Network Intruder

The Domain Name System (DNS) is essential to the correct functioning of the network and the Internet; Kurose & Ross (2010, p. 135) state that “if the DNS server crashes, so does the entire Internet!”. This statement relies not only on the assumption that the DNS server will not crash but also on the assumption that the messages being sent over the network are valid (i.e. received from and sent by the hosts and servers that were intended). Invalid DNS messages will probably not cause any crashes, but they do render the system useless. Therefore, the ability of an intruder to insert and remove DNS messages on the network allows them to change the named source and destination of network traffic completely for one or many hosts, which can have disastrous effects.
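The validity assumption above is what a resolver (or a network monitor) can actually check on each DNS reply: a response is only acceptable if it carries the transaction ID of a query that is still outstanding, comes from the server that query was sent to, repeats the same question, and answers for the name that was asked. The following Python script is an added example written for this page, not code from the essay or from any cited author; it builds its own sample query and response packets (constructed, using documentation addresses) and applies those checks, flagging anything that fails as a possible injected message.

```python
import struct
from dataclasses import dataclass

DNS_A = 1   # A record type
DNS_IN = 1  # Internet class


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Return (name, offset after the name). Follows RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # two-byte pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                   # guard against pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid: int, qname: str, qtype: int = DNS_A) -> bytes:
    """Constructed sample query: header with RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, DNS_IN)


def build_response(txid: int, qname: str, ip: str, qtype: int = DNS_A) -> bytes:
    """Constructed sample response: QR=1, the question echoed, one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, DNS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer owner name is a pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, DNS_IN, 300, len(rdata)) + rdata
    return header + question + answer


@dataclass
class Message:
    txid: int
    is_response: bool
    qname: str
    qtype: int
    answers: list  # (owner name, type, rdata)


def parse_message(data: bytes) -> Message:
    """Parse header, the single question, and the answer section of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == DNS_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return Message(txid, bool(flags & 0x8000), qname, qtype, answers)


def check_response(outstanding: dict, data: bytes, src_addr: str):
    """outstanding maps txid -> (qname, qtype, server_addr) for queries we sent.
    Returns (accepted, reason); a False result is a candidate injected/spoofed reply."""
    try:
        msg = parse_message(data)
    except (ValueError, IndexError, struct.error) as exc:
        return False, f"malformed: {exc}"
    if not msg.is_response:
        return False, "QR bit not set"
    pending = outstanding.get(msg.txid)
    if pending is None:
        return False, "unsolicited: no outstanding query with this transaction id"
    qname, qtype, server = pending
    if src_addr != server:
        return False, f"source {src_addr} is not the server queried ({server})"
    if (msg.qname.lower(), msg.qtype) != (qname.lower(), qtype):
        return False, "question section does not match the query sent"
    for name, _, _ in msg.answers:
        if name.lower() != qname.lower():
            return False, f"answer owner {name} differs from the question name"
    return True, "matches outstanding query"


if __name__ == "__main__":
    # Constructed scenario: we asked 192.0.2.53 for example.com with txid 0x1234.
    pending = {0x1234: ("example.com", DNS_A, "192.0.2.53")}
    reply = build_response(0x1234, "example.com", "203.0.113.10")
    print(check_response(pending, reply, "192.0.2.53"))     # accepted
    print(check_response(pending, reply, "198.51.100.9"))   # wrong source: rejected
```

A real stub resolver additionally randomises the transaction ID and source port so that an intruder who cannot see the query has to guess both; the checks above are the minimum that makes an injected reply detectable rather than silently accepted.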

One scenario that presents itself when an intruder has complete control over DNS messages is the ability to direct those messages to a destination other than the one intended, without the user being aware that they have not reached the correct destination. According to Anderson (2010, p. 643) this is often referred to as “pharming”, and it can, for example, lead to a user entering sensitive personal information into a place they did not intend, thereby disclosing that data.

A second scenario is that the intruder uses the ability to insert and remove DNS messages to impersonate the host. These “Man-In-the-Middle” (MITM) attacks, as described by Anderson (2010, pp. 73-76), allow various techniques to be used to access systems as the valid host or user, or to change network data to the attacker's advantage. This scenario differs slightly from pharming, but it likewise allows the intruder to gain apparently legitimate access to systems and potentially to extremely sensitive information (e.g. online banking details, data to aid in social engineering, etc.).

A third scenario is for the intruder to use DNS messages to give another server, host or service the very realistic impression that the user has requested its services, despite the user not having done so. If a multi-message strategy were used, where the DNS messages of many requests were changed (via removal and insertion) in a coordinated manner, the intruder could mount Distributed Denial of Service (DDoS) attacks on one or more targets in a similar way to a botnet.

References

Anderson, R. (2010) Security Engineering: A Guide to Building Dependable Distributed Systems (2nd Edition). Wiley Publishing.

Kurose, J. & Ross, K. (2010) Computer Networking: A Top-Down Approach (Fifth Edition). Addison Wesley.