[dns-operations] difference between dns spoofing and dns hijacking?

Grant Taylor gtaylor at tnetconsulting.net
Wed Aug 1 18:19:37 UTC 2018

On 07/24/2018 05:39 PM, Barry Raveendran Greene wrote:
> Getting back to Stephane's observation .... it would be extremely 
> helpful to the industry to add definitions around these vectors. That way 
> we strive to get people on the same page without confusing a "hijack" 
> from a "poison."

I think it would also be helpful to put some guidelines around when a 
term is used (to describe an attack), in addition to what the term is.

Example scenario:

Someone uses BGP to "hijack" (read: unauthorized control of) a /24 
prefix, say, so that they can "spoof" (pretend to be) the DNS server, 
to "poison" DNS caches with bad (malicious) information.

Is this a "hijack" or a "spoof" or a "poison" attack?

I feel like this is more a "hijack" than it is a "spoof" or "poison" 
attack.  Sure, spoofing and poisoning happen, but they are an 
intentional side effect of the enabling action of deliberately 
advertising the prefix via BGP.

So, which term should be used to describe this attack?

I'd argue that it was a "blended" attack that used all three techniques: 
"BGP hijack", "DNS (server) spoofing", and "DNS (cache) poisoning".

Grant. . . .
unix || die
