There have been a number of recent articles on DNS attacks, some good, some not so much. This post is meant to explain some of the types of DNS attacks, how they are used, and some simple defenses. For clarity, a DNS attack is any attack focused either on DNS servers, so that they return incorrect information in response to users’ DNS requests, or on changing which DNS servers a user goes to by default. This post does mention Denial of Service (DOS) attacks, but it should not be considered full coverage of all such attacks; it describes only a few types of DOS attacks.
Types of DNS attacks
There are two primary types of DNS attacks: those that try to change information on DNS servers, and those that try to change which DNS servers users end up going to. The first type includes both entering false information into a DNS server’s cache and altering a server’s configuration so that it considers itself “authoritative” for a particular domain. The second type includes changing the network settings on a user’s computer, or changing the DNS settings of a router or other device that then provides that information to users’ computers. I will provide a quick description of each, and how they are used.
- DNS Cache Poisoning
This attack sends false DNS data to a DNS server, trying to get the server to accept the data as valid DNS information. If it succeeds, the attacker can temporarily change the information for a specific domain on that server, affecting all users of that server. Normally, this type of attack is aimed at the DNS servers of ISPs. By changing an ISP’s DNS information, an attacker can have all users of that ISP sent to a server of their choosing. This type of attack is temporary, since DNS servers refresh their cache after a timeout period.
- DNS Server Corruption
This attack requires an attacker to alter data on a DNS server. Instead of corrupting the cache of a DNS server, the attacker alters the DNS configuration files, making the server believe it is the authoritative server for a particular domain. Then, all requests for that domain will be given the wrong information, and the server will never check with other servers to verify it. This can also be used against the actual authoritative DNS server for a domain, with the intention of changing the information for that domain’s servers, such as web servers, to point to servers controlled by the attacker.
- Changing a computer’s network settings
This requires using software or open access to a computer to change the network settings of that computer. The change tells the computer to always use a server of the attacker’s choosing for DNS lookups. Usually, that server will be either one the attacker has set up, or one that has been compromised and corrupted (as per type 2). All lookups from that computer will then go to the DNS server of the attacker’s choosing.
- Changing a router’s network settings
This attack changes the DNS server settings on a router or gateway device. Then, whenever a computer attached to that device, either wired or wireless, receives its network information, it will be given the attacker’s DNS server entry. All of its lookups will then go to the attacker’s DNS servers, instead of the ones for the ISP.
Uses of DNS attacks
Most DNS attacks are trying to redirect users from a legitimate site to a false site set up by the attacker. At the false site, users enter their username and password as they normally would at the legitimate site, which provides their login information to the attacker. These false sites can vary greatly, ranging from sites that are obviously fake to sites so convincing that they even log into the real site with the user’s information, allowing the user to see what they would normally expect to see. This type of attack is referred to as phishing, since the basic idea is to get a user to enter their username and password, providing the attacker with what they need to compromise that user’s account.
Along with phishing, another use of DNS attacks is Denial of Service (DOS) attacks. These include both Simple Denial of Service (SDOS) attacks and Distributed Denial of Service (DDOS) attacks. The simple attack is intended to keep traffic from reaching the site; this does not require redirecting the traffic to another server, only keeping it away from the intended one. The distributed attack tries to send far more traffic to a server than it can handle.
A simple attack might be changing a large ISP’s DNS information for a specific site, thereby sending requests for that site to an incorrect address. For example, if a large ISP’s DNS entry for Google.com is changed, then anyone trying to go to Google would not be able to get there. For the distributed attack, a large ISP’s DNS servers would be changed to replace the information for one high-traffic site with that of another site. Using the previous example, if the ISP’s DNS entry for Google.com was changed to point to a small company’s web server, the traffic from people trying to get to Google would be more than the small server could handle, causing it to become unresponsive, if not taking it offline completely.
Defending against DNS attacks
For most end users, the attacks against servers are difficult, if not impossible, to defend against. It is up to the ISP or other hosting provider who has set up the DNS server to take steps to protect it. This can include securing login access to the servers and making sure updates are properly, and promptly, applied. Also, DNS servers can be set up to use a short cache timeout, and the data files for the server can be kept in a protected location, so that restarting the DNS service loads valid files rather than corrupted ones.
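The server-side points above, the cache poisoning attack and the short cache timeout as a defense, come together in the checks a caching resolver applies before it trusts a reply. This is an added example, not code from the original post: DNS records are simplified to (name, type, TTL, data) objects rather than wire format, and the 300-second MAX_TTL and the example.com reply are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_TTL = 300  # assumed policy: cap (seconds) on how long any cached answer may live

@dataclass
class Record:
    name: str
    rtype: str
    ttl: int
    rdata: str

@dataclass
class Response:
    txid: int   # transaction ID; must echo the query's
    qname: str  # question name; must echo the query's
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(query_txid: int, query_name: str, zone: str, resp: Response) -> dict:
    """Return {(name, type): (ttl, rdata)} that a careful resolver would cache.

    Ignore the whole reply if its transaction ID or question does not match the
    outstanding query; drop records naming anything outside the zone the queried
    server is responsible for (the bailiwick check); cap surviving TTLs so that
    even a bad record that slips through expires quickly.
    """
    if resp.txid != query_txid or resp.qname.lower() != query_name.lower():
        return {}
    cache = {}
    for rec in resp.answers + resp.additional:
        if not in_bailiwick(rec.name, zone):
            continue  # e.g. an A record for an unrelated domain hidden in "additional"
        cache[(rec.name.lower(), rec.rtype)] = (min(rec.ttl, MAX_TTL), rec.rdata)
    return cache

def demo() -> dict:
    # Constructed reply from a server for example.com; the last record tries to
    # plant a long-lived address for an unrelated name (RFC 5737 example IPs).
    resp = Response(0x1A2B, "www.example.com",
                    answers=[Record("www.example.com", "A", 86400, "192.0.2.10")],
                    additional=[Record("ns1.example.com", "A", 3600, "192.0.2.53"),
                                Record("login.example.net", "A", 604800, "203.0.113.7")])
    return accept_response(0x1A2B, "www.example.com", "example.com", resp)
```

Running demo() keeps only the two example.com records, each with its TTL cut to 300 seconds, and discards the example.net record that the reply tried to smuggle in.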
End users can take steps to protect themselves from attacks on their computers and routers. This includes using up-to-date virus scanning and firewall software, along with not running downloaded applications, especially those they are not absolutely sure of. However, the most important step an end user can take is proper password security for both their computer(s) and router. Many routers ship with a default username and password; these should be changed and made as secure as possible. As for their computers, users should make sure that any administrative accounts do not have simple passwords, and that they normally log in with non-administrative accounts.