CAPEC-589: DNS Blocking
An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed.
Overview
CAPEC-589 (DNS Blocking) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection.
Consequences
What a successful CAPEC-589 attack can achieve.
Other
Affects: Availability
Preventing DNS from resolving a request denies the availability of a target site or service for the user.
How to mitigate it
Defenses that reduce the risk of CAPEC-589.
- Hard-coded alternate DNS server in applications
- Avoid dependence on DNS
- Include "hosts file"/IP address in the application.
- Ensure best practices with respect to communications channel protections.
- Use a .onion domain with Tor support
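The hard-coded alternate DNS server and the embedded IP address list can be chained so that a lookup the default resolver never answers still completes. The following is an added example, not part of the CAPEC entry; `resolve_with_fallback`, `PINNED_ADDRESSES`, `service.example` and the two stub resolvers are hypothetical, and the addresses are documentation-range placeholders.

```python
import socket

class ResolutionFailed(Exception):
    """No stage produced an address."""

def system_resolver(name, timeout):
    # Default path: the OS stub resolver (its timeout is governed by OS settings).
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

# Constructed stand-ins so the example runs offline.
def dropped_resolver(name, timeout):
    # What a dropped query looks like to the client: no answer before the timeout.
    raise TimeoutError("query unanswered")

def alternate_resolver(name, timeout):
    # Stands in for the hard-coded alternate DNS server (assumed lookup table).
    return {"service.example": ["192.0.2.10"]}.get(name, [])

# Hypothetical embedded data: placeholder name, RFC 5737 documentation addresses.
PINNED_ADDRESSES = {"service.example": ["192.0.2.10", "192.0.2.11"]}

def resolve_with_fallback(name, stages, pinned=PINNED_ADDRESSES, timeout=2.0):
    """Try each (label, resolver) stage in order, then the embedded address list.

    Returns (addresses, source, failures). failures names every stage that
    timed out, errored or answered empty, so the caller can log that lookups
    for this name are failing while the application keeps working."""
    failures = []
    for label, resolver in stages:
        try:
            addresses = resolver(name, timeout)
        except (TimeoutError, OSError) as exc:  # socket.gaierror is an OSError
            failures.append((label, type(exc).__name__))
            continue
        if addresses:
            return addresses, label, failures
        failures.append((label, "empty answer"))
    if name in pinned:
        return list(pinned[name]), "pinned", failures
    raise ResolutionFailed(f"{name}: all stages failed: {failures}")
```

A plaintext query to the alternate server crosses the same in-path device as the original one, so this chain is only as strong as the channel protection applied to that second lookup.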
Examples
- Full URL Based Filtering: Filtering based upon the requested URL.
- URL String-based Filtering: Filtering based upon the use of particular strings included in the requested URL.