Domain Name System (DNS) Attacks + Credential Replay Attacks + Malicious Code

Domain hijacking

changes the registration of a domain, either through technical means like a vulnerability with a domain registrar, or control of a system belonging to an authorized user, or through nontechnical means like social engineering. The end result of ___ is that the domain’s settings and configuration can be changed by an attacker, allowing them to intercept traffic, send and receive email, or otherwise take action while appearing to be the legitimate domain holder

DNS poisoning

can be accomplished in multiple ways. One form is another form of the on-path attack where an attacker provides a DNS response while pretending to be an authoritative DNS server. Vulnerabilities in DNS protocols or implementations can also permit___ but they are rarer. ____ can also involve poisoning the DNS cache on systems. Once a malicious DNS entry is in a system’s cache, it will continue to use that information until the cache is purged or updated

URL redirection

When domain hijacking isn’t possible and DNS cannot be poisoned, another option for attackers is ____. ____ can take many forms, depending on the vulnerability that attackers leverage, but one of the most common is to insert alternate IP addresses into a system’s hosts file

Credential replay attacks

are a form of network attack that requires the attacker to be able to capture valid network data and to re-send it or delay it so that the attacker’s own use of the data is successful

Common indicators of replay attacks

are on-path attack indicators like modified gateways or routes

Common indicators of malicious code

include signatures that IDS and IPS systems can identify as well as scanning and probing on ports and protocols associated with worms