Overview: With ARMS cloud dial test, we can monitor websites in real time at minute-level granularity and detect DNS hijacking and page tampering in time.

Author: White Japan

DNS hijacking, the most common form of network attack, is the biggest headache for every webmaster and operation and maintenance (O&M) team. A painstakingly maintained website, once hit by DNS hijacking, not only loses traffic and search weight but also puts its users in danger: privacy disclosure leading to property losses.

It was an attack this simple that caused a global “bank hijacking” in 2009, when nearly 1% of customers at Banco Bradesco, Brazil’s largest bank, were hacked and had their accounts stolen. The hackers exploited a defect in broadband routers to tamper with users’ DNS settings: when a user browsed a Web page crafted by the hackers, the DNS configuration of the user’s broadband router was changed. Because the page carried cleverly designed malicious code, it evaded detection by security software, and a large number of users were taken in by DNS phishing.

It is common for websites to be hacked, mirrored with malicious intent, and implanted with junk code. The hazards also include:

  • Phishing fraud: online shopping and online payment may be maliciously redirected to other websites, increasing the risk of personal account disclosure;
  • Malicious advertisements appear on the website;
  • In light cases network speed is affected; in severe cases the Internet cannot be accessed at all.

But when it comes to DNS hijacking, do you have to go down without a fight?

Know your enemy: what is DNS?

DNS is short for Domain Name System, a distributed database that maps domain names to IP addresses. Simply put, DNS resolves domain names. In a normal environment, each Internet access request from a user is resolved through DNS to the matching IP address. As an application-layer protocol, DNS serves other application-layer protocols, including but not limited to HTTP, SMTP, and FTP. DNS resolves the host name provided by the user into an IP address. The process is as follows:

(1) The DNS client runs on the user’s host (PC or mobile phone);

(2) The browser extracts the domain name field from the URL it receives, i.e. the host name to visit, such as www.aliyun.com, and passes this host name to the DNS client;

(3) The DNS client sends a query message containing the host name to the DNS server (this involves a series of cache lookups and the work of the distributed DNS cluster);

(4) The DNS client finally receives a reply packet containing the IP address corresponding to the host name;

(5) Once the browser receives the IP address from DNS, it can initiate a TCP connection to the HTTP server located at that IP address.

(Picture is from network, just for illustration)

You can see that obtaining the IP address of the target site requires, besides the lookup on the host itself, a third-party server (the DNS server). Neither that third-party service nor the network is under the user’s control, so DNS hijacking is possible: the IP address obtained may not be the real one, and a non-target website opens instead. When the website is resolved through the local DNS, the hacker replaces the target website’s entry in the local DNS cache with the IP of another website; the client is unaware of this and proceeds with addressing and connection establishment as normal. If a hacker wants to steal a user’s account and password, the hacker can create a Trojan page that looks exactly like the target site and let the user log in; when the user enters the password and submits it, the user has been fooled.

What are the common means of DNS hijacking?

(1) Use the DNS server to launch DDoS attacks

The normal recursive query process of the DNS server is exploited and turned into a DDoS attack. Suppose the hacker knows the IP address of the target machine and uses that address as the source address when sending resolution requests. When the DNS server performs the recursive query, it sends its response to the original (spoofed) address. If the hacker controls enough zombie hosts to do this, the target is hit by a DDoS attack made up of response messages from the DNS server.

(2) DNS cache infection

The hacker uses DNS requests to inject data into the cache of a vulnerable DNS server. The cached information is returned to users who query that DNS server, so a user’s access to a legitimate domain name is directed to a page set up by the intruder, such as a Trojan-implanted (“hung horse”) or phishing page, or the user’s password information is obtained through forged e-mails or other services, resulting in further harm to the customer.

(3) DNS information hijacking

In principle, the TCP/IP stack uses various mechanisms, such as sequence numbers, to prevent the insertion of forged data. However, by eavesdropping on the dialogue between the client and the DNS server, the hacker can learn the DNS query ID exchanged between them. Each DNS packet carries an associated 16-bit ID, which identifies the request a reply belongs to. The hacker sends a forged response to the user ahead of the DNS server’s real one, tricking the client into visiting the malicious site. Suppose a packet carrying a DNS resolution request is intercepted: a fake IP address chosen by the hacker is returned to the requester as the reply. The original requester then connects to the fake IP address as though it were the domain name requested; it has been redirected elsewhere and cannot reach the domain it was seeking.
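As an added example that is not code from the article or from Alibaba Cloud, the following Python builds a DNS query in the RFC 1035 wire format used in steps (3) and (4) of the resolution process above, and shows the check a resolver performs on a reply before trusting it: the 16-bit transaction ID and the question section must match the outstanding query, otherwise the reply is discarded. The sample domain, the constructed responses and all function names are illustrative.

```python
import random
import struct
from typing import List, Optional, Tuple

# Constructed example: DNS message encoding plus the resolver-side
# validation of a reply. Nothing here talks to the network.


def encode_name(name: str) -> bytes:
    """Encode 'www.aliyun.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_query(name: str, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Standard A-record query (step 3); returns (transaction id, message bytes)."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)  # the 16-bit transaction ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return txid, header + question


def build_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed A-record reply (step 4), used here only as test input."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C: pointer to the question name at offset 12; TTL 60, RDLENGTH 4
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def validate_response(query_id: int, query_name: str, resp: bytes) -> Optional[List[str]]:
    """Return the A-record IPs only if the reply matches our outstanding query.

    A reply whose ID, flags or question does not match is dropped: this is
    the resolver-side check that a spoofed answer has to get past.
    """
    if len(resp) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != query_id or not flags & 0x8000 or qd != 1:
        return None
    qname, off = decode_name(resp, 12)
    qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if qname.lower() != query_name.lower().rstrip(".") or (qtype, qclass) != (1, 1):
        return None
    ips = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if (rtype, rclass) == (1, 1) and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    txid, query = build_query("www.aliyun.com")
    print("query id", hex(txid), "question", decode_name(query, 12)[0])
    print(validate_response(txid, "www.aliyun.com", build_response(txid, "www.aliyun.com", "201.1.1.22")))
    print(validate_response(txid, "www.aliyun.com", build_response(txid ^ 1, "www.aliyun.com", "10.9.8.7")))
```

Because the ID is only 16 bits, matching it is a necessary but weak check on its own; a resolver that also randomizes its source port, and a zone that is signed, leave an attacker far less room than the ID alone does.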

(4) ARP spoofing

ARP spoofing is achieved by forging IP and MAC addresses; it generates a large amount of ARP traffic on the network and congests it. As long as the hacker keeps sending forged ARP response packets, the IP-MAC entries in the target host’s ARP cache can be changed, resulting in network interruption or a man-in-the-middle attack. ARP attacks mainly exist in the local area network (LAN). If a computer in the LAN is infected with an ARP Trojan, the infected system attempts to intercept the communications of other computers on the network by means of ARP spoofing, which causes communication failures for those computers. On the user’s own network, ARP spoofing usually causes the domain names accessed by users to be directed incorrectly. However, after an IDC machine room is compromised, an attacker may use ARP packets to suppress normal hosts or DNS servers, likewise causing access to be misdirected.

What is the impact of DNS hijacking on services?

Once hijacked, relevant user queries cannot obtain the correct IP resolution, which can easily result in:

(1) Many users rely on bookmarks or easy-to-remember domain names to reach the site. Once hijacked, such users cannot open the website; if the domain name is changed and the change cannot be communicated in time, a large number of users are lost.

(2) User traffic mainly arrives through search engine SEO. DNS hijacking prevents search engine spiders from fetching the correct IP, and the website may be banned by Baidu.

(3) Some domain names are used for mobile APP scheduling. These domain names do not need to be visited directly by customers, but their resolution determines whether the APP can be reached. If the resolution is hijacked, the APP cannot be accessed. Changing the domain name at this point may require the APP to be taken down for review, and it may not be re-launched, leaving a window in which users cannot access or download the APP.

It can be seen that DNS hijacking has a huge impact on services: not only loss of user experience, but also potentially huge risks to user assets and data security.

How can we detect whether a website has been hijacked through DNS?

With the help of ARMS cloud dial test, we can monitor the website in real time at minute-level granularity and detect DNS hijacking and page tampering in time.

Hijack detection

  • DNS hijacking monitoring

A domain name whitelist and an element whitelist are used to detect domain name hijacking and element tampering. When setting up a dial-test task, we can configure the DNS hijacking whitelist. For example, if the DNS hijacking file content is configured as www.aliyun.com:201.1.1.22|250.3.44.67, any resolution of www.aliyun.com to an address other than 201.1.1.22 or 250.3.44.67 is treated as hijacked.

  • Page tamper monitoring

The element types of the original page are added to the page tampering whitelist, and the elements actually loaded are compared with the whitelist to judge whether the page has been tampered with. For example, with the page tampering file content configured as www.aliyun.com:|/cc/bb/a.gif|…, every element in the www.aliyun.com domain except the base document, /cc/bb/a.gif and /vv/bb/cc.jpg is treated as tampered with. For another example, configuring the page tampering content as www.aliyun.com:* means that no element under the www.aliyun.com domain is considered tampered with.

Hijack alarm

Alongside continuous monitoring, timely alarms are also critical. The hijacking alarm ratio can be set flexibly: when the hijacking ratio of a task exceeds the threshold, the O&M team is notified to maintain the website, ensuring data security and normal website browsing.
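As an added example that is not the product’s own code, the following Python evaluates dial-test observations against the two whitelist formats described above (domain:entry|entry, an empty entry standing for the base document, * for everything) and raises an alarm when the hijack ratio of a task exceeds a threshold. The parsing rules follow only the examples in this article, so the exact behaviour of ARMS cloud dial test may differ; the probe records, vantage-point names and function names are constructed.

```python
from typing import Dict, Iterable, Set

# Constructed example: whitelist-based hijack/tamper detection over
# dial-test probes, plus a ratio-based alarm. Assumed semantics:
#   domain:ip|ip      -> any other resolved IP for that domain is a hijack
#   domain:|/a|/b     -> empty entry is the base document, others are paths
#   domain:*          -> nothing under the domain is flagged
# Domains with no rule are not checked.


def parse_whitelist(text: str) -> Dict[str, Set[str]]:
    """Parse 'domain:entry|entry' lines into {domain: {entries}}."""
    rules: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        domain, _, entries = line.partition(":")
        rules[domain.strip().lower()] = {e.strip() for e in entries.split("|")}
    return rules


def is_dns_hijacked(rules: Dict[str, Set[str]], domain: str, resolved_ip: str) -> bool:
    """True when the domain resolved to an IP outside its whitelist."""
    allowed = rules.get(domain.lower())
    if allowed is None or "*" in allowed:
        return False
    return resolved_ip not in allowed


def is_element_tampered(rules: Dict[str, Set[str]], domain: str, path: str) -> bool:
    """True when a loaded element's path is not on the page whitelist."""
    allowed = rules.get(domain.lower())
    if allowed is None or "*" in allowed:
        return False
    if path in ("", "/"):
        path = ""  # the base document is the empty entry in the whitelist
    return path not in allowed


# Constructed probe records: one dial-test task observed from four vantage points.
SAMPLE_PROBES = [
    {"vantage": "hangzhou-telecom", "domain": "www.aliyun.com", "ip": "201.1.1.22"},
    {"vantage": "beijing-unicom", "domain": "www.aliyun.com", "ip": "250.3.44.67"},
    {"vantage": "shenzhen-mobile", "domain": "www.aliyun.com", "ip": "10.9.8.7"},
    {"vantage": "shanghai-telecom", "domain": "www.aliyun.com", "ip": "201.1.1.22"},
]


def hijack_ratio(probes: Iterable[dict], rules: Dict[str, Set[str]]) -> float:
    """Fraction of probes in a task whose resolution was judged hijacked."""
    probes = list(probes)
    if not probes:
        return 0.0
    hijacked = sum(1 for p in probes if is_dns_hijacked(rules, p["domain"], p["ip"]))
    return hijacked / len(probes)


def should_alarm(probes: Iterable[dict], rules: Dict[str, Set[str]], threshold: float) -> bool:
    """Notify O&M when the task's hijack ratio exceeds the configured threshold."""
    return hijack_ratio(probes, rules) > threshold


if __name__ == "__main__":
    dns_rules = parse_whitelist("www.aliyun.com:201.1.1.22|250.3.44.67")
    for p in SAMPLE_PROBES:
        flag = "HIJACKED" if is_dns_hijacked(dns_rules, p["domain"], p["ip"]) else "ok"
        print(f'{p["vantage"]:18} {p["ip"]:14} {flag}')
    print("hijack ratio", hijack_ratio(SAMPLE_PROBES, dns_rules))
    print("alarm at 20%?", should_alarm(SAMPLE_PROBES, dns_rules, 0.20))

    page_rules = parse_whitelist("www.aliyun.com:|/cc/bb/a.gif|/vv/bb/cc.jpg")
    for path in ["/", "/cc/bb/a.gif", "/vv/bb/cc.jpg", "/injected/ad.js"]:
        print(path, "tampered" if is_element_tampered(page_rules, "www.aliyun.com", path) else "ok")
```

A single vantage point seeing an unexpected IP can be a local resolver problem rather than a hijack of the site, which is why the alarm is driven by the ratio across probes rather than by any one observation; the threshold sets how many vantage points must agree before O&M is paged.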

Besides improving the user experience, securing the website and user assets is also important for enterprises. Cloud dial test escorts your website’s security and user experience!

About cloud dial test

As a business-oriented, non-intrusive, cloud-native monitoring product, cloud dial test has become the best choice. Through Aliyun’s worldwide service network, it simulates real user behavior and continuously monitors, around the clock, the availability and performance of websites and of their networks, services and API endpoints. It locates problems at fine granularity: page element level, network request level and network link level. Rich monitoring items and analysis models help enterprises find and locate performance bottlenecks and weak points in the experience in time, reduce operating risks, and improve service experience and efficiency.


This article is the original content of Aliyun and shall not be reproduced without permission.