CACHE POISONING ATTACK
What Is Cache Poisoning?
Cache poisoning is a type of attack in which corrupt data is inserted into the cache database of the Domain Name System (DNS) name server. The Domain Name System is a system that associates domain names with IP addresses. Devices that connect to the internet or other private networks rely on the DNS for resolving URLs, email addresses and other human-readable domain names into their corresponding IP addresses. In a DNS cache poisoning attack, a malicious party sends forged responses from an imposter DNS in order to reroute a domain name to a new IP address. This new IP address is almost always for a server that is controlled by the attacker. DNS cache poisoning attacks are often used to spread computer worms and other malware. More sophisticated uses for DNS cache poisoning include man-in-the-middle attacks and denial-of-service attacks.
Cache Poisoning Attacks
The success of a cache poisoning attack relies on the existence of exploitable vulnerabilities in DNS software. Once an attacker has sent a forged DNS response, the corrupt data provided by the attacker gets cached by the real DNS name server. It is at this point that the DNS cache is considered “poisoned.” As a result, future users that attempt to visit the corrupted domain will instead be routed to the new IP address selected by the attacker. Users will continue to receive inauthentic IP addresses from the DNS until the poisoned cache has been cleared.
DNS cache poisoning attacks usually incorporate elements of social engineering to manipulate victims into downloading malware. The servers and websites that attackers use to replace authentic IP addresses are set up to appear legitimate while they actually contain malware in disguise. Attackers’ use of social engineering along with the fact that domain names still appear normal can make it very difficult for users to detect cache poisoning attacks. As a result, victims willingly download malicious content that they believe to be valid and from trusted sources.
Prevent Cache Poisoning Attacks
There are several measures that enterprises should take to prevent DNS cache poisoning attacks. For starters, IT teams should configure DNS servers to rely as little as possible on trust relationships with other DNS servers. Doing so will make it more difficult for attackers to use their own DNS servers to corrupt their targets’ servers. Beyond limiting trust relationships on the DNS, IT teams should ensure that they’re using the most recent version of DNS. Domain Name Systems that use BIND 9.5.0 or higher include features such as port randomization and cryptographically secure Transaction IDs, both of which help prevent cache poisoning attacks.
In order to further prevent cache poisoning attacks, IT teams should configure their DNS name servers to:
- Limit recursive queries.
- Store only data related to the requested domain.
- Restrict query responses to only provide information about the requested domain.
The DNS server should be maintained to ensure that it is clear of any services that aren’t needed. Extraneous services running on the DNS server only provide attackers with more potential attack vectors.
There are also cache poisoning tools available to help organizations prevent cache poisoning attacks. The most popular cache poisoning prevention tool is probably DNSSEC (Domain Name System Security Extension). DNSSEC is a cache poisoning tool developed by the Internet Engineering Task Force that provides secure DNS data authentication.