Hacktivists Targeting DNS Servers & an Effective DNS Offensive Counter-Measure
Denial of Service (DoS) attacks used to be the main tool in the hacktivist's toolbox. For the most part they are not very high-tech, and anyone can run the software to attack websites in aid of their preferred "cause". But as the recent hacktivism attacks in Israel (and now Pakistan) have shown, DNS server attacks are now all the rage.
DNS SERVERS TARGETED
Why deface one website when you can just hack the server that holds the IP address for the victim's site (or sites)! Changing the registered DNS records for a domain name, like Google.pk, lets you point that name at ANY server you want. So, if you can hack the DNS registrar that holds the records for an entire country, you can change any of the domains you like to point to any website you want.
Luckily, the pranksters behind these attacks have just been redirecting the hijacked websites to a bragging page: "This site hacked by …". They seem to be in it to bring attention to their group, or to a political cause, instead of doing serious damage.
Hacking into DNS registrar servers is the hard part; creating a website that looks like any one of the ones that was hacked is trivial. It only takes a few seconds to create a clone of a website that looks and acts like the real one, but could serve malware or perform other malicious functions. So far it seems that these hackers are more interested in just getting a message across.
Just in it for the “Lulz”.
But given the apparent ease with which this is happening, you can see the danger if the hacktivists were a more malicious group. Say, nation-state hackers who want to infect groups of systems in a target nation, or gather credentials from users who think they are on a legitimate website rather than a spoofed one reached via DNS manipulation.
As you can see, locking down these important DNS systems had better be a top priority for EVERY nation.
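The registrar-level hijacks described above show up as changed A records and, more tellingly, changed NS delegations. The following is an added example (not from the original post, and not anyone's production tooling) of a detection check a domain owner could run: it parses `dig +noall +answer` style output and diffs it against a known-good baseline. All names and addresses are constructed placeholders.

```python
"""Detect DNS hijacking by diffing live answers against a known-good baseline."""
from collections import defaultdict

# Known-good records per (name, rrtype). Values are constructed placeholders
# (RFC 5737 / RFC 2606 example ranges), not any real zone's data.
BASELINE = {
    ("www.example.pk.", "A"):  {"203.0.113.10", "203.0.113.11"},
    ("example.pk.", "NS"):     {"ns1.example-registrar.pk.", "ns2.example-registrar.pk."},
}

def parse_answer_lines(text):
    """Parse 'dig +noall +answer' style lines into {(name, type): set(rdata)}.
    Lines look like: 'www.example.pk. 300 IN A 203.0.113.10'."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blanks, comments and anything that is not an IN-class RR
        name, rrtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records[(name.lower(), rrtype.upper())].add(rdata.lower())
    return records

def check_dns_drift(baseline, observed):
    """Return one finding for every baseline RRset whose live answer differs.
    NS drift is flagged separately: a changed delegation is the signature of a
    registrar-level compromise rather than a single record being edited."""
    findings = []
    for (name, rrtype), expected in baseline.items():
        seen = observed.get((name, rrtype), set())
        if seen == expected:
            continue
        kind = "DELEGATION_CHANGED" if rrtype == "NS" else "RECORD_CHANGED"
        if not seen:
            kind = "RRSET_MISSING"
        findings.append({"name": name, "type": rrtype, "kind": kind,
                         "unexpected": sorted(seen - expected),
                         "missing": sorted(expected - seen)})
    return findings

# Constructed sample: the A record now points at an unknown host and the
# delegation has partly moved to a nameserver outside the baseline.
SAMPLE_ANSWERS = """\
www.example.pk. 60 IN A 198.51.100.77
example.pk. 3600 IN NS ns1.unexpected.example.
example.pk. 3600 IN NS ns2.example-registrar.pk.
"""

if __name__ == "__main__":
    for finding in check_dns_drift(BASELINE, parse_answer_lines(SAMPLE_ANSWERS)):
        print(finding)
```

Run it from cron against real `dig` output and page on any finding; a sudden drop in TTL alongside the change is worth noting too, since it keeps the rogue answer fresh in resolver caches.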
OFFENSIVE COUNTER-MEASURE
As mentioned earlier, Denial of Service attacks have not gone away and are still used en masse to tie up websites and make them unavailable. Many times a Denial of Service attack is nothing more than normal communication with a website, multiplied many times over from multiple users in order to tie up the server.
But can anything be done to stop this flood of traffic aimed at a site by thousands, if not tens of thousands, of attacking machines? Sure there is; according to the popular Patriot Hacker The Jester, just reflect the traffic back at the attackers!
During the latest Israel/Gaza conflict, the hacker group Anonymous jumped in on Hamas's side and attacked many Israeli websites. So, of course, The Jester responded by shutting down 3 Hamas sites and their TV channel. In response, according to The Jester's website, Anonymous targeted his website.
So The Jester simply redirected his domain's DNS entry to point at one of their servers, effectively forcing them to DoS their own server!
His website is protected by "CloudFlare", a popular proxy service that shields users from many attacks. When he saw the incoming attack, he simply told CloudFlare to point his website name "jesterscourt.mil.nf" at one that was supported by Anonymous:
“So I simply redirected my domain name to the Occupy ‘movement’s main website. Known as ‘occupytogether.org’. Remember #Anonhamas are big supporters of the Occupy Movement and many of their ‘members’ are also members of the Occupy Movement. Fair game.”
Denial of Service attacks can last for days or longer. Did the technique work?
Apparently, it did:
The Jester also talks about automating this process, so that when a DoS attack is detected, the flood of traffic is automatically forwarded to a list of Anonymous-supported sites.
It has been an interesting week: new DNS attacks and, apparently, new and effective offensive counter-measures. Will the average corporate website defend itself with The Jester's techniques?
Probably not, but I could foresee some country’s government sites just might.
Well, maybe off the record… 🙂