DNS Cache Poisoning
DNS Cache Poisoning : Injecting false resource records into a caching (recursive) name server so that the server hands them to every client that later asks for the affected name. When a recursive server has no cached answer for a domain, it queries the authoritative name server for that zone. This exchange is where the attacker comes in: he sends the recursive server forged replies that pretend to come from the authoritative name server and carry the records he wants cached. If one of them is accepted, the false record is cached and returned for every subsequent request for that name until its TTL expires.
Most recursive name servers on the Internet run BIND, so the flaws below are described in terms of BIND's behaviour.
BIND : Berkeley Internet Name Domain - the name server software run by the majority of name servers worldwide to translate domain names into their corresponding IP addresses. It is an implementation of the DNS protocol, not a protocol of its own. BIND Flaws :
1. Use of a 16-bit transaction ID to match a reply to an outstanding query. A reply whose ID matches is treated as the authoritative server's answer, so the attacker only has to hit one value out of 65,536.
2. Older versions sent multiple simultaneous recursive queries for the same name when several requests for it arrived at once, each query with its own transaction ID. This opens the ID space to a birthday attack: the attacker triggers n such queries and sends n forged replies with random IDs, and needs only a collision between any query ID and any reply ID rather than a guess at one specific ID, with at least one matching forged reply arriving before the authoritative server's genuine response. The probability does not reach 100%, but it is far higher than a straight guess: with 300 queries and 300 forged replies the chance of at least one collision is roughly 75%, against about 0.5% for 300 guesses at a single outstanding query.
3. When BIND adopted random transaction IDs (the same idea as randomising TCP initial sequence numbers), the generator used was not very random. The implementation was easy to break, so the IDs remained predictable.
The attacker sends about 300 requests to the target server for the name he wants to hijack. The number 300 is not a protocol constant; it comes out of the birthday calculation against the 16-bit ID space (65,536 possible values). The attacker needs one forged reply to carry the same transaction ID as one of the queries the target server sends to the authoritative server, and the figure is as low as 300 only because the server answers each of the attacker's requests with a separate outstanding query of its own, each with its own ID.
At the same time the attacker sends the server about 300 forged DNS replies, each with a randomly chosen transaction ID and with the source address of the authoritative name server, so that they look like that server's answers. If any forged reply's ID matches any outstanding query's ID and it arrives before the genuine answer, the server is fooled: it accepts the forged record as the authoritative answer and caches it.
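The following Python program is added here as an illustration; it is not code from the page or from the SecureWorks article. It computes and simulates the probabilities behind the 300-packet figure: the chance of guessing the ID of a single outstanding query, the birthday-attack chance when the server has n outstanding queries for the same name and the attacker sends n forged replies, and the smallest n for a given success rate. The 16-bit ID space is from the text; the figure of about 64,000 usable source ports in the last line, used to show what randomising the resolver's source port does to the attacker's odds, is an assumption and goes beyond what the page discusses.

```python
import math
import random

ID_SPACE = 1 << 16      # 16-bit transaction ID: 65,536 possible values
PORT_SPACE = 64000      # assumption: roughly how many source ports a resolver can randomise over


def single_query_success(forged_replies, space=ID_SPACE):
    """Attacker sends `forged_replies` random IDs against ONE outstanding query.
    Each forged reply hits the server's ID with probability 1/space."""
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def birthday_success(n_queries, n_replies=None, space=ID_SPACE):
    """Server has n_queries outstanding queries with independent random IDs and
    the attacker sends n_replies forged replies with random IDs. Any one of the
    n_queries * n_replies (query, reply) pairs colliding is enough, so
    P(success) ~= 1 - exp(-n_queries * n_replies / space)."""
    if n_replies is None:
        n_replies = n_queries
    return 1.0 - math.exp(-(n_queries * n_replies) / space)


def simulate_birthday(n_queries, n_replies=None, space=ID_SPACE, trials=1000, seed=1):
    """Monte Carlo check of birthday_success(): draw the server's IDs and the
    attacker's IDs at random and count the trials with at least one collision."""
    if n_replies is None:
        n_replies = n_queries
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        outstanding = {rng.randrange(space) for _ in range(n_queries)}
        if any(rng.randrange(space) in outstanding for _ in range(n_replies)):
            hits += 1
    return hits / trials


def packets_for(target_prob, space=ID_SPACE):
    """Smallest n (n queries plus n forged replies) with birthday_success(n) >= target_prob."""
    return math.ceil(math.sqrt(-space * math.log(1.0 - target_prob)))


if __name__ == "__main__":
    print(f"300 guesses at one outstanding query: {100 * single_query_success(300):.2f}%")
    for n in (100, 214, 300, 700):
        print(f"birthday attack, {n} queries + {n} replies: "
              f"analytic {100 * birthday_success(n):.1f}%, "
              f"simulated {100 * simulate_birthday(n):.1f}%")
    print(f"n needed for 50%: {packets_for(0.5)}, for 99%: {packets_for(0.99)}")
    # With a randomised source port the forged reply must match ID and port, so the
    # space becomes ID_SPACE * PORT_SPACE and the same 300 + 300 packets do almost nothing.
    print(f"300 + 300 with source-port randomisation: "
          f"{100 * birthday_success(300, space=ID_SPACE * PORT_SPACE):.5f}%")
```

The analytic formula is the usual birthday approximation and is within a fraction of a percent of the simulation; the "100%" in older descriptions of the attack is the attacker's practical view after repeating the 300-packet round a few times, not the per-round probability.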
Once the malicious record is in the cache there are many possible sub-attacks :
1. Web traffic redirection - redirecting a high-traffic site such as Google, sending bank customers to a look-alike site that captures their account credentials, manipulating what a news site appears to report, manipulating stock prices with false information.
2. Man in the middle attack - the poisoned record points victims at a host the attacker controls, which relays their traffic to the real server while reading or altering it.
Recommended defenses against DNS Cache poisoning :
1. DNSSEC - zone data is cryptographically signed, and a validating resolver rejects records whose signatures do not verify, so a forged reply is useless even when its transaction ID matches.
2. Beware of DoS - someone trying to slow your server down may not be after availability at all: a flooded authoritative server answers late, which is exactly the window the attacker's forged replies need to arrive first and complete the cache poisoning.
3. Consider having a split DNS - one server answers outside queries for your own zones and does no recursion, while the recursive server that serves your own users sits behind a firewall that only admits queries from inside.
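The check below is an added example, not code from the page or from BIND. It is a tiny DNS wire-format builder/parser plus a function modelling how a caching resolver decides whether an incoming datagram answers one of its outstanding queries. With strict=False it accepts a reply as soon as the 16-bit transaction ID matches, the weakness the notes above describe; with strict=True it also requires the reply to come from the server the query went to, to arrive on the (randomised) port the query left from, and to repeat the same question, the measures later written down in RFC 5452. The addresses, ports, transaction ID and records are constructed for the scenario, and the randomised source port is a mitigation beyond the three defenses listed above.

```python
import struct

# Minimal DNS wire-format helpers: build a query/response carrying A records and
# read one back (no compression when building; 0xC0 pointers handled when parsing).

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Return (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def build_message(txid, qname, answers=(), response=False):
    """One A/IN question plus optional (name, ipv4, ttl) answer records."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip, ttl in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return msg

def parse_message(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                         # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname, "answers": answers}

def accept_reply(outstanding, msg, src_ip, src_port, dst_port, strict):
    """Return the answer records the resolver would cache, or None to drop the datagram.
    `outstanding` maps transaction ID -> {"qname", "auth_ip", "local_port"}.
    strict=False: ID match alone is enough (the weakness in the notes).
    strict=True : reply must also come from auth_ip:53, land on the port the query
                  left from, and ask the same question."""
    reply = parse_message(msg)
    q = outstanding.get(reply["id"])
    if q is None or not reply["response"]:
        return None
    if strict and (src_ip != q["auth_ip"] or src_port != 53
                   or dst_port != q["local_port"]
                   or reply["qname"].lower() != q["qname"].lower()):
        return None
    return reply["answers"]

# Constructed scenario: documentation-range addresses, not real hosts.
AUTH_IP = "198.51.100.10"        # authoritative server for example.com (assumed)
ATTACKER_IP = "203.0.113.66"     # where the attacker wants www.example.com to resolve
TXID = 0x1234                    # the transaction ID the attacker guesses correctly
QNAME = "www.example.com"

GENUINE_REPLY = build_message(TXID, QNAME, [(QNAME, "198.51.100.80", 3600)], response=True)
FORGED_REPLY = build_message(TXID, QNAME, [(QNAME, ATTACKER_IP, 86400)], response=True)

def run_scenario():
    """The same forged datagram against an ID-only resolver and a stricter one."""
    # Old behaviour: every query leaves from port 53, so the attacker knows where
    # to aim the forged reply and only has to guess the transaction ID.
    weak = {TXID: {"qname": QNAME, "auth_ip": AUTH_IP, "local_port": 53}}
    # Stricter resolver: the query left from a random high port the attacker cannot see.
    strict = {TXID: {"qname": QNAME, "auth_ip": AUTH_IP, "local_port": 41873}}
    # The forgery spoofs the authoritative server's address and port 53 as its source
    # and is sent to port 53 because that is all the attacker can assume.
    return {
        "weak_accepts_forgery": accept_reply(weak, FORGED_REPLY, AUTH_IP, 53, 53, strict=False),
        "strict_rejects_forgery": accept_reply(strict, FORGED_REPLY, AUTH_IP, 53, 53, strict=True),
        "strict_accepts_genuine": accept_reply(strict, GENUINE_REPLY, AUTH_IP, 53, 41873, strict=True),
    }

if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(f"{label}: {result}")
```

Matching the question section stops a reply for one name being cached under another, and the random source port multiplies the space the attacker must search by the number of ports; neither replaces DNSSEC, which is the only item in the list above that rejects a forgery even when every one of these fields has been guessed.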
Complete article reference :
http://www.secureworks.com/research/articles/dns-cache-poisoning/
