What is an LLMNR poisoning attack?
LLMNR (Link-Local Multicast Name Resolution) poisoning is an attack method to compromise the local network name resolution process. This attack is based on the malicious use of the LLMNR protocol, which is designed to find resources on the local network when a DNS query fails.
How does LLMNR poisoning work?
Let's take a closer look at the general mechanism of the LLMNR poisoning attack.
1. LLMNR queries and responses
When a device on the LAN requests name resolution and receives no response from DNS, it can use LLMNR to attempt name resolution on the LAN. The device sends an LLMNR request (UDP packet) to find the appropriate IP address for the requested name.
2. Spoofing responses
Attackers conduct an LLMNR poisoning attack, monitoring network traffic and detecting LLMNR requests. Then, they send spoofed LLMNR responses as a legitimate source on the network.
3. Identity attack
When a device receives a spoofed response, it establishes a connection to an IP address provided by the attacker. This opens the door for the attacker to intercept, analyze, and even modify the data being transmitted between the device and the target resource.
How to prevent LLMNR poisoning?
There are 4 effective ways to prevent such attacks.
A simple but effective solution is to disable the LLMNR for network devices, at least where its use may be redundant. This decreases the chance of LLMNR poisoning, as an attacker cannot abuse the protocol in most cases. Disabling LLMNR can be easily accomplished through settings, giving the administrator additional control over the use of this protocol on the network.
Using GPOs (Group Policy Objects)
It is also effective to use GPOs, a tool for managing the configuration of devices on the network. An administrator can create a new GPO or edit an existing one by opening the Group Policy Management Console on a domain controller. Then, by configuring security settings, including disabling the LLMNR and activating necessary policies, the administrator creates uniform security standards. Applying GPOs to organizational units or groups of computers ensures consistent security settings across the network, dramatically reducing the risk of attack.
Manual traffic monitoring and analysis
Manually monitoring and analyzing traffic using tools such as Wireshark or tcpdump provides an additional active layer of security. Administrators can quickly identify LLMNR traffic patterns, analyze suspicious activity, and respond to each incident instantly and accurately.
Using IPS/IDS (Intrusion Detection and Prevention Systems)
IDS and IPS are advanced security components that provide an intrusion detection and prevention system by continuously analyzing traffic for suspicious patterns. Installation and configuration of these systems, signature rules, system alerts, and necessary automatic responses provide a robust mechanism to protect the network from various attacks, including LLMNR poisoning.
- The mechanism behind the LLMNR poisoning attack is that an attacker monitors and misleads devices by sending fake LLMNR responses, which allows them to intercept and analyze the transmitted data.
- The first and simplest solution to prevent an LLMNR poisoning attack is to disable LLMNR where it is not clearly needed.
- Configuration management via GPOs for uniform security standards is also necessary.
- Manual monitoring of network traffic can be used to target potential attacks and respond to suspicious activity.
- IPS/IDS significantly increases the level of defense against such attacks by further automating their timely detection and response.