Thursday, July 31, 2008

DNS cache poisoning - Cache Poisoning Attacks

DNS cache poisoning is a maliciously created or unintended situation that provides data to a Domain Name System (DNS) server that did not originate from authoritative DNS sources. This can happen through improper software design, misconfiguration of name servers, and maliciously designed scenarios exploiting the traditionally open architecture of the DNS system.

Once a DNS server has received such non-authentic data and cached it to speed up future lookups, it is considered poisoned, and it supplies the non-authentic data to the clients of the server.

Normally, an Internet-connected computer uses a DNS server provided by the computer owner's Internet Service Provider (ISP). This DNS server generally serves the ISP's own customers only and contains a small amount of DNS information cached from previous users' queries. A poisoning attack on a single ISP DNS server can affect the users served directly by the compromised server, or indirectly by its downstream server(s), if any.

To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that makes it accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, it will cache the incorrect entries locally and serve them to users who make the same request.

This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server they control. They then create fake entries for files on that server with names matching those on the target server. These files could contain malicious content, such as a worm or a virus. A user whose computer has consulted the poisoned DNS server would be tricked into thinking that the content comes from the target server and would unknowingly download the malicious content.

In the following variants, the entries for the server would be poisoned and redirected to the attacker's nameserver at IP address w.x.y.z. These attacks assume that the nameserver for is

To accomplish the attacks, the attacker must force the target DNS server to make a request for a domain controlled by one of the attacker's nameservers.

DNS server's request: what are the address records for IN A

Attacker's response:

(no response)

Authority section: 3600 IN NS

Additional section: IN A w.x.y.z

A vulnerable server would cache the additional A-record (IP address) for, allowing the attacker to resolve queries to the entire domain.
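The check that stops this is the bailiwick rule: a resolver only caches records that fall within the zone it asked the responding server about, and only accepts glue for nameservers named in an accepted NS record. The following is an added example, not code from the original post, using constructed names (attacker.test, victim.test) and a documentation address in place of w.x.y.z:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name
    ttl: int
    rtype: str   # "NS", "A", ...
    rdata: str   # nameserver name for NS, address for A

def _canon(name: str) -> str:
    return name.rstrip(".").lower()

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it."""
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)

def filter_referral(zone: str, authority: list, additional: list):
    """Apply the bailiwick rule to a response from a server the resolver
    queried as authoritative for `zone`. NS records must name `zone` or a
    child of it; A/AAAA records are kept only as glue for an accepted NS
    record and only if their owner name is inside the bailiwick."""
    kept, rejected = [], []
    for rr in authority:
        ok = rr.rtype == "NS" and in_bailiwick(rr.name, zone)
        (kept if ok else rejected).append(rr)
    glue_names = {_canon(rr.rdata) for rr in kept}   # only accepted NS so far
    for rr in additional:
        ok = (rr.rtype in ("A", "AAAA")
              and _canon(rr.name) in glue_names
              and in_bailiwick(rr.name, zone))
        (kept if ok else rejected).append(rr)
    return kept, rejected

# Constructed sample: the resolver asked the server for attacker.test, and the
# reply tries to hand it an NS record for an unrelated zone plus glue for it
# (the scenario above, with placeholder names and a documentation IP).
POISON_AUTHORITY = [RR("victim.test.", 3600, "NS", "ns.attacker.test.")]
POISON_ADDITIONAL = [RR("ns.attacker.test.", 3600, "A", "192.0.2.1")]

# A legitimate delegation inside the queried zone, with proper glue.
GOOD_AUTHORITY = [RR("sub.attacker.test.", 3600, "NS", "ns.sub.attacker.test.")]
GOOD_ADDITIONAL = [RR("ns.sub.attacker.test.", 3600, "A", "192.0.2.2")]

if __name__ == "__main__":
    for label, auth, add in (("poisoned", POISON_AUTHORITY, POISON_ADDITIONAL),
                             ("legitimate", GOOD_AUTHORITY, GOOD_ADDITIONAL)):
        kept, rejected = filter_referral("attacker.test", auth, add)
        print(label, "kept:", len(kept), "rejected:", len(rejected))
```

With the rule applied, the out-of-zone NS record and its glue are both discarded, while a delegation inside the queried zone is cached normally.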

Responding before the real nameserver

The third variant of DNS cache poisoning, called DNS forgery, involves beating the real answer to a recursive DNS query back to the DNS server. DNS requests contain a 16-bit nonce (the transaction ID), used to match a response with the request that produced it. If the attacker can successfully predict the value of the nonce and return a reply first, the server will accept the attacker's response as valid. If the server randomizes the source port of the request, the attack becomes more difficult, as the fake response must also be sent to the same port that the request originated from.

By sending a number of simultaneous DNS requests to the server to force it to send more recursive requests, the probability of successfully predicting one of the request nonces increases.
