Page 46 Kim et al. J Surveill Secur Saf 2020;1:34-60 | http://dx.doi.org/10.20517/jsss.2020.14
Alharbi et al. [37] studied the risk of client-side DNS cache poisoning and found that a new type of DNS poisoning attack, exploiting vulnerabilities in the caching within the end-user's operating system, is feasible. The vulnerability remains exposed because the client side is not considered part of the DNS framework and is therefore not covered by mitigations for the DNS cache poisoning attack.
4.1.2 DA02. Kaminsky
To protect against conventional cache poisoning attacks, DNS resolvers use a technique known as "bailiwick checking": to guard against malicious DNS additional records, the resolver accepts only the basic information and ignores additional records that fall outside the queried domain. To overcome this, attackers exploited the authoritative name server to poison resolver caches. Dating from Steven Bellovin's study in 1990, DNS hijacking and poisoning attacks developed into attacks based on the "birthday paradox", and eventually evolved into Kaminsky attacks in 2008 [14,38].
The Kaminsky attack hijacks the authoritative records instead of the RRs. As a precondition, the attacker configures a domain name server that is authoritative for the malicious website's zone, including all of its records. The attack consists of two steps. Step 1: The attacker sends fake DNS queries for a random name within the target domain to the local DNS server. Since the local DNS server does not have the information in its cache, it generates subsequent queries to the authoritative name servers. Step 2: The attacker sends a barrage of forged answers to the local DNS server. Instead of fake RRs, these answers delegate to another name server, using a malicious authority record.
Finally, the attacker owns an authoritative name server for the specific website and provides users with malicious IP addresses for normal DNS requests of the domain through the DNS resolver. This is a higher level of attack than the DNS cache poisoning attack because it can affect not only the domain but also its subdomains.
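As an added illustration of the resolver-side defences discussed in 4.1.2 (example code written for this page, not taken from Kim et al. or from any resolver implementation), the following Python sketch models two validation gates. Bailiwick checking drops records whose owner name lies outside the zone the resolver asked about, which stops a conventional reply that smuggles an unrelated A record into the additional section; a Kaminsky-style forged delegation keeps its owner names in-bailiwick, so it has to be stopped by the other gate, namely that a reply's transaction id and destination port must match the outstanding query. All record names, addresses, ports and transaction ids are constructed; a real resolver also compares the question section and the remote address, which this model omits.

```python
"""Resolver-side response validation: bailiwick checking plus transaction matching.

Added example with constructed records; not code from the paper it accompanies.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type and rdata (constructed, simplified)."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Query:
    """What the resolver sent: the name asked for, the zone the target server is
    believed to be authoritative for, and the transaction id / source port used."""
    qname: str
    zone: str
    txid: int
    sport: int


@dataclass
class Response:
    """A reply as it arrives on the wire (constructed). `dport` is the port it was
    sent to, which must equal the resolver's query source port."""
    txid: int
    dport: int
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def matches_transaction(q: Query, r: Response) -> bool:
    """Drop unsolicited replies: txid and destination port must match the
    outstanding query. This is the gate bailiwick checking alone does not give."""
    return r.txid == q.txid and r.dport == q.sport


def bailiwick_filter(q: Query, r: Response):
    """Apply bailiwick checking to every section. Returns (kept, dropped), where
    dropped lists records whose owner name lies outside the queried zone."""
    kept, dropped = [], []
    for section in (r.answer, r.authority, r.additional):
        for rr in section:
            (kept if in_bailiwick(rr.name, q.zone) else dropped).append(rr)
    return kept, dropped


def accept_response(q: Query, r: Response):
    """Full validation: transaction match first, then the bailiwick filter.
    Returns (accepted, cacheable_records, dropped_records)."""
    if not matches_transaction(q, r):
        return False, [], list(r.answer) + list(r.authority) + list(r.additional)
    kept, dropped = bailiwick_filter(q, r)
    return True, kept, dropped


# Constructed scenario 1: a genuine-looking reply that smuggles an A record for
# an unrelated domain into the additional section (conventional poisoning).
QUERY = Query(qname="www.example.test", zone="example.test", txid=0x1A2B, sport=50123)
SMUGGLED = Response(
    txid=0x1A2B, dport=50123,
    answer=[RR("www.example.test", "A", "192.0.2.10")],
    additional=[RR("login.bank.test", "A", "203.0.113.9")],  # out of bailiwick
)

# Constructed scenario 2: a forged delegation whose owner names are *inside*
# the bailiwick but whose transaction id the resolver never issued.
FORGED = Response(
    txid=0x0000, dport=50123,
    authority=[RR("example.test", "NS", "ns1.example.test")],
    additional=[RR("ns1.example.test", "A", "203.0.113.9")],
)


def demo():
    """Run both constructed scenarios and return a summary dict."""
    ok1, _kept1, dropped1 = accept_response(QUERY, SMUGGLED)
    ok2, kept2, _dropped2 = accept_response(QUERY, FORGED)
    return {
        "smuggled_accepted": ok1,
        "smuggled_dropped": [rr.name for rr in dropped1],
        "forged_accepted": ok2,
        "forged_cached": len(kept2),
    }


if __name__ == "__main__":
    print(demo())
```

The point of running both scenarios side by side is that the first reply passes transaction matching and is accepted with only its out-of-bailiwick record stripped, while the second survives bailiwick checking in full and is rejected purely because its transaction id does not match; a resolver that used a predictable transaction id or a fixed source port would have cached the forged delegation.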
4.1.3 DA03. DNS hijacking
DNS hijacking modifies DNS record settings (most often at the domain registrar) to point to a bogus DNS server or domain. Attackers compromise vulnerable DNS servers to change the IP address and the mapped domain address [39]. Cisco Talos discovered a new DNS hijacking attack called "DNSpionage" [40]. The main feature of this attack is that it stays as inconspicuous as possible while it runs. DNSpionage uses malicious Microsoft Office files with embedded malware, which provides HTTP and DNS communication with the attackers. Finally, the malicious DNS redirection takes effect when a user opens a forged document or visits a malicious site.
4.2 DNS data flooding
In general, the goal of flooding attacks is to disable the user-server function by overwhelming the server, thereby hampering DNS name resolution for its zone. In a DNS data flooding attack, the attacker tries to exhaust server resources with an enormous number of apparently valid queries, impeding the server's ability to respond to legitimate requests. Figure 9 describes the specific method of DNS data flooding.
4.2.1 DA04. DNS flooding attack
A DNS flooding attack attempts to exhaust server-side resources through a flood of UDP requests from multiple machines infected with malware. DNS servers, which rely on the UDP protocol for name resolution, may not be able to distinguish the flood of UDP packets from normal requests. Attackers send a large volume of packets mimicking legitimate DNS requests to a DNS server, causing it to run out of resources to handle legitimate requests [41].
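Because the flood consists of queries that look valid one at a time, the practical place to catch it is in aggregate, on the server's query log. The following Python snippet is an added example (written for this page, not from Kim et al. or from any DNS server's tooling) that parses constructed query-log lines in a generic "timestamp client IP#port: query: NAME IN TYPE" layout, counts queries per client per one-second bucket, and flags clients above a rate threshold. It also reports what fraction of a flagged client's names were never repeated, since a flood of unique names defeats the cache and costs an upstream lookup per query. The log lines, addresses, the `max_qps` threshold and the `min_distinct_ratio` cut-off are all constructed placeholders to be tuned per deployment.

```python
"""Per-client DNS query-rate detection over query-log lines.

Added example; the log lines below are constructed and loosely modelled on a
generic "timestamp client IP#port: query: NAME IN TYPE" format.
"""
import re
from collections import Counter, defaultdict

# Constructed log: 198.51.100.7 floods with random subdomain names,
# while 192.0.2.20 and 203.0.113.5 behave normally.
SAMPLE_LOG = """\
2024-05-01T12:00:00.012 client 192.0.2.20#5353: query: www.example.test IN A
2024-05-01T12:00:00.120 client 198.51.100.7#40001: query: a1x9.example.test IN A
2024-05-01T12:00:00.121 client 198.51.100.7#40002: query: q7zt.example.test IN A
2024-05-01T12:00:00.122 client 198.51.100.7#40003: query: m2ke.example.test IN A
2024-05-01T12:00:00.123 client 198.51.100.7#40004: query: p0rr.example.test IN A
2024-05-01T12:00:00.124 client 198.51.100.7#40005: query: zz81.example.test IN A
2024-05-01T12:00:00.400 client 203.0.113.5#5353: query: mail.example.test IN MX
2024-05-01T12:00:01.050 client 198.51.100.7#40006: query: k4lo.example.test IN A
2024-05-01T12:00:01.051 client 198.51.100.7#40007: query: b9vd.example.test IN A
2024-05-01T12:00:01.500 client 192.0.2.20#5353: query: www.example.test IN AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_log(text):
    """Yield (one_second_bucket, client, qname) for each well-formed line.

    Malformed lines are skipped rather than raising, so a noisy log does not
    stop the detector."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("client"), m.group("qname").lower()


def detect_flooders(text, max_qps=4, min_distinct_ratio=0.8):
    """Flag clients that exceed `max_qps` queries in any one-second bucket.

    Returns {client: {"peak_qps": n, "distinct_ratio": r, "random_names": bool}}
    where distinct_ratio is unique names / total names for that client and
    random_names is True when the ratio reaches `min_distinct_ratio`.
    """
    per_bucket = Counter()          # (bucket, client) -> query count
    names = defaultdict(list)       # client -> every qname it asked for
    for bucket, client, qname in parse_log(text):
        per_bucket[(bucket, client)] += 1
        names[client].append(qname)

    peak = {}                       # client -> busiest one-second bucket
    for (_bucket, client), n in per_bucket.items():
        peak[client] = max(peak.get(client, 0), n)

    flagged = {}
    for client, qps in peak.items():
        if qps > max_qps:
            asked = names[client]
            ratio = len(set(asked)) / len(asked)
            flagged[client] = {
                "peak_qps": qps,
                "distinct_ratio": round(ratio, 2),
                "random_names": ratio >= min_distinct_ratio,
            }
    return flagged


if __name__ == "__main__":
    for client, info in detect_flooders(SAMPLE_LOG).items():
        print(client, info)
```

Thresholds of a few queries per second are far too low for a real resolver and are only there to make the constructed sample trip; in production the rate limit would be derived from the server's measured baseline, and the flagged output would feed a rate limiter or firewall rule rather than a print statement.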