
Etisalat cyber-attack explained: experts speak out

Regional specialists identify incident as first attack of its kind on a telco in the region

In the aftermath of this month’s temporary defacement of Etisalat’s commercial websites, regional cyber security experts have identified the operation as a DNS (domain name system) cache poisoning exploit.

The end product of DNS cache poisoning is the replacement of a lookup entry on a DNS server with a false address. Specialists contacted by ITP.net, a sister website to ArabianBusiness.com, say this kind of attack is on the increase.

“DNS is projected to surpass HTTP to become the number one attack vector within the next 12 months,” warned Cherif Sleiman, general manager, Middle East at Infoblox. “In the past year alone, DNS attacks have increased by more than 200 percent. In the same way that today companies cannot build networks without firewalls and intrusion prevention systems, we have entered an era where organisations can no longer build networks without DNS security.”

Nicolai Solling, director, Technology Services, Help AG, believes this is the first DNS poisoning attack on a telecoms provider in the region.

“From a technical perspective it is relatively straightforward to understand what happened, but not necessarily how,” he said.

“As the website is as prominent as etisalat.ae I would say that exactly due to the size and users on the site, it is a major attack.”

“For as long as the false entry is cached, incoming Web requests and emails will go to the attacker’s address,” Sleiman said. “There are many ways to accomplish this. New cache poisoning attacks… use brute force, flooding DNS responses and queries at the same time hoping to get a match on one of the responses and poison the cache.”

Both Sleiman and Solling cited a number of possible motives for the attack, including financial gain and reputation enhancement among other hackers. This is why popular, high-profile sites are chosen by attackers.

“It is important to understand that while it is Etisalat.ae that is affected the issue could be outside the Etisalat infrastructure, however as we have only heard about etisalat.ae, it is most likely the DNS servers of Etisalat that were affected,” Solling said.
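
The brute-force flooding Sleiman describes leaves a recognisable trace at the resolver: a burst of replies for one name whose transaction IDs do not match any outstanding query. The sketch below is an added example, not code from the article or from any vendor quoted in it. It assumes a simplified, constructed event log of (timestamp, kind, name, transaction ID) tuples, and the window and threshold values are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0   # sliding window in seconds (assumed value)
THRESHOLD = 20   # mismatched replies per name per window that raise an alert (assumed value)


def detect_reply_floods(events, window=WINDOW_S, threshold=THRESHOLD):
    """Scan time-ordered (ts, kind, qname, txid) events from a resolver's upstream side.

    kind is "query" (sent by the resolver) or "reply" (received). Returns
    {qname: {"first_alert": ts, "peak": n, "suspect_cache": bool}} for flooded names.
    """
    outstanding = defaultdict(set)   # qname -> transaction IDs still awaiting a reply
    mismatched = defaultdict(deque)  # qname -> timestamps of replies with a wrong ID
    alerts = {}
    for ts, kind, qname, txid in events:
        if kind == "query":
            outstanding[qname].add(txid)
            continue
        recent = mismatched[qname]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop mismatches that fell out of the window
        if txid in outstanding[qname]:
            outstanding[qname].discard(txid)
            # A reply accepted in the middle of a flood may be the forged one:
            # flag the cached answer for flushing and revalidation.
            if len(recent) >= threshold:
                alerts[qname]["suspect_cache"] = True
            continue
        recent.append(ts)
        if len(recent) >= threshold:
            alert = alerts.setdefault(
                qname, {"first_alert": ts, "peak": 0, "suspect_cache": False})
            alert["peak"] = max(alert["peak"], len(recent))
    return alerts


def build_sample_events():
    """Constructed sample: one normal lookup, then a flood against a second name."""
    events = [(0.00, "query", "www.example.test", 0x1A2B),
              (0.03, "reply", "www.example.test", 0x1A2B)]
    events.append((10.00, "query", "portal.example.test", 0x7777))
    for i in range(40):  # 40 replies with wrong IDs inside 0.4 seconds
        events.append((10.01 + i * 0.01, "reply", "portal.example.test", 0x1000 + i))
    events.append((10.45, "reply", "portal.example.test", 0x7777))  # ID matches
    return events


if __name__ == "__main__":
    for name, alert in detect_reply_floods(build_sample_events()).items():
        print(name, alert)
```

A name flagged with `suspect_cache` is one where the resolver accepted an answer while the flood was in progress, so that cached entry is the one to flush and re-resolve first.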
