By Bruce D. At 8:30
GitHub:github.com/doukoi-BDB

Today’s topic:

Traffic hijacking: we often see a company's home page with small advertisements inserted into it. That is traffic hijacking. Today I will share the hijacking methods currently in use and some anti-hijacking knowledge.

Estimated reading time: 7 minutes

Traffic hijacking is covered here in three parts: DNS hijacking, data hijacking, and hijack monitoring.

DNS hijacking:

First of all, domain name hijacking is a kind of attack on the Internet. By attacking a DNS server or forging one, the attacker causes the target server's domain name to resolve to the wrong address, so that users cannot reach the real one.

Here’s a question: So how does DNS work?

When accessing a server, the client must first obtain the IP address corresponding to the domain name from a DNS server. The request is sent with the User Datagram Protocol (UDP) to the public DNS server provided by the local carrier, which looks up the IP address.

If the IP address is not found there, the request is passed on to the upper-level DNS server, and so on until an IP address is returned.

Domain name hijacking happens at the moment the DNS request resolves the domain name: the target domain name is maliciously resolved to another IP address, so the user cannot use the service normally.

To reduce DNS query time, resolution results are cached at several levels of the HTTP protocol stack: browsers may cache DNS resolution results.

The domain name mapping table (the hosts file) in the user's system also caches domain name resolutions.

Public DNS servers are usually provided by ISPs (Internet service providers).

The public DNS server caches the results it receives from the upper-level DNS server.

After the TTL of a record cached by the public DNS server expires, it obtains fresh information from the top-level domain server.

So here's another question: how does DNS get polluted?

Common DNS pollution methods are:

Tampering with the hosts file;

Contaminating intermediate link devices (routers, etc.);

Modifying the UDP content in transit, which changes the DNS query result;

Compromising the DNS server itself (high cost).

So here’s another question: How do you defend against DNS hijacking?

One solution to domain name hijacking is to bypass plain UDP, which is not secure, and resolve domain names through a trusted source; resolution can also be carried over HTTP.

Transport DNS over the TLS protocol (DNS over TLS, DoT);

Transport DNS over the HTTP protocol;

Transport DNS over the HTTPS protocol (DNS over HTTPS, DoH);

Run your own DNS server (high cost).
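As an added example, not code from the original post: the DNS message a resolver sends and receives, built and parsed in Node.js. The same bytes are carried in plain UDP, in DNS over TLS, or as the body of a DNS over HTTPS request; a plain UDP client can only check that the transaction id matches, which is why the transport itself has to protect integrity. The sample response is constructed, using 203.0.113.10 from the documentation address range.

```javascript
// Build a standard A-record query (RFC 1035 header + one question) for `name`.
// `id` is the caller-chosen 16-bit transaction id echoed back in the response.
function buildDnsQuery(name, id) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);     // transaction id
  header.writeUInt16BE(0x0100, 2); // flags: standard query, recursion desired
  header.writeUInt16BE(1, 4);      // QDCOUNT = 1
  const labels = name.split('.').filter(Boolean)
    .map(l => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  // terminating zero label, then QTYPE = A (1) and QCLASS = IN (1)
  return Buffer.concat([header, ...labels, Buffer.from([0, 0, 1, 0, 1])]);
}

// Decode a domain name at `off`, following RFC 1035 compression pointers.
function readName(buf, off) {
  const parts = []; let next = -1;
  for (;;) {
    const len = buf[off];
    if (len === 0) { off += 1; break; }
    if ((len & 0xc0) === 0xc0) {            // pointer to an earlier name
      if (next < 0) next = off + 2;         // resume after the 2-byte pointer
      off = ((len & 0x3f) << 8) | buf[off + 1];
      continue;
    }
    parts.push(buf.toString('ascii', off + 1, off + 1 + len));
    off += 1 + len;
  }
  return { name: parts.join('.'), next: next < 0 ? off : next };
}

// Return the A records in a response. Matching the transaction id is the only
// check a plain UDP client can make; it gives no protection against an on-path device.
function parseDnsAnswers(buf, expectedId) {
  if (buf.readUInt16BE(0) !== expectedId) throw new Error('transaction id mismatch');
  const qdcount = buf.readUInt16BE(4), ancount = buf.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qdcount; i++) off = readName(buf, off).next + 4; // skip QTYPE/QCLASS
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const { name, next } = readName(buf, off);
    const type = buf.readUInt16BE(next), ttl = buf.readUInt32BE(next + 4);
    const rdlen = buf.readUInt16BE(next + 8);
    const rdata = buf.subarray(next + 10, next + 10 + rdlen);
    if (type === 1 && rdlen === 4) answers.push({ name, ttl, address: Array.from(rdata).join('.') });
    off = next + 10 + rdlen;
  }
  return answers;
}

// Constructed response to buildDnsQuery('example.com', 0x1234): one A record, TTL 300.
const SAMPLE_RESPONSE = Buffer.from(
  '123481800001000100000000076578616d706c6503636f6d0000010001' +
  'c00c000100010000012c0004cb00710a', 'hex');
```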

Data hijacking:

Let's talk about data hijacking. Data hijacking concerns content transmitted in clear text. When the user sends an HTTP request and the server returns the page, the page content is tampered with or padded on the way through the intermediate carrier network, and pop-ups or advertisements are forcibly inserted.

Which raises the question: how do you defend against data hijacking?

The current industry solution is to encrypt the content with HTTPS, so that it is transmitted as ciphertext and hijacking is avoided entirely. MD5 verification can also prevent data hijacking: before the content is returned, the application layer computes a check value over the data to be returned.

After receiving the content, the receiver likewise computes a check value over it and compares the two. If the two check values are consistent, the data is judged not to have been hijacked.

Note: HTTPS can also be hijacked by a carrier. This is possible when (1) the proxy also holds the client's certificate and private key, or (2) the client does not verify the certificate's validity when authenticating the proxy; in either case the proxy can be used to interact with our server's data.

The following are ways to detect data hijacking; they do not repair a hijacked page.

Content Security Policy (CSP) is essentially a whitelist mechanism. The developer explicitly tells the client which external resources may be loaded and executed, which amounts to providing a whitelist. Implementation and enforcement are done entirely by the browser; the developer only supplies the configuration, which specifies the conditions under which each resource type may be loaded and executed. CSP also protects against XSS attacks, and it can be used to force resources to load over HTTPS, reducing the chance of hijacking.

There are two ways to enable CSP:

Using an HTTP response header, for example: Content-Security-Policy: default-src https:

Using a meta tag.

Disadvantages: because the CSP directive itself lives in an HTML tag or an HTTP response header, an attacker can remove it; the rules are complicated; and dynamically created scripts are affected.

Subresource Integrity (SRI) writes a base64-encoded hash of the referenced file into the tag that references it (the integrity attribute).

If verification fails, the corresponding script or stylesheet content is not executed or applied.

Disadvantages: because the SRI attribute itself lives in the HTML tag, an attacker can remove it; dynamically created scripts are affected; availability suffers when verification fails; and compatibility is limited (iOS Safari does not support it).

Hijack monitoring:

This scheme is based on the prevention and control scheme from Meituan-Dianping's 2018 front-end sharing session.

Scheme A: build monitoring stations in several provinces and regions and fetch fixed resources at regular intervals (the resources are too fixed, and the number of monitoring stations is far from enough).

Scheme B: the business side listens for resource Error events in its OWN HTML (there is no way to confirm that the problem is hijacking; it could simply be an ordinary JS error).

Scheme C: use third-party enterprise monitoring services (the more services, the higher the cost).

Scheme D: CSP and SRI (poor compatibility and flexibility, and no way to customize the logic).

As can be seen, each of the schemes above has its shortcomings, so the scheme below was set up:

Its advantages are as follows: monitoring is at the business level or even the page level rather than tied to a fixed resource; the logic is built into the business side's Node.js, giving the business side the ability to degrade and respond on its own; and a failure of the monitoring layer does not affect the execution of the business side's code.

Conclusion:

DNS hijacking is illegal and is being cracked down on, so we need to take a number of precautions to ensure a clean and safe Internet browsing environment.

Follow the "8:30 technical station" public account to receive updates first. The GitHub source cases will continue to be iterated and updated; if you find them useful, give them a star, and if you have a question, leave a message on Juejin.