The next attack to focus on is DNS. There are numerous attacks on DNS, in different categories. Simply because DNS is such a valuable tool to networks, the success or failure of a network is going to depend on whether or not DNS is running, and running well,
not to mention the fact that if I can modify DNS, I can pretty much redirect you anywhere I want you to go.
Whoever controls DNS controls the universe. That's just how it is.
The first thing I want to mention is that one of the most common attacks on DNS is simply denial of service.
That is the easiest and quickest way to take a network down: disable DNS. So many network services, like Active Directory,
Kerberos, federated trust, access to systems, just everything in the environment relies on DNS working properly.
We almost always connect to our resources via name. I don't ever connect by IP address. I generally connect via server one or server two or whatever the servers are called.
Of course, that means my query goes up to the DNS server, and that sends back a reply.
Now, pharming means that an attacker gained access to the records of my DNS server and modified them.
Instead of going to the server that I think is my company's intranet, I'm redirected to a rogue server that looks like my company's server. That asks me for my user name and password. I type that in. Now the attacker has that information. Maybe it comes back and displays a page that says the service is down temporarily or something like that, so I'm not even alerted.
Going back to denial of service attacks: a couple of years ago, right before the election, there was a huge, massive denial of service attack on servers like Amazon, Google, Facebook and several other huge Internet players. My first thought was, what could be significant enough to knock Amazon offline, but also Google and Facebook?
How in the world could they have managed an attack that was so far reaching?
The answer, as it turns out, was that Amazon, Google and Facebook weren't down at all. What happened was the attack was directed at the DNS servers. There was a company called Dyn that managed name resolution.
By taking DNS offline, nobody could access those servers they were targeting. DNS is really so very appealing to an attacker, either to render your network unusable or for redirection.
Pharming is about redirection.
There's also an attack called poisoning.
Any time you talk about poisoning, that's usually revolving around modification of cache.
Cache is a special type of memory that is faster to access. The whole purpose of cache is that it's where we store things that we're frequently going to need.
I store it close by so I can access it quickly.
For instance, once a DNS server learns the IP address for amazon.com, it stores that IP address in its cache. So the next time it gets a query for it, it can respond much faster, because it's already learned it.
If I compromise that DNS server's cache and replace the legitimate IP address with my IP address, you'll be redirected to my site.
One of the ways that happens is through something called unsolicited replies. Ultimately, in that situation, if I send out a DNS query, I want a reply.
If I don't send out a DNS query, I don't want a reply.
That's like some random service coming out from the network and saying, Hey, add me to the DNS, and here's my IP address.
At one point in time, DNS servers took unsolicited replies, with the idea that the more information they have, the faster they perform.
We found that this was a way of getting counterfeit information into the cache.
If you've ever configured a DNS server, there's a little check box that says Protect cache from pollution. What it's doing is not accepting unsolicited replies.
Now, very comparable, we have ARP poisoning.
If you remember from our network discussion, ARP stands for Address Resolution Protocol.
Once a client knows the IP address that the data is destined for, it sends out a broadcast. It says, Hey, who is 10.1.1.1? That computer responds and says, Hey, that's me, and here's my MAC address.
Then the MAC address gets added to the frame as the destination, and the packet is sent on its way.
Again, if the cache is modified, then you're going to wind up being redirected to another location.
Those unsolicited replies are dangerous. We need to make sure that our systems don't accept them.
Honestly, operating systems today don't accept them, and the DNS configuration doesn't accept them.
Occasionally, we run into an application that requires these options. It's always that balance of security versus performance.
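As an added illustration (not part of the lecture), here is a toy stub-resolver cache in Python that contrasts the old permissive behaviour with the "protect cache from pollution" behaviour described above: a reply is only accepted if it matches an outstanding query, and extra records riding along on a legitimate reply are dropped instead of cached. The `Reply` structure, the names and the addresses are all constructed for the example.

```python
# Added example: a minimal resolver cache showing why unsolicited DNS replies
# pollute the cache and how matching replies to outstanding queries stops it.
from dataclasses import dataclass, field
import secrets


@dataclass
class Reply:            # only the parts of a DNS response that matter here
    txid: int           # 16-bit transaction id copied from the query
    qname: str          # name in the question section
    answers: dict       # {owner_name: ip} resource records carried in the reply


@dataclass
class ResolverCache:
    protect_from_pollution: bool = True
    cache: dict = field(default_factory=dict)    # name -> ip
    pending: dict = field(default_factory=dict)  # txid -> qname awaiting a reply
    dropped: int = 0                             # replies/records refused

    def send_query(self, qname: str) -> int:
        """Record an outstanding query under a random transaction id."""
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = qname.lower()
        return txid

    def receive(self, r: Reply) -> list:
        """Process a reply; return the names actually written to the cache."""
        answers = {n.lower(): ip for n, ip in r.answers.items()}
        if self.protect_from_pollution:
            expected = self.pending.get(r.txid)
            if expected is None or expected != r.qname.lower():
                self.dropped += 1        # nobody asked: unsolicited or stale
                return []
            del self.pending[r.txid]     # the query is now answered
            # keep only records for the name we asked about; extra records
            # riding along on a real reply are the classic pollution path
            extra = [n for n in answers if n != expected]
            self.dropped += len(extra)
            answers = {n: ip for n, ip in answers.items() if n == expected}
        # legacy mode: anything that arrives is cached, pollution included
        self.cache.update(answers)
        return list(answers)

    def resolve(self, qname: str):
        return self.cache.get(qname.lower())
```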