Chitchat from a Finnish Software Engineer

Protecting Routing and DNS Services

Last Saturday I left for Åland with my friends Linus and Istvan. During the cool trip we drove 550 km and experienced local traditions and a Christmas buffet with all kinds of delicious food.

On that same Saturday, the HS newspaper published an article about Finnish internet connections being closed because of spyware activity on private computers. Thanks to the new, controversial law, our Internet Service Providers (ISPs) can close a home connection if the customer's computer is sending spam or taking part in a zombie network (a botnet). Last week almost 2,000 connections were closed because the computers behind them carried spyware that could have been used to get at their owners' online bank account details.

The news article on hs.fi showed neither the full picture of the problem nor any real ways of defending the customer's PC, so I decided to give some ideas about how such an attack could be carried out, and how it can be prevented.

Deployment

Figure 1. Deployment of basic banking application.

In figure 1 you can see that there are altogether three places where a name gets resolved: a resolver on the user's PC (the local hosts file and the Windows DNS client), a DNS forwarder in the ADSL modem, and the DNS servers on the ISP side. A DNS server works like a phonebook: it maps a domain name such as nordea.fi to an IP address such as 92.43.121.130. Whenever you access a website this lookup is made for you under the hood, and the PC trusts whatever answer it gets. It is hard to tamper with the DNS servers of the ADSL modem or the ISP, but it is easy to write a program that changes these settings on a regular home PC: editing the hosts file, the DNS server list or the routing table needs nothing more than administrator rights on the machine, which the everyday account on many home PCs has. A virus can tell the home PC that whenever the user tries to visit nordea.fi it should use a fixed IP address, 192.168.1.1 in the figure, instead of the real Nordea server; in practice the attacker can point the name at any machine he controls. On that fake bank machine there is an exact copy of the real bank's user interface, and the customer believes he is safely using the service. A normal web page request sequence is presented in figure 2.


Figure 2. The scenario of normal web page request.

There are two main methods for this kind of spoofing: to force the home PC to visit a fake online bank instead of the real one, either the routing information or the DNS information can be modified. With a poisoned DNS answer or a hosts-file entry, the name nordea.fi resolves straight to the attacker's address; with a planted route, the name still resolves correctly, but the packets for the bank's real IP address are handed to a gateway the attacker controls. The best defence is to protect the basic networking elements shown in the pictures above, the network routes and the DNS servers: no virus or user application should be able to modify these values after they have been received from the ISP. On Windows this means doing everyday work from a standard user account rather than an administrator account, because changing routes, DNS settings and the hosts file all require administrator rights.

To verify the current settings, the built-in tools ipconfig and route plus Notepad are enough. Do this in three steps, comparing what you see against the addresses your ISP has given you:

1) Verify that internet traffic flows through a valid gateway and that the ISP's servers are used for DNS and DHCP. The gateway and DNS addresses must be the ones your ISP documents; a DNS server you do not recognise, especially one on a different network than the ISP's, is the first warning sign. Open a console and run:

C:\>ipconfig /all
...
Default Gateway . . . . . . . . . : 81.220.54.1
DHCP Server . . . . . . . . . . . : 81.220.65.1
DNS Servers . . . . . . . . . . . : 193.89.123.231
                                    194.210.19.190
...

2) Verify that there are no static routes for the IP addresses of online banks or DNS servers. On a healthy home PC the Persistent Routes section says None, and no active route sends traffic to a gateway address you do not recognise; a route for a single address (netmask 255.255.255.255) pointing at a foreign gateway is exactly how a bank or DNS server address gets redirected. Open a console and run:

C:\>route print
=================================================
Interface List
...
=================================================

IPv4 Route Table
=================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
...
=================================================
Persistent Routes:
  None

IPv6 Route Table
=================================================

3) Verify that there are no invalid IP-address/domain-name mappings in the home PC's local hosts file, which Windows consults before it asks any DNS server. Select Start->Run and enter "notepad %windir%\system32\drivers\etc\hosts".

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
127.0.0.1       test.markusvirtanen.com

In the above example test.markusvirtanen.com is mapped to the IP address 127.0.0.1, which always refers to the local machine; that is how I test my site locally. The line could just as well say nordea.fi, and instead of the real Nordea site a copy of it served from my own hard drive would appear, with the real address still showing in the browser's address bar. Because the hosts file is read before any DNS query is sent, such an entry silently overrides whatever the ISP's DNS servers would have answered. The one thing a redirect like this cannot forge is the bank's TLS certificate for its real name, so a certificate warning on a banking site must never be clicked through.
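The three checks above can be run over saved command output rather than by eye. The script below is an added example and not code from the original post: it parses the text of ipconfig /all, route print and the hosts file, and reports an unexpected gateway or resolver, a persistent or foreign-gateway host route, and a hosts-file entry for a bank name. The expected ISP addresses, the protected domain list and the tampered sample outputs (using the 203.0.113.0/24 documentation range for attacker addresses) are all constructed assumptions; replace them with the values your own ISP documents.

```python
"""Audit saved `ipconfig /all`, `route print` and hosts-file text for the
redirection signs discussed above (added example, not the post's own code)."""
import re

# Hypothetical values for this connection; take the real ones from your ISP.
EXPECTED_GATEWAYS = {"81.220.54.1"}
EXPECTED_DNS = {"193.89.123.231", "194.210.19.190"}
# Names whose resolution must never be overridden on the PC (hypothetical list).
PROTECTED_DOMAINS = {"nordea.fi", "op.fi"}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LABELS = {"Default Gateway": "gateway", "DHCP Server": "dhcp", "DNS Servers": "dns"}


def parse_ipconfig(text):
    """Collect IPv4 gateway, DHCP and DNS addresses from `ipconfig /all` output.
    A second DNS server sits on an unlabelled continuation line, so the last
    label seen stays active until the next labelled or blank line."""
    found = {"gateway": [], "dhcp": [], "dns": []}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            current = None
            continue
        if ":" in s:  # "Default Gateway . . . : 81.220.54.1" -> label "Default Gateway"
            current = LABELS.get(s.split(":", 1)[0].replace(".", "").strip())
        if current:
            found[current].extend(IPV4.findall(s))
    return found


def parse_routes(text):
    """Return (active, persistent) lists of (destination, netmask, gateway)
    from the IPv4 tables of `route print`; the IPv6 table is ignored."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Active Routes"):
            section = active
        elif s.startswith("Persistent Routes"):
            section = persistent
        elif s.startswith("IPv6 Route Table"):
            section = None
        elif section is not None:
            parts = s.split()
            if len(parts) >= 3 and IPV4.fullmatch(parts[0]) and IPV4.fullmatch(parts[1]):
                section.append((parts[0], parts[1], parts[2]))
    return active, persistent


def parse_hosts(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries


def is_protected(name):
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit(ipconfig_text, route_text, hosts_text):
    """Run the three checks from the post; return a list of (severity, message)."""
    findings = []
    cfg = parse_ipconfig(ipconfig_text)
    # 1) Gateway and resolvers must be the ISP's own.
    for gw in cfg["gateway"]:
        if gw not in EXPECTED_GATEWAYS:
            findings.append(("alert", f"default gateway {gw} is not the ISP gateway"))
    for dns in cfg["dns"]:
        if dns not in EXPECTED_DNS:
            findings.append(("alert", f"DNS server {dns} is not an ISP resolver"))
    # 2) No planted routes: a persistent route, or a /32 host route sending
    #    traffic to a gateway other than the ISP's, redirects a bank or DNS
    #    server address while the name itself still resolves correctly.
    active, persistent = parse_routes(route_text)
    for dest, mask, gw in persistent:
        findings.append(("alert", f"persistent route {dest}/{mask} via {gw}"))
    for dest, mask, gw in active:
        if mask == "255.255.255.255" and IPV4.fullmatch(gw) and gw not in EXPECTED_GATEWAYS:
            findings.append(("alert", f"host route {dest} via foreign gateway {gw}"))
    # 3) The hosts file is consulted before any DNS query, so an entry for a
    #    bank name wins over whatever the ISP resolver would have answered.
    for ip, name in parse_hosts(hosts_text):
        if name != "localhost":
            findings.append(("alert" if is_protected(name) else "info",
                             f"hosts entry {name} -> {ip}"))
    return findings


# Constructed samples: CLEAN_* mirror the healthy output shown in the post,
# TAMPERED_* show the same PC after a redirecting infection.
CLEAN_IPCONFIG = """
   Default Gateway . . . . . . . . . : 81.220.54.1
   DHCP Server . . . . . . . . . . . : 81.220.65.1
   DNS Servers . . . . . . . . . . . : 193.89.123.231
                                       194.210.19.190
"""
CLEAN_ROUTES = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      81.220.54.1     81.220.54.23     20
     81.220.54.23  255.255.255.255          On-link      81.220.54.23    276
Persistent Routes:
  None

IPv6 Route Table
"""
CLEAN_HOSTS = "127.0.0.1  localhost\n::1  localhost\n127.0.0.1  test.markusvirtanen.com\n"
TAMPERED_IPCONFIG = CLEAN_IPCONFIG.replace("194.210.19.190", "203.0.113.53")
TAMPERED_ROUTES = CLEAN_ROUTES.replace(
    "  None", "    92.43.121.130  255.255.255.255      203.0.113.1       1")
TAMPERED_HOSTS = CLEAN_HOSTS + "203.0.113.80  nordea.fi www.nordea.fi\n"

if __name__ == "__main__":
    for severity, message in audit(TAMPERED_IPCONFIG, TAMPERED_ROUTES, TAMPERED_HOSTS):
        print(f"[{severity}] {message}")
```

On the clean samples the only output is an "info" line for test.markusvirtanen.com, which is the author's own deliberate entry; on the tampered samples the script reports the foreign resolver, the persistent route for the bank's address and the two nordea.fi hosts entries as alerts. Local routes whose gateway column reads On-link (or, on older Windows, the interface's own address) are deliberately not flagged, since every PC has them.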

In addition to these basic steps of protecting the routes and DNS servers, one must always remember to keep the computer up to date with Windows Update and antivirus applications. Some security applications keep track of these settings and raise an alarm if a virus tries to redirect the user to a fake site. Some spyware-killer applications that I personally like are SpywareBlaster and Advanced SystemCare, which are both free.

BR,

/markus