
Suspicious pool domain name resolution request event

Publish: 2021-03-25 04:09:18
1. From around 6:00 a.m. on January 12, 2010, the world's largest Chinese search engine network suddenly appeared large-scale inaccessibility, mainly reflected in jumping to a wrong page of Yahoo, pictures of Iran's online army, and the appearance of "tianwai symbol", covering Sichuan, Fujian, Jiangsu, Jilin, Zhejiang, Beijing, Guangdong and most other provinces and cities in China. The network failure lasted for five hours, which was also the biggest serious network outage since September 2006. It had a significant impact on the Internet industry at home and abroad. Later, the network announced that the domain name had been illegally tampered with in the US registry and was being handled.

Through the appearance of "being hacked" on the Internet, through the whole process tracking analysis by Bu Ziqin, search engine analyst of China e-commerce research center, the general process is as follows:
1. From about 6:00 a.m. on January 12, 2010, the DNS server of the network domain name was hijacked and replaced, and the main domain name has been resolved to a Dutch IP;
2. After the domain name is changed, when visiting the network, the page will automatically jump to a space of renting a Yahoo server; the IP website actually uses the leased space under the English Yahoo, so when visiting the website under the network, the error information page of the English Yahoo will appear;
3. Because the number of page requests is too large, leading to Yahoo server paralysis or traffic overrun, server paralysis;
4. After the server is paralyzed, the Internet users who visit the network will automatically jump to the prompt page of Yahoo;
5. Before the overrun, some netizens on the hackers' pages of the Iranian Cyber Army admitted that they had tampered with the home page of the Internet and left Arabic characters;
6. On the morning of January 12, 2010, most domestic city users and overseas users can only use the spare domain name that has not been hijacked.
This domain name is controlled by hackers in root domain resolution (this domain name is managed by the United States). Not only domestic Internet manufacturers need to enhance their awareness of prevention, but the entire international Internet community is also facing network security threats.
3) Domain name dispute: the essential reason for the tampering of network domain name lies in the loopholes in the domain name registration system, which is register.com of the United States. Lawyer Yu Guofu believes that the Internet should sue the international domain name authority in the United States. Before this, another Internet giant QQ has transferred its domain name from abroad to China. After the attack, whether the network will take immediate action has become the focus of the industry.

Top ten opinions of analysts: Bu Ziqin, search engine analyst of China e-commerce research center, who has long been concerned about search engine and network marketing, made the following comments on this major emergency:
1) Exposed the domestic Internet enterprise security risks. The "network blackout" incident itself exposed many problems of China's Internet enterprises, not only in advance security awareness and monitoring measures, but also in the emergency response mechanism after sudden failure, so Internet enterprises need to improve their own technological innovation and breakthrough, master core technology; improve technical supervision and prevention, set up early warning scheme, such as technical processing scheme, set up spare domain name, public relations relationship processing scheme, etc.
2) The security of Internet domain name server has not received due attention. The attack hackers used the way of DNS records tampering. The fundamental reason is that the DNS management server security of Internet domain name has not been given due attention.
And reminded that at present, the vast majority of domain names have similar security risks, making DNS have many security risks.
3) Search engine market competition mechanism needs to be further improved. Search engine is a core node of the Internet and an indispensable tool for Internet users. In a short time, as the "flagship" of China's search engine, the Internet was replaced by Google after being destroyed. Other domestic search engines, such as You, did not play the role of Google.
4) Internet industry network security needs to be further strengthened. The Internet battlefield is a must for all countries in the future, and the future "cyber war" is likely to start. The Internet industry has a direct impact on the country's social and economic fields, and even caused a large area of industry paralysis, which is no less than the national basic industry and strategic industry being pinned down, or even controlled.
5) Even though the security level of enterprise website is very high and the technology is excellent, there are still weak links, which need to be further adjusted, consolidated and strengthened.
6) All kinds of "chain reactions" triggered by the incident also reflect the important position of search engine as a "node" for users to use the global Internet. The Internet, undoubtedly, has penetrated into the life of Chinese netizens and is inseparable from the life of netizens. In other words, the Internet has penetrated into every aspect of everyone's work, study, business and leisure.
7) Because of the huge network user groups, market share and other factors, as well as media attention, he has a high degree of media attention. If the network operation is reasonable, the network is likely to become the "top ten network events in 2010".
If the network operation is successful, it can turn the tide, and it may also become a classic case of network marketing.
8) Faced with the complexity of the current international political and economic situation, some extremists show their influence by attacking some big websites with global influence, carry out political propaganda, and even demonstrate to dissidents and threaten them. Their influence effect may even be no less than that of creating an event similar to 9/11.
9) At present, there is no DNS root server in China (all 13 DNS root servers in the world are located in the United States). In fact, one mirror server is responsible for processing DNS requests in China. Mirror servers are distributed all over the world and are maintained by national exclusive agencies.
10) As we all know, the Internet technology and the rules of the game are made and controlled by Americans. We have no core technology. Similar to the "MSN service blocking incident of five countries by Microsoft" on May 30, 2009, this "network incident" once again reminds us that backwardness and passivity can only be beaten everywhere. China's Internet enterprises not only need to continuously improve technological innovation and supervision, but also firmly grasp the right of Internet discourse and rule-making, and strive for independent intellectual property rights. Only in this way can we strengthen information security, make our Internet industry truly autonomous and controllable, and achieve long-term, stable, sustainable and healthy development.

1. Domain name hijacking: it is to intercept domain name resolution requests within the hijacked network scope, analyze the requested domain name, and release the requests beyond the scope of review. Otherwise, it will directly return the fake IP address or do nothing to make the request lose response. Its effect is that it can not access the specific web address or it is a fake Web address.
2. DNS: short for domain name system, which is used to name computers and network services organized into a domain hierarchy. On the Internet, the domain name and IP address are one-to-one (or many to one). Although the domain name is easy for people to remember, the machines can only know each other's IP address. The conversion between them is called domain name resolution. Domain name resolution needs to be completed by a special domain name resolution server. DNS is the server for domain name resolution.
3. Root server: to manage the home directory of the Internet, there are only 13 in the world. One is the primary root server, which is located in the United States. The remaining 12 are secondary root servers, of which 9 are located in the United States, 2 in Europe, in the United Kingdom and Sweden, and 1 in Asia, in Japan. All root servers are managed by ICANN, an Internet domain name and number distribution organization authorized by the U.S. government, which is responsible for the management of global Internet domain name root server, domain name system and IP address. The US government has a big say in its management.
2.

Internet companies on the home page was "black" issued a statement, pointed out that the lawless elements did not attack the network server, but select the U.S. domain name registrars as the target of attack, this is a new phenomenon, should be vigilant. At the same time, some domestic netizens have launched a large-scale counterattack against foreign websites, invaded foreign websites and left relevant comments. The network said that it did not encourage this practice and hoped that everyone would keep calm.

It is reported that a hacker who called himself "Iranian Cyber Army" attacked the Internet (BIDU.O) website on Tuesday, and Twitter website was also attacked a few weeks ago.
The English words "the website has been captured by the Iranian Cyber Army" appear on the home page of the network, and the pattern of the Iranian national flag is also displayed on the black background.

There was no parallel in history.
Robin Li said that at 12:51 on January 12th, 2010, the I post bar of the founder, chairman and CEO of the Internet company appeared in a message from Robin Li: "unprecedented, unprecedented!" Many netizens who followed the post expressed their indignation at the hacker's behavior one after another. Some netizens even made fun of it, but most of them expressed their feelings: life is very inconvenient after the lack of network.

(1) domain name hijacking: it is to intercept domain name resolution requests within the hijacked network, analyze the requested domain name, and release requests beyond the scope of review. Otherwise, it will directly return a fake IP address or do nothing to make the request lose response. Its effect is that it cannot access a specific web address or it is a fake Web address
(2) DNS is the abbreviation of "domain name system", which is used to name computers and network services organized into the domain hierarchy. On the Internet, the domain name and IP address are one-to-one (or many to one). Although the domain name is easy for people to remember, the machines can only know each other's IP address. The conversion between them is called domain name resolution. Domain name resolution needs to be completed by a special domain name resolution server. DNS is the server for domain name resolution
(3) root server: to manage the home directory of the Internet, there are only 13 in the world. One is the primary root server, which is located in the United States. The remaining 12 are secondary root servers, of which 9 are located in the United States, 2 in Europe, in the United Kingdom and Sweden, and 1 in Asia, in Japan. All root servers are managed by ICANN, an Internet domain name and number distribution organization authorized by the U.S. government, which is responsible for the management of global Internet domain name root server, domain name system and IP address. The US government has a big say in its management
(4) China E-Commerce Research Center: China e-commerce research center is the first and only third-party organization in China to focus on the research and dissemination of e-commerce, search engine, network marketing and small and medium-sized enterprises. Through the online platform, the research center publishes hundreds of industry dynamic manuscripts, analysis and research articles and industry reports every day, attracting more than one million e-commerce related users from around the world. After more than three years of accumulation, it has developed into the most influential professional research institution and emerging communication platform in the field of e-commerce in China

3.

DNS service exception is the server failure, unable to find the address of the server

the solution is as follows:

1. Open the software first, as shown in the figure below. When there is no such software in the computer, it can be downloaded and copied to the mobile device through other computers that can access the Internet normally, and then switched to the current computer for installation

extended data

DNS importance

1. From a technical point of view,

DNS resolution is the actual addressing method for most Internet applications; The redevelopment of domain name technology and various applications based on domain name technology enrich Internet applications and protocols

2. From the perspective of resources,

domain name is the identity on the Internet, and it is the unique identification resource that cannot be repeated; The globalization of Internet makes domain name a national strategic resource to mark a country's sovereignty

DNS main functions

each IP address can have a host name, which is composed of one or more strings separated by decimal points. With the host name, do not memorize the IP address of each IP device by rote, just remember the relatively intuitive and meaningful host name. This is the function of DNS protocol

there are two ways to map host name to IP address:

1) static mapping. Each device is configured with host to IP address mapping, and each device maintains its own mapping table independently, which is only used by the device

2) dynamic mapping, the establishment of a set of domain name resolution system (DNS), only in the special DNS server configuration host to IP address mapping, the network needs to use the host name communication equipment, first need to query the corresponding IP address of the host to the DNS server[ 1]

the process of getting the IP address corresponding to the host name through the host name is called domain name resolution (or host name resolution). In the domain name resolution, you can first use the static domain name resolution method, if the static domain name resolution is not successful, then use the dynamic domain name resolution method. Some common domain names can be put into the static domain name resolution table, which can greatly improve the efficiency of domain name resolution

source: Network - DNS

4. DNS hijacking, also known as domain name hijacking, is to intercept the domain name resolution request within the hijacked network scope, analyze the requested domain name, release the request beyond the scope of review, otherwise return the fake IP address or do nothing to make the request lose response, and its effect is that it cannot respond to the specific network or visit the fake Web address

basic principle
the function of DNS (domain name system) is to map the network address (domain name, in the form of a string) to the real network address (IP address) that can be recognized by the computer, so that the computer can further communicate, transfer the web address and content. Because domain name hijacking can only be carried out in a specific hijacked network area, domain name servers (DNS) outside this area can return normal IP addresses. Advanced users can point DNS to these normal domain name servers in network settings to achieve normal access to web addresses. So domain name hijacking is usually accompanied by measures - blocking normal DNS IP
if you know the real IP address of the domain name, you can directly use this IP instead of the domain name to access it. For example, you can change the access to 202.108.22.5 to avoid domain name hijacking

coping methods

DNS hijacking (DNS phishing attack) is very fierce and not easy to be perceived by users. It once led to nearly 1% of customers of Brazil bank, the largest bank in Brazil, being attacked, resulting in account theft. In this DNS hijacking attack first discovered by 114dns, a leading DNS service provider in China, hackers use the defects of broadband routers to tamper with users' DNS. As long as users browse the web page controlled by hackers, their broadband router's DNS will be tampered by hackers. Because the web page has special malicious code, they can successfully avoid the detection of security software, A large number of users were cheated by DNS phishing
Due to some unknown reasons, automatic repair is not successful in very few cases. It is recommended that you modify it manually. At the same time, in order to avoid being attacked again, even if the repair is successful, users can modify the login user name and password of the router according to the method prompted by 360 or Tencent computer manager. Next, take the TP-Link router commonly used by users as an example to illustrate the modification method (other brands of routers are similar to this method)

Modify DNS manually
1. Enter http://192.168.1.1 in the address bar (try http://192.168.0.1 if the page cannot be displayed)
2. Fill in the user name and password of your router and click OK
3. In the "DHCP server - DHCP" service, fill in the more reliable address of 114.114.114.114 for the primary DNS server and 8.8.8.8 for the standby DNS server, then click Save

modify the router password
1. In the address bar, enter http://192.168.1.1 (if the page can't be displayed, try http://192.168.0.1)
2. Fill in your router's user name and password. The router's initial user name is admin, and the password is also admin. If you have modified it, fill in the modified user name and password, then click "OK"
3. After filling in correctly, you will enter the router password modification page, and you can complete the modification on the system tool - modify login password page (the original user name and password are the same as those in 2)

prevent DNS hijacking
In fact, DNS hijacking is not a new thing, nor can it be prevented. The network blackout event once again reveals the vulnerability of the global DNS system, and shows that if Internet manufacturers only have a security plan for their own information systems, they will not be able to quickly respond to comprehensive and complex threats. Therefore, Internet companies should take the following measures:
1. Internet companies should prepare more than two domain names. Once hackers attack DNS, users can also access another domain name
2. The Internet should further revise the emergency plan and strengthen the coordination process for domain name service providers
3. Domain name registrants and agents may become the targets of centralized attacks in a specific period, which need to be prevented
4. Relevant domestic organizations should quickly establish coordination and communication with relevant overseas organizations to assist domestic enterprises to deal with this incident quickly and timely.
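
The answer above notes that hijacking only applies inside the affected network, so resolvers outside it still return normal addresses, and that a hijacker either returns a fake IP or suppresses the response. The following is an added example, not part of the original answer, that turns that observation into a comparison check. It assumes the answers have already been collected (for example with `dig` or `nslookup` against each resolver); the resolver labels, host names and addresses are constructed sample data, and only IPv4 is handled.

```python
import ipaddress

# Address ranges that are never a valid answer for a public website name.
# (For internal, split-horizon names a private answer can be legitimate.)
SUSPECT_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def prefixes(addrs, bits=24):
    """Collapse answers to /24 blocks so that load-balanced rotation
    inside one provider block still counts as agreement (a heuristic)."""
    return {ipaddress.ip_network(f"{a}/{bits}", strict=False) for a in addrs}


def assess(local, references):
    """Compare the local resolver's answer with resolvers outside the network.

    local      -- set of IPv4 strings; empty set = no response; None = NXDOMAIN
    references -- dict of resolver label -> value in the same convention
    """
    answered = [r for r in references.values() if r]
    all_nx = bool(references) and all(r is None for r in references.values())

    if not local:                       # NXDOMAIN or silence from the local resolver
        if answered:
            return "suppressed"         # others resolve the name, we cannot
        return "consistent" if local is None and all_nx else "inconclusive"

    if any(ipaddress.ip_address(a) in net for a in local for net in SUSPECT_NETS):
        return "non-routable-answer"    # public name pointed at a private/loopback host
    if all_nx:
        return "nxdomain-rewritten"     # name does not exist, yet we got an address
    if not answered:
        return "inconclusive"

    ref_all = set().union(*answered)
    if local & ref_all:
        return "consistent"
    if prefixes(local) & prefixes(ref_all):
        return "consistent-prefix"
    return "divergent"                  # worth checking the TLS certificate / WHOIS


# Constructed observations (documentation address ranges, not real measurements).
SAMPLES = {
    "www.example.com": ({"203.0.113.80"},
                        {"ref-a": {"198.51.100.10"}, "ref-b": {"198.51.100.11"}}),
    "cdn.example.net": ({"198.51.100.25"},
                        {"ref-a": {"198.51.100.20"}, "ref-b": {"198.51.100.21"}}),
    "portal.example.org": ({"192.168.1.1"},
                           {"ref-a": {"198.51.100.30"}, "ref-b": {"198.51.100.30"}}),
    "no-such-name-7f3a.example.com": ({"203.0.113.9"},
                                      {"ref-a": None, "ref-b": None}),
    "blocked.example.org": (set(),
                            {"ref-a": {"198.51.100.40"}, "ref-b": {"198.51.100.40"}}),
    "ok.example.com": ({"198.51.100.10"},
                       {"ref-a": {"198.51.100.10"}, "ref-b": {"198.51.100.10"}}),
}


def run_samples():
    """Return {host name: verdict} for the constructed observations."""
    return {name: assess(local, refs) for name, (local, refs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:22} {name}")
```

A "divergent" verdict is a lead, not proof: large sites legitimately return different addresses by region, so confirm with the certificate presented on the divergent address before concluding that resolution was tampered with.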
5.

1、 DNS hijacking

DNS hijacking, also known as domain name hijacking, is to intercept the domain name resolution request within the hijacked network scope, analyze the requested domain name, and release the request beyond the scope of review, otherwise, it will return a fake IP address or do nothing to make the request lose response, and its effect is that it cannot respond to a specific network or visit a fake website

The function of DNS (domain name system) is to map the network address (domain name, in the form of a string) to the real network address (IP address) that can be recognized by the computer, so that the computer can further communicate, transfer the web address and content. So domain name hijacking is usually accompanied by measures blocking normal DNS IP. For example, you can change the access to 202.108.22.5 to avoid domain name hijacking

(1) fill in your router's user name and password, and click "Determine"

(2) in the "DHCP server - DHCP" service, fill in the more reliable address of 114.114.114.114 for the primary DNS server and 8.8.8.8 for the standby DNS server. Click Save

2. Modify the router password

(1) fill in the user name and password of your router. The initial user name of the router is admin, and the password is also admin. If you have modified it, fill in the modified user name and password and click "Determine"

(2) after filling in correctly, you will enter the router password modification page. You can complete the modification in the system tool - modify login password page (the original user name and password are the same as those in 2)

3. Prevent DNS hijacking

(1) Internet companies prepare more than two domain names. Once hackers attack DNS, users can also access another domain name

(2) the Internet should further revise the emergency plan and strengthen the coordination process of domain name service providers

(3) domain name registrants and agents may become the targets of centralized attacks in a specific period, which need to be prevented

(4) relevant domestic institutions should quickly establish coordination and communication with relevant overseas institutions to assist domestic enterprises to deal with the incident quickly and timely





6. DNS hijacking, also known as domain name hijacking, refers to obtaining the resolution control of a domain name by some means, modifying the resolution result of the domain name, resulting in the transfer of the access to the domain name from the original IP address to the modified designated IP address, and the result is that the specific Web address cannot be accessed or the access is a fake Web address. DNS hijacking is a kind of hacker technology, through this kind of domain name fraud to achieve the purpose of putting virus, cheating users of relevant information or invading other people's computers
DNS hijacking usually occurs in the following situations:
1. The user's computer is infected with a virus, and the virus tampers with the hosts file and adds false DNS resolution records. In Windows system, the priority of hosts file is higher than that of DNS server. When accessing a domain name, the system will first detect the hosts file, and then query the DNS server
2. The website users are trying to visit is attacked maliciously. You may visit a deceptive website or be directed to other websites
3. The user has entered the wrong domain name in the browser, resulting in DNS query for nonexistent records. In the past, the browser usually returned an error. At present, most users will see the domain name error correction system prompt set by ISP
1. Use a secure and reliable DNS server to manage your domain name, and pay attention to timely repair DNS related vulnerabilities and update the latest patches
2. Protect the security of your important confidential information to avoid the theft of domain name management authority
3. Improve the security level of the server, timely repair system and third-party software vulnerabilities, to avoid attacks
4. The network manager should monitor and improve the security of the web page code in time to avoid the event of the website being hung up
5. Internet users should update their security software as soon as possible to intercept various network attacks and avoid becoming a member of Botnet
some methods of DNS hijacking
method 1: DDoS attack by using DNS server
normal recursive query process of DNS server may be used as DDoS attack. Suppose that the attacker knows the IP address of the attacked machine, and then the attacker uses this address as the source address to send the parsing command. In this way, when the DNS server recursively queries, the DNS server responds to the initial user, who is the victim. If the attacker controls enough broilers and repeatedly performs the above operation, the attacker will be attacked by DDoS with response information from DNS server
if the attacker has enough broilers, the network of the victim can be dragged down to interruption. An important challenge of using DNS server to attack is that the attacker conceals his whereabouts because he does not communicate with the attacked host directly, which makes it difficult for the victim to trace the original attack
method 2: DNS cache infection
attackers use DNS requests to put data into the cache of a vulnerable DNS server. These cache information will be returned to the user when the customer has DNS access, so as to guide the user's access to the normal domain name to the page set by the intruder, such as hanging horse, fishing, etc., or obtain the user's password information through forged e-mail and other server services, causing the customer to encounter further infringement
method 3: DNS information hijacking
TCP/IP system avoids the insertion of counterfeit data through serial number and other ways, but if the intruder listens to the conversation between the client and the DNS server, he can guess the DNS query ID that the server responds to the client. Each DNS message includes an associated 16 bit ID number, according to which the DNS server obtains the location of the request source. Before the DNS server, the attacker gives the false response to the user, thus deceiving the client to visit the malicious website. Suppose that when the DNS packet data of a domain name resolution request submitted to a domain name server is intercepted, and then a false IP address is returned to the requester as the response information according to the interceptor's intention. The original requester will access the fake IP address as the domain name it wants to request, so that he will be cheated to other places and connect to the domain name he wants to access
method 4: DNS redirection
the attacker redirects the DNS name query to a malicious DNS server, and the resolution of the hijacked domain name is completely under the control of the attacker
method 5: ARP Spoofing
arp attack is to achieve ARP spoofing by forging IP address and MAC address, which can generate a large amount of ARP traffic in the network and block the network. As long as the attacker continuously sends forged ARP response packets, the IP-MAC entry in ARP cache of the target host can be changed, causing network interruption or man in the middle attack. ARP attack mainly exists in the LAN network. If a computer in the LAN is infected with ARP virus, the system infected with the ARP virus will try to intercept the communication information of other computers in the network by ARP deception, and thus cause the communication failure of other computers in the network
ARP Spoofing usually occurs in the user's office network, resulting in the wrong direction of the user's domain name. If the IDC room is also invaded by ARP virus, the attacker may also use ARP packet to suppress the normal host, or suppress the DNS server, so as to make the access guidance point to the wrong direction
method 6: local hijacking
after the local computer system is infected by Trojan horse or rogue software, some domain names may be accessed abnormally. Such as visiting hanging horse or fishing site, unable to access, etc. Local DNS hijacking methods include hosts file tampering, local DNS hijacking, SPI chain injection, BHO plug-in and so on
well, that's about the DNS hijacking method. So it's important to do a good job in the security of your own computing.
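
Method 3 above turns on the 16-bit ID carried in every DNS message. The following is an added example, not part of the original answer, showing the checks a client can apply before accepting a reply: the ID, the response flag, the echoed question and the sender's address. The function names, the server address and the sample replies are constructed for illustration. An eavesdropper who can read the query, as that paragraph describes, can copy all of these fields, so the checks only stop blind forgeries; DNSSEC validation or an encrypted transport is needed against an on-path listener.

```python
import secrets
import struct


def encode_name(name):
    """Encode a host name as DNS labels: length byte + label, ending with 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Return (txid, packet). The 16-bit ID comes from a CSPRNG, not a counter."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_question(packet):
    """Parse the first question; returns (lower-cased name, qtype, qclass)."""
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:                 # pointers are not valid in the first question
            raise ValueError("unexpected label type")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def check_reply(query, reply, sent_to, came_from):
    """Return the reasons to discard `reply`; an empty list means acceptable."""
    problems = []
    if came_from != sent_to:
        problems.append("source differs from the server queried")
    if len(reply) < 12:
        return problems + ["shorter than a DNS header"]
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if r_id != q_id:
        problems.append("transaction ID mismatch")
    if not flags & 0x8000:
        problems.append("QR bit not set")
    if qdcount != 1:
        problems.append("question count is not 1")
    else:
        try:
            if read_question(reply) != read_question(query):
                problems.append("question does not echo the query")
        except ValueError:
            problems.append("malformed question section")
    return problems


def sample_reply(query, txid=None, question=None):
    """Constructed reply (not captured traffic); echoes the query unless overridden."""
    (q_id,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", q_id if txid is None else txid, 0x8180, 1, 1, 0, 0)
    body = query[12:] if question is None else encode_name(question) + struct.pack("!HH", 1, 1)
    # One A record for 198.51.100.10, name given as a pointer to offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 10])
    return header + body + answer


def demo():
    """Run the checks over four constructed replies; returns {case: problems}."""
    server = ("192.0.2.53", 53)         # assumed resolver address (documentation range)
    txid, query = build_query("www.example.com")
    return {
        "genuine": check_reply(query, sample_reply(query), server, server),
        "wrong_id": check_reply(query, sample_reply(query, txid=txid ^ 1), server, server),
        "wrong_question": check_reply(
            query, sample_reply(query, question="www.example.net"), server, server),
        "other_source": check_reply(
            query, sample_reply(query), server, ("203.0.113.66", 53)),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "accepted")
```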
7. In fact, storm video is not the only person responsible for this incident, nor does it deliberately want to engage in Telecom. Of course, such a disastrous result is similar to the result that hackers directly hacked the storm client, or that storm intended to kill itself to the people; But when it comes to this accident, we need to know about a service called DNSPod

after the separation of Telecom, the situation of South Telecom and North Netcom has troubled the domestic stationmaster, so all kinds of websites began to rent the North-South dual line server, and use DNS resolution service to assign servers to the website domain name. DNSPod is a free service, so many domestic websites, including cnBeta and storm video, use DNSPod's service

then the next thing is very dramatic:

1. A game "private service" website intends to attack its competitors
2. Hackers, unable to hack competitors' websites, simply started with domain names and bombarded DNSPod's servers
3. One of DNSPod's servers is down. This one just provides domain name resolution for storm video
4. The client of windstorm video secretly visited the windstorm website when the user didn't know it, but now it can't go up
5. Then the storm users all over the country turned to the DNS resolution server of Telecom to make requests
6. Because half of the computers connected to the Internet all over the country are using storm video, the telecom server will soon be paralyzed
7. After some telecom rooms temporarily blocked the IP address of storm website, the website began to recover
this incident, which affected the Internet users all over the country, was actually caused by a "private service". This is a typical example of the butterfly effect. And storm video is absolutely one of the turning points. Why do you say that

■ if storm video doesn't have the habit of secretly visiting the website and downloading advertisements, there will be no nationwide users' bombing of DNS resolution
■ if the windstorm video is rubbish, but few people use it, the impact will not be so huge.
8. Outage type 1: system failure
typical event 1: Amazon AWS outage on Christmas Eve
cause of failure: elastic load balancing service failure
on December 24, 2012, just past Christmas Eve, Amazon did not let their customers have a safe life. Amazon AWS's data center in zone 1 of the eastern United States failed, and its elastic load balancing service was interrupted, which affected Netflix, heroku and other websites. Among them, heroku was also affected by the previous AWS eastern regional service failure. However, it is a coincidence that Netflix's competitor, Amazon Prime instant video, is not affected by this failure
on December 24, Amazon's AWS service interruption was not the first time, and certainly not the last
on October 22, 2012, Amazon's AWS network service in North Virginia was also interrupted once. The reason is similar to last time. The accident affected famous websites including reddit and pinterest. The interruption affects the elastic magic bean service, followed by the console of elastic magic bean service, relational database service, elastic cache, elastic computing cloud EC2, and cloud search. The accident has led many people to believe that Amazon should upgrade the infrastructure of its North Virginia data center
on April 22, 2011, Amazon's cloud data center server went down in a large area, which is considered to be the most serious cloud computing security incident in Amazon's history. Due to the outage of Amazon's cloud computing center in Northern Virginia, some websites including quora, reddit, hootsuite and foursquare have been affected. Amazon's official report claimed that the event was due to the existence of loopholes and design defects in its EC2 system design, and is constantly repairing these known loopholes and defects to improve the competitiveness of EC2 (Amazon Elastic Compute Cloud Service)
in January 2010, nearly 68000 salesforce.com users experienced at least one hour of downtime. With a "systematic error" in salesforce.com's own data center, all services, including backup, were temporarily paralyzed. This also reveals the lock-in strategy that salesforce.com does not want to disclose: its PAAS platform and force.com cannot be used outside of salesforce.com. So if there's a problem with salesforce.com, there's a problem with force.com. So if the service is interrupted for a long time, the problem will become very difficult
On August 6, 2011, lightning occurred in Dublin, Northern Ireland, causing massive downtime of Amazon and Microsoft cloud computing networks in Europe due to power failure of the data center. Lightning struck a transformer near the Dublin data center, causing it to explode. The explosion caused a fire, which temporarily interrupted the work of all public service agencies, resulting in the downtime of the entire data center
this data center is Amazon's only data storage location in Europe, that is to say, EC2 cloud computing platform customers have no other data center for temporary use during the accident. Due to the outage, many websites using Amazon EC2 cloud service platform were interrupted for two days
Typical event 2: Calgary data center fire
Cause of failure: fire in the data center
Calgary data center fire on July 11, 2012: a fire in the Calgary, Alberta data center of Shaw Communications Inc., a Canadian communications service provider, delayed hundreds of operations in the local hospital. As the data center provides management emergency services, the fire affected the main backup systems supporting key public services. This incident sounded an alarm for a series of government agencies, which must ensure timely recovery and have a failover system, combined with the introduction of a disaster management plan.
Typical event 3: Super hurricane Sandy hit the data centers
Cause of failure: storm and flood caused the data centers to stop operating
On October 29, 2012, super hurricane Sandy: data centers in New York and New Jersey were affected by the hurricane. The adverse effects included flooding in lower Manhattan, the shutdown of some facilities, and the failure of generators in the surrounding data centers. The impact of Hurricane Sandy went beyond an ordinary single interruption accident, bringing unprecedented disaster to the data center industry in the disaster area. In fact, diesel became the lifeline for data centers to resume work. As the backup power system, generators took over the load of the whole area, prompting special measures to keep them supplied with fuel. With the focus of immediate work gradually shifting to post-disaster reconstruction, it will be necessary to discuss the location, engineering and disaster recovery of data centers for a long time. This topic may last for months or even years.
The third cause of network outage: human factor
Typical event 1: service interruption accident of hosting.com
Cause of failure: UPS shutdown caused by an incorrect operation sequence of a circuit breaker, executed by the service provider
Outage event of hosting.com on July 28, 2012: human error is generally considered to be one of the leading factors in data center shutdowns. A case in point is the 1100 customer service disruptions caused by the hosting.com disruption in July. The outage occurred while the company's data center in Newark, Delaware, was undergoing preventive maintenance of its UPS system. "The UPS shutdown caused by an incorrect operation sequence of the circuit breaker performed by the service provider is one of the key factors causing facility loss in the data center suite," said Art Zeile, chief executive of hosting.com. "There is no failure of any important power system or standby power system, which is completely caused by human error."
Typical event 2: Microsoft BPOS service interruption event
Cause of failure: an undetermined setup error in Microsoft's data centers in the United States, Europe and Asia
In September 2010, Microsoft experienced at least three hosted-service interruptions in the western United States within a few weeks and apologized to users. This was Microsoft's first major cloud computing incident.
At the time of the accident, customers who used Microsoft's North American facilities to access the BPOS (Business Productivity Online Suite) service might have encountered problems; the failure lasted for two hours. Although Microsoft engineers later claimed to have solved this problem, they did not solve the fundamental problem, resulting in the service interruptions on September 3 and September 7.
Clint Patterson of Microsoft said that the data breach was caused by an undetermined setup error in Microsoft's data centers in the United States, Europe and Asia. The offline address book in the BPOS software was, in "very special cases", provided to unauthorized users. This address book contains the contact information of the enterprise.
Microsoft said the bug was fixed two hours after it was discovered. Microsoft says it has tracking facilities that allow it to contact people who downloaded the data by mistake so that it can be cleared.
The fourth cause of network outage: system failure
Typical event 1: DNS server outage of the GoDaddy website
Cause of failure: network outage caused by damaged data tables in a series of routers in the system
DNS server outage of the GoDaddy website on September 10, 2012: domain name giant GoDaddy is the most important DNS server supplier, which hosts 5 million websites and manages more than 50 million domain names. That is why the September 10 disruption was one of the most devastating events of 2012.
Some people even speculated that the 6-hour interruption was the result of a denial of service attack, but GoDaddy later said that it was caused by damaged data in the router tables. "Service disruption is not caused by external influences," GoDaddy's interim chief executive, Scott Wagner, said. "This is not a hacker attack or a denial of service (DDoS) attack. We have determined that the service interruption is due to network event damage caused by a series of internal router data tables."
Typical event 2: Shanda cloud storage network outage
Cause of failure: a physical server disk in the data center was damaged
At 8:10 pm on August 6, 2012, Shanda Cloud issued a public statement on its official microblog about the loss of user data due to the failure of a cloud host. On August 6, a physical server disk in Shanda Cloud's data center in Wuxi was damaged, resulting in loss of data for "individual users". Shanda Cloud said it was doing its best to help users recover their data.
Regarding how "a damaged physical server disk" led to data loss for "individual users", Shanda Cloud's technical personnel gave their own explanation: there are two ways of producing a virtual machine disk. One is to use the physical disk of the host computer directly. In this case, if the physical disk of the host fails, the virtual machine will inevitably lose data, which is the cause of this event. The other way is to use remote storage, that is, Shanda's hard disk products. In this way, the user's data is actually stored in a remote cluster, and multiple backups are made at the same time. Even if the host fails, the data of the virtual machine will not be affected. Because damage to physical machines is difficult to avoid, in order to avoid unexpected losses, we suggest that you also back up your data outside the virtual machine.
Typical event 3: Google App Engine service interruption
Cause of failure: network delay
Google App Engine: GAE is a platform for developing and hosting web applications, and its data centers are managed by Google. The interruption occurred on October 26 and lasted for 4 hours, during which the service suddenly became slow and returned errors. As a result, 50% of GAE requests failed.
Google said that there was no data loss and that application behavior could be restored from backup. As a sign of apology, Google announced that in November users could, and Google said that it was strengthening its network services to cope with network delays; we have enhanced the traffic routing capability and adjusted the configuration, which will effectively prevent the recurrence of such problems.
The fifth cause of network outage: system bug
Typical event 1: Azure global service outage
Cause of accident: a software bug led to incorrect calculation of leap year time
On February 28, 2012, due to a "leap year bug", a large area of the Microsoft Azure service was interrupted worldwide, and the interruption lasted more than 24 hours. Although Microsoft said the software bug was caused by incorrect calculation of leap year time, the incident aroused a strong reaction from many users, and many people asked Microsoft for a more reasonable and detailed explanation.
Typical event 2: global failure of Gmail e-mail
Cause of the accident: side effect of new program code during routine maintenance of a data center
On February 24, 2009, a global failure of Google's Gmail e-mail broke out, and the service interruption lasted as long as 4 hours. Google explained the cause of the accident: some of the new code (which tried to keep data geographically close to its users) had side effects during routine maintenance of data centers in Europe.
9. Since 21:00 on May 19, China's Internet has experienced a "domino" chain reaction. Many provinces across the country experienced large-scale network failures, which eventually evolved into the most serious large-scale network congestion event since the submarine optical cable broke in 2006.

According to data from the telecommunications department, among the large number of domain name resolution requests that led to the network congestion, traffic from the Storm video player software accounted for 40%, and its massive number of user installations became the most important driving force of the event. In recent days, Storm company has become the focus of netizens' attention. There are endless discussions about the causes of the 5.19 network congestion and the security of the Storm video program's design.

According to the judicial process and an audit by a third-party accounting firm, the direct economic loss of Storm company in the May 19 "Storm gate" incident reached 2.38 million yuan.

The network engineer of Storm company explained that the reason for the disconnection on May 19 was that the DNSPod website, which provides domain name resolution for many websites, including Storm video, was first attacked over the network. When the Storm video client software was unable to obtain the DNSPod service, it continuously sent requests, and all of these requests finally congested the local domain name servers, taking up a lot of network resources.
Feng Xin, CEO of Storm company, said: the detection of the case can give warning to future network attackers. 2.38 million yuan is only the first claim of Storm company; the related indirect economic loss is much larger and is still being tallied in the judicial process.

Storm company said that although the truth is clear, the "recall action" recently announced by Storm will continue, and called on the 120 million users of its player software to jointly support China's Internet construction.

Most of the problems have been solved now, but the new version has not been released yet.
Several hackers involved in the case have been caught.

A new version of Storm will be released on June 19 to completely solve the problem.