© 2013 Infoblox Inc. All Rights Reserved. Paul UKNOF 26 – 13 Sep 2013, London Paul Ebersman.

Slides:



Advertisements
Similar presentations
DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles.
DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Domain Name System: DNS
Threat infrastructure: proxies, botnets, fast-flux
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
Presented by Neeta Jain CISC 856 TCP/IP and Upper Layer Protocols RFC 1034 & RFC 1035.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
DUKE UNIVERSITY DNSSEC 101 Kevin Miller.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
CS426Fall 2010/Lecture 341 Computer Security CS 426 Lecture 34 DNS Security.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi
Attacks on DHCP and DNS Most slides used with persmission from CS 161: Computer Security Prof. Vern Paxson University of California, Berkeley.
Geoff Huston APNIC Labs
CS526Topic 19: DNS Security1 Information Security CS 526 Topic 19: DNS Security.
By Chris Racki. Outline  Introduction  How DNS works  A typical DNS lookup  Caching for later  Vulnerabilities of DNS  Anatomy of a cache poisoning.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
Chapter 17 Domain Name System
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved. Domain Name System (DNS) Network Security Asset or Achilles.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)
1 Kyung Hee University Chapter 18 Domain Name System.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 18 Domain Name System (DNS)
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
AfNOG-2003 Domain Name System (DNS) Ayitey Bulley
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2.
Security Issues with Domain Name Systems
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
CS 5565 Network Architecture and Protocols
DNS Cache Poisoning Attack
DNS security.
Information Security CS 526 Omar Chowdhury
(DNS – Domain Name System)
Cleaning Up the Internet of Evil Things
Presentation transcript:

© 2013 Infoblox Inc. All Rights Reserved. Paul UKNOF 26 – 13 Sep 2013, London Paul UKNOF 26 – 13 Sep 2013, London DNS: Abused Child 1

© 2013 Infoblox Inc. All Rights Reserved. Attacking your cache 2

© 2013 Infoblox Inc. All Rights Reserved. Recursion  DNS queries are either recursive or nonrecursive root name server resolver com name server google.com name server 1) Recursive query for 2) Nonrecursive query for 6) Nonrecursive query for 4) Nonrecursive query for 3) Referral to com name servers 5) Referral to google.com name servers 7) A records for 8) A records for recursive servername

© 2013 Infoblox Inc. All Rights Reserved. Cache Poisoning  What is it? –Inducing a name server to cache bogus records  Made possible by –Flaws in name server implementations –Short DNS message IDs (only 16 bits, or )  Made easier on –Open recursive name servers 4

© 2013 Infoblox Inc. All Rights Reserved. Cache Poisoning Consequences  A hacker can fool your name server into caching bogus records  Your users might connect to the wrong web site and reveal sensitive  Your users might go to the wrong destination  Man in the middle attacks 5

© 2013 Infoblox Inc. All Rights Reserved. The Kashpureff Attack  Eugene Kashpureff’s cache poisoning attack used a flaw in BIND’s additional data processing alternic.net name server Recursive name server Evil resolver Query: xxx.alternic.net/A? Reply: xxx.alternic.net/A + Cache Owns nameserver

© 2013 Infoblox Inc. All Rights Reserved. DNS Message IDs  Message ID in a reply must match the message ID in the query  The message ID is a “random,” 16-bit quantity ns1ns2 Query [Msg ID 38789] Query [Msg ID 38789] Reply [Msg ID 38789] Reply [Msg ID 38789]

© 2013 Infoblox Inc. All Rights Reserved. How Random - Not!  Amit Klein of Trusteer found that flaws in most versions of BIND’s message ID generator (PRNG) don’t use sufficiently random message IDs –If the current message ID is even, the next one is one of only 10 possible values –Also possible, with queries, to reproduce the state of the PRNG entirely, and guess all successive message IDs

© 2013 Infoblox Inc. All Rights Reserved. Birthday Attacks  Barring a man in the middle or a vulnerability, a hacker must guess the message ID in use –Isn’t that hard? –As it turns out, not that hard  Brute-force guessing is a birthday attack: –365 (or 366) possible birthdays, possible message IDs –Chances of two people chosen at random having different birthdays: –Chances of n people (n > 1) chosen at random all having different birthdays:

© 2013 Infoblox Inc. All Rights Reserved. Birthday Attacks (continued) PeopleChances of two or more people having the same birthday 1012% 2041% % 3070% 5097% % Number of reply messages Chances of guessing the right message ID 200~20% 300~40% 500~80% 600~90%

© 2013 Infoblox Inc. All Rights Reserved. The Kaminsky Vulnerability  How do you get that many guesses at the right message ID? paypal.com name servers Recursive name server Hacker q00001.paypal.com/A? NXDOMAIN! Hundreds of spoofed responses! (q00001.paypal.com/NS!)

© 2013 Infoblox Inc. All Rights Reserved. The Kaminsky Vulnerability (continued)  How does a response about q00001.paypal.com poison A record?  Response: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;;; QUESTION SECTION: ;q00001.paypal.com.INA ;;; AUTHORITY SECTION q00001.paypal.com.86400INNSwww.paypal.com. ;;; ADDITIONAL SECTION

© 2013 Infoblox Inc. All Rights Reserved. Initial Kaminsky fixes  To make it more difficult for a hacker to spoof a response, we use a random query port –In addition to a random message ID –If we use 8K or 16K source ports, we increase entropy by 13 or 14 bits –This increases the average time it would take to spoof a response substantially  However, this is not a complete solution –Spoofing is harder, but still possible –Evgeniy Polyakov demonstrated that he could successfully spoof a patched BIND name server over high-speed LAN in about 10 hours

© 2013 Infoblox Inc. All Rights Reserved. Defending your cache 14

© 2013 Infoblox Inc. All Rights Reserved. Defenses  More randomness in DNS msg IDs, source ports, etc.  Better checks on glue  DNSSEC 15

© 2013 Infoblox Inc. All Rights Reserved. Overwhelming your authoritative servers 16

© 2013 Infoblox Inc. All Rights Reserved. Sheer volume and persistance  10s of thousands of bots  10s of millians of open resolvers  Gbps of traffic generated  45% of ISPs experience 1-10 DDoS/month, 47% experience DDoS/month 17

© 2013 Infoblox Inc. All Rights Reserved. High Yield Results  Small queries, large responses (DNSSEC records)  Using NSEC3 against you 18

© 2013 Infoblox Inc. All Rights Reserved. Make sure they’re your servers…  Vet your registry/registrar  Think about NS TTLs 19

© 2013 Infoblox Inc. All Rights Reserved. How to defend your servers 20

© 2013 Infoblox Inc. All Rights Reserved. Harden your server  Perimeter ACLs  Higher capacity servers  Clusters or load balanced servers  Response Rate limiting (RRL) – knight-rrl.pdf 21

© 2013 Infoblox Inc. All Rights Reserved. Spread yourself out  Fatter internet pipes (but makes you more dangerous to others)  More authoritative servers (up to a point)  Anycast  HA 22

© 2013 Infoblox Inc. All Rights Reserved. Being a good internet citizen 23

© 2013 Infoblox Inc. All Rights Reserved. It’s not just you being attacked  If you allow spoofed packets out from your network, you are part of the problem…  Use BCP38/BCP84 Ingress filtering  Implement RFC

© 2013 Infoblox Inc. All Rights Reserved. DNS use by the bad guys 25

© 2013 Infoblox Inc. All Rights Reserved. DNS use by bad guys  Command and control  DNS Amplification  Fastflux –single flux –double flux  Storm, Conficker, etc. 26

© 2013 Infoblox Inc. All Rights Reserved. Protecting your users 27

© 2013 Infoblox Inc. All Rights Reserved. Dealing with malware  Prevent infections (antivirus)  Block at the perimeter (NGFW, IDS)  Block at the client (DNS) 28

© 2013 Infoblox Inc. All Rights Reserved. Antivirus  Useful but has issues: –Depends on client update cycles –Too many mutations –Not hard to disable 29

© 2013 Infoblox Inc. All Rights Reserved. Perimeter defenses  Necessary but not complete: –Limited usefulness after client is already infected –Detection of infected files only after download starts –Usually IP based reputation lists –Limited sources of data 30

© 2013 Infoblox Inc. All Rights Reserved. RPZ DNS  Uses a reputation feed(s) (ala spam)  Can be IP or DNS based ID  Fast updates via AXFR/IXFR  Protects infected clients, helps ID them  Can isolate infected clients to walled garden 31

© 2013 Infoblox Inc. All Rights Reserved. There is *not* only one Use all methods you can! 32

© 2013 Infoblox Inc. All Rights Reserved. Q&A 33

© 2013 Infoblox Inc. All Rights Reserved. Thank you! 34