Sunday, April 24, 2005

DNS Poisoning - How Computer Criminals Subvert Web Addressing

Computer criminals are coming up with ever stealthier ways to make money. Rather than attack PCs or email inboxes, their latest trick is to subvert the very infrastructure of the internet, the domain name system (DNS) that routes all net traffic.
In doing so, they redirect internet users to bogus websites, where visitors could have their passwords and credit details stolen, be forced to download malicious software, or be directed to links to pay-per-click adverts.
...Your company's DNS server may know the IP address of the newscientist.com DNS server, but if it does not, it forwards the request to a DNS server of a local internet service provider. That ISP will know the newscientist.com address, or forward the request to a bigger ISP. This continues via a succession of computers until your PC discovers the location of the full IP address (see Diagram).
The DNS is also designed to take short cuts. Once your DNS server has learned the location of www.newscientist.com, it stores it in a cache and routes directly to it. But herein lies the weakness of the system, because hackers can persuade some servers to cache "poisoned" information.
First they set up their own DNS server called, say, hacker.com. From here, they poison your company's DNS server by sending an email to a bogus email address at your company. This forces your company's server to exchange information with the hacker.com server, and that interaction gives the hacker a chance to insert malicious code onto your company's server.
Stage two takes place when you next type www.newscientist.com into your browser. This time the hacker has instructed your company's server to send requests for this, and any other URLs they specify, to hacker.com. There the hacker has constructed a fake New Scientist web page; it looks identical, except the hacker gets to see any personal info you type in.
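An added illustration, not part of the article: a toy caching resolver showing the two checks that keep a forged or out-of-scope record from entering the cache described above. It assumes a simplified message model (plain dicts rather than wire-format packets), constructed documentation addresses, and that the zone a queried server is authoritative for is known when the query is sent.

```python
# Added example (not from the article): where a caching resolver decides what
# it will and will not store. Assumptions: DNS messages are plain dicts, not
# wire-format packets; the zone the queried server serves is known at ask().
import secrets
from dataclasses import dataclass, field

@dataclass
class Pending:
    qname: str
    nameserver: str   # address we actually sent the query to
    zone: str         # zone that server is authoritative for (its "bailiwick")

@dataclass
class CachingResolver:
    cache: dict = field(default_factory=dict)     # name -> IP address
    pending: dict = field(default_factory=dict)   # txid -> Pending

    def ask(self, qname: str, nameserver: str, zone: str) -> int:
        # 16-bit random transaction ID: a reply nobody asked for must guess it.
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = Pending(qname, nameserver, zone)
        return txid

    @staticmethod
    def in_bailiwick(name: str, zone: str) -> bool:
        # "www.newscientist.com." lies inside "newscientist.com."; a name in
        # some other domain does not, whatever the reply claims about it.
        return name == zone or name.endswith("." + zone)

    def receive(self, reply: dict) -> dict:
        """Validate one reply, cache only what passes, and report the outcome."""
        q = self.pending.get(reply["txid"])
        if q is None or reply["source"] != q.nameserver or reply["qname"] != q.qname:
            # Unsolicited or mismatched reply: dropped without touching the cache.
            names = [n for n, _ in reply["records"]]
            return {"accepted": [], "dropped": names, "reason": "unsolicited"}
        del self.pending[reply["txid"]]   # exactly one answer per outstanding query
        accepted, dropped = [], []
        for name, ip in reply["records"]:
            if self.in_bailiwick(name, q.zone):
                self.cache[name] = ip          # the server may speak for this name
                accepted.append(name)
            else:
                dropped.append(name)           # out of bailiwick: never cached
        return {"accepted": accepted, "dropped": dropped, "reason": "ok"}
```

The addresses in the test below (192.0.2.x, 203.0.113.x, 198.51.100.x) are reserved documentation ranges, constructed for the example.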
