Network security is central to protecting servers. An organization's servers hold a lot of sensitive data (e.g., clients' personal data) that can do serious damage to the business if compromised. One of the most common, and hardest to detect, ways that trust in your servers can be undermined is cache poisoning.
It is crucial to be aware of what cache poisoning is, how it works, why it is so dangerous, and how you can prevent becoming a victim. This is your guide to keeping your servers secure from this malicious cyber attack.
What is Cache Poisoning?
Attackers can target the cache of a Domain Name System (DNS) resolver with forged records. This attack is known as cache poisoning (also called DNS spoofing or DNS cache poisoning). Once it succeeds, at least some of the records in the cache are not legitimate and point clients at a destination the attacker controls.
For example, suppose the resolver your machine uses has a poisoned entry for a fictitious website called XYZ. When you type XYZ's name, the resolver answers from its cache with the attacker's IP address, so your browser connects to an illegitimate site that looks authentic, and you unknowingly enter your credentials there. The resolver cannot tell the forged record from a real one, so for as long as the entry is cached every visit to XYZ is redirected to the fake site. Neither you nor the legitimate web server, which never sees the connection, has an obvious way to detect that the DNS data has been falsified.
Phony records are inserted into the DNS cache to redirect users to a harmful site that steals information or installs ransomware, spyware, trojans, worms, or other malware on the device. The user does not notice because they enter a human-friendly domain name such as amazon.com; the operating system's stub resolver then asks a recursive resolver to translate it into the IP address the computer actually connects to, and it is that translation the attacker has tampered with.
What is a Cache?
A cache is a temporary storage location that allows faster retrieval of frequently used data and files. Several types of caches are found across a number of devices and applications, such as on laptops, desktops, smartphones, tablets, web applications, and web browsers. The purpose is to make everything run faster and more efficiently.
When a user opens an app or visits a website for the first time, pertinent data and files are stored in the cache. When the user revisits the website or app, the associated data and files can be read locally from the cache, allowing the site or app to load more quickly. (Staying logged in to a site such as Amazon or Gmail between visits is a related but different mechanism: a session cookie or token kept by the browser or app, not cached content.)
Benefits of Caches
The most recognized benefit of caches, for users and IT professionals alike, is that they make apps and websites run much faster, improving the system's performance. In the DNS case, a resolver that already has a cached answer can respond to a query immediately instead of walking the chain of authoritative servers. There are additional benefits, including:
- Offline access: Because caches save data, some apps can keep working without an internet connection by serving the data they have already cached.
- Optimized resources: Since files only need to be downloaded once, the app or website does not spend battery power and time re-downloading data on each subsequent visit. Caches significantly increase efficiency.
Two things are worth noting. First, data from a site or app is re-downloaded if the underlying files have changed. Second, a DNS record stays in the cache only for the time frame its TTL (Time-to-Live) allows; the TTL is set by the zone's owner, is typically seconds to hours, and also bounds how long a poisoned entry survives. (Having to log back in to an application such as email every so often, e.g., after 30 days, is session expiry and has nothing to do with a DNS TTL.)
As with most components of computers and the internet, caches are subject to malicious attacks from those wishing to harm the software, hardware, or even the user.
How Cache Poisoning Works
In DNS poisoning, the perpetrator gets forged records into a resolver's DNS cache. The purpose is to redirect users from the intended server to one the attacker controls. The redirection is typically used in three ways:
- Once the user is on the malicious website, some type of program (a hijacking program, spyware, a worm, a trojan, or other malware) is downloaded onto the user's device without their knowledge.
- Sensitive information such as login credentials or bank details may be stolen because the user believes they are on a legitimate website or app and willingly inputs it. Instead, they are on a phishing site. Poisoning is also a building block for man-in-the-middle attacks, in which the attacker relays and alters the communication between two parties: the user thinks they are talking to their bank's site, but every request passes through the attacker's server, which can read and modify it before forwarding it on. Users who believe they are communicating with a trustworthy party may give out sensitive information.
- The attacker redirects a device's update checks to a server they control and serves a malicious "update", leaving the device compromised. (Update mechanisms that verify a signature on the package, rather than trusting wherever the download came from, resist this.)
It is essential to understand that the attacker hides the real destination, so the user has no idea they have been diverted to a server other than the intended one. In the classic attack the perpetrator sends the resolver forged responses that race the legitimate answer; if a forged response matches the outstanding query it is cached as if it were real, and the victim lands on a fake website disguised as the real one. Because the poisoned cache belongs to the resolver, the attack affects Apple (macOS), Android, Microsoft Windows and any other client that uses it.
Why Cache Poisoning Occurs
DNS Resolvers Cannot Identify DNS Poisoning
Unfortunately, a resolver that does not validate DNSSEC cannot tell a forged record from a genuine one: it checks that a response matches its outstanding query, but it has no way to verify that the data itself is accurate. Falsified information therefore goes undetected and stays in the cache until something notices it (e.g., a monitoring tool that compares answers against known-good data) or the TTL expires. A single user may be a victim numerous times without realizing it.
Analysis of DNS records can identify foul play; however, it is near impossible for an IT team to compare DNS queries against DNS responses on a daily basis without automation.
The Use of UDP Instead of TCP
DNS servers normally exchange queries and responses over UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol), falling back to TCP only for large answers. TCP does not verify anyone's identity either, but its handshake and sequence numbers mean an off-path attacker cannot inject data without guessing 32-bit sequence numbers. UDP has no handshake at all: a single forged datagram is accepted if it reaches the right port with the right 16-bit transaction ID and the right question before the real answer arrives. Attackers exploit this by flooding a resolver with guessed responses.
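To make the acceptance rule concrete, here is an added example (not code from the original article) that models in Python the checks a recursive resolver applies to a UDP response before caching it, plus the arithmetic behind the "guess the transaction ID" attack. The wire format follows RFC 1035; the query, the legitimate answer and the forged answer are all constructed in-process, and the IP addresses are documentation ranges. It illustrates both the previous section's point, that the resolver only checks whether a response matches its question and cannot verify the data itself, and this section's point about UDP.

```python
"""Toy model of the checks a recursive resolver applies before caching a UDP DNS
answer. Added example, not code from the original article. Wire format per
RFC 1035; all messages are constructed in-process, no network is used."""
import secrets
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def read_name(data: bytes, off: int):
    """Decode a name at `off`, following compression pointers; return (name, end)."""
    labels, end, jumped = [], off, False
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), (end if jumped else off)


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)


def build_response(txid: int, qname: str, answers) -> bytes:
    """answers: list of (name, dotted_ipv4, ttl). Flags 0x8180 = response, RD, RA."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    for name, ip, ttl in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return msg


def parse_message(data: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = read_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


class PendingQuery:
    """State the resolver keeps for one outstanding question it sent upstream."""

    def __init__(self, qname: str, random_port: bool = True):
        self.qname = qname.lower().rstrip(".")
        self.txid = secrets.randbelow(1 << 16)                  # 16 bits of entropy
        # Source port randomization adds ~16 more bits; a fixed port 53 adds none.
        self.src_port = secrets.randbelow(64512) + 1024 if random_port else 53
        self.packet = build_query(self.txid, self.qname)


def accept_response(pending: PendingQuery, dst_port: int, packet: bytes, bailiwick: str):
    """Return (accepted, reason). A blind attacker must get every check right in a
    single forged UDP datagram that arrives before the genuine answer. Note that
    nothing here verifies the *content* of the answer: that is what DNSSEC adds."""
    if dst_port != pending.src_port:
        return False, "port mismatch"
    msg = parse_message(packet)
    if msg["txid"] != pending.txid:
        return False, "txid mismatch"
    if not msg["flags"] & 0x8000:
        return False, "not a response"
    if msg["qname"] != pending.qname or msg["qtype"] != A_RECORD:
        return False, "question mismatch"
    for name, _ip, _ttl in msg["answers"]:   # bailiwick rule: only cache names the server is authoritative for
        if name != bailiwick and not name.endswith("." + bailiwick):
            return False, "out-of-bailiwick record for " + name
    return True, "accepted"


def spoof_success_probability(forged_packets: int, entropy_bits: int) -> float:
    """Chance that at least one of N random guesses hits a secret of `entropy_bits` bits."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** forged_packets


if __name__ == "__main__":
    q = PendingQuery("www.example.com")
    legit = build_response(q.txid, q.qname, [("www.example.com", "192.0.2.10", 300)])
    forged = build_response(q.txid ^ 1, q.qname, [("www.example.com", "203.0.113.66", 86400)])
    print(accept_response(q, q.src_port, legit, "example.com"))   # (True, 'accepted')
    print(accept_response(q, q.src_port, forged, "example.com"))  # (False, 'txid mismatch')
    print(f"{spoof_success_probability(65536, 16):.3f}")          # ~0.632: txid only, fixed port
    print(f"{spoof_success_probability(65536, 32):.1e}")          # ~1.5e-05: txid + random port
```

The last two lines are the whole story of the 2008 Kaminsky-era fixes: with a fixed source port an attacker who sends 65,536 forged packets during one lookup wins almost two times in three, while source port randomization pushes the same effort down to a one-in-sixty-thousand chance. A real resolver also needs rate limits, 0x20 case randomization or DNSSEC validation on top of these checks, and the bailiwick rule is what stops a reply about example.com from planting a record for your bank.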
DNS Was Not Built For Today's Internet
DNS was developed in the 1980s, when the internet was just beginning to gain popularity. Its designers could not have predicted how much and how quickly the internet would grow, and the protocol was built on the assumption that the parties exchanging messages were trustworthy. Simply put, DNS was designed for an Internet that was much smaller, and much friendlier, than today's.
The Dangers of Cache Poisoning
As mentioned above, DNS spoofing can lead to the installation of dangerous programs on devices, data theft, and compromised security updates. The dangers can be extensive and devastating to individuals and companies. What makes this attack so effective is that it is almost impossible to detect until it is too late: the browser resolves the name automatically, and since the address the user typed is the legitimate one, they have no reason to suspect foul play. (For HTTPS sites the browser's certificate check is the main remaining defence: the fake site cannot present a valid certificate for the real name unless the attacker has also obtained one, so a certificate warning on a site you visit regularly deserves attention rather than a click-through.)
This means that once a resolver has accepted a phony record, every client that relies on that resolver and visits the affected site is a victim. The potential damage is easy to see with a company such as a bank. Think of what could get into the wrong hands if a bank's customers were sent to a phishing copy of its site: credentials and sensitive data would be compromised, and funds could be transferred anywhere in the world.
The above is just one example. DNS spoofing threatens every individual and every entity, including hospitals, schools, legal systems, and many more. Since cache poisoning is hard to detect, prevention is the key to protecting your servers.
Preventing Cache Poisoning
Effectively preventing cache poisoning is the combined responsibility of website owners, DNS service providers, and users. Here are the best ways to protect your business from DNS poisoning.
Utilize DNS Security Extensions
DNS Security Extensions (DNSSEC) adds digital signatures to DNS records, forming a chain of trust from the root zone down through each delegation. A validating resolver checks the signature on every answer and discards records that do not verify, which is exactly the test a forged response fails. DNSSEC has limits, however: it only protects zones that are actually signed, only helps if the resolver validates, and does not cover the last hop between a client and its resolver, so a spoofed answer on that hop is still accepted by a non-validating client. It also says nothing about whether the site at a correctly resolved address is itself honest.
Utilize Encrypted DNS Transports
Encrypted DNS transports (DNS over TLS, DNS over HTTPS, DNS over QUIC) wrap the query in a TLS session so that only the intended resolver can read it and an on-path attacker cannot inject a forged response into that session. This is useful because the stub-to-resolver hop is precisely the one DNSSEC leaves uncovered. It is not end-to-end protection for the lookup, though: it secures only the hop to the resolver, and if the resolver's own cache is poisoned the encrypted channel delivers the bad answer just as faithfully. Pair it with a validating resolver you trust.
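To show what the last two recommendations look like on a real resolver, here is an added configuration example (not from the original article) for Unbound, a common open-source recursive resolver. The option names are Unbound's own; the upstream address, the trust-anchor path and the certificate bundle path are assumptions for a typical Linux install. The first block is the kind of configuration that makes poisoning easy, the second is the hardened equivalent.

```conf
# --- WEAK: open resolver, plain UDP upstream, no validation ---------------
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow        # anyone on the internet can query (and attack) it
    harden-glue: no                        # cache glue records the server was not authoritative for
    harden-dnssec-stripped: no             # accept answers whose DNSSEC data was stripped
    use-caps-for-id: no                    # no 0x20 case randomization in queries
forward-zone:
    name: "."
    forward-addr: 192.0.2.53               # assumed upstream, cleartext UDP/53

# --- HARDENED: local only, DNSSEC validation, TLS to upstream -------------
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path; enables DNSSEC validation
    val-permissive-mode: no                # actually drop answers that fail validation
    harden-glue: yes                       # bailiwick rule for glue
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes                   # extra entropy per query against blind spoofing
    qname-minimisation: yes
    cache-max-ttl: 86400                   # cap how long any entry, poisoned or not, can live
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # assumed path; needed to verify upstream
forward-zone:
    name: "."
    forward-tls-upstream: yes              # DNS over TLS to the forwarder
    forward-addr: 9.9.9.9@853#dns.quad9.net   # port 853, certificate must match this name
```

Run "unbound-checkconf" after editing to catch syntax errors, and verify validation is live by resolving a known-bad test name (a domain whose DNSSEC signature is deliberately broken should return SERVFAIL, not an address). The "refuse" rule is what keeps your resolver from becoming one of the open resolvers attackers use as poisoning targets and amplifiers.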
Implement Attack Surface Management Software
Comprehensive attack surface management (ASM) software inventories your internet-facing servers, including DNS servers that should not be answering recursive queries from the whole internet, monitors them for signs of suspicious activity, and provides real-time security alerts. Reputable ASM solutions track attackers' latest tactics and streamline remediation to prevent serious incidents such as data breaches.
Educate users
Educate end-users on how to safely use apps and websites, and implement policies that significantly reduce the chance of an attack being introduced into the system. Here is what users should do whenever possible:
- Never click on unknown URLs, and never click through a browser certificate warning on a site you normally use
- Never disable firewalls
- Routinely scan devices for suspicious activity
- Flush the local DNS cache when something looks wrong (on Windows: ipconfig /flushdns; on macOS: sudo dscacheutil -flushcache followed by sudo killall -HUP mDNSResponder; on Linux with systemd-resolved: resolvectl flush-caches). If the local cache was poisoned, this removes the entry faster than waiting for the TTL to expire; it does not clear the upstream recursive resolver's cache, which only that resolver's operator can flush
- Use a VPN (virtual private network) when possible, bearing in mind that this moves DNS trust to the VPN provider's resolver rather than removing the need for trust