Primary DNS attack methods

This article will introduce several main DNS attack methods. I hope this technology will help you.

Use DNS servers for DDOS attacks

The normal recursive query process on the DNS server may be exploited as a DDOS attack. Assume that the attacker knows the IP address of the attacked machine, and then uses the IP address as the source address for sending resolution commands. In this way, after recursive queries are performed on the DNS server, the DNS server responds to the initial user, which is the attacker. If attackers control enough bots and perform the preceding operations repeatedly, the attackers will be vulnerable to DDOS attacks in response to information from the DNS server.

The attacker has enough botnets to drag the network of the attacker to an interruption. An important challenge of using DNS server attacks is that attackers did not directly communicate with the attacked host, hiding their whereabouts and making it difficult for victims to track down the original attacks.

DNS Cache Infection

Attackers use DNS requests to store data in the cache of a vulnerable DNS server. The cache information will be returned to the user when the customer accesses the DNS, so that the user's access to the normal domain name is directed to the page on which the Hacker sets Trojans and phishing, you can also obtain user password information through forged emails and other server services, resulting in further attacks to the customer.

DNS information hijacking

The TCP/IP system prevents the insertion of counterfeit data through serial numbers and other methods. However, if an attacker listens to the conversation between the client and the DNS server, he can guess the DNS query ID that the server responds to the client. Each DNS packet includes an associated 16-bit ID. the DNS server obtains the request source location based on the ID. Attackers send false responses to users before the DNS server, thus deceiving clients to access malicious websites. Assume that the DNS packet data of the domain name resolution request submitted to a Domain Name Server is intercepted, and then a false IP address is returned as the response information to the requester according to the intention of the interceptor. The original requestor uses this fake IP address as the domain name it wants to request for access. In this way, he is deceived elsewhere and can connect to the domain name he wants to access.

DNS redirection

Attackers redirect DNS name queries to malicious DNS servers, and the resolution of hijacked domain names is completely under the control of attackers.

ARP Spoofing

ARP attacks implement ARP spoofing by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network, attackers can change the IP-MAC entries in the ARP cache of the target host as long as they continuously generate forged ARP response packets, resulting in network interruptions or man-in-the-middle attacks. ARP attacks mainly exist in LAN networks. If a computer in LAN is infected with the ARP virus, the system infected with the ARP virus will attempt to intercept the communication information of other computers in the network through ARP spoofing, and thus cause communication faults of other computers in the network.

ARP spoofing is usually performed in the user's local network, which leads to incorrect Domain Name Pointing. If the IDC is also infiltrated by the ARP virus, attackers may also use ARP packets to suppress normal hosts or DNS servers to direct access errors.

Local hijacking

After the computer system of the Local Machine is infected with Trojans or rogue software, access to some domain names may also be abnormal. Such as access to Trojans or phishing sites, and access failure. The local DNS hijacking methods include hosts file tampering, local DNS hijacking, SPI link injection, and BHO plug-in.