By means of DNS hijacking, attackers can divert the traffic meant for your website to a server they control and intercept it. How does this work, and how can you protect yourself against it?
What is DNS hijacking?
In brief, DNS hijacking means that the DNS records of your domain name are altered without your authorisation, for example the A record that maps the name to an IP address, the MX record that says where its mail is delivered, or the NS records that say which name servers are authoritative for it. As a result, your visitors are no longer sent to the IP address of the server your domain name normally points to, but to an IP address the attacker has entered. Because certificate authorities validate domain ownership by checking DNS or by contacting the server the name resolves to, the attacker can even obtain a valid certificate for the hijacked domain name and install it on the server to which the traffic is diverted, so that the connection shows no browser warning and looks legitimate.
In this way the attacker sees all traffic sent to your domain: e-mails addressed to it, log-in credentials, and whatever users enter into your applications, typically by diverting them to a purpose-built website that is an exact copy of yours and, with a valid certificate, is very hard for a visitor to tell apart from the real one. For financial institutions, webshops and many other organisations this can cause serious damage.
Recent cases point to the seriousness of the situation
DNS hijacking can take place on a small scale – a single change made in the control panel of your hosting provider or domain registrar. But in recent weeks it has occurred on a large scale: the DNS settings of organisations in various countries were (temporarily) changed. ICANN and security firms such as FireEye had already issued warnings before this large-scale attack.
The attacks were directed against organisations and companies in various countries, including Lebanon and the United Arab Emirates, as well as US government institutions. Which data have been stolen is not yet known.
How can you protect yourself against DNS hijacking?
Whether you are a registrant, website owner, system administrator or hosting company, it is important to prevent unauthorised changes to your DNS data, and to detect them quickly if they do occur.
Follow these tips:
- Check who has administrator rights to your systems, and in particular to your accounts at the registrar and the DNS provider, and limit such access to what is strictly necessary.
- Use strong, unique passwords. Tips for a strong and safe password are available on www.safeonweb.be.
- Enable multi-factor authentication for log-ins wherever possible, especially for administrators and for the registrar and DNS provider accounts.
- Make sure that all security updates for your systems are applied promptly.
- Monitor the log files of your systems and websites to detect unauthorised access, including log-ins to your registrar and DNS provider accounts from unknown locations.
- Also check the Certificate Transparency logs to see whether certificates have been issued for your domain name that you did not request; you can do this for instance on https://crt.sh/. An unexpected certificate is a strong indication that someone else has been able to prove "control" of your domain.
- Check each DNS record under your purview (A, AAAA, MX, NS, TXT) and go through the change history to determine whether changes were made that you did not authorise. Keep an offline copy of the records you expect so that you can compare against it, and compare not only what your control panel shows but also what public resolvers actually return, since the two can differ during a hijack.
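What the last two checks look like in practice, and the kind of record change described above under "What is DNS hijacking?", as an added example in Python that is not part of the original article: the script compares an offline baseline of the records you expect with the answers actually observed, and flags Certificate Transparency entries for your domain whose serial number is not one you requested. The domain names, IP addresses, serial numbers and CT entries are constructed for the example; the field names follow crt.sh's JSON output and are an assumption about that format, not something taken from this page.

```python
"""Added example (not from the original article): compare the DNS records you
expect with the ones actually observed, and flag certificates in a
Certificate Transparency feed that you did not request.

All data below is constructed. In a real deployment OBSERVED would be filled
from queries against several public resolvers and your authoritative name
servers, and CT_ENTRIES from the JSON that crt.sh returns for your domain
(assumption: field names as crt.sh currently uses them).
"""
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]          # (owner name, record type)
RecordSets = Dict[RecordKey, Set[str]]

# Constructed baseline: the record sets the domain should have. Keep this copy
# somewhere an attacker who gets into your DNS control panel cannot edit it.
BASELINE: RecordSets = {
    ("example.com", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("www.example.com", "A"): {"192.0.2.10"},
}

# Constructed "live" answers. Two things have been changed, as a hijacker
# would do it: the web A record now points elsewhere, and one NS record has
# been swapped for a name server the attacker controls.
OBSERVED: RecordSets = {
    ("example.com", "NS"): {"ns1.example.net.", "ns-evil.example.org."},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("www.example.com", "A"): {"198.51.100.23"},
}


def diff_records(baseline: RecordSets, observed: RecordSets) -> List[Tuple[str, str, Set[str], Set[str]]]:
    """Return (name, type, missing_values, unexpected_values) for every record
    set that differs from the baseline. Sets are compared, so the order in
    which a resolver returns the values does not matter."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want = baseline.get(key, set())
        got = observed.get(key, set())
        if want != got:
            findings.append((key[0], key[1], want - got, got - want))
    return findings


# Serial numbers of the certificates you requested yourself (constructed).
KNOWN_SERIALS = {"03a1b2c3d4e5f6a7b8"}

# Constructed CT entries in the shape of crt.sh's JSON output: one entry per
# log record, with the certificate's names newline-separated in name_value.
CT_ENTRIES = [
    {"serial_number": "03a1b2c3d4e5f6a7b8",
     "issuer_name": "C=US, O=Example CA, CN=Example CA DV R1",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2018-11-02T09:12:00"},
    {"serial_number": "0ffeedbeef123456789a",     # not requested by you
     "issuer_name": "C=US, O=Other CA, CN=Other CA DV",
     "name_value": "mail.example.com",
     "not_before": "2019-01-20T03:41:00"},
    {"serial_number": "0b1ab1ab1ab1ab1ab1",       # unrelated domain, ignored
     "issuer_name": "C=US, O=Other CA, CN=Other CA DV",
     "name_value": "example.org",
     "not_before": "2019-01-21T00:00:00"},
]


def covers_domain(san: str, domain: str) -> bool:
    """True if a certificate name covers the domain or anything under it
    (a wildcard such as *.example.com counts as well)."""
    san = san.lower().rstrip(".")
    return san == domain or san.endswith("." + domain)


def unexpected_certificates(entries, known_serials, domain):
    """Return the CT entries for `domain` whose serial number is not in the set
    of certificates you requested, as (serial, issuer, names, not_before)."""
    domain = domain.lower().rstrip(".")
    known = {s.lower() for s in known_serials}
    hits = []
    for e in entries:
        names = [n for n in e["name_value"].split("\n") if covers_domain(n, domain)]
        if names and e["serial_number"].lower() not in known:
            hits.append((e["serial_number"], e["issuer_name"], names, e["not_before"]))
    return hits


if __name__ == "__main__":
    for name, rtype, missing, extra in diff_records(BASELINE, OBSERVED):
        print(f"ALERT {rtype} {name}: missing={sorted(missing)} unexpected={sorted(extra)}")
    for serial, issuer, names, since in unexpected_certificates(CT_ENTRIES, KNOWN_SERIALS, "example.com"):
        print(f"ALERT certificate {serial} from {issuer} for {names}, valid from {since}")
```

To use this for real, replace the constructed OBSERVED and CT_ENTRIES with answers from a resolver library and the crt.sh JSON feed, query several resolvers and the authoritative servers directly (during a hijack the values in your control panel, at your registrar and in public caches can all differ), and keep the baseline and the list of known serials outside the systems an attacker with your DNS credentials could reach.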