Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
A DNS server translates a domain name (such as www.example.com) into the IP address that Internet hosts use to reach the corresponding resource. An adversary modifies a public DNS cache so that certain names resolve to incorrect addresses the adversary specifies. Client applications that rely on the poisoned cache for name resolution are then directed not to the real address of the requested domain but to the adversary's address. Adversaries use this to herd clients to sites that install malware on the victim's computer, or to masquerade as the legitimate site as part of a Pharming attack.
In this example, an adversary sends a request to a local DNS server to look up www.example.com. The real IP address of www.example.com is 1.3.5.7.
A local DNS server usually caches IP addresses rather than contacting a remote DNS server for every query. Since no local record is found, the server forwards the query to a remote DNS server. However, before the remote server returns the correct address 1.3.5.7, the adversary floods the local server with crafted responses carrying the address 2.4.6.8, and one of them is accepted. The result is that 2.4.6.8 is stored in the DNS cache. Meanwhile, 2.4.6.8 hosts the malicious website www.maliciousexample.com.
When users connect to www.example.com, the local DNS server directs them to www.maliciousexample.com; this works as part of a Pharming attack.
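The race in the example above, as an added illustration that is not part of the CAPEC entry: a constructed Python model in which three resolver configurations receive a flood of spoofed answers for www.example.com before the genuine answer arrives. The packets use the real DNS wire format, but the network, the resolver and the attacker's flood are all simulated in-process and are assumptions of this example, not the behaviour of any particular resolver. The model ignores the bailiwick checks and TTL windows a real attack has to work around; it exists to show why a predictable transaction ID and a fixed source port let one flood win, a random 16-bit transaction ID alone still falls to a full sweep, and randomizing both pushes the attacker's search space to about 2^32.

```python
"""Constructed model of the DNS cache poisoning race (example code, not CAPEC's).
Packets use the RFC 1035 wire format; the network is simulated in-process.
1.3.5.7 (legitimate) and 2.4.6.8 (attacker) are the addresses from the example."""
import random
import struct

NAME = "www.example.com"
LEGIT_IP = "1.3.5.7"
EVIL_IP = "2.4.6.8"

def encode_name(name):
    """Hostname -> DNS labels, e.g. b'\\x03www\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, offset):
    """Read labels at offset; returns (name, offset just past the root label)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_query(txid, name):
    """Standard query (RD=1) with one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip, ttl=300):
    """Answer echoing the question plus one A record whose owner name is a
    compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_response(pkt):
    """Return (txid, qname, ip) from a response built by build_response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    qname, off = decode_name(pkt, 12)
    off += 4 + 2          # skip QTYPE/QCLASS, then the 0xC00C owner pointer
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    return txid, qname, ".".join(str(b) for b in pkt[off:off + rdlen])

class Resolver:
    """Caching resolver; the two flags decide how much an attacker must guess."""

    def __init__(self, random_txid, random_port, rng):
        self.random_txid, self.random_port, self.rng = random_txid, random_port, rng
        self.cache = {}
        self.pending = {}        # qname -> (txid, source port the query left from)

    def send_query(self, name):
        txid = self.rng.getrandbits(16) if self.random_txid else 0x0001
        port = self.rng.randint(1024, 65535) if self.random_port else 53
        self.pending[name] = (txid, port)
        return build_query(txid, name), port

    def receive(self, pkt, dst_port):
        """Cache an answer only if it matches an outstanding query's name,
        transaction ID and the port that query was sent from; otherwise drop."""
        txid, qname, ip = parse_response(pkt)
        if self.pending.get(qname) != (txid, dst_port):
            return False
        self.cache[qname] = ip
        del self.pending[qname]
        return True

def run_race(resolver, flood):
    """Spoofed (txid, port) guesses arrive before the legitimate answer.
    Returns the IP the cache ends up holding for NAME."""
    query, src_port = resolver.send_query(NAME)
    real_txid = struct.unpack("!H", query[:2])[0]
    for txid, port in flood:
        if resolver.receive(build_response(txid, NAME, EVIL_IP), port):
            break             # one accepted forgery is enough
    # The genuine answer has the right txid and port but is ignored once poisoned.
    resolver.receive(build_response(real_txid, NAME, LEGIT_IP), src_port)
    return resolver.cache[NAME]

def demo():
    rng = random.Random(2024)    # seeded only to keep the run repeatable
    sweep = lambda: ((t, 53) for t in range(0x10000))  # every txid, all aimed at port 53
    return {
        "predictable_txid_fixed_port": run_race(Resolver(False, False, rng), sweep()),
        "random_txid_fixed_port": run_race(Resolver(True, False, rng), sweep()),
        "random_txid_random_port": run_race(Resolver(True, True, rng), sweep()),
    }

if __name__ == "__main__":
    for setting, ip in demo().items():
        print(f"{setting:28s} cache holds {ip} ({'POISONED' if ip == EVIL_IP else 'safe'})")
```

The first two configurations end with 2.4.6.8 in the cache and the third with 1.3.5.7: the attacker's full 16-bit sweep to port 53 is enough against a predictable or merely random transaction ID, but never reaches a resolver whose source port it cannot guess. That difference is what the "update your DNS servers" mitigation buys in practice, since modern resolver versions randomize both fields.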
Skill or Knowledge Level: Medium
To overwrite/modify targeted DNS cache
The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals.
Configuration: Make sure your DNS servers have been updated to the latest versions, in particular versions that randomize the transaction ID and UDP source port of outgoing queries and can perform DNSSEC validation.
Configuration: UNIX services like rlogin, rsh/rcp, xhost, and NFS, which grant access based on host names, are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.
Configuration: Disable client side DNS caching.
A vector specifically crafted to poison a DNS cache, so that all traffic for the targeted name is redirected to an unintended destination.
Any local machine that looks up the name of the legitimate server is redirected to the malicious server. This assists a Pharming attack, in which the victim is fooled into entering sensitive data at a location that appears trusted. The adversary could also accept the incoming SSL connection, decrypt it, read all the traffic, and make the same request via SSL to the original site; this requires the client to accept the adversary's certificate for the spoofed name.