2.4 DNS attacks Flashcards

(4 cards)

1
Q

DNS poisoning

A
  • Modify the DNS server
    –Requires some crafty hacking
  • Modify the client hosts file
    –The hosts file takes precedence over DNS queries
  • Send a fake response to a valid DNS request
    –Requires a redirection of the original request or the
    resulting response
    –Real-time redirection
    –This is an on-path attack
2
Q

Domain hijacking

A
  • Get access to the domain registration, and you have control
    over where the traffic flows
    –You don’t need to touch the actual servers
    –Determines the DNS names and DNS IP addresses
  • Many ways to get into the account
    –Brute force
    –Social engineer the password
    –Gain access to the email address that manages the account
    –The usual things
  • Saturday, October 22, 2016, 1 PM
    –Domain name registrations of 36 domains are changed
    –Brazilian bank
    –Desktop domains, mobile domains, and more
  • Under hacker control for 6 hours
    –The attackers became the bank
  • 5 million customers, $27 billion in assets
    –Results of the hack have not been publicly released
3
Q

URL hijacking

A

  • Make money from your mistakes
    –There’s a lot of advertising on the ‘net
  • Sell the badly spelled domain to the actual owner
    –Sell a mistake
  • Redirect to a competitor
    –Not as common, legal issues
  • Phishing site
    –Looks like the real site, please login
  • Infect with a drive-by download
    –You’ve got malware!

4
Q

Types of URL hijacking

A
  • Typosquatting / brandjacking
    –Take advantage of poor spelling
  • Outright misspelling
    –professormesser.com vs. professormessor.com
  • A typing error
    –professormeser.com
  • A different phrase
    –professormessers.com
  • Different top-level domain
    –professormesser.org