Page 586 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

A fourth example of DNS poisoning focuses on sending an alternate IP address to the client to be used as the DNS server the client uses for resolving queries. The DNS server address is typically distributed to clients through Dynamic Host Configuration Protocol (DHCP), but it can also be assigned statically. Even if all of the other elements of IP configuration have been assigned by DHCP, a local alteration can easily statically assign a DNS server address. Attacks to alter a client’s DNS server lookup address can be performed through a script (similar to the ARP attack mentioned earlier) or by compromising DHCP. Once the client has the wrong DNS server, they will be sending their queries to a hacker-controlled DNS server, which will respond with poisoned results.

A fifth example of DNS poisoning is that of DNS query spoofing. This attack occurs when the hacker is able to eavesdrop on a client’s query to a DNS server. The attacker then sends back a reply with false information. If the client accepts the false reply, they will put that information in their local DNS cache. When the real reply arrives, it will be discarded since the original query will have already been answered. No matter which of these five means of DNS attack is performed, false entries will be present in the local DNS cache of the client. Thus, all of the IP communications will be sent to the wrong endpoint. This allows the hacker to set up a man-in-the-middle attack by operating that false endpoint and then forwarding traffic on to the correct destination.
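The query-spoofing pattern described above leaves a trace a defender can look for in a capture: two responses to the same query carrying different answers, the first cached and the second discarded. The following detection sketch is an added example, not from the study guide; the record layout, the function name `find_conflicting_responses`, and the sample data are constructed assumptions.

```python
# Constructed sample of DNS responses observed next to a client.
# Fields: (time_s, client_ip, resolver_ip, txid, qname, answer_ip).
# All addresses and names are documentation values, not real traffic.
SAMPLE_RESPONSES = [
    (10.001, "192.0.2.10", "192.0.2.53", 0x1A2B, "www.example.com", "203.0.113.66"),
    (10.019, "192.0.2.10", "192.0.2.53", 0x1A2B, "www.example.com", "198.51.100.7"),
    (11.200, "192.0.2.10", "192.0.2.53", 0x3C4D, "mail.example.com", "198.51.100.25"),
    # Benign retransmission: same query, same answer.
    (11.205, "192.0.2.10", "192.0.2.53", 0x3C4D, "mail.example.com", "198.51.100.25"),
    # Different client reusing the same transaction ID: a separate query.
    (12.500, "192.0.2.11", "192.0.2.53", 0x1A2B, "www.example.com", "198.51.100.7"),
]


def find_conflicting_responses(responses, window_s=2.0):
    """Return alerts for queries answered more than once with different data.

    A query is identified by (client, resolver, txid, qname). The first
    response is the one the client caches; a later response with a different
    answer inside window_s is the reply that gets discarded.
    """
    first_seen = {}
    alerts = []
    for t, client, resolver, txid, qname, answer in sorted(responses):
        key = (client, resolver, txid, qname.lower().rstrip("."))
        if key not in first_seen:
            first_seen[key] = (t, answer)
            continue
        t0, accepted = first_seen[key]
        if answer != accepted and t - t0 <= window_s:
            alerts.append({
                "client": client, "qname": key[3], "txid": txid,
                "accepted": accepted, "discarded": answer,
                "gap_ms": round((t - t0) * 1000),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_responses(SAMPLE_RESPONSES):
        print(alert)
```

The sketch compares a single answer address per response; records with several answers would need to be compared as sets so that reordered but identical answers are not flagged.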

A third area of concern in regard to local cache is that of the temporary internet files or the internet files cache. This is the temporary storage of files downloaded from internet sites that are being held by the client’s utility for current and possibly future use. Mostly this cache contains website content, but other internet services can use a file cache as well. A variety of exploitations, such as the split-response attack, can cause the client to download content and store it in the cache that was not an intended element of a requested web page. Mobile code scripting attacks could also be used to plant false content in the cache. Once files have been poisoned in the cache, then even when a legitimate web document calls on a cached item, the malicious item will be activated.