Department of Electronics and Communication Engineering
GITAM School of Technology
Communication Networks
Case Study 10
DNS Spoofing Attack on a University Network
Problem Statement: Students and Staff Redirected to Phishing Websites Despite Entering Correct URLs
Submitted By:
• Monisha H S - BU22EECE0100439
• Darshan H - BU22EECE0100464
• Ganga Mythra H - BU22EECE0100469
• Vasanth Kumar - BU22EECE0100478
1. Introduction
DNS (Domain Name System) spoofing, also known as DNS poisoning, is a
cyberattack in which attackers forge DNS responses or tamper with cached DNS
records so that a legitimate domain name resolves to an attacker-controlled
address, redirecting users to fraudulent websites. This attack can lead to
credential theft, data breaches, and financial fraud.
In this case study, a university network was targeted, and both students and staff
were redirected to phishing websites despite entering the correct URLs. The attack
resulted in compromised personal data, including login credentials and academic
records.
Additionally, the attack caused widespread disruption across the university’s
online services, preventing students and faculty from accessing essential academic
resources, email systems, and administrative portals, further impacting daily
operations.
2. Problem Statement
Multiple students and staff reported suspicious activity when trying to access
official university portals. Instead of landing on the correct websites, they were
redirected to fake login pages that closely resembled legitimate university
platforms. Some users unknowingly entered their credentials, leading to
unauthorized access to sensitive data.
This attack posed significant risks:
• Exposure of personal and academic information.
• Potential financial fraud through access to university payment portals.
• Damage to the university's reputation and trust in its IT infrastructure.
3. Background
The university operates a large and complex network, serving thousands of
students, faculty members, and administrative staff. The network includes:
• On-campus and remote access servers.
• Multiple Wi-Fi networks for students and faculty.
• Web-based university portals for academic management, finance, and
communication.
Despite implementing basic security measures such as firewalls and antivirus
software, the university lacked advanced DNS security protocols, making it
vulnerable to DNS spoofing attacks.
4. Attack Methodology
The attackers employed multiple DNS spoofing techniques to compromise the
university’s network:
4.1 Cache Poisoning Attack
• Attackers injected forged DNS records into the cache of the university’s recursive DNS resolver.
• When students or staff entered official university URLs, the poisoned DNS
records redirected them to attacker-controlled phishing websites.
4.2 Man-in-the-Middle (MITM) Attack
• Hackers intercepted DNS queries using compromised routers or public Wi-Fi
networks.
• Instead of reaching the legitimate DNS resolver, user requests were
rerouted to malicious DNS servers.
4.3 Rogue DNS Server Attack
• Attackers replaced the university’s legitimate DNS servers with rogue
servers.
• These fake servers redirected all DNS queries to phishing domains.
4.4 DNS Hijacking via Malware
• Some university computers were infected with malware that modified their
local DNS settings.
• This forced affected users to communicate with attacker-controlled DNS
servers, redirecting their internet traffic.
5. Incident Detection
5.1 User Reports
• Students and staff reported abnormal website behavior.
• SSL/TLS certificate warnings appeared when accessing official portals.
5.2 Network Traffic Analysis
• IT teams detected a high volume of outbound traffic to unknown IP
addresses.
• Log files revealed unauthorized modifications to DNS records.
5.3 Suspicious Login Attempts
• An unusual increase in failed login attempts was observed from different
geographic locations.
• Some users reported being locked out of their accounts.
5.4 Behavior-Based Detection
• Security teams identified unusual patterns in DNS queries.
• Automated security tools flagged unauthorized access attempts.
6. Investigation and Response
The university’s IT department launched an immediate investigation to contain
and mitigate the attack.
6.1 Containment Measures
• IT teams disabled affected DNS servers and switched to alternative trusted
DNS providers.
• Malicious domains were blacklisted across all university systems.
• Compromised devices were disconnected from the network.
6.2 Forensic Analysis
• DNS logs were analyzed to identify attack sources.
• Infected endpoints were scanned for malware.
• Attack patterns were matched with known DNS spoofing techniques.
6.3 Restoring DNS Integrity
• The DNS resolver cache was flushed to remove poisoned entries.
• University DNS servers were reconfigured with stricter security policies.
• DNSSEC (Domain Name System Security Extensions) was deployed to
authenticate DNS records.
6.4 User Awareness and Mitigation
• An urgent cybersecurity advisory was issued to students and staff.
• Affected users were instructed to reset passwords and enable multi-factor
authentication.
• Employees were trained on recognizing phishing attempts.
7. Preventive Measures and Security Enhancements
7.1 Implementation of DNSSEC
• DNSSEC uses cryptographic signatures on DNS records so that a validating
resolver can verify that a response is authentic and unmodified.
• Validating resolvers reject forged or altered answers, which defeats cache
poisoning and on-path tampering with DNS responses. DNSSEC authenticates DNS
data but does not encrypt queries, so it must be combined with the monitoring
and endpoint controls described below.
7.2 Secure DNS Services
• The university switched to a secure, cloud-based DNS service with advanced
threat detection.
• A centralized DNS firewall was implemented to block malicious domains.
7.3 Network Traffic Monitoring
• AI-driven threat detection tools were deployed to analyze DNS query
behavior in real time.
• Suspicious DNS queries were flagged for immediate investigation.
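The checks described in Sections 5.2, 5.4 and 7.3 can be expressed as simple rules over resolver logs. The following is an added illustration, not code from the case study: it runs two detections over a constructed sample log, flagging hosts that query a resolver outside the university's approved set (the rogue-server and malware cases) and answers for monitored portal names that differ from their expected addresses (the cache-poisoning case). The resolver addresses, portal names and expected records are hypothetical.

```python
from collections import defaultdict
# Constructed sample resolver log (not from the case study). Fields:
# time  client-ip  resolver-ip  queried-name  answer-ip
SAMPLE_LOG = """\
09:01:02 10.20.5.14 10.0.0.53 portal.university.example 203.0.113.10
09:01:05 10.20.5.14 10.0.0.53 mail.university.example 203.0.113.20
09:01:09 10.20.7.31 10.0.0.53 portal.university.example 198.51.100.77
09:01:11 10.20.9.8 192.0.2.66 portal.university.example 198.51.100.77
09:01:15 10.20.9.8 192.0.2.66 finance.university.example 198.51.100.78
09:01:20 10.20.5.14 10.0.1.53 portal.university.example 203.0.113.10
"""
# Hypothetical policy: the university's own resolvers and the addresses its
# portals should resolve to (a real deployment would load these from zone data).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
EXPECTED_RECORDS = {
    "portal.university.example": "203.0.113.10",
    "mail.university.example": "203.0.113.20",
    "finance.university.example": "203.0.113.30",
}

def parse_line(line):
    ts, client, resolver, qname, answer = line.split()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": qname.lower().rstrip("."), "answer": answer}

def analyze(log_text):
    """Return (client, signal, detail) findings.
    unapproved_resolver: the host queries a resolver outside the approved set
        (rogue DNS server, or malware that rewrote its local DNS settings).
    wrong_answer: a monitored name resolved to an unexpected address; from an
        approved resolver this points at a poisoned cache."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["resolver"] not in APPROVED_RESOLVERS:
            findings.append((rec["client"], "unapproved_resolver", rec["resolver"]))
        expected = EXPECTED_RECORDS.get(rec["qname"])
        if expected and rec["answer"] != expected:
            findings.append((rec["client"], "wrong_answer",
                             f"{rec['qname']} -> {rec['answer']} (expected {expected})"))
    return findings

def affected_clients(findings):
    """Group signals per client so responders know which hosts to isolate first."""
    by_client = defaultdict(set)
    for client, signal, _ in findings:
        by_client[client].add(signal)
    return dict(by_client)
```

On the sample log, 10.20.7.31 receives a wrong answer from an approved resolver (consistent with a poisoned cache), while 10.20.9.8 both uses an unapproved resolver and receives wrong answers (consistent with a rogue server or altered local DNS settings).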
7.4 System Hardening and Patch Management
• DNS servers and network infrastructure were regularly updated to fix
security vulnerabilities.
• Network configurations were adjusted to prevent unauthorized access.
7.5 Multi-Factor Authentication (MFA)
• MFA was mandated for all university login systems.
• This added an extra layer of security even if credentials were compromised.
7.6 Security Awareness Training
• Regular training sessions were conducted for students and staff.
• Users were educated on identifying phishing scams and secure browsing
habits.
8. Real-World Examples of Similar Attacks
8.1 Google Brazil DNS Hijacking (2014)
• Attackers modified DNS settings on Brazilian ISPs.
• Users were redirected to fake Google login pages, leading to credential
theft.
8.2 Turkish DNS Hijacking (2014)
• The Turkish government allegedly manipulated ISP DNS records to redirect
users.
• Citizens were blocked from accessing certain websites.
8.3 MyEtherWallet DNS Attack (2018)
• Hackers hijacked DNS servers of MyEtherWallet.
• Cryptocurrency investors were redirected to phishing pages and lost funds.
9. Future Cybersecurity Trends
As cyber threats evolve, organizations must adopt proactive strategies to counter
DNS spoofing attacks.
9.1 AI-Powered Threat Detection
• Machine learning models can analyze network traffic and detect abnormal
DNS behavior in real time.
• Automated response systems can mitigate threats before damage occurs.
9.2 Zero-Trust Security Model
• Implementing a zero-trust approach ensures continuous verification of
users and devices.
• Strict access control policies minimize the risk of unauthorized access.
9.3 Blockchain-Based DNS Security
• Decentralized DNS solutions prevent centralized DNS hijacking.
• Blockchain technology ensures DNS integrity by verifying domain ownership
cryptographically.
9.4 Quantum Cryptography for DNS Protection
• Future cryptographic algorithms will strengthen the signatures that DNSSEC
relies on.
• Quantum-resistant (post-quantum) signature algorithms will be needed to keep
DNSSEC-protected communications secure against attackers equipped with quantum
computers.
10. Conclusion
The DNS spoofing attack on the university network exposed significant security
weaknesses in its IT infrastructure. The swift response by the IT team minimized
damage and led to stronger security measures.
Key takeaways:
• Early detection is critical – Continuous network monitoring is essential for
identifying threats.
• DNS security must be a priority – Implementing DNSSEC and secure DNS
services helps prevent spoofing attacks.
• User awareness is crucial – Educating students and staff on phishing threats
reduces the risk of credential theft.
• Proactive measures enhance cybersecurity – AI-based monitoring,
blockchain DNS, and zero-trust policies will play a crucial role in future
network security.
By implementing advanced security protocols and fostering a culture of
cybersecurity awareness, the university can protect its students and staff from
future DNS spoofing and phishing attacks.
11. Recommendations
1. Deploy an AI-based DNS monitoring system to detect anomalies in real time.
2. Mandate DNSSEC across all university DNS servers to prevent spoofing.
3. Conduct regular security drills to test response strategies against DNS
attacks.
4. Restrict access to DNS settings and limit administrative privileges.
5. Educate users on cybersecurity best practices through workshops and
simulated phishing tests.
By following these recommendations, the university can significantly enhance its
cybersecurity posture and prevent similar attacks in the future.