[dns-operations] difference between dns spoofing and dns hijacking?
Grant Taylor
gtaylor at tnetconsulting.net
Wed Aug 1 18:19:37 UTC 2018
On 07/24/2018 05:39 PM, Barry Raveendran Greene wrote:
> Getting back to Stephane’s observation .... it would be extremely
> helpful to the industry to add definitions around these vectors. That way
> we strive to get people on the same page without confusing a “hijack”
> from a “poison.”
I think it would also be helpful to put some guidelines around when a
term is used (to describe an attack), in addition to what the term is.
Example scenario:
Someone uses BGP to "hijack" (read: unauthorized control of) a /24
prefix, say 9.9.9.0/24, so that they can "spoof" (pretend to be) the
9.9.9.9 DNS server, to "poison" DNS caches with bad (malicious) information.
Is this a "hijack" or a "spoof" or a "poison" attack?
I feel like this is more a "hijack" than it is a "spoof" or "poison"
attack. Sure, spoofing and poisoning happen, but they are an
intentional side effect of the enabling action of deliberately
advertising the 9.9.9.0/24 prefix via BGP.
So, which term should be used to describe this attack?
I'd argue that it was a "blended" attack that used all three techniques;
"BGP hijack", "DNS (server) spoofing", and "DNS (cache) poisoning".
--
Grant. . . .
unix || die