Jane said

HTTP hijacking comes in two kinds: DNS hijacking (domain name hijacking) and content hijacking. The latter grew out of the former and is the more advanced means of hijacking.

1. DNS hijacking

Concept:

Domain name resolution requests are intercepted and their domain names examined; requests outside the targeted range are let through, while requests within it get a tampered IP address or no response at all.

Effect:

Makes a specific network unreachable, or returns a false address for it.

Nature:

The DNS server is tampered with, or a forged DNS resolver is used.

Non-hijacking process:

  1. The client sends a domain name request to the DNS resolution server (usually the LocalDNS).
  2. The DNS server translates the domain name into a public IP address (queried from the IP carrier) and forwards the request to the target server.
  3. The target server responds and sends the data back to the DNS server.
  4. The DNS server forwards the response back to the client.

Hijacking process:

  1. The client sends a domain name request to the DNS resolution server (usually the LocalDNS), but that resolution server has been tampered with.
  2. The tampered DNS resolution server forwards the request to a bogus server.
  3. The bogus server returns a response to the tampered DNS server (or simply does not respond).
  4. The tampered DNS server forwards the forged response to the client.

Solutions:

The essence of DNS hijacking is that the carrier's DNS server has been tampered with. Therefore one can use one's own DNS server, or have the client send requests directly by IP address, to bypass the carrier's DNS server and avoid the hijack.
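The "tampered IP" in the interception step above arrives as an ordinary DNS response, so a client-side check that the response actually belongs to the query it sent is the first line of defence. The following is an added example, not code from the original post: a minimal DNS wire-format builder and parser, and a `check_response` function that rejects a reply whose transaction ID, question section or answer name does not match the query. The domain `example.com` and the addresses `192.0.2.1` and `198.51.100.99` are constructed sample data from the documentation ranges; no resolver is contacted.

```python
import ipaddress
import struct

# Constructed sample data: example.com and documentation-range addresses.
# Nothing here is a real resolver exchange; the bytes are built in-process.

def _encode_name(name):
    """Encode a dotted name into DNS label format (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_query(txid, name):
    """Minimal DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip, ttl):
    """Minimal DNS response: echoes the question, adds one A record whose name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def _read_name(msg, off):
    """Decode a (possibly compressed) name starting at off; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer: follow it, but keep the original end
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end

def parse_message(msg):
    """Parse the header, question section and A-record answers of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def check_response(query, response):
    """Return the reasons a response must be rejected; an empty list means it is consistent with the query."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if r["txid"] != q["txid"]:
        problems.append("transaction id mismatch")
    if not r["flags"] & 0x8000:
        problems.append("QR bit clear: not a response")
    if r["questions"] != q["questions"]:
        problems.append("question section does not echo the query")
    qname = q["questions"][0][0]
    for name, _ip, _ttl in r["answers"]:
        if name != qname:
            problems.append(f"answer for unrelated name {name}")
    return problems

if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    genuine = build_response(0x1234, "example.com", "192.0.2.1", 300)
    forged = build_response(0x9999, "example.com", "198.51.100.99", 60)
    print(parse_message(genuine)["answers"], check_response(query, genuine))
    print(check_response(query, forged))
```

These checks are what a correct stub resolver already performs; they stop blind forgeries but not a resolver that is itself tampered with, which is why the post's advice (use a resolver you control) still applies.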

2. Content hijacking

Initial starting point:

The carrier adds a caching mechanism after session hijacking in order to speed up user access and reduce traffic costs. Traffic hijacking therefore tends to occur on links with weak load capacity.

Nature:

TCP session hijacking.

Hijacking process:

  1. The client sends a resource request to the carrier.
  2. After receiving the request, the carrier checks its cache pool first. If a relevant cached copy exists, it is returned directly; otherwise the request is forwarded to the target server.
  3. The target server responds and sends back the data; the carrier hijacks the session and the returned data, stores it in the cache, and returns it to the client.

Note:

At this point, if someone maliciously tampers with the cache pool or hijacks the session and sends back bogus data before the real server responds, the client receives the wrong response and the real server's response data is discarded.

Solutions:

Use the HTTPS encryption protocol. HTTPS = HTTP + SSL.
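To make the cache-pool case from the note above concrete, here is an added example that is not part of the original post: a toy model of the client, the carrier cache and the origin server. The shared key and HMAC tag are a constructed stand-in for the authenticity a real HTTPS client gets from TLS (this is not how HTTPS works internally); they are only there to show that a client which verifies what it receives rejects a tampered cache entry, while a plain client accepts it. The page content and the key are made up.

```python
import hashlib
import hmac

# Constructed demo key: stands in for the authenticity HTTPS provides. Not a TLS mechanism.
DEMO_KEY = b"constructed-demo-key"

def tag_for(path, body):
    """Authentication tag over (path, body) that only the origin can produce in this model."""
    return hmac.new(DEMO_KEY, path.encode() + b"\x00" + body, hashlib.sha256).hexdigest()

class OriginServer:
    """The target server; counts how many requests actually reach it."""
    def __init__(self, pages):
        self.pages, self.hits = pages, 0
    def fetch(self, path):
        self.hits += 1
        body = self.pages[path]
        return body, tag_for(path, body)

class CarrierCache:
    """The middlebox from the hijacking process: answers from its pool, else forwards and stores."""
    def __init__(self, origin):
        self.origin, self.pool = origin, {}
    def get(self, path):
        if path not in self.pool:
            self.pool[path] = self.origin.fetch(path)
        return self.pool[path]

def client_get(cache, path, verify):
    """Fetch through the carrier; with verify=True, refuse a body whose tag does not match."""
    body, tag = cache.get(path)
    if verify and not hmac.compare_digest(tag_for(path, body), tag):
        raise ValueError(f"integrity check failed for {path}")
    return body

def demo():
    origin = OriginServer({"/index": b"<h1>genuine page</h1>"})
    cache = CarrierCache(origin)
    first = client_get(cache, "/index", verify=False)      # first request populates the carrier pool
    # The "note" case: the stored body in the cache pool is replaced, the tag is left as it was.
    _body, tag = cache.pool["/index"]
    cache.pool["/index"] = (b"<h1>injected content</h1>", tag)
    plain = client_get(cache, "/index", verify=False)      # a plain client accepts whatever came back
    try:
        client_get(cache, "/index", verify=True)
        verified = "accepted"
    except ValueError:
        verified = "rejected"
    return first, plain, verified, origin.hits              # origin.hits stays 1: the origin never saw the later requests

if __name__ == "__main__":
    print(demo())
```

The origin hit count staying at 1 is the point of the section: once the carrier pool holds a copy, the real server is out of the loop, so the client's only protection is to verify what it receives rather than trust the path it came over.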

DNS resolution process:

  1. When a request is initiated, the operating system first checks whether the browser cache already holds the resolved IP address for the domain name. If so, resolution stops here.
  2. If not, the browser checks whether the operating system's hosts file contains a mapping for the domain name. If so, that mapping is used and resolution stops here.
  3. If the domain name is not there either, the operating system sends it to the configured LocalDNS. This server provides DNS resolution for local Internet access, performs well, and generally caches resolution results; about 90% of domain name resolutions complete at this step.
  4. If the LDNS has no match, it asks a Root Server to resolve the name.
  5. The Root Server returns to the LDNS the IP address of the primary domain name server for the queried domain (the gTLD server; there are 13 top-level domain name servers in the world).
  6. The LDNS then sends a request to the gTLD Server.
  7. Upon receiving the request, the gTLD Server looks up and returns the address of the Name Server for the domain. This Name Server is the one the domain was registered with.
  8. The Name Server looks up the mapping between domain names and IP addresses in its storage and returns the corresponding IP addresses and TTL values to the LDNS.
  9. The LDNS caches the mapping between the domain name and its IP addresses, together with the TTL value.
  10. The LDNS returns the result to the client.
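The client-side part of this order (cache, then hosts file, then LocalDNS) and the role of the TTL are easy to get wrong, so here is an added example, not code from the original post, that models it: a hosts-file parser, a stand-in `LocalDNS` that counts the queries reaching it, and a `ClientResolver` whose cached answers expire when their TTL runs out. The hosts text, the answer table and the names `intranet.example` and `www.example` are constructed; nothing is looked up on the network, and a fake clock drives the TTL.

```python
# Constructed hosts file and LocalDNS answer table; documentation-range addresses only.
HOSTS_TEXT = """
# constructed hosts file
127.0.0.1   localhost
192.0.2.10  intranet.example   # pinned by the administrator
"""

LOCALDNS_TABLE = {               # name -> (ip, ttl seconds); stands in for the LDNS and everything behind it
    "www.example": ("198.51.100.5", 60),
}

def parse_hosts(text):
    """Parse hosts-file lines into {name: ip}, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping

class LocalDNS:
    """Stand-in for the LDNS step; counts how many queries actually reach it."""
    def __init__(self, table):
        self.table, self.queries = table, 0
    def resolve(self, name):
        self.queries += 1
        if name not in self.table:
            raise LookupError(f"NXDOMAIN {name}")
        return self.table[name]

class ClientResolver:
    """Lookup order from the post: local cache (if not expired) -> hosts file -> LocalDNS."""
    def __init__(self, hosts, ldns, clock):
        self.hosts, self.ldns, self.clock = hosts, ldns, clock
        self.cache = {}          # name -> (ip, expires_at)
    def lookup(self, name):
        """Return (ip, source), where source names the step that answered."""
        name = name.lower()
        now = self.clock()
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0], "cache"
        if name in self.hosts:
            return self.hosts[name], "hosts"
        ip, ttl = self.ldns.resolve(name)
        self.cache[name] = (ip, now + ttl)   # the answer is only valid for its TTL
        return ip, "ldns"

class FakeClock:
    """Controllable clock so the TTL expiry can be shown without waiting."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def demo():
    clock = FakeClock()
    ldns = LocalDNS(LOCALDNS_TABLE)
    resolver = ClientResolver(parse_hosts(HOSTS_TEXT), ldns, clock)
    steps = [resolver.lookup("intranet.example"),   # answered by the hosts file, LDNS never asked
             resolver.lookup("www.example"),        # first time: goes to the LDNS
             resolver.lookup("www.example")]        # second time: served from cache
    clock.advance(61)                                # TTL of 60 s has passed
    steps.append(resolver.lookup("www.example"))     # cache entry expired: LDNS asked again
    return steps, ldns.queries

if __name__ == "__main__":
    print(demo())
```

The same expiry logic is what the LDNS itself applies to the answers it caches in step 9, which is why the note below says the results are time-sensitive: a stale or tampered entry only lives as long as its TTL.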

Note:

The resolution results are time-sensitive.

Closing words

I want to make it clear that I'm not a professor, I'm just a sharer, a discussant, a learner. If you have a different opinion or a new idea, come forward and we'll work on it together. In sharing, it is not only those who receive it who learn and improve, but also the sharer.

Knowledge is everywhere, and when it is gathered, it is yours.

If you found this useful, please like it so that more people can understand, learn and improve.