Three large scale DNS attacks launched against Brazilian internet users
Cable modem customers had their DNS traffic modified andwere redirected to malicious sites all over Brazil. In the last few months, a
series of DNS attacks involving cache poisoning emerged there.
In these instances, cable ISP customers had hackers update their cable modem settings to change the DNS servers to malicious servers used to redirect the users.
One national ISP suffered from cache poisoning in their national DNS infrastructure inflicted by one of their employees, also resulting
in customers being redirected to malicious websites.
These large scale DNS cache poisoning attacks are becoming more common place all over the world and there are no safe havens.
Hackers can target their cache poisoning attacks at either the DNS servers that resolves the domain names of organizations such as banks, insurance companies and online retailers, or they can target their attacks at the client end such as cable modems or other ISP provisioning servers.
Content providers such as banks and financial institutions can drastically reduce their exposure to these attacks if they implement the DNS Security Extension (DNSSEC) allowing their customers to validate their signed DNS records. Their customers would have been protected from these redirection attacks, as their computers and phones would not have believed the poisoned DNS answers in these Brazilian attacks.
Apart from domain owners deploying DNSSEC to protect their domains, endusers can protect themselves by deploying DNSSEC on their own laptop. Browsers such as Google Chrome and Mozilla Firefox are working on DNSSEC integration. However; until these vendors catch up, users can install their own protection on laptops running Windows, OSX and Linux. One such addon, “dnssec-trigger”, ensures a user gets full DNSSEC protection, no matter what network or wireless network they use.
DNS Security Extension (DNSSEC) adds security to DNS while maintaining backwards compatibility. DNSSEC was designed to protect Internet users from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed.
Checking the digital signature of DNS, a computer is able to check if the DNS information was tampered with or not
Headquarteredin Ottawa, the high-tech capital of Canada, Xelerance provides products and services to secure the internet. Its products include DNSX Secure Signer, whichwon the Best Security Hardware award at FOSE 2010, and DNSX Secure Resolver.