The DNS Hijacking Scenario
In 2000, RSA Security, an Internet security firm, appeared to have had its web site defaced. RSA Security is a major player in the security industry, so it was surprising to hear that their network was vulnerable to something like a web defacement attack.
Was it true? As it turned out, the answer was both yes and no.
Defacing a web site normally means exploiting one or more security flaws to break into an organization's network, gain write access to the web server's files, and alter the HTML of selected pages. That is not what happened in this case. RSA's own systems were not compromised; security is, after all, their business. So how did their web page end up defaced?
To start, it wasn't the files on their system that were defaced; their DNS was hijacked. DNS hijacking, or spoofing, happens when a name server accepts and uses incorrect information from a host that has no authority to give that information. A successful spoof "poisons" the cache: the name server stores the counterfeit records and, until they expire, hands them out to every client that asks. For the clients of a vulnerable server the consequences are serious; most obviously, users are silently directed to the wrong Internet sites while the hostname they typed looks perfectly correct.
That's what happened to RSA Security. The hijacker never touched RSA's web server. Instead, the attacker put up a look-alike page on another server and altered the DNS records so that RSA's hostnames resolved to that server's address rather than to RSA's own. Visitors typed the correct address, were delivered to the forged page, and naturally assumed that an intruder had cracked the real RSA Security web site. In reality, the site itself was never cracked at all.
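The following is an added illustration of the poisoning mechanism described above; it is constructed example code, not part of the original text, and it models no real resolver's implementation. It contrasts a toy caching resolver that trusts any record carried in a reply with a known transaction ID against one that applies the checks modern resolvers use against this attack: a randomised source port, a match of the reply's source address and port against the query that was sent, and a bailiwick check that discards records for names the answering server has no authority over. Every hostname and address in it is made up.

```python
"""Constructed illustration of DNS cache poisoning: two toy caching resolvers
handle the same replies. NaiveResolver trusts any record in a reply whose
transaction ID it recognises; HardenedResolver also checks source port, source
address and bailiwick. Not code from any real resolver; all names are made up."""
import random
from dataclasses import dataclass, field

@dataclass
class Record:
    name: str
    rtype: str
    data: str

@dataclass
class Response:
    txid: int          # transaction ID echoed from the query
    src_ip: str        # address the datagram claims to come from
    dst_port: int      # UDP port the datagram arrived on
    qname: str         # question section echoed from the query
    answers: list
    additional: list = field(default_factory=list)

def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

class NaiveResolver:
    """Caches every record in any reply with a known transaction ID."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.cache = {}     # (name, type) -> data
        self.pending = {}   # txid -> (qname, zone, server_ip, source port)

    def _source_port(self):
        return 53                        # fixed, hence predictable

    def _plausible(self, resp, qname, server_ip, port):
        return True                      # no source or port check at all

    def _wanted(self, rr, zone):
        return True                      # accepts data for any zone

    def send_query(self, qname, zone, server_ip):
        txid = self.rng.randrange(1 << 16)
        port = self._source_port()
        self.pending[txid] = (qname, zone, server_ip, port)
        return txid, port

    def receive(self, resp):
        entry = self.pending.get(resp.txid)
        if entry is None:
            return False                 # nothing outstanding with this ID
        qname, zone, server_ip, port = entry
        if not self._plausible(resp, qname, server_ip, port):
            return False                 # dropped; keep waiting for the real one
        for rr in resp.answers + resp.additional:
            if self._wanted(rr, zone):
                self.cache[(rr.name.lower(), rr.rtype)] = rr.data
        del self.pending[resp.txid]
        return True

class HardenedResolver(NaiveResolver):
    """Random source port, source/port/question match, bailiwick filtering."""

    def _source_port(self):
        return self.rng.randrange(1024, 1 << 16)

    def _plausible(self, resp, qname, server_ip, port):
        return (resp.dst_port == port and resp.src_ip == server_ip
                and resp.qname.lower() == qname.lower())

    def _wanted(self, rr, zone):
        return in_bailiwick(rr.name, zone)   # only data the server may speak for

def smuggled_record_scenario(resolver_cls, seed=1):
    """Attacker's own server answers a lookup of its own name truthfully but
    smuggles an A record for an unrelated victim into the additional section."""
    r = resolver_cls(random.Random(seed))
    txid, port = r.send_query("lure.attacker.example", "attacker.example", "198.51.100.9")
    reply = Response(txid, "198.51.100.9", port, "lure.attacker.example",
                     [Record("lure.attacker.example", "A", "198.51.100.9")],
                     [Record("www.victim.example", "A", "198.51.100.66")])  # the poison
    r.receive(reply)
    return r.cache.get(("www.victim.example", "A"))

def forged_reply_scenario(resolver_cls, seed=1):
    """Attacker who guessed the transaction ID races the genuine server."""
    r = resolver_cls(random.Random(seed))
    txid, port = r.send_query("www.victim.example", "victim.example", "203.0.113.53")
    forged = Response(txid, "198.51.100.9", 53, "www.victim.example",
                      [Record("www.victim.example", "A", "198.51.100.66")])
    genuine = Response(txid, "203.0.113.53", port, "www.victim.example",
                       [Record("www.victim.example", "A", "203.0.113.80")])
    r.receive(forged)    # arrives first
    r.receive(genuine)   # too late for the naive resolver: its slot is already gone
    return r.cache.get(("www.victim.example", "A"))
```

Running both scenarios against each class, the naive resolver ends up serving the attacker's address for www.victim.example in both cases, while the hardened resolver keeps only the genuine record. The bailiwick check alone defeats the smuggled additional record, which is exactly the "information from a host that has no authority" failure described above; the port and source checks turn the forged-reply race into a guess of both the 16-bit transaction ID and the source port rather than the ID alone. Note that the naive resolver also loses the genuine answer, because accepting the forgery closes the outstanding query, so the poisoned entry is all it has until the record expires.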