In the aftermath of last week’s temporary defacement of Etisalat’s commercial websites, regional cyber security experts have identified the operation as a DNS (domain name system) cache poisoning exploit.
The end product of DNS cache poisoning is the replacement of a lookup entry on a DNS server with a false address. Specialists contacted by ITP.net say this kind of attack is on the increase and DNS ranks only behind HTTP attacks in terms of popularity as an attack vector.
“DNS is projected to surpass HTTP to become the number one attack vector within the next 12 months,” warned Cherif Sleiman, general manager, Middle East at Infoblox. “In the past year alone, DNS attacks have increased by more than 200%. In the same way that today companies cannot build networks without firewalls and intrusion prevention systems, we have entered an era where organisations can no longer build networks without DNS security.”
Nicolai Solling, Director, Technology Services, Help AG believes this is the first DNS poisoning attack on a telecoms provider in the region.
“From a technical perspective it is relatively straight forward to understand what happened, but not necessarily how,” he said. “As the website is as prominent as etisalat.ae I would say that exactly due to the size and users on the site, it is a major attack.”
“For as long as the false entry is cached, incoming Web requests and emails will go to the attacker’s address,” Sleiman said. “There are many ways to accomplish this. New cache poisoning attacks… use brute force, flooding DNS responses and queries at the same time hoping to get a match on one of the responses and poison the cache.”
Bothe Sleiman and Solling cited a number of possible motives for the attack, including financial gain and reputation enhancement among other hackers. Gains can include the hijacking of computers for botnets and other nefarious purposes. This is why popular, high-profile sites are chosen by attackers.
“It is important to understand that while it is Etisalat.ae that is effected the issue could be outside the Etisalat infrastructure, however as we have only heard about etisalat.ae, it is most likely the DNS servers of Etisalat that were effected,” Solling said.