Today we'll be looking at DNS hijacking, and some of the other risks associated with incorrect router administration. The principles behind DNS hijacking are rather simple: an attacker breaks into a router and changes the router's DNS settings to point to the IP address of their own rogue DNS server.

Once this has been achieved, the attacker's DNS server can serve the attacker's own phishing websites, or malicious code, to an unwitting victim's PC under the guise of a respected website's URL. Attackers leverage simple vulnerabilities such as flaws in router firmware that allow authentication to be bypassed, or unchanged default login credentials; attackers have even automated the process, creating viruses that infect only your router.

To understand how these attacks work, one must first understand the basics of the Domain Name System and why it exists. When the Internet was first ushered into its bright existence, it consisted of a small number of computers, belonging mainly to universities and government departments, hooked together with modems and telephone lines. You could only make connections by providing the IP address of the computer you wanted to establish a link with. An example of a typical IP address might be 192.168.31.125. The first solution to this problem was a simple text file named 'HOSTS.TXT', which was manually maintained and made available via file sharing by Stanford Research Institute for the ARPANET membership; this file contained the host name and address of hosts as contributed for inclusion by member organizations. The hosts file was fine when there were only a few hosts out there, but it soon became too large to maintain as more and more systems came online.[1]

The Domain Name System, first described in 1983 and implemented in 1984, automated the publication process and provided instantaneous and dynamic host name resolution for the rapidly expanding network. In modern operating systems, the hosts file remains an alternative name resolution mechanism, as a fall-back in case of DNS failure.[2] When you type a URL into your web browser, say for instance this website, www.cyphonica.co.nz, your web browser sends a request for the page to your router, which in turn sends a request to the DNS server configured in the router's DNS settings. The DNS server then responds with the IP address that corresponds to the URL your web browser is requesting on your behalf, allowing your computer to send a request to the IP address allocated to the server that hosts the website, and finally the web page you requested appears before you. This process is called DNS Resolution.[3]

Now that we understand the process of DNS Resolution, the gravity of the situation becomes apparent: if an attacker can gain access to your router's administration panel, they can essentially see everything your web browser sends to the internet in plain text. In a DNS hijacking, the attacker sets the DNS setting to point to their own rogue DNS server, which gives them full control over the content served up when you enter a URL into your web browser. When I was doing the research for this article I decided to run a quick scan over some IP ranges that I know to be local New Zealand IP addresses, and I quickly discovered that around three out of ten IP addresses had their Administration Panel internet facing. This is a big no-no for a start: it allows anyone on the internet to see the administrative login page for your router by navigating to your home IP address in their web browser, and to change your router's settings, unless you have up-to-date router firmware and a good password set.
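To make the resolution step above concrete, and to show what a defender can check for, here is an added example (not code from the original article): a minimal builder and parser for DNS A-record messages, plus a check that compares the answer a resolver returns for www.cyphonica.co.nz against a known-good address. The response bytes are constructed inside the script rather than captured from a real resolver, and the "known-good" and "rogue" addresses are placeholders from the documentation ranges, not the site's real address.

```python
"""Minimal DNS query/response handling and a rogue-answer check.

Added example; not from the original article. The known-good address
(203.0.113.10) and the rogue address (198.51.100.66) are placeholders,
and the responses below are constructed, not captured traffic.
"""
from __future__ import annotations
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query for an A record (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end

def parse_a_records(msg: bytes) -> dict:
    """Return the transaction id, the question name and all IPv4 answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset, question = 12, None
    for _ in range(qdcount):
        question, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "question": question, "answers": answers}

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Construct a reply to `query` that maps the queried name to `ip` (sample data only)."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]  # copy the question section verbatim
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def check_for_hijack(response: bytes, expected_ips: set[str]) -> list[str]:
    """Return the answers that are NOT in the known-good set; empty list means clean."""
    return [ip for ip in parse_a_records(response)["answers"] if ip not in expected_ips]

# Constructed sample data: an honest answer and a rogue answer to the same query.
KNOWN_GOOD = {"203.0.113.10"}           # placeholder, not the site's real address
QUERY = build_query("www.cyphonica.co.nz")
HONEST_RESPONSE = build_response(QUERY, "203.0.113.10")
ROGUE_RESPONSE = build_response(QUERY, "198.51.100.66")  # what a rogue resolver might return

if __name__ == "__main__":
    print("honest:", check_for_hijack(HONEST_RESPONSE, KNOWN_GOOD))  # []
    print("rogue: ", check_for_hijack(ROGUE_RESPONSE, KNOWN_GOOD))   # ['198.51.100.66']
```

In practice the known-good set would come from a trusted resolver queried directly, or from records you control, and the comparison would be run against whatever resolver your router hands out via DHCP; a non-empty list from `check_for_hijack` is the signal that the answers you are being given do not match what the domain's owner publishes.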

This is about when I discovered something truly horrific. I tried the default administrative login credentials on about ten of the live hosts I had found in my scan, and to my astonishment three of them allowed me into their administrative area. I quickly made a note of the IPs, logged out, and notified their ISP of their customers' folly. To make matters worse, there are a great many known vulnerabilities in standard router firmware an attacker can leverage to gain access; these include the likes of authentication bypass vulnerabilities, allowing the attacker to log in quite literally without any direct knowledge of the administration password. Router attacks are becoming more prevalent; attackers take advantage of the fact that most users set up their router and leave it for months, or even years, without having to log back in unless they change their Internet Service Provider, so patches and updates are often overlooked by users who are focused on keeping their PC itself safe from malware and viruses. Attackers have now taken router attacks to the next level by creating viruses that only attack routers. 'TheMoon' is an example of a self-replicating worm that attacks certain Linksys routers that haven't had their firmware updated. 'TheMoon' scans random IP ranges for routers that are vulnerable and attacks them using authentication bypass vulnerabilities to gain administrative access; it then infects the router by uploading a copy of itself. Once it has infected its target, 'TheMoon' collects data by intercepting it as it passes through your router on its way to its destination.[4] It doesn't go as far as to infect your PC, so whether you are using Windows, Linux, or Mac, your data will still be intercepted and your anti-virus software won't pick it up.

So what can users do to fight back against these types of attacks? There are a number of countermeasures that should be in place on all routers to defend against them. First and foremost, you should change the default administrator user name and password, using a password of at least twelve to fifteen characters that includes both upper and lower case letters, numbers, punctuation, and other keys such as "!@#$%^".

Next, make sure your router's administration panel is not internet facing. You can check this by going to www.google.com and typing "what's my IP address" into the search bar. At the top of the search results there should be an area that says "Your public IP is:"; it should look similar to the IP address shown at the beginning of this article. If this result does not appear for some reason, there should be a number of websites in the search results that will also tell you what your publicly accessible IP address is. Once you've found your IP address, highlight it and copy it (Ctrl + C), open up a new browser window or tab, paste the IP address (Ctrl + V) into the navigation bar and press Enter. If you're greeted with your router's administration login page, your router is set to be internet facing; you should log in straight away and change the setting to only allow local access. If your router is set up correctly, you should receive an error such as "Host Unreachable", which means your router is correctly configured.

Finally, you should ensure that your router's firmware is up to date. The process for upgrading your router's firmware is unique to each brand of router, so you should check your manufacturer's website for instructions on checking whether your router's firmware is up to date. You should check this regularly (at least once every couple of months) to ensure that your router's firmware stays up to date; for the sake of a few extra minutes every couple of months you could save yourself a great deal of hassle.
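The first two countermeasures above (a strong administrator password and an administration panel that does not answer on your public address) can be checked from a script. The following is an added example, not code from the original article: `password_meets_policy` applies the article's own rule, and `admin_panel_exposed` does what the browser test does, attempting a TCP connection to your own public IP on the usual web-administration ports. The port list and the sample passwords are assumptions for the example, and the reachability check is meant to be pointed only at the address Google reported as yours.

```python
"""Router hygiene checks for the two countermeasures the article describes.

Added example; not from the original article. The port list is an
assumption (common web-administration ports), and the passwords used
for demonstration are constructed samples.
"""
import socket
import string

def password_meets_policy(password: str, min_length: int = 12) -> list[str]:
    """Return the ways `password` falls short of the article's rule; [] means it passes.

    Rule: at least twelve characters with upper and lower case letters,
    digits and punctuation (the article's "!@#$%^" keys fall under punctuation).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems

def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout` seconds.

    A refused or timed-out connection (the article's "Host Unreachable" case)
    returns False, which is the result you want for your own public address.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def admin_panel_exposed(public_ip: str, ports=(80, 443, 8080, 8443)) -> list[int]:
    """Return the ports on which something answers at your public IP (assumed port list)."""
    return [port for port in ports if port_reachable(public_ip, port)]

if __name__ == "__main__":
    # Constructed sample passwords: one that follows the article's rule, one that does not.
    for sample in ("Tr0ub4dor&3xample!", "admin"):
        verdict = password_meets_policy(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
    # Replace the placeholder with the public IP the article tells you to look up.
    open_ports = admin_panel_exposed("192.0.2.1")  # placeholder address (TEST-NET-1)
    print("admin panel answers on:", open_ports or "nothing (good)")
```

An empty result from `admin_panel_exposed` is the scripted equivalent of the "Host Unreachable" page the article describes; a non-empty list means the remote-management setting needs to be turned off before anything else. Note that the check must be run from outside your own network (a phone on mobile data, for instance), because from inside the router will usually answer on its LAN address regardless of the WAN setting.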

References:
[1] - http://computer.howstuffworks.com/internet/basics/internet-infrastructur...
[2] - https://en.wikipedia.org/wiki/Hosts_
[3] - http://nlp.stanford.edu/IR-book/html/htmledition/dns-resolution-1.htm
[4] - http://www.pcsympathy.com/2014/02/17/exploit-released-vulnerability-targ...