Sep 22, 2021
Just like any other day you come into work and take your place at the cube farm and power up your workstation PC. You enter your credentials and open your web browser to access the company's employee web portal. Nothing seems out of the ordinary, and you’re certainly not looking to find trouble.
Nothing in the address bar looks wrong: it shows the company's real domain name, so you enter your credentials, log in to the web portal and begin the usual grind. What you missed is that the name resolved to the wrong server. Worse, it did not only happen to you, but to every employee who accessed the company's web portal that day.
Unbeknownst to anyone affected, every credential entered that day was quietly harvested by an unknown threat actor. What your company has just experienced is a Domain Name System (DNS) spoofing attack.
What Is DNS Spoofing?
The term spoofing denotes deception or forgery. In that sense, DNS spoofing covers any attack in which a threat actor feeds a victim's computer forged name-resolution answers, so that it believes it is reaching a legitimate website when it is not. DNS cache poisoning is the variant in which the forged record is stored in a resolver's cache and is then served to every client that asks for that name.
In this case the domain name the user sees is genuine; what is faked is the IP address it resolves to. In the form described below it is a Man-in-the-Middle (MITM) attack: the threat actor sits between your web browser and the DNS server on the local network and answers your lookups before the real server can.
How Is This Attack Executed?
Technically speaking, the attacker inserts themselves into the communication path between a client and the server of the targeted website, say www.estores.com at IP address 192.168.2.200 (a private address, used here only for illustration).
One of the most common tools used for this is arpspoof, from the dsniff suite. It does not change anybody's IP address; it poisons the ARP caches of the two endpoints so that each side sends frames addressed to the other's IP to the attacker's MAC address instead.
This is how the situation typically unfolds.
1. The attacker runs arpspoof against the client, naming the server's address. The forged ARP replies rewrite the client's ARP table (cache) so that 192.168.2.200 now maps to the attacker's MAC address; the client still believes it is talking to the server.
2. arpspoof is run a second time in the other direction, so the server's ARP table maps the client's IP address to the attacker's MAC as well.
3. The attacker enables IP forwarding on the Linux host (the net.ipv4.ip_forward sysctl), so that intercepted packets are passed on to their real destination. Without this the client would simply lose connectivity and notice; with it, everything exchanged between client and server flows through the attacker's machine unnoticed.
4. A hosts-file-style mapping for www.estores.com is written on the attacker's machine, pointing the name at the attacker's own IP address, and the real site is copied locally so the clone behaves like the original.
5. The attacker starts a web server on that local IP address serving the fake website (a believable copy of the target) to which traffic will be diverted.
6. The final tool is dnsspoof, also from dsniff, started with that hosts file. It watches the LAN for DNS queries and answers any query for www.estores.com with a forged reply carrying the attacker's address, racing the real resolver's answer. Because the forged reply normally arrives first, the client accepts it, caches it and connects to the fake site, where the user downloads malware or hands over whatever they type.
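The tell-tale of the race in step 6 is that one DNS transaction receives two answers that disagree. The following Python is an added example, not code from the original article or from dsniff: it builds a small constructed capture (a forged reply for www.estores.com pointing at 192.168.2.250, which is assumed here to be the attacker's machine, followed by the genuine reply pointing at 192.168.2.200, plus one unrelated clean reply), parses the DNS wire format including name-compression pointers, and flags any transaction ID whose A answers conflict. Transaction IDs, hostnames and addresses are all assumptions chosen to match the scenario above.

```python
"""Spot a dnsspoof-style race: two different A answers for one DNS transaction.

Added example, not part of the original article. All packets are built
in-process; 192.168.2.200 (real server) and 192.168.2.250 (attacker) are
assumed addresses matching the article's scenario.
"""
import struct
from collections import defaultdict


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, NUL root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, offset: int, max_hops: int = 16):
    """Decode a wire-format name at offset, following compression pointers.

    Returns (name, offset just past the name as it appears in the packet).
    The hop limit stops a looping pointer chain in a crafted packet.
    """
    labels, end, hops = [], None, 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Build a minimal DNS reply: one question, one A record (rdata = 4 octets)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a pointer to the question name at offset 12, as real servers emit
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(buf: bytes):
    """Return (txid, qname, [A-record IPs]) from a DNS reply."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    qname, offset = decode_name(buf, 12)
    offset += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _name, offset = decode_name(buf, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return txid, qname, ips


def find_conflicts(replies):
    """Group replies by (txid, qname); a group whose A answers disagree is suspect.

    A resolver sends one query per transaction ID, so a second, different
    answer to the same ID means somebody other than the real server replied.
    """
    seen = defaultdict(list)
    for pkt in replies:
        txid, qname, ips = parse_response(pkt)
        seen[(txid, qname)].append(tuple(sorted(ips)))
    return {key: sorted(set(answers))
            for key, answers in seen.items() if len(set(answers)) > 1}


# Constructed capture: the forged reply wins the race and arrives first.
CAPTURE = [
    build_response(0x1A2B, "www.estores.com", "192.168.2.250"),   # from dnsspoof
    build_response(0x1A2B, "www.estores.com", "192.168.2.200"),   # genuine, late
    build_response(0x3C4D, "mail.estores.com", "192.168.2.201"),  # unrelated, clean
]

if __name__ == "__main__":
    for (txid, name), answers in find_conflicts(CAPTURE).items():
        print(f"txid {txid:#06x} {name}: conflicting answers {answers}")
```

Two caveats when turning this into a real detector. First, key on the client's source port as well as the transaction ID, and record which MAC address each reply came from; a legitimate round-robin resolver never returns two replies for one query, so any second reply is the signal, and its sender is the suspect. Second, in the arpspoof scenario above the attacker forwards the client's traffic and can simply drop the genuine reply before it reaches the victim, so run this on a mirror port or on the resolver's own segment rather than only on the victim host.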
These forms of attacks are among the most deceptive to the user, as they often can go unnoticed for quite a while.
That said, much of the risk can be removed by the people who run resolvers and the people who own domains. Resolver operators should randomise source ports and transaction IDs (which makes blind, off-path cache poisoning impractical), should not run open resolvers, and should validate DNSSEC; domain owners should sign their zones so that validating resolvers reject forged answers. If you are setting up your own server, this means not answering recursive queries from the Internet on port 53 at all (in BIND, allow-recursion { localnets; }; on a resolver, or recursion no; on an authoritative server); the only machines that should answer the Internet are authoritative name servers for zones actually delegated to them. None of this stops the LAN attack described above, where the forged answer is injected on the victim's own network segment; that one is caught by the browser-side checks below and by carrying DNS over an encrypted channel.
Let's briefly cover some other methods you can use to shield yourself from web-based spoofing.
Verify Your Connection in Your Address Bar
Check your URL address bar. It is important for everyday users to examine the URL bar of your web browser and confirm that your browser is connecting to the correct website. For example, if you are intending to browse amazon.com, ensure that the page that comes up actually is amazon.com and not some suspicious variant (amaz0n.com, anyone?) of it or some completely different URL altogether.
Check your HTTPS Indicator
The above advice includes checking the HTTPS indicator, usually shown on the left-hand side of your browser's address bar as a padlock, which tells you whether the connection is protected by a certificate that is valid for that domain name. This is the check that actually catches the attack described above: a forged DNS answer sends you to the attacker's server under the genuine domain name, but the attacker does not hold a valid certificate for that name, so the browser either warns about the certificate or shows no padlock at all. If that happens, or if the padlock disappears from a site that normally has it, do not enter credentials there. The check only helps for sites served over HTTPS; on a plain-HTTP site there is nothing for the browser to verify.
Don't Click on Just Any Link
Unfamiliar links are never a good idea to click on. Copy and paste the suspicious link into a WHOIS lookup service such as DomainTools to verify that the web address actually belongs to the organisation it claims to.
Flush Your DNS Cache
Flushing your DNS cache removes any poisoned record from your local system. A forged record otherwise stays in the cache until its time-to-live (TTL) expires, and an attacker can set that TTL long, so a poisoned entry can outlive the attack itself. Note that flushing only helps once the attacker is off the network; while a tool such as dnsspoof is still answering your lookups, the next query is simply poisoned again. Thankfully, flushing the cache is straightforward.
If you are using Windows, open a Command Prompt (search for cmd, or press Win+R and type cmd), then type ipconfig /flushdns and hit Enter - that's it.
The same function is available on the other platforms: on macOS, run sudo dscacheutil -flushcache followed by sudo killall -HUP mDNSResponder; on Linux with systemd-resolved, run resolvectl flush-caches; on Android and iOS there is no command line, and toggling the network connection (airplane mode on and off) or rebooting the device is the usual way to clear the resolver cache.
Use a Virtual Private Network
A Virtual Private Network (VPN) creates an encrypted tunnel and sends all of your traffic through it, DNS queries included, to the provider's own resolver. An attacker on your local network can then neither see your lookups nor answer them with forged replies, which defeats the LAN-level attack described above. The trade-off is that you now rely on the VPN provider's resolver instead, so choose one that does not leak DNS queries outside the tunnel.
An article by
Jesse McGraw
The original article can be found here