Pharming – DNS cache poisoning attacks
Author: Mariusz Tomaszewski
Article date: 2006-03-09 17:00:48

We explain how DNS cache poisoning attacks work, then demonstrate how such attacks are used in the new financial fraud technique called pharming. Finally, we test the resistance of the most popular DNS cache servers to DNS cache poisoning attacks.
About the Author
Mariusz Tomaszewski holds an MSc in Information Technology and is working on his PhD at the Applied Information Technology Department of Lodz Technical University. He has published multiple articles on IT security and has extensive experience administering LAN and WAN networks based on Linux and BSD. He is a co-author of a book, published recently in Poland by Helion Publishing, called 101 security measures against attacks in computer networks. He currently works for a Polish software company that designs management support systems.

Visiting online banking services and other secured sites is becoming increasingly dangerous. Entering your credit card number on a website that looks deceptively similar to your bank's might end with a considerable sum disappearing from your account. Unfortunately, such attacks are increasingly commonplace and make use of a new method called pharming.
Classic phishing (see the frame How phishing came about) involves sending the victim spoofed e-mails that appear to originate from an online bank or another important institution. A careless user replies to the message, providing the requested personal information and access data, which the attacker promptly uses to steal money from the victim's account. A more advanced variation of phishing involves preparing a fake version of an online bank's site and luring an unsuspecting user to it. A further development of this method is pharming, a high-tech version of phishing.
How phishing came about
Phishing is a computer-based attack method aimed at stealing users' access data, nowadays usually in order to steal money from their online bank accounts. The term phishing originated over ten years ago, when modems were the dominant method of Internet access. The leading American ISP, America Online (AOL), charged users based on the time they were logged into the AOL network. Phishing was originally the practice of using e-mails and IM conversations to persuade users to share their AOL logins and passwords, allowing phishers to use the Internet at the victim's cost. Phishing attacks have since become more sophisticated and dangerous, involving faked transaction interfaces of banks, online payment providers and online auction services.
Pharming involves faking the IP addresses assigned to domain names and then writing this information to DNS caches. If a bank customer enters the bank's domain name in the browser address bar, he or she will be directed not to the real bank's site, but to a site spoofed by an attacker. The fake site is usually identical to the real one, so the user will probably enter their login and password as usual. Pharming attacks are particularly dangerous because they do not require fooling the user into any conscious action that assists the attacker: the pharmer sends no suspicious messages, so the victim has no reason to suspect a trap.

The attack targets the DNS servers used by potential victims, although it may also be conducted against a local machine. The attacker enters into the DNS server's cache a false mapping between the domain name users type to reach a selected website and an IP address of the attacker's choosing. The victim is then directed to that IP address, where a spoofed website awaits. This type of attack is called DNS cache poisoning. In this article, we will analyse a variety of DNS cache poisoning called the birthday attack and a modification of the classic poisoning attack. We will then look at the effectiveness of both types of attack against the most popular DNS servers.

DNS cache poisoning variations
DNS cache poisoning can be performed both against an ordinary user's machine and against a DNS cache server. The idea is the same in both cases: supplying a false DNS cache entry that maps a domain name to an IP address chosen by the attacker. When a DNS cache receives such an entry, it caches it for a certain time (the time specified by the TTL, Time To Live, field of the spoofed DNS reply) and supplies its clients with the spoofed IP address for as long as the entry lives. In the same way, a poisoned DNS Client service in Windows 2000/XP supplies its local user with a spoofed domain name mapping.
As already mentioned, we will look at three types of DNS cache poisoning: the classic attack, the birthday attack and a slightly modified version of the classic attack.

Classic attack
Let's start by quickly going over the main principles of the classic DNS cache poisoning attack so that we can later compare it to the birthday attack. A conventional DNS spoofing attack involves sending the name server n spoofed replies to a single query that the attacker has caused the DNS server to issue. In its DNS query to the authoritative name server for the domain in question, the name server sets a random query ID (in older servers this was not even a random value) in the range 1-65535. The size of this range comes from the fact that the ID field in a DNS query is just two bytes long, so the minimum possible value is 1 and the maximum value is 65535. A spoofed reply is accepted only if its ID matches the one in the outstanding query, so the more spoofed reply packets an attacker sends, the more likely the attack is to succeed. The general likelihood that such an attack will succeed (P) can be expressed by the following formula:
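The acceptance check and TTL-bound caching described in the two sections above, together with the way the classic attack's success depends on the number of spoofed replies, modelled as a toy resolver in Python. This is an added example, not code or a formula from the article: the name bank.example, the address 198.51.100.7, the TTL values and the resolver model are constructed, and the check_port option goes beyond the article to show how randomising the resolver's source port (a later hardening) enlarges the space a spoofer has to guess.

```python
import random
from dataclasses import dataclass

ID_SPACE = 65535    # usable 16-bit query IDs (1..65535), as the article states
PORT_SPACE = 64512  # ephemeral UDP source ports 1024..65535 (assumed range)

@dataclass(frozen=True)
class PendingQuery:  # what the resolver remembers about a question it sent upstream
    name: str
    query_id: int
    src_port: int

@dataclass(frozen=True)
class Reply:  # the fields of an incoming answer that matter for acceptance and caching
    name: str
    query_id: int
    dst_port: int
    ip: str
    ttl: int

def reply_accepted(pending, reply, check_port):
    """A reply is trusted only if it answers the pending name with the matching ID and,
    when the resolver randomises its source port, arrives on that port."""
    if reply.name != pending.name or reply.query_id != pending.query_id:
        return False
    return (not check_port) or reply.dst_port == pending.src_port

def process_reply(cache, pending, reply, check_port, now):
    """Store an accepted reply as name -> (ip, expiry) under the TTL the reply itself carries."""
    ok = reply_accepted(pending, reply, check_port)
    if ok:
        cache[reply.name] = (reply.ip, now + reply.ttl)
    return ok

def cached_ip(cache, name, now):
    """What clients are told until the (possibly spoofed) record expires."""
    hit = cache.get(name)
    return hit[0] if hit and now < hit[1] else None

def classic_success_probability(n, check_port=False):
    """P that one of n spoofed replies carrying distinct (ID[, port]) guesses is accepted."""
    space = ID_SPACE * (PORT_SPACE if check_port else 1)
    return min(n, space) / space

def simulate(n, trials, check_port, seed=7):
    """Empirical rate: fresh random ID (and port, if randomised) per trial; n replies with IDs 1..n."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        q = PendingQuery("bank.example", rng.randint(1, ID_SPACE),
                         rng.randint(1024, 65535) if check_port else 53)
        wins += any(reply_accepted(q, Reply(q.name, i, 53, "198.51.100.7", 3600), check_port)
                    for i in range(1, n + 1))
    return wins / trials
```

With a fixed source port the spoofer only has to cover the 16-bit ID space, so P grows linearly with n; with port randomisation the same n replies cover a space roughly 64,000 times larger.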
Copyright C 2006 by Software Developer's Journal. All rights reserved.
















