A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
Description
Attack Execution Flow
3
1
Step 1
Explore[Explore resolver caches] Check DNS caches on local DNS server and client's browser with DNS cache enabled.
Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
Figure out if the client's browser has DNS cache enabled.
AI Translation
[Esplora cache del resolver] Verifica le cache DNS sul server DNS locale e sul browser del client con la cache DNS abilitata.
Esegui strumenti che controllano la cache del resolver in memoria per verificare se contiene una voce DNS di interesse.
Determina se il browser del client ha la cache DNS abilitata.
Attack Techniques
-
Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
-
Figure out if the client's browser has DNS cache enabled.IT: Esegui strumenti che verificano la cache del resolver in memoria per vedere se contiene una voce DNS di destinazione.
2
Step 2
Experiment[Attempt sending crafted records to DNS cache] A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.
Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.
If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction
Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.
AI Translation
[Tentativo di invio di record manipolati alla cache DNS] Viene inviato una richiesta al server autoritativo del sito web target e si attende la risposta del resolver iterativo. Un adversary invia una richiesta fasulla al server DNS locale, quindi inonda di risposte che ingannano la cache DNS facendole memorizzare risposte dannose, ovvero risposte errate alla query DNS.
L'adversary deve conoscere l'ID di transazione intercettando una query DNS, oppure inviando una query fasulla con ID di transazione noto.
Se l'ID di transazione utilizzato per identificare ogni istanza di query è randomizzato in alcuni nuovi software DNS, l'attacco deve indovinare l'ID di transazione. Ritarda la risposta del server DNS reale causando un Denial-of-Service. Questo dà agli adversary abbastanza tempo per indovinare l'ID di transazione.
L'adversary crea una risposta DNS con lo stesso ID di transazione della richiesta. L'adversary invia risposte DNS prima del server DNS autorizzato. Ciò costringe la cache DNS locale a memorizzare una risposta DNS falsa (risposta errata). Le risposte DNS false di solito includono l'indirizzo IP di un sito web maligno.
Attack Techniques
-
If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction
-
Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.IT: Se l'ID di transazione utilizzato per identificare ogni istanza di query viene randomizzato in un nuovo software DNS, l'attacco deve indovinare l'ID di transazione. Rallenta la risposta del server DNS reale causando un Denial-of-Service. Questo dà agli avversari abbastanza tempo per indovinare l'ID di transazione.
-
Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.IT: Se l'ID di transazione utilizzato per identificare ogni istanza di query viene randomizzato in un nuovo software DNS, l'attacco deve indovinare l'ID di transazione. Rallenta la risposta del server DNS reale causando un Denial-of-Service. Questo dà agli avversari abbastanza tempo per indovinare l'ID di transazione.
3
Step 3
Exploit[Redirect users to malicious website] As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.
Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.
AI Translation
[Reindirizza gli utenti a un sito web dannoso] Man mano che l'attaccante riesce a sfruttare la vulnerabilità, la vittima si collega a un sito dannoso utilizzando il nome di dominio di un buon sito web.
Reindirizzamento del traffico web verso un sito che appare abbastanza simile all'originale da non suscitare sospetti.
Adversary-in-the-Middle (CAPEC-94) intercetta la comunicazione sicura tra due parti.
Attack Techniques
-
Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
-
Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.IT: Reindirizzamento del traffico Web verso un sito che assomigli abbastanza all'originale da non suscitare sospetti.
Mitigations
3
Configuration: Disable Client Side Dns Caching.
Configuration: Make Sure Your Dns Servers Have Been Updated To The Latest Versions
Configuration: Unix Services Like Rlogin, Rsh/Rcp, Xhost, And Nfs Are All Susceptible To Wrong Information Being Held In A Cache. Care Should Be Taken With These Services So They Do Not Rely Upon Dns Caches That Have Been Exposed To The Internet.
Consequences
Consequence Information
{'impacts': [], 'impacts_translate': [], 'scopes': [], 'scopes_translate': []}
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1584.002
DNS Server
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic …
Resources Required
1
The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals.