Pharming for DNS flaws

Over the past few years, I've found that my clients have been getting exponentially better in how they manage the security of their internet-facing infrastructure.

Both their firewall rule sets and patching processes have improved, and to such an extent that the number of vulnerabilities likely to be discovered during a penetration test is directly proportional to the time elapsed since the last patching cycle or internal vulnerability scan.

This means that any vulnerabilities discovered during an engagement are either brand new or were previously known by the organisation and had already been deemed an acceptable business risk.

I like engagements like this because they help to push the skills of any consultants involved. Instead of blindly reiterating the same fix information about missing patches and vulnerable services, they must examine any findings in greater detail and carefully explain the significance of each one. A lot of minor flaws that would have only been glossed over on an "easy" pentest are instead wrung for all their worth.

This is good for two reasons – the client benefits from a clearer understanding of the significance of these traditionally minor/low-risk vulnerabilities, and the consultants are forced to appreciate and understand the business context of an exploit.

The DNS vulnerabilities are of particular interest at the moment. Just as email security flaws became more important as a source of spam, and eventually developed into the more insidious phishing attack vector, DNS security flaws are now developing into pharming attacks.

Minor flaws in the way domain names are registered and how host names are managed by DNS servers has been exploited by phishers to form the basis of the newest, hard to detect and protect against, pharming threat.

By gaining control of a corporate host's DNS entry and modifying its listed IP address, the attacker can force customers trying to connect to their online services to any host of his choice. Many of the tools specifically designed to spot fake host names or obfuscated destinations used in phishing attacks are bypassed in this attack.

To evaluate the potential of this type of attack, the consultant must carefully scrutinise all the details of their network registration (right down to the registrant's name, address and listed validation credentials), keep a close eye on the dates of any referenced TLDs to prevent domain hijacking or post-expiry purchasing, analyse the details of all hosts listed within the zone of the DNS server (trying to spot non-standard names or unexpected IP addresses), and even query the caching DNS servers of popular ISPs.

Even after having conducted all this "extra" pentesting, customers may still fall for a pharming attack if their local or preferred DNS server (not in the control of the client) has been affected. But the likelihood has been reduced as far as possible and, hopefully, the report the client receives will explain the nature of the threat and how prepared they are to face it.

Gunter Ollmann is director of professional services at Next Generation Security Software