Tuesday, 27 November 2007

Why Cache Poisoning?

The simplest variety of cache poisoning involves transmitting counterfeit replies to the victim’s DNS server. The technique is an artifice that results in a Domain Name Server (DNS server) caching bogus entries as if they are authentic. A poisoned DNS server will generally cache this information for a time, impacting many of the server’s clients.

A cache poisoning attack is generally performed when an attacker exploits a weakness in the DNS system that allows a server to accept false information. When a DNS server accepts DNS responses that it has not confirmed came from an authoritative source, it will cache the inaccurate entries and may then serve other clients with these erroneous records. This technique is used to substitute the requested site address (or other information) with one of the attacker's choosing.
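To make the "has not confirmed" point concrete, here is an added example (not code from the original post) that models the acceptance checks a caching resolver should apply before a reply is allowed into its cache: the reply must match an outstanding query's transaction ID and port, its question section must match what was asked, and each record must be inside the bailiwick of the zone the query was sent to. The message layout is a simplified Python structure rather than DNS wire format, and the names, addresses and replies are constructed for the demonstration; a real resolver would add source-port randomisation and, ideally, DNSSEC validation on top of these checks.

```python
"""Simplified model of reply validation in a caching DNS resolver.
Added example; not code from the original post.  Messages are plain
dataclasses, not wire format, and all names/addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


@dataclass
class Query:
    txid: int       # 16-bit transaction ID we sent
    src_port: int   # UDP source port we sent from
    qname: str
    qtype: str
    zone: str       # zone served by the nameserver we asked (its bailiwick)


@dataclass
class Reply:
    txid: int
    dst_port: int   # port the reply was addressed to
    qname: str
    qtype: str
    answers: List[Record]
    additional: List[Record]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self) -> None:
        self.pending: Dict[Tuple[int, int], Query] = {}  # (txid, port) -> Query
        self.cache: Dict[Tuple[str, str], str] = {}      # (name, type) -> rdata
        self.rejections: List[str] = []                  # audit trail of drops

    def send_query(self, q: Query) -> None:
        self.pending[(q.txid, q.src_port)] = q

    def receive(self, r: Reply) -> bool:
        """Return True if at least one record from `r` entered the cache."""
        key = (r.txid, r.dst_port)
        q = self.pending.get(key)
        if q is None:
            # Wrong TXID/port, or a duplicate after the query was answered.
            self.rejections.append("no matching query")
            return False
        if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
            # Right TXID but wrong question: keep waiting for the real reply.
            self.rejections.append("question mismatch")
            return False
        stored = 0
        for name, rtype, rdata in r.answers + r.additional:
            if not in_bailiwick(name, q.zone):
                # A server for bank.example may not tell us about other zones.
                self.rejections.append("out of bailiwick: " + name)
                continue
            self.cache[(name.lower(), rtype)] = rdata
            stored += 1
        del self.pending[key]  # query answered; later copies are dropped
        return stored > 0


def demo() -> dict:
    """Run four constructed replies against one outstanding query."""
    resolver = ResolverCache()
    query = Query(txid=0x1A2B, src_port=40123, qname="www.bank.example",
                  qtype="A", zone="bank.example")
    resolver.send_query(query)
    replies = [
        # wrong transaction ID
        Reply(0x0001, 40123, "www.bank.example", "A",
              [("www.bank.example", "A", "192.0.2.66")], []),
        # right ID, but the question does not match what we asked
        Reply(0x1A2B, 40123, "mail.bank.example", "A",
              [("www.bank.example", "A", "192.0.2.66")], []),
        # genuine reply; its additional record for another zone is dropped
        Reply(0x1A2B, 40123, "www.bank.example", "A",
              [("www.bank.example", "A", "198.51.100.10")],
              [("www.otherbank.example", "A", "192.0.2.66")]),
        # late duplicate after the query has been satisfied
        Reply(0x1A2B, 40123, "www.bank.example", "A",
              [("www.bank.example", "A", "192.0.2.66")], []),
    ]
    accepted = [resolver.receive(r) for r in replies]
    return {"accepted": accepted, "cache": resolver.cache,
            "rejections": resolver.rejections}


if __name__ == "__main__":
    print(demo())
```

Only the genuine reply changes the cache, and only its in-bailiwick record survives; the rejection list is the kind of signal a resolver operator would want logged, since a burst of "no matching query" drops is a useful indicator that someone is flooding the server with guesses.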

Organised crime is just one of the many varieties of attacker making use of this exploit. As an example, think what could occur if an attacker could alter the IP address of an online banking site. They could, for instance, redirect the site to a reverse proxy and "harvest" user name and password combinations before redirecting the unsuspecting victim to the real banking site.

The worst part is that the little padlock in the browser window will lie and tell you that the site is secure.

The answer? Well, split brain DNS is a start. Recognising that the firewall is not the be all and end all of security goes further.
