisoning (also known as cache poisoning). The master list of domain name to IP address links is updated regularly on the root level servers (the global master record storage), and organisations running their own DNS server download this record list so that their users can resolve names when connecting to the internet. If a hacker can intercept and alter this list, supply a false copy, or change the records in the downloaded copy, local users' access to the internet is badly affected. For example, someone could try to reach google.com, but because the DNS record for google.com has been modified to point to 216.74.109.218, the user sees skiifwrald.com instead, while the address bar in the browser still shows google.com. This has major security implications: a successful poisoning of a DNS record lets the hacker redirect any site they wish.
This is essentially the ultimate hack, and if carried out cleanly it may not be identified for a significant period, if at all. For example, if the record is poisoned, a major financial institution is redirected, and the attacker has mirrored the institution's site, the hacker only needs to intercept the user's login details, and no one is any the wiser that a successful attack has taken place. Analysis of the logs of the financial institution's site should show a disproportionate number of requests coming from a single IP. This too can be concealed, by presenting as a proxying service and by attacking only one or two ISPs at a time to keep the hits from any one IP down. The recent cases of DNS record poisoning have been amateurish at best, with the redirected users being sent to illegal medication supply sites. The servers identified as being at greatest risk are those running Windows NT 4 and Windows 2000, which are, by default, susceptible to the most common DNS record poisoning attacks.
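As an added example (not part of the original article), here is a small defender-side check for the kind of poisoning described above: it compares a local resolver's A-record answers against a pinned list of known-good addresses and against an independent reference resolver, flagging any name that disagrees. All resolver names, host names and addresses in the sample are constructed for the example.

```python
"""Flag poisoned A records by comparing a local resolver's answers with pinned,
known-good addresses and with a second, independent reference resolver.
Sample data below is constructed for this example."""
from ipaddress import ip_address

# Known-good mappings a site operator would maintain (constructed values).
PINNED = {
    "www.skiifwrald.com": {"216.74.109.218"},
    "bank.example": {"203.0.113.10", "203.0.113.11"},
}

def parse_answers(lines):
    """Parse '<resolver> <name> A <address>' lines into {resolver: {name: {addresses}}}."""
    answers = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue  # ignore malformed lines and non-A records
        resolver, name, _, addr = parts
        ip_address(addr)  # raises ValueError on a malformed address
        name = name.lower().rstrip(".")
        answers.setdefault(resolver, {}).setdefault(name, set()).add(addr)
    return answers

def find_poisoned(answers, pinned, reference="reference"):
    """Return (name, resolver, reason) for answers that leave the pinned set or
    differ from the reference resolver's answer for the same name."""
    findings = []
    ref = answers.get(reference, {})
    for resolver, records in answers.items():
        if resolver == reference:
            continue
        for name, addrs in records.items():
            if name in pinned and not addrs <= pinned[name]:
                findings.append((name, resolver, "address not in pinned list"))
            elif name in ref and addrs != ref[name]:
                findings.append((name, resolver, "differs from reference resolver"))
    return findings

# Constructed sample: the ISP resolver hands out wrong addresses for two names.
SAMPLE = [
    "reference google.com A 192.0.2.1",
    "isp       google.com A 216.74.109.218",
    "reference bank.example A 203.0.113.10",
    "isp       bank.example A 198.51.100.7",
    "reference www.skiifwrald.com A 216.74.109.218",
    "isp       www.skiifwrald.com A 216.74.109.218",
]

if __name__ == "__main__":
    for finding in find_poisoned(parse_answers(SAMPLE), PINNED):
        print("suspect:", finding)
```

Run against real resolver output, the input lines would come from querying each resolver for the same names; a pinned list catches the case where the reference resolver itself has been poisoned.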
29 March 2005