T 5.152 DNS hijacking
DNS hijacking is an attack in which the communication between advertising (authoritative) DNS servers and resolvers is routed via the attacker's IT system. It is thus a man-in-the-middle attack: the communication does not take place directly between the two communication partners, but is routed via a third party.
The attacker can now listen in on and record the communication. The far greater risk, however, is that a successful attacker can alter the traffic between the two communication partners at will. An attacker is thus able to:
- reject packets,
- modify or (re)direct packets or
- send his/her own response packets.
If, after a successful DNS hijacking attack, the resolver of a client IT system sends a request to a DNS server, the attacker can, for example, change the mapping of name to IP address as he/she wishes, regardless of whether the queried server is an advertising or a resolving DNS server. Because the attacker sees the original request, the forged response carries the correct transaction ID and question section, so the checks that protect a resolver against off-path spoofing do not help here.
DNS hijacking can also be combined with other forms of attack; phishing in particular lends itself to this. In phishing (a play on "fishing" for passwords), passwords or similar information are elicited from users (see also T 5.42 Social Engineering and T 5.78 DNS spoofing) in order to sell this data or to use it for the attacker's own advantage.
Example:
- A company operates its own web shop and a customer wants to shop there. An attacker succeeds in routing the entire DNS traffic between the customer and the company via his/her server. The customer enters the domain name of the web shop in the browser. Usually, the name is resolved automatically into the corresponding IP address in the background. Since the attacker is interposed, however, the attacker rejects the DNS request and sends his/her own response packet, in which the mapping of name to IP address is changed so that the customer is directed not to the company's web shop but to the attacker's. The attacker's web shop is a visual replica of the company's web shop, so the customer does not notice any difference. The customer enters login data and, when completing the purchase, a credit card number, which are thus disclosed to the attacker. The attacker can then use this data either to make purchases at the customer's expense or to resell it.
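The following is an added worked example and not part of the catalogue text: it models, on the DNS wire format (RFC 1035), the rewriting of the name-to-IP mapping described above and the web shop scenario. The zone name shop.example, the addresses 192.0.2.10 and 198.51.100.7, and all function names are constructed for illustration. The interposed attacker records every query, answers the targeted name itself (the real lookup is never forwarded) and passes everything else through; the client's transaction-ID and question checks are satisfied by the forged reply, so the only check that notices anything is a comparison against an independent resolution path.

```python
"""Added example (not from the BSI catalogue): DNS hijacking as an on-path
rewrite of the name-to-IP mapping, in plain Python on the DNS wire format.
All names, addresses and function names below are constructed."""
import struct

A_RECORD = 1
CLASS_IN = 1


def encode_name(name):
    """Encode "shop.example" as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    """Standard query from a client resolver: RD=1, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)


def parse_name(data, offset):
    """Decode a name at `offset`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = parse_name(data, pointer)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_question(packet):
    """Return (txid, qname, qtype, offset just after the question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    qname, off = parse_name(packet, 12)
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, qname, qtype, off + 4


def build_response(query, ip, ttl=300):
    """Answer `query` with one A record. Transaction ID and question are copied
    from the query, so the reply passes the resolver's matching checks."""
    txid, _, qtype, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR RD RA, NOERROR
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, CLASS_IN, ttl, 4) + rdata
    return header + query[12:qend] + answer


def parse_answers(packet):
    """Return [(name, ip, ttl), ...] for the A records in the answer section."""
    ancount = struct.unpack("!H", packet[6:8])[0]
    _, _, _, off = parse_question(packet)
    answers = []
    for _ in range(ancount):
        name, off = parse_name(packet, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == A_RECORD:
            answers.append((name, ".".join(str(b) for b in packet[off:off + 4]), ttl))
        off += rdlen
    return answers


LEGIT_ZONE = {"shop.example": "192.0.2.10"}  # constructed zone of the real shop
ATTACKER_SHOP_IP = "198.51.100.7"            # constructed address of the replica


def authoritative_server(query):
    """The company's advertising DNS server, answering from its own zone."""
    _, qname, _, _ = parse_question(query)
    return build_response(query, LEGIT_ZONE[qname])


def on_path_attacker(query, upstream, target, fake_ip, log):
    """The interposed system: records every query, answers the target itself
    (the genuine lookup is dropped, never forwarded) and relays the rest."""
    _, qname, _, _ = parse_question(query)
    log.append(qname)
    if qname == target:
        return build_response(query, fake_ip)
    return upstream(query)


def hijacked_path(log):
    """The customer's DNS traffic once it is routed via the attacker."""
    return lambda q: on_path_attacker(q, authoritative_server, "shop.example",
                                      ATTACKER_SHOP_IP, log)


def resolve(name, txid, path):
    """Client resolution over a given path, with the usual anti-spoofing
    checks; both are satisfied by the forged reply, which is the point."""
    reply = path(build_query(name, txid))
    rtxid, qname, _, _ = parse_question(reply)
    assert rtxid == txid and qname == name
    return parse_answers(reply)[0][1]


def cross_check(name, txid, *paths):
    """Detection hint: resolve over independent paths and flag disagreement.
    Without DNSSEC the resolver alone cannot tell the forged reply apart."""
    return {resolve(name, txid, path) for path in paths}


def demo():
    log = []
    honest = resolve("shop.example", 0x1234, authoritative_server)
    victim = resolve("shop.example", 0x1234, hijacked_path(log))
    return honest, victim, log


if __name__ == "__main__":
    print(demo())
```

`cross_check` is only a hint at detection: a disagreement between two paths shows that one of them is tampered with, but not which. The measure that lets the resolver itself reject the forged answer is signature validation (DNSSEC), which the transaction-ID check cannot replace against an on-path attacker.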