Monthly Archives: April 2017


Man in the Middle Attack: What is it And How to Prevent it From Happening?

The internet boom of the modern century has led to an unimaginable level of digital expansion. Back in 1995, only 1% of the world had internet connectivity. Today that number stands at over 40%. However, with this surge in interconnectedness, comes the added risk of security breach and leak of data.

When the internet was first conceptualized, few could envision the sheer scope of its use. Thus, security was never at the priority of its design. The Domain Name Server (DNS) was built for functionality and, to this day, remains the most efficient method for connecting website names to their IP address via queried searches. But the lack of DNS security makes it easy for malicious hackers to exploit your servers and steal sensitive information. One of the ways to do it is via Man in the Middle (MITM) attack.

What is Man in the Middle attack?
A Man in the Middle attack, in computer security, is the method by which hackers intercept data being transferred between two parties and thereby become privy to sensitive information. For example, if two people, A and B, wish to communicate, B may request A to send a public key. However, if, unbeknownst to A, C somehow gets hold of this key, he can listen in on A and B’s messages without either of them knowing.

MITM may be passive in nature, where the hacker only listens to the conversation to gather intel without changing the messages, or active, where the hacker changes the messages en route and sends erroneous information to A, to B, or to both.

There are several ways to execute this type of attack. Let us take a look at some of them, as well as some defense mechanisms.

ARP Cache Poisoning
ARP Cache Poisoning is one of the simplest methods of eavesdropping on a network. The ARP protocol was created to communicate between layers in the OSI model and retrieve the MAC address of the target device. In simple terms, an ARP request asks all devices on the network which of them holds the target IP address; the ARP reply sends that device's MAC address to the source device, and data transfer can begin. However, since ARP has no way to secure this reply, malicious hosts can force the source device to update its ARP cache with the MAC address of a third-party device. Thus, an external party could receive the data packets without the source or target devices being any the wiser.

How to Defend Against This?
Since ARP is only used on local networks, hackers must first penetrate the network to use this method. Thus, securing the LAN and bolstering DNS security go a long way in preventing these attacks. Hard-coding static entries in the ARP cache, and monitoring the cache with a third-party program that can flag suspicious activity, can also be used.
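The cache monitoring mentioned above can be as simple as diffing successive ARP table snapshots. Here is an added Python example (not code from the original post) that parses constructed `arp -a`-style lines and flags the two classic poisoning symptoms: an IP whose MAC changed, and one MAC answering for several IPs; the host names and MAC addresses are made-up sample data.

```python
import re
from collections import defaultdict

# Matches Linux `arp -a` lines such as:
#   gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)

def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in an `arp -a` dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_anomalies(previous, current):
    """Compare two {ip: mac} snapshots and return a list of alert strings."""
    alerts = []
    # 1. A known IP now maps to a different MAC: the classic poisoning symptom.
    for ip, mac in current.items():
        old = previous.get(ip)
        if old and old != mac:
            alerts.append(f"MAC change for {ip}: {old} -> {mac}")
    # 2. One MAC answering for several IPs (e.g. the gateway and a host).
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts

# Constructed sample snapshots (not real hosts). In the second one the gateway's
# MAC has changed to that of host 192.168.1.50: a poisoned cache, seen from the victim.
BEFORE = """\
gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
host50 (192.168.1.50) at aa:bb:cc:dd:ee:50 [ether] on eth0
"""
AFTER = """\
gateway (192.168.1.1) at aa:bb:cc:dd:ee:50 [ether] on eth0
host50 (192.168.1.50) at aa:bb:cc:dd:ee:50 [ether] on eth0
"""

if __name__ == "__main__":
    for alert in find_anomalies(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        print("ALERT:", alert)
```

In practice you would take the snapshots periodically and treat any change to the gateway's entry as high priority, since that is the entry an attacker needs to redirect traffic.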

DNS Spoofing
Building on ARP Cache Poisoning, DNS spoofing attempts to poison the DNS cache and redirect traffic to malicious servers. DNS works by linking a web domain name to its IP address, retrieved from a database. If a hacker can poison this database, they can redirect any popular website name to their own server. Thus, when the user communicates with that server, they are actually sending data to the hacker, who can then forward the data to the correct server after having saved a copy of it.

Defense Tips
DNS Spoofing is one of the hardest attacks to defend against. Typically, you will not know the database has been compromised, and defense is mainly preventive rather than active in nature. Secure your internal machines and invest in DNS security software to prevent intrusion. DNSSEC is usually a good choice.




What is A BIND Birthday Attack on DNS and How To Eliminate This Threat?

We live in a world where troubles are never ending. They keep coming one after the other. The same goes for the world of computers. Viruses, bugs, trojan horses and other such disastrous elements keep showing up time and again. DNS (Domain name server) attacks have been one such element, and have kept users worried for quite some time now. Engineers keep researching various cache poisoning methods and try to come up with better ways to defend against these kinds of attacks and ensure proper DNS protection. One such attack is the BIND (Berkeley Internet Name Domain) birthday attack. The nomenclature has a lot to do with the birthday paradox, which states that if there are 23 people in a room, the chances of two of them sharing the same birth date are 50-50. What has this paradox got to do with the BIND attack? Well, let’s make the concept of this BIND birthday attack clear:

The Mechanism:

When your computer connects to the internet, a local DNS server is assigned to you. For every name you enter, your system contacts the local server for resolution. The returned value is then stored in a local cache. If the name is not resolved there, the request is transferred to another DNS server which has more information. This forms a chain when there are successive requests to different servers, and is hence called recursive. The final result looks as if it was returned by the local DNS server to your computer. In the early 2000s, word spread that BIND allowed false DNS server resolutions, which came to be known as cache poisoning. This attack takes place when the cache of the local DNS server is poisoned with false resolutions and then, following the chain, the client cache is poisoned as well.

So, how is the DNS server made to accept false resolutions? It’s a bit tricky yet simple. Let me explain how. The attacker makes a name request to the victim server. The request is intentionally set up so as to require a recursive resolution. The attacker then feeds false information to the recursive request too! The attack succeeds because of loopholes in DNS and BIND. Both of them share implicit trust with each other, which means that no authentication is required over the implementation of DNS by BIND.

Moreover, an older version of BIND still permits multiple simultaneous requests for the same name! The attacker then targets the 16-bit identifier (the only thing that connects a request to its reply), guessing it so that a false response is accepted. N recursive requests and N replies with random identifiers are then sent by the attacker. When N reaches about 700, the birthday paradox prevails, which means that the probability of one of the requests by the victim server matching one of the generated responses is high.

How To Defend Against It?

There are various situations you may have to face as a BIND user. For example, there can be instances where your users are returned false information or your server gets hijacked. Let’s look at what different people can do to defend against these kinds of attacks:

  • As a Domain owner: It is sometimes beyond your control to defend your server against those spoofing your name with a fake nameserver. You can use SSL so that browsers can authenticate your site. However, detection of such attacks would still be difficult. Also, there can be people trying to slow your server down, which may make a negative impression on your visitors.
  • Nameserver Admin: Updating BIND to the latest version would prove to be the best method for you. As already mentioned, older versions of BIND still permit multiple requests for the same name, which is not the case with the newer versions. You can also choose to refuse requests coming from the outside world that would require a recursive resolution.
  • As an End user: If your company doesn’t upgrade BIND, you can try running your own recursive resolver. Stick to basic security measures such as antivirus software and firewalls to protect your computer from any alien malware.
  • As a Vendor: You can fix the problem yourself by limiting the number of outstanding requests for the same name to one. If you have already updated to the latest version, that is good enough.
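To see why the mechanism section puts the threshold near N = 700, and how much the fix of allowing only one outstanding request per name helps, here is an added Python example (not from the original post) that models the attack with the standard birthday-paradox approximation; treating the victim's open identifiers as distinct is an assumption of the model, not something the post states.

```python
ID_SPACE = 2 ** 16  # DNS transaction IDs are 16 bits wide

def p_birthday(n, space=ID_SPACE):
    """Probability of at least one ID match when the victim resolver has n
    outstanding queries for the same name (random IDs) and the attacker sends
    n forged replies with random IDs. Each forged reply misses every open ID
    with probability (1 - n/space); the open IDs are treated as distinct,
    which is the usual birthday-paradox approximation (an assumption)."""
    if n >= space:
        return 1.0
    return 1.0 - (1.0 - n / space) ** n

def p_single_query(n, space=ID_SPACE):
    """Probability of success once the resolver allows only ONE outstanding
    query per name (the fix from the defense list): each of the n forged
    replies has an independent 1/space chance of carrying the right ID."""
    return 1.0 - (1.0 - 1.0 / space) ** n

def replies_needed(target, space=ID_SPACE):
    """Smallest n at which the birthday attack reaches probability `target`."""
    n = 1
    while p_birthday(n, space) < target:
        n += 1
    return n

if __name__ == "__main__":
    for n in (100, 300, 700):
        print(f"n={n:4d}  birthday={p_birthday(n):.4f}  "
              f"one-outstanding-query={p_single_query(n):.4f}")
    print("forged replies for a 50% birthday-attack success:", replies_needed(0.5))
```

With N = 700 the birthday model gives a success probability above 99%, while the same 700 forged replies against a resolver that keeps a single outstanding query succeed only about 1% of the time, which is the whole point of the vendor and admin fixes above.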

Moreover, you should regularly inspect your DNS server, as these attacks come uninvited. Security should be the most basic priority for any website, as cyber-crime has reached new levels. Take care of your DNS server and protect it from any further BIND birthday attacks!

