Spoofing the DNS Server

Let's consider a fictitious discount computer reseller called MicroEmporium. This company generates a lot of sales leads through its Web site (www.microemporium.com), but to save maintenance costs, it outsources this service. The IT team has done a good job of securing its Web server by installing security patches and enforcing the use of good passwords for system access. But one day, at the height of a much-advertised spring sale, customers go to the site yet don't see computers for sale. Instead, they find a completely different set of pages mocking MicroEmporium's business practices. After some hours of testing and analysis, the IT team realizes that MicroEmporium's customers are being redirected to a totally different site owned by a malevolent attacker.

The culprit in this attack is a corrupted Domain Name System (DNS) entry at MicroEmporium's authoritative DNS server. In this scenario, the attack can take place because the DNS implementation has not been secured against caching a fraudulent entry. When a requester (such as a Web browser) needs a DNS name resolved to an IP address, a local DNS server follows the delegation chain across the Internet to locate the authoritative DNS server for that domain. It then asks that server to resolve the name. The authoritative server replies to the local DNS server, which forwards the answer to the requester. The local DNS server also caches the answer for future reference.

The diagram "How Hackers Can Corrupt Your DNS" shows how an attacker can exploit this process by corrupting the cache of an authoritative DNS server. First, he modifies the record of a domain that he owns (such as attacker.com) to add an additional entry mapping the MicroEmporium site to an IP address the attacker owns. Second, the attacker queries MicroEmporium's DNS server to resolve www.attacker.com. To service the request, that server will query the attacker's DNS server and receive a record containing not only www.attacker.com's IP address but also the IP address the attacker chose for MicroEmporium. If the DNS server were properly configured to reject secondhand information, it would simply disregard all entries in the response that aren't part of the attacker.com domain. But in this case, it stores the corrupted entry in its DNS cache. As a result, subsequent client requests to resolve the microemporium.com domain name will direct users to the attacker's Web site rather than the original site.

This problem is widely understood in the security community, but despite that, a significant percentage of servers are still subject to this vulnerability. CERT has published an advisory describing the details of this attack (ftp://info.cert.org/pub/cert_advisories/ca-97.22.bind). In July 1997, Eugene Kashpureff at AlterNIC used the vulnerabilities in DNS to redirect users from www.internic.net to AlterNIC's site in a protest against InterNIC's claim of ownership over the Internet's high-level domains.

Next: Diagram: How Hackers Can Corrupt Your DNS.

Published as Enterprise Computing in the 5/25/99 issue of PC Magazine.
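The "reject secondhand information" rule the article describes is usually called a bailiwick check: a resolver that asked the attacker.com server a question keeps only records whose owner name lies within attacker.com and drops the rest before caching. The following is an added illustration written for this page, not code from the article or from any DNS server; the record dictionaries are a constructed simplification of real resource records, and the IP addresses are documentation-range placeholders.

```python
# Added example: a bailiwick filter applied to the records in a DNS response.
# Records are represented as plain dicts (a constructed simplification), not
# as parsed wire-format resource records.

def _labels(name):
    """Normalise a DNS name to a lowercase tuple of labels, ignoring the root dot."""
    return tuple(label for label in name.lower().rstrip(".").split(".") if label)

def in_bailiwick(name, zone):
    """True if `name` equals `zone` or sits beneath it on a label boundary.

    'www.attacker.com' is inside 'attacker.com'; 'evilattacker.com' is not,
    which is why a plain string-suffix comparison would be the wrong check.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_response(zone, records):
    """Split a response into records safe to cache and records to discard.

    `zone` is the domain whose server answered the query; anything the server
    says about names outside that zone is secondhand and is not cached.
    Returns (accepted, rejected) so the caller can log what was dropped.
    """
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr["name"], zone) else rejected).append(rr)
    return accepted, rejected

# Constructed response: what the article's attacker.com server might return
# when asked for www.attacker.com. The second record is the poisoned entry.
RESPONSE = [
    {"name": "www.attacker.com.", "type": "A", "data": "192.0.2.10"},
    {"name": "www.microemporium.com.", "type": "A", "data": "192.0.2.10"},
    {"name": "ns1.attacker.com.", "type": "A", "data": "192.0.2.53"},
]

if __name__ == "__main__":
    ok, dropped = filter_response("attacker.com", RESPONSE)
    for rr in dropped:
        print("rejected out-of-bailiwick record:", rr["name"], "->", rr["data"])
```

Run against the constructed response, only the www.microemporium.com record is rejected; the two attacker.com records are cached as usual.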
Copyright (c) 1999 Ziff-Davis Inc.