
Redirects

In another type of DNS-related attack, hackers compromise a link on someone else's page or set up their own page with false links. In either case, the link may claim to lead to a legitimate site, but in reality it brings the Web surfer to a look-alike site set up and controlled by the hacker, one that resembles the site the Web surfer was expecting.
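A simple way to catch the deceptive links described above, from the defender's side, is to compare what a link says with where it actually goes. The following is an added example, not code from the original text: it parses a constructed HTML fragment with Python's standard library and flags any anchor whose visible text names one site while its href points at another. The sample page, the host names and the two-label domain comparison are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page fragment (not from the original text): three links,
# one of which shows a legitimate-looking address but points somewhere else.
SAMPLE_HTML = """
<p>Log in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a></p>
<p>Or use <a href="http://203.0.113.7/login">www.example-bank.com</a></p>
<p>Help: <a href="https://support.example-bank.com/">contact support</a></p>
"""


def registrable_domain(host):
    """Crude 'same site' key: the last two labels of the host name.
    Assumption: no public-suffix list, so names such as example.co.uk
    are not handled correctly by this simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_host(text):
    """Return the host name if the visible link text looks like a URL or a
    bare domain name; return None for ordinary words like 'contact support'."""
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return host
    return None


def find_deceptive_links(html):
    """Return (href, text) pairs where the visible text names one site but
    the href actually leads to a different one."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        shown = text_host(text)
        if shown is None:
            continue  # plain words make no claim about the destination
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            suspicious.append((href, text))
    return suspicious


if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_HTML):
        print(f"link text {text!r} claims one site but leads to {href}")
```

Only the second link is reported: its text reads www.example-bank.com while the href leads to a bare IP address. The first link's text and target agree, and the third shows ordinary words that make no claim about the destination, so neither is flagged.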

If all other attempts fail, a hacker can try manipulating the domain name registry system originally maintained by the InterNIC. In 1999, on at least three occasions, hackers were able to transfer domain names or redirect Internet surfers to sites other than the ones they were attempting to access. In one case Network Solutions' own DNS entry was altered, so that when users entered the Network Solutions URL they were redirected to another site.

In at least three other cases hackers were able to transfer ownership of domain names to other IP addresses. Once the ownership was transferred and the NSI database altered, anyone attempting to access those domains would be redirected to the new sites. In one case the domain for excite.com was transferred to an unsuspecting site that found itself inundated with the millions of hits that excite.com normally receives. In other cases the ownership of the domains for the Ku Klux Klan and another site opposed to homosexuality called godhatesfags.com were transferred. Ownership of the Ku Klux Klan site was transferred to a site dedicated to fighting bigotry. Ironically, the godhatesfags.com domain was transferred to a site with the domain godlovesfags.com, a site that went on-line to appeal for tolerance. No individuals from the sites to which the domains were redirected were involved in the manipulation of the domain name registry system.

When employing a man-in-the-middle (MIM) attack, a hacker's false or counterfeit site can actually pass the client's requests on to the real site and return to the client the requested pages from the real site. All the while the hacker is monitoring and recording the interaction between the client and the server.

There is really no effective countermeasure against MIM. This attack can even be successful when encryption, such as SSL, is being employed. It only requires the hacker to obtain a valid digital certificate to load on his or her server, so that SSL can be enabled. Web surfers need only be careful about where they browse, confirming links and trusting only links from a secure and trusted site.

Note that there are other ways to carry out a redirect or MIM attack. For example, certain operating systems such as Microsoft's Windows 95, 98, and 2000 and Sun's Solaris have an inherent vulnerability in their implementation of the Internet Control Message Protocol (ICMP) Router Discovery Protocol (IRDP); ICMP is an integral part of the TCP/IP protocol suite. Hackers can exploit this vulnerability by rerouting or modifying outbound traffic as they choose. A key limitation on an attack using this vulnerability is that the attacker must be on the same network as the targeted system.

Replay Attack

A hacker executes a replay attack by intercepting and storing a legitimate transmission between two systems and retransmitting it at a later time. Theoretically, this attack can even be successful against encrypted transmissions. The best defense against this attack is to use session keys, check the time stamp on every transmission, and employ time-dependent message digests.
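The three defenses just listed fit together into one receiver-side check, shown here as an added example rather than code from the original text. A session key is used to compute a message digest over the payload together with a time stamp and a one-time nonce; the receiver recomputes the digest, rejects anything outside a freshness window, and refuses a nonce it has already accepted, so a stored copy of a genuine message cannot be played back later. The session key, the 30-second window, the JSON message layout and the sample payload are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed session key for the demonstration; in practice this would be
# negotiated per session rather than fixed in the code.
DEMO_SESSION_KEY = b"constructed-session-key-for-demo"


def _digest(session_key, body):
    """Time-dependent message digest: HMAC-SHA256 over the canonical JSON of
    the body, which includes the time stamp and the nonce."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(session_key, canonical, hashlib.sha256).hexdigest()


def build_message(session_key, payload, now=None):
    """Sender side: stamp the payload with the current time and a random
    nonce, then attach the keyed digest. Returns the bytes put on the wire."""
    body = {
        "ts": time.time() if now is None else now,
        "nonce": secrets.token_hex(8),
        "payload": payload,
    }
    return json.dumps({"body": body, "mac": _digest(session_key, body)}).encode()


class ReplayGuardedReceiver:
    """Receiver that accepts a given message only once and only while fresh."""

    def __init__(self, session_key, max_age_seconds=30):
        self.session_key = session_key
        self.max_age = max_age_seconds
        self.seen = {}  # nonce -> time stamp of the accepted message

    def accept(self, wire_bytes, now=None):
        """Return (True, payload) for a fresh, authentic, first-time message,
        or (False, reason) otherwise."""
        now = time.time() if now is None else now
        envelope = json.loads(wire_bytes)
        body = envelope["body"]
        # 1. digest check: the session key binds payload, time stamp and nonce
        if not hmac.compare_digest(_digest(self.session_key, body), envelope["mac"]):
            return (False, "bad digest")
        # 2. time stamp check: anything outside the window is stale
        if abs(now - body["ts"]) > self.max_age:
            return (False, "stale timestamp")
        # 3. nonce check: forget nonces that can no longer pass step 2,
        #    then refuse one that has already been accepted
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_age}
        if body["nonce"] in self.seen:
            return (False, "replayed nonce")
        self.seen[body["nonce"]] = body["ts"]
        return (True, body["payload"])


def demo():
    """Walk one message through the receiver: first delivery, a replay of the
    stored copy, a message held back past the window, and a tampered copy."""
    rx = ReplayGuardedReceiver(DEMO_SESSION_KEY)
    t0 = 1_700_000_000.0  # constructed reference time
    msg = build_message(DEMO_SESSION_KEY, "transfer 100 to acct 42", now=t0)
    first = rx.accept(msg, now=t0 + 1)
    replay = rx.accept(msg, now=t0 + 5)
    late = rx.accept(build_message(DEMO_SESSION_KEY, "ping", now=t0), now=t0 + 120)
    tampered = rx.accept(msg.replace(b"acct 42", b"acct 99"), now=t0 + 2)
    return first, replay, late, tampered


if __name__ == "__main__":
    for label, outcome in zip(("first", "replay", "late", "tampered"), demo()):
        print(f"{label:9s} -> {outcome}")
```

The nonce table is pruned with the same window used for the time stamp check, so it stays bounded: a replay older than the window is already rejected as stale, and only nonces that could still pass that check need to be remembered.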
