Author: Bai
Review & proofreading: Shaoyan
Editing & Typesetting: Wen Yan
DNS hijacking, as the most common network attack method, is the most troublesome thing for every webmaster or operation and maintenance team. After a painstakingly managed website is hijacked by DNS, it will not only affect website traffic and weight, but also put users in danger, leaking privacy and causing property losses.
It was such a simple attack method that caused a global sensation in 2009, which caused nearly 1% of customers of Banco Bradesco, Brazil's largest bank, to be attacked and accounts to be stolen. Hackers use broadband router flaws to tamper with the user's DNS-when users browse a web page created by hackers, their broadband router DNS will be tampered with by hackers. Because the web page is equipped with a cleverly designed malicious code, it successfully evaded security software detection. A large number of users were scammed by DNS phishing.
It’s not uncommon for websites to be hacked, mirrored maliciously, and implanted with spam code. The harms also include:
- Phishing fraudulent online shopping, online payment may be maliciously directed to other websites, which increases the risk of personal account leaks;
- Malicious advertisements appear on the website;
- It affects the speed of the Internet to the slightest extent, and cannot access the Internet.
But in the face of DNS hijacking, can you only catch it with one's hands?
Know yourself and the enemy, what is DNS?
DNS stands for Domain Name System. The Domain Name System maps domain names and IP addresses to each other in the form of a distributed database. Simply put, DNS is used to resolve domain names. In a normal environment, every user's Internet access request will be directed to a matching IP address through DNS resolution to complete an Internet behavior. As an application layer protocol, DNS mainly works for other application layer protocols, including but not limited to HTTP, SMTP, FTP, and is used to resolve the host name provided by the user into an IP address. The specific process is as follows:
(1) A DNS client is running on the user host (PC or mobile phone);
(2) The browser extracts the domain name field from the received URL, which is the host name of the visit, such as http://www.aliyun.com/ , and transmits this host name to the client of the DNS application;
(3) The DNS client sends a query message to the DNS server, which contains the host name field to be accessed (including a series of cache queries and the work of distributed DNS clusters);
(4) The DNS client will eventually receive a reply message, which contains the IP address corresponding to the host name;
(5) Once the browser receives the IP address from DNS, it can initiate a TCP connection to the HTTP server located by the IP address.
(The picture comes from the Internet and is only for illustration)
It can be seen that in order to obtain the IP of the target website, in addition to the search behavior in the local machine, the participation of a third-party server (DNS) is also required. But as long as it passes through third-party services, the network is not within the controllable range, and DNS hijacking may occur. For example, the obtained IP is not the IP actually desired, thereby opening non-target websites. When the website undergoes local DNS resolution, the hacker replaces the target website in the local DNS cache with the IP of another website and returns, but the client does not know it, and still establishes a parallel connection according to the normal process addressing. If some hackers want to steal user accounts and passwords, the hackers can create a Trojan horse page that is exactly the same as the target website, allowing the user to log in, and they will be recruited when the user enters the password and submits it.
What are the common DNS hijacking methods?
(1) Use DNS server for DDoS attack
The normal DNS server recursive query process is exploited and turned into a DDoS attack. Assuming that the hacker knows the IP address of the attacked machine, the attacker uses this address as the source address for sending the parsing command. When the DNS server is used to query recursively, it will respond to the initial user. If the hacker controls a large enough broiler to perform the above operations. Then, the initial user will be attacked by the DDoS response from the DNS server and become the victim.
(2) DNS cache infection
Hackers use DNS requests to inject data into a vulnerable DNS server cache. These cached information will be returned to the user when the client makes DNS access, and direct the user's access to the normal domain name to the page set by the intruder to hang horses, phishing, etc., or obtain user password information through forged emails and other services, leading to customer encounters Further infringement.
(3) DNS information hijacking
In principle, the TCP/IP system avoids counterfeit data insertion through various methods such as serial numbers, but hackers can resolve the DNS query ID that the server responds to the client by monitoring the conversation between the client and the DNS server. Each DNS message includes an associated 16-bit ID, and the DNS server obtains the request source location based on this ID. The hacker hands the false response to the user before the DNS server, deceiving the client to visit the malicious website. Suppose that when a data packet submitted to a domain name server's domain name resolution request is intercepted, then a fake IP address is returned to the requester as a response message according to the hacker's intention. At this time, the original requester will connect this fake IP address as the domain name it wants to request. Obviously, it has been directed elsewhere and cannot connect to the domain name it wants to connect to.
(4) ARP spoofing
ARP spoofing is achieved by forging IP address and MAC address, and a large amount of ARP traffic is generated in the network to block the network. Hackers can change the IP-MAC entry in the ARP cache of the target host as long as they continue to send forged ARP response packets, causing network interruption Or a man-in-the-middle attack. ARP attacks mainly exist in the local area network. If a computer in the local area network is infected with the ARP Trojan, the system infected with the ARP Trojan will try to intercept the communication information of other computers in the network by means of "ARP spoofing", and thus cause the network Communication failure of other computers in the computer. ARP spoofing is usually in the user's office network, causing the wrong direction of the user's access to the domain name, but after the IDC computer room is invaded, it may also happen that the attacker uses ARP packets to suppress the normal host or suppress the DNS server, so that the access is directed to the wrong direction. .
What impact does DNS hijacking have on the business?
Once hijacked, there is no way for related user queries to obtain the correct IP resolution, which can easily cause:
(1) Many users are accustomed to relying on bookmarks or easy-to-remember domain names to enter. Once hijacked, such users will not be able to open the website, and changing the domain name will not be able to notify the change in time, resulting in a large loss of users.
(2) User traffic is mainly entered through search engine SEO. After DNS is hijacked, search engine spiders will not be able to capture the correct IP, and the website may be banned by Baidu.
(3) Some domain names are used for mobile application APP scheduling. These domain names do not need to be accessible to customers, but the resolution of these domain names is related to application APP access. If the resolution is hijacked, the application APP will be inaccessible. At this time, changing the domain name may cause the APP to be delisted, and the re-listing needs to be reviewed and may not be able to be re-listed. This will cause the application APP to have a window period when the user cannot access or download it.
It can be seen that DNS hijacking has a huge impact on business, not only the loss of user experience, but also a potentially huge risk to user asset security and data security.
How do we monitor whether the website is hijacked by DNS?
With the help of ARMS-cloud dial test, we monitor the website in real time, realize minute-level monitoring, and detect DNS hijacking and page tampering in time.
Hijacking detection
DNS hijacking monitoring
Use domain name whitelist and element whitelist to effectively detect domain name hijacking and element tampering. When establishing a dial test task, we can set a whitelist for DNS hijacking. For example, we configure the file content of the DNS hijacking format as www.aliyun.com:201.1.1.22|250.3.44.67. This means that under the domain name www.aliyun.com, everything except 201.1.1.22 and 250.3.44.67 was hijacked.
Page tampering detection
We add the element type of the original page to the whitelist for page tampering, and compare the loaded elements with the whitelist during the dial test to determine whether the page has been tampered with. For example, the file content tampered with on our configuration page is www.aliyun.com:|/cc/bb/a.gif|/vv/bb/cc.jpg, which means that under the domain name www.aliyun.com, in addition to basic documents, Elements other than /cc/bb/a.gif and /vv/bb/cc.jpg are tampered with. For another example, the content of the file we configured to tamper with on the page is www.aliyun.com:*, which means that all elements under the domain name www.aliyuyn.com are not considered tampered.
Hijacking alert
While continuing to monitor, timely warnings are also crucial. By flexibly configuring the hijacking alarm ratio, when the task hijacking ratio is greater than the threshold, the relevant operation and maintenance team is quickly notified to maintain the website to ensure user data security and normal website browsing.
While improving the user experience, ensuring the safety of the website and user assets is also crucial for enterprises.
Cloud dial test escort your website security and user experience!
About Cloud Dial Test
As a business-oriented non-intrusive cloud native monitoring product, Cloud Dial Test has become the best choice. Through Alibaba Cloud's global service network, it simulates real user behavior and continuously monitors the availability and performance of websites and their networks, services, and API ports around the clock. Achieve fine-grained problem positioning at the page element level, network request level, and network link level. Abundant monitoring related items and analysis models help companies find and locate performance bottlenecks and experience dark spots in a timely manner, reduce operational risks, and improve service experience and efficiency.
At present, the cloud dial test provides a 15-day free trial
10% discount for new user purchases!
Click to read the original text for more details!
For more information, please scan the QR code below or search for WeChat account (AlibabaCloud888) to add a cloud native assistant! Get more information!
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。