Routing optimization Master router DNS hijacking attack outbreak, CSRF point in the weakness of the router

In the last few days because of the Philippine shooting of Taiwanese fishermen in the "Taiwan-Philippine Hacker War", Taiwan hackers once captured the Philippine government's DNS server, forcing the Philippine hackers openly "begging for mercy." DNS security problem has become the focus of research at home and abroad again. And recently, the online has also burst out "54DNS" hijacking incident.

This hijacking by hackers using broadband router defects on the user's DNS to tamper with, because the Web page does not have special malicious code, so can successfully evade security software detection, resulting in a large number of users are DNS phishing scams.

The DNS full name Domain name System plays an important role in the network implementation process. DNS holds the domain name and corresponding IP address of all hosts in the network, and converts the domain name to an IP address. Once illegally tampered with, users will most likely be directed to phishing sites or other malicious URLs.

It is reported that the DNS hijacking event originated from the May 4 domestic domain Name Service provider 114DNS found a "monitoring data anomaly." Then, the security team successfully traced to launch this DNS hijacking attack "culprit", and the first time the attack to the Tp-link and other domestic mainstream router manufacturers.

114DNS and Tencent computer stewards say a new round of DNS phishing attacks have caused millions of of users to become infected. About 4% of all network users may already be in the midst of the threat of DNS phishing attacks. If the total network users 200 million scale estimates, daily by the DNS phishing attack users have reached 8 million, and such a large-scale DNS phishing attacks in the past is very rare, may be the largest hacker attack in history.

So what kind of a means is used to attack this incident?

A netizen named "rayh4c" once wrote an HTTP authentication Url and CSRF technical article in 2011, which mentions the corresponding attack principle. and other netizens pointed out that the principle of such attacks in the 2008 has been in the United States hacking conference published, has not been the attention of everyone.

The security research team recently made an analysis of this attack in the following steps:

1. The attacker tricked the victim into accessing a page with a csrf attack code through a browser;

2. After the victim's visit, the CSRF code on this page starts to execute;

3. Perform the 1th csrf: Log in to the default routing IP address (such as admin/admin login http://192.68.1.1) with the default account password, these default can form a list, traverse on the line;

4. After the successful 1th CSRF, the target routing device will have a legitimate cookie embedded in the victim's browser;

5. Perform the 2nd CSRF: Modify the DNS IP to the server IP that the attacker prepared. This time, the browser will take the 1th time legal cookie, so the modification can be successful;

5. The user's access request will pass through the attacker's server, the attacker can do all kinds of hijacking;

In addition, he has made some comments on how individual users can prevent such attacks:

1. Modify the default password and intranet address segment will be better;

2. Local binding of trusted DNS services, such as 8.8.8.8;

3. Upgrade to the new version of IE browser;

4. If you use an open source browser, Firefox+noscript has always been a great combination;

In the context of Web front-end security, CSRF's attack skills have evolved. Before a small number of people play harmless, but now these things are black industry chain combat, this is the more we need to focus on. Especially for the webmaster, but also to pay attention to their site backstage was CSRF invasion, usually can log into the SCANV website Security Center to their website to do check and warning.