[Cryptography] DNSChanger in ad malware attacks home routers

Christian Huitema huitema at huitema.net
Sun Dec 18 22:13:50 EST 2016


On Sunday, December 18, 2016 2:52 PM, Jerry Leichter wrote:
>
>> My (hbaker's) comments:
>> 
>> While this attack somehow modifies the home router to change the way it handles DNS, it isn't clear whether the problem can be solved through a better DNS system.
>

Actually, something like "DNS over TLS" (RFC 7858) would go a long way. If the devices access a trusted DNS server through a secure connection, they would be reasonably protected against misbehaving routers. But then, RFC 7858 is quite new and not widely implemented yet. If you are interested, you can check the DNS Privacy Project at https://dnsprivacy.org/.

And, of course, if browsing with HTTPS instead of HTTP, DNS attacks downgrade to denial of service, which is annoying but much less rewarding for the attacker.


> That article is way below Ars's usual standards - approaching clickbait.  The stuff about steganography - while true as far as it goes - is a way of making the whole thing look more scary:  There can be an attack *hidden invisibly inside a picture!*  Well, no ... there can be some data used by an attack that's carried along inside a picture thus making the job of scanners harder - but scanners are pretty much a lost cause today anyway.
>
> And, oh my goodness, it will use a STUN attack!  Kind of like a stun gun.  Very scary.  Well, no, STUN is simply a Secure TUNnel protocol.

Uh, no. STUN was originally defined as "Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)" (RFC 3489), then revised as "Session Traversal Utilities for NAT (STUN)" (RFC 5389). Ars mentions "so-called STUN server requests used in VoIP communications", which is reasonable. I assume that the malware uses STUN to establish some kind of peer-to-peer communication through NAT with other infected hosts.

> What exactly they do to infected routers gets a bit vague.  Home routers could get involved in DNS in one of three ways:
>
> 1.  Providing a DNS server address as part of DHCP.
> 2.  Providing a local DNS cache.
> 3.  Re-routing specific known DNS resolver addresses someplace else.
>
> Method 1 is pretty much universal, and the vast majority of home devices are configured to get their DNS server information this way.  Most ISP's configure routers to direct DNS queries to *their* routers.  Obviously, if you take over a router you can send DNS queries where you like.

Maybe devices should stop trusting routers for anything else than sending packets. We just might have to treat all networks as hostile. That's pretty much the norm for Wi-Fi hot spots, but it should probably be the norm too for home networks.

-- Christian Huitema