MaginotDNS attacks exploit weak checks for DNS cache poisoning (Security News, August 2023)
A team of researchers from UC Irvine and Tsinghua University has developed a powerful new cache poisoning attack named 'MaginotDNS' that targets Conditional DNS (CDNS) resolvers and can compromise entire top-level domains (TLDs).
The concept of DNS cache poisoning is injecting forged answers into the DNS resolver cache, causing the server to direct users who enter a domain to incorrect IP addresses, potentially leading them to malicious websites without their knowledge.
These attacks have been mitigated by adding defenses to resolver implementations, rendering off-path attacks challenging.
Because a CDNS server's forwarder mode and recursive mode share the same global DNS cache, an attack on the forwarder mode can open the path to breaching the recursive mode, essentially breaking the DNS cache protection boundary.
For these attacks, the threat actor needs to predict the source port and the transaction ID used by the target's recursive DNS servers when generating a request and then use a malicious DNS server to send forged responses with the correct parameters.
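The boundary described above is easiest to see in a toy model. The added example below is not the researchers' code or any real resolver's implementation; it models a conditional resolver with one cache shared by its forwarder and recursive modes, applies the two guards a resolver uses against injected answers (the transaction ID, source port and question must match a pending query; cached records must be in bailiwick, i.e. at or below the zone the responding server is responsible for), and shows that relaxing the bailiwick check in forwarder mode alone is enough to let an out-of-zone record reach the cache that recursive mode later serves from. The zone names, IP addresses and the `ConditionalResolver` API are constructed for the illustration; the fix it demonstrates is enforcing the same bailiwick check in both modes.

```python
"""Toy model of a conditional DNS resolver's shared cache and its guards.
Constructed example: not the MaginotDNS paper's code nor any real resolver."""
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    txid: int        # transaction ID copied from the query
    dst_port: int    # UDP port the response is addressed to (the query's source port)
    qname: str       # question name the response claims to answer
    records: dict    # name -> IPv4 string; answer and additional sections flattened


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (case-insensitive, trailing dot ignored)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


class ConditionalResolver:
    """Hypothetical CDNS: names under forward_zones go to a configured upstream
    (forwarder mode); everything else is resolved recursively. Both modes
    read and write ONE cache, which is the boundary the attack crosses."""

    def __init__(self, forward_zones, bailiwick_check_in_forwarder: bool):
        self.forward_zones = list(forward_zones)
        self.check_fwd = bailiwick_check_in_forwarder  # the weak vs. fixed setting
        self.cache = {}      # name -> IPv4, shared by both modes
        self.pending = {}    # (txid, src_port) -> qname of an outstanding query

    def mode_for(self, qname: str) -> str:
        return "forwarder" if any(in_bailiwick(qname, z) for z in self.forward_zones) else "recursive"

    def issue_query(self, qname: str):
        """Randomize txid and source port; an off-path sender must guess both."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, port)] = qname
        return txid, port

    def accept_response(self, resp: Response, bailiwick: str) -> dict:
        """Guard 1: the response must match an outstanding query exactly.
        Guard 2: only records inside the responder's bailiwick may be cached."""
        key = (resp.txid, resp.dst_port)
        if self.pending.get(key) != resp.qname:
            return {"mode": None, "accepted": [], "dropped": list(resp.records),
                    "reason": "no matching query"}
        del self.pending[key]
        mode = self.mode_for(resp.qname)
        enforce = (mode == "recursive") or self.check_fwd  # weak CDNS skips this in forwarder mode
        accepted, dropped = [], []
        for name, ip in resp.records.items():
            if enforce and not in_bailiwick(name, bailiwick):
                dropped.append(name)
                continue
            self.cache[name] = ip
            accepted.append(name)
        return {"mode": mode, "accepted": accepted, "dropped": dropped, "reason": "ok"}

    def lookup(self, qname: str):
        return self.cache.get(qname)


def demo(bailiwick_check_in_forwarder: bool):
    """Forward corp.example to an upstream; that upstream's (constructed) response
    smuggles a record for bank.example, which is outside corp.example. Return what a
    later recursive-mode query for bank.example finds in the shared cache."""
    r = ConditionalResolver(["corp.example"], bailiwick_check_in_forwarder)
    txid, port = r.issue_query("intranet.corp.example")
    resp = Response(txid, port, "intranet.corp.example",
                    {"intranet.corp.example": "10.0.0.5",      # legitimate, in bailiwick
                     "bank.example": "203.0.113.9"})          # out of bailiwick
    r.accept_response(resp, bailiwick="corp.example")
    return r.lookup("bank.example")   # None when the check is enforced in both modes


if __name__ == "__main__":
    print("weak forwarder check :", demo(bailiwick_check_in_forwarder=False))
    print("consistent check     :", demo(bailiwick_check_in_forwarder=True))
```

Run as a script, the first line shows the out-of-zone record served from cache and the second shows a cache miss; the only difference is whether forwarder mode applies the same bailiwick check as recursive mode, which is the consistency the fix requires.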
The researchers shared a video demonstrating the MaginotDNS attack on Microsoft DNS.
Scanning for vulnerable CDNS
The researchers scanned the internet and found 1,200,000 DNS resolvers, of which 154,955 are CDNS servers.