Cache Poisoning Attack Completely Explained

What Is Cache Poisoning?

Cache poisoning, also known as DNS spoofing, is a type of attack in which corrupt data is inserted into the cache database of a Domain Name System (DNS) name server.

The Domain Name System maps domain names to IP addresses. Devices that connect to the internet or to private networks depend on it to resolve the human-readable names found in URLs, email addresses and other identifiers into the corresponding IP addresses.

In a DNS cache poisoning attack, a malicious party sends forged responses that impersonate a legitimate Domain Name System server in order to redirect a domain name to a new IP address. This new IP address almost always belongs to a server controlled by the malicious party. DNS cache poisoning attacks are commonly used to spread computer worms and other malware. More sophisticated uses for DNS cache poisoning include man-in-the-middle (MITM) attacks and distributed denial-of-service (DDoS) attacks.

Cache Poisoning Attacks

The success of a cache poisoning attack depends on the existence of exploitable vulnerabilities in Domain Name System software. Once an attacker has sent a forged DNS response and it is accepted, the corrupt data provided by the attacker is cached by the real DNS name server. At this point the DNS cache is considered "poisoned." As a result, future users who attempt to visit the poisoned domain are routed to the IP address selected by the attacker instead. Users will continue to receive inauthentic IP addresses from the DNS server until the poisoned entry has been cleared from the cache or expires.

Domain Name System cache poisoning attacks usually incorporate elements of social engineering to manipulate victims into downloading malware. The servers and websites that attackers use to replace authentic IP addresses are set up to appear legitimate while they actually contain malware in disguise. Attackers’ use of social engineering along with the fact that domain names still appear normal can make it very difficult for users to detect cache poisoning attacks. As a result, victims willingly download malicious content that they believe to be valid and from trusted sources.

Prevent Cache Poisoning Attacks

There are several measures that enterprises should take to prevent Domain Name System cache poisoning attacks. For starters, IT teams should configure DNS servers to rely as little as possible on trust relationships with other DNS servers. Doing so makes it more difficult for attackers to use their own DNS servers to corrupt their targets' servers. Beyond limiting trust relationships, IT teams should ensure that they are running the most recent version of their DNS server software. DNS servers running BIND 9.5.0 or higher include source port randomization and cryptographically secure transaction IDs, both of which make it far harder for a forged response to match an outstanding query and so help prevent cache poisoning attacks.

In order to further prevent cache poisoning attacks, IT teams should configure their DNS name servers to:

  • Limit recursive queries.
  • Store only data related to the requested domain.
  • Restrict query responses to only provide information about the requested domain.
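The following Python sketch is an added illustration, not code from the original post. It models the checks a recursive resolver applies to an incoming reply before anything from it is cached: the reply must come from the server that was queried, arrive on the randomized source port, echo the random transaction ID, match the question that was asked, and only records inside the zone the queried server is responsible for (its bailiwick) are kept, which is the "store only data related to the requested domain" rule above. The data-class fields, function names and the dict layout of the reply are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PendingQuery:
    # State a resolver keeps for each outstanding query (field names are assumed)
    txid: int        # 16-bit transaction ID drawn from a CSPRNG
    src_port: int    # randomized UDP source port the query was sent from
    qname: str       # name asked for, e.g. "www.example.com."
    zone: str        # zone the queried server is authoritative for (its bailiwick)
    server_ip: str   # address of the server the query was sent to


def new_query(qname: str, zone: str, server_ip: str) -> PendingQuery:
    """Mimic what BIND 9.5+ does: unpredictable transaction ID and source port per query."""
    return PendingQuery(txid=secrets.randbelow(1 << 16),
                        src_port=1024 + secrets.randbelow(65536 - 1024),
                        qname=qname.lower(), zone=zone.lower(), server_ip=server_ip)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (label-wise, not a substring match)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def accept_response(pending: PendingQuery, resp: dict):
    """Return the records that are safe to cache, or None if the reply is rejected.

    resp is a constructed dict with keys txid, src_ip, dst_port, qname and
    records=[(owner_name, rtype, value), ...]; a real resolver parses these from the wire.
    """
    if resp["src_ip"] != pending.server_ip:      # reply must come from the server we asked
        return None
    if resp["dst_port"] != pending.src_port:     # ...and land on our randomized source port
        return None
    if resp["txid"] != pending.txid:             # ...and echo our random transaction ID
        return None
    if resp["qname"].lower() != pending.qname:   # question section must match the query
        return None
    # Keep only records inside the bailiwick: a reply about example.com must not be
    # allowed to plant a record for an unrelated domain in the cache.
    return [r for r in resp["records"] if in_bailiwick(r[0], pending.zone)]
```

A blind attacker who cannot see the query has to guess both the 16-bit transaction ID and the source port, which is why the two together matter more than either alone.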

The DNS server should be maintained to ensure that it is clear of any services that aren’t needed. Extraneous services running on the DNS server only provide attackers with more potential attack vectors.

There are also tools available to help organizations prevent cache poisoning attacks. The most widely used is probably DNSSEC (Domain Name System Security Extensions). DNSSEC is a set of extensions to DNS developed by the Internet Engineering Task Force that provides cryptographic authentication of DNS data, so a resolver can verify that a response really came from the zone's operator rather than from a forger.
Reviewed by Redbuddy on June 14, 2019
