January 29, 2012

3.2.13 DNS poisoning and ARP poisoning

DNS and ARP poisoning are types of man-in-the-middle (MITM) attacks, which are types of spoofing attacks. A spoofing attack is an attempt by someone to masquerade as someone else.

Address Resolution Protocol (ARP) cache poisoning (sometimes also known as ARP Poison Routing) allows an attacker on the same network segment (subnet) as the victims to eavesdrop on all network traffic between them.

ARP poisoning tries to convince the network that the attacker's MAC address is the one associated with a given IP address, so that traffic destined for that IP address is delivered to the attacker's machine instead.

In ARP poisoning, the ARP cache (the table that maps IP addresses to MAC (Media Access Control) addresses) of the victim host is ‘poisoned’ with false data. A false entry is injected into the victim's table to force it to communicate with the wrong host. By forging this mapping, traffic can be made to look as if it came from a network it did not. This can be used to gain access to the network, to fool the router into sending the attacker data that was intended for another host, or to launch a DoS attack.

Any device can send an ARP reply packet to another host and force that host to update its ARP cache with the new value. Sending an ARP reply when no request has been made is called a gratuitous ARP. When the intent is malicious, a few well-placed gratuitous ARP packets leave hosts believing they are communicating with one another when in reality they are communicating with a listening attacker.

For sensitive hosts, you can rely on static ARP entries in your local ARP cache rather than on ARP requests and replies, which can be forged.

As a reactive measure, you can monitor the network traffic of hosts using tools such as Snort or xARP.

With DNS poisoning, the DNS server is given information that it thinks is legitimate when it isn't. This can send users to a website other than the one they wanted, reroute mail, or perform any other type of redirection in which data from a DNS server is used to determine a destination. This is also known as DNS spoofing. DNS servers store their information (resource records) either in database files or as cached data, and either can be falsified or ‘poisoned’.

Every DNS query sent out over the network contains a uniquely generated identification number whose purpose is to identify queries and responses and tie them together. This means that if an attacker can intercept a DNS query sent from a target device, a forged response packet carrying that identification number is all that is needed for the target to accept it.
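The transaction-ID matching described above, as an added example (Python written for this note, not code from the original post): it builds a query and a constructed response, then applies the checks a stub resolver should make before accepting a reply, namely source address and port, the QR bit, the transaction ID and the echoed question, so that a reply which gets only the ID right is still rejected. All addresses, IDs and names are constructed sample values.

```python
import struct

def encode_name(name):
    """Encode "www.example.com" as DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    """Standard query (RD=1) with one IN question; the 16-bit txid ties it to its reply."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid, name, rdata, qtype=1):
    """Response (QR=1) echoing the question plus one A record (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # Answer: pointer to the name at offset 12, type, class, TTL, rdlength, IPv4.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4)
    answer += bytes(int(octet) for octet in rdata.split("."))
    return header + question + answer

def validate_response(pending, response, src):
    """Accept a reply only if it came from the server we asked, is a response,
    carries the txid we generated, and echoes our exact question.
    pending = {"txid", "name", "qtype", "server": (ip, port)}; src = sender (ip, port)."""
    if src != pending["server"]:
        return False, "source address/port mismatch"
    if len(response) < 12:
        return False, "truncated header"
    txid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if not flags & 0x8000:
        return False, "not a response (QR=0)"
    if txid != pending["txid"]:
        return False, "transaction id mismatch"
    expected_q = encode_name(pending["name"]) + struct.pack("!HH", pending["qtype"], 1)
    if qdcount != 1 or response[12:12 + len(expected_q)] != expected_q:
        return False, "question section does not match query"
    return True, "ok"

def demo():
    """Genuine reply vs. two forgeries: wrong txid, and right txid from a wrong source."""
    server = ("198.51.100.53", 53)  # constructed resolver address
    pending = {"txid": 0x1234, "name": "www.example.com", "qtype": 1, "server": server}
    genuine = build_response(0x1234, "www.example.com", "203.0.113.7")
    forged_id = build_response(0x4321, "www.example.com", "203.0.113.7")
    return [validate_response(pending, genuine, server),
            validate_response(pending, forged_id, server),
            validate_response(pending, genuine, ("203.0.113.9", 53))]
```

Randomising both the transaction ID and the UDP source port for every query raises the number of guesses a forger needs, which is why real resolvers do both.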

DNS poisoning is difficult to defend against because the attacks are mostly passive by nature. Typically, you will not know your DNS is being poisoned or spoofed until it has already happened. That said, there are still a few things that can be done to defend against these attacks:

  • Secure your internal machines
  • Defend against internal threats; a good internal security posture is always worthwhile
  • Don’t rely on DNS for secure systems – use a local hosts file for sensitive name resolution data
  • Use an IDS – monitor your network and hosts
  • Use DNSSEC – extensions to DNS that let resolvers verify that records are signed and unmodified
