Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

2/7/2012

DNS Attacks Are On The Rise

Filed under: Geek Work,News and Current Events,The Dark Side — Posted by the Network Geek during the Hour of the Snake which is just before lunchtime or 11:14 am for you boring, normal people.
The moon is Waning Gibbous

DNS has inherent weakness.

In it’s current form the Domain Name System, by it’s open nature, is pretty primed for exploitation.
Some of these attacks are more obvious than others, but there are two that I find particularly troubling.  More so that I can see them being used together to really mess with a website owner.
The first of these two attacks isn’t new.  But, the fact that it isn’t new and has been dealt with before doesn’t mean that it has suddenly stopped being effective.  The attack is called “DNS poisoning” and it works by corrupting the DNS cache on a server, which then forwards those poisoned DNS records as legitimate to other, unsuspecting servers.  The end result is that the attackers can redirect traffic from a legitimate website to their own site.  It’s hard to flat out stop right now, though, once discovered, it can be fixed with relatively little trouble.  This attack was used recently against several websites who were supporting SOPA and PIPA.  Of course, since these folks were trying to make a statement, it was pretty clear what had happened, so techs were working to fix it pretty quickly.
The second attack, which I would think include the first attack at its initial stages, is sub-domain hijacking.  In this attack, the attackers redirect the sub-domain of an existing site to another location.  This is a little more subtle and hard to detect.  In this case, the attackers are looking to profit from a well-established domain by “piggy-backing” on their reputation.  They poison the DNS records to point something like Viagra.google.com to their actual website, selling Viagra, or a site filled with spammy links that redirect a potential victim to their website selling Viagra, or whatever.   This attack takes a proactive system administrator to catch.  Since it doesn’t redirect any of the main, honest, actual site anywhere, but only uses its reputation to improve their own spammy links, it’s not always obvious that it’s going on.  Regular DNS record audits are about the only way to catch this, barring an angry end-user contacting the main site.

The internet is still a wild and wooly place sometimes, folks.  The reasons the professionals get paid what they do is because, theoretically, they have to deal with all that stuff and keep us safe!  Which reminds me, I have to go check my own company’s websites and DNS records, not to mention my own!
(The title, incidentally, was inspired by the movie that helped get me into this business, Sneakers. “Cattle mutilations are up.“)


Powered by WordPress
Any links to sites selling any reviewed item, including but not limited to Amazon, may be affiliate links which will pay me some tiny bit of money if used to purchase the item, but this site does no paid reviews and all opinions are my own.