Proxy servers and VPNs are in the crosshairs of invisible digital forces.
Experts from Assetnote have recently identified a large-scale problem of DNS response spoofing in the Chinese Internet infrastructure. While analyzing the DNS resolvers of a customer with a large presence in China, they found unusual behavior: many subdomains resolved to seemingly random IP addresses.
Initially, the anomaly was attributed to malfunctioning DNS servers. It was suspected that the spoofed answers were caused by unstable DNS resolvers or by quirks of load-balancing algorithms. However, it later turned out that the problem occurs exclusively on resolvers located in China.
While initially the spoofing was only observed on ".cn" domains, it soon became clear that it affected other zones as well, as long as their names were resolved through Chinese DNS servers. Researchers have found that queries to some key subdomains provoke unexpected DNS responses. For example, DNS queries to AlibabaDNS servers often returned unstable IP addresses, and the responses themselves changed depending on the keywords in the subdomains. Even when resolving non-existent domains, it was possible to get unexpected DNS answers.
Over time, it has been determined that the problem is not limited to a single DNS provider. Spoofing DNS queries was also found on the servers of other providers, for example, Cloudflare China. This indicates that the problem is systemic and related to the DNS within the Great Firewall of China.
The researchers then discovered several ways to exploit this "feature" for malicious purposes. The first way concerns the Fastly CDN provider. If spoofed IP addresses related to the Fastly infrastructure are detected, attackers can intercept traffic by creating CDN profiles using fake subdomains. This allows all traffic to be routed to the attacker's servers.
The second method is related to a vulnerability in cPanel that allows XSS attacks against spoofed subdomains. This approach also allows DNS spoofing to potentially be exploited to attack end users.
The ability to intercept traffic and perform XSS attacks via DNS spoofing has serious consequences. In particular, it can give attackers access to HTTPOnly cookies and other sensitive data. However, whether an attack through Fastly is feasible depends on whether the domain has already been added to the Fastly infrastructure. The cPanel-based XSS attack, by contrast, applies more generally, although it does not provide access to HTTPOnly cookies.
The researchers suggest that the detected behavior is related to censorship attempts by the Chinese government. DNS spoofing can be part of the "Great Firewall of China", which monitors and blocks requests to certain resources related to proxy servers, VPNs, torrents, and other prohibited content.
To minimize risks, experts recommend that organizations move DNS servers outside of China. However, this can affect the performance and speed of websites for Chinese users. In addition, companies should ensure basic web security, such as setting "Secure" and "HTTPOnly" flags for cookies, to prevent possible attacks on users.
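The symptoms described above (answers that differ between resolvers, answers for names that should not exist, and spoofed addresses that fall inside a CDN's ranges) can be checked from recorded resolution data. The following detection routine is an added example and not code from Assetnote or the original article; the resolver names, hostnames, IP addresses and the CDN range are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: A-record answers observed for the same names from a
# trusted resolver outside China and from two resolvers inside China.
# An empty set means the resolver returned NXDOMAIN.
OBSERVED = {
    "www.example.com": {
        "trusted":  {"203.0.113.10"},
        "cn-res-1": {"203.0.113.10"},
        "cn-res-2": {"203.0.113.10"},
    },
    "vpn.example.com": {                 # keyword-bearing name, as in the report
        "trusted":  {"203.0.113.20"},
        "cn-res-1": {"198.51.100.7"},
        "cn-res-2": {"192.0.2.44"},
    },
    "does-not-exist-7f3a.example.com": {
        "trusted":  set(),               # NXDOMAIN from the baseline resolver
        "cn-res-1": {"192.0.2.99"},      # an answer for a name that should not resolve
        "cn-res-2": set(),
    },
}

# Hypothetical CDN address range; a real check would load the CDN's published list.
CDN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
TRUSTED = "trusted"

def in_cdn_range(ip):
    """True if the address falls inside one of the CDN ranges we care about."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def find_spoofed(observed, trusted=TRUSTED):
    """Return {name: [findings]} for names whose answers from untrusted resolvers
    differ from the trusted baseline; CDN-range hits are reported separately
    because those are the answers an attacker could claim via a CDN profile."""
    findings = defaultdict(list)
    for name, by_resolver in observed.items():
        baseline = by_resolver.get(trusted, set())
        for resolver, answers in by_resolver.items():
            if resolver == trusted:
                continue
            unexpected = answers - baseline
            if not baseline and answers:
                findings[name].append(f"{resolver}: answer for NXDOMAIN name {sorted(answers)}")
            elif unexpected:
                findings[name].append(f"{resolver}: unexpected answer {sorted(unexpected)}")
            for ip in unexpected:
                if in_cdn_range(ip):
                    findings[name].append(f"{resolver}: {ip} lies in a CDN range (claimable)")
    return dict(findings)
```

Running `find_spoofed(OBSERVED)` flags the two anomalous names and leaves the consistently resolved one alone; in practice the input would be collected by querying each name from resolvers inside and outside the region.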
Source