-
DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address. -
When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.
| Concept | DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address. Let us see how this is done. |
Typically, a DNS Server contains the records only for the machines of the domain it has authority over. If it has to answer queries about machines outside its domain, it has to send a request to the other DNS Server which handles these machines. As frequent communication is not practical, the DNS server keeps a cache and stores in it all the replies returned by other DNS servers.
When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.
| Attack Methods | The attack methodology goes like this. The attacker sends a request to the target DNS Server asking it to resolve www.attacker.com (attacker's domain). As the target DNS does not have the pointing record in its cache, it seeks the answer from the responsible name server (which is the attacker's DNS server). While replying to the target DNS server, the hacked DNS server transfers all the records, including the manipulated records, to the target server. This process is called zone transfer. The DNS server is poisoned as long as the cache is not cleared or updated. This way, the attacker can make some records point to spoofed addresses or even remain silent and let all the traffic pass through his server. |
| Countermeasures | Countermeasures include implementing much of the anti-spoofing rules on the border routers of network. This can be as simple as not allowing anything out with a source IP address not belonging to the network or anything in with a source IP address belonging to the network. |
The next level of protection can reside on the access routers. This could also be used in order to prevent IP spoofing at its most common source. While these filters can be sometimes tricky when it comes to combining dynamic IP and 'multi-POP' static IP routing, if implemented well, these filters can completely prevent IP spoofing that originates from an access network.
-
This tool is a simple DNS ID Spoofer for Windows 9x/2K. -
In order to use it you must be able to sniff traffic of the computer being attacked. -
Usage: wds -hExample: wds -n www.microsoft.com -i 216.239.39.101 -9 00-00-39-5c-45-3b
This is a simple tool for spoofing the DNS ID for Windows 9x/2K. In order to use the user must be able to sniff traffic of the computer being attacked. However, it does not work in a switched network, as a switched network requires ARP Cache Poisoning tools like winarp_sk or winarp_mim. |
A personal firewall must be configured to block UDP 53 destination port to check outgoing DNS traffic in order to ensure that the DNS Server does not answer before WinDNSSpoof does. The working of WinDNSSpoof then takes care of spoofing only those packets that are required to - while the rest are allow to go through. This is made possible by specifying the MAC address of the DNS server or the default gateway in case the DNS server is in another network.
Usage: wds -h
Example: wds -n www.targetsite.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
0 comments:
Post a Comment