DNS Cache Poisoning Detection at the end-user level.

Presentation transcript:

DNS Cache Poisoning Detection at the end-user level

Caches
- DNS: a tree of domain names
- In DNS servers
  - TLDs
  - ISPs, local
  - Corporate
- On the end-user's computer
  - System cache (hosts)
  - Browser cache (client)

DNS request
- Every time you try to reach a domain name
- Identified by:
  - Destination
  - Topic (domain in the request)
  - Port number
  - Transaction number
- Destination can be spoofed
- Topic is the target
- Port number is almost always 53
- Transaction number can be guessed
  - Birthday paradox

Poison: A Firefox extension
- XUL
  - HTML-like
  - Merging (Overlay)
  - Modifiable using JavaScript

Overlay: Merging XUL documents

    <?xul-overlay href="chrome://.../editMenuOverlay.xul"?>
    <menupopup id="menu_FilePopup" onpopupshowing="AreaFrameCount();">
    <?xml-stylesheet href="chrome://poison/content/info.css" ?>
    <script src="chrome://poison/content/poison.js" />
    ...

Poison: A Firefox extension
- JavaScript
  - Object oriented
  - High level
  - Interpreted

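JavaScript: Modifying content
From DB
Script:

    // Look up the element that displays the traceroute result
    var dbzone = document.getElementById("db_traceroute");
    // Write the result into its text node
    dbzone.firstChild.nodeValue = result;
    // Unhide the section (db is not defined in this excerpt)
    db.setAttribute("hidden", "false");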

Poison: A Firefox extension
- XUL + JS + Firefox
  - Event-driven
  - UI is simple
  - Simple modification of UI using JS
  - Easy to do network requests
  - SQLite provided

Verifications: Generalities
For every test:
- First time
  - Obtain the information (test dependent)
  - Store the result of the test in the database for future comparison
- Every other time
  - Obtain the information
  - Compare it with what is stored in the database for the same website
  - Extract a similarity score

Verification: Similarity score
- Take the data from the database
- Compare it with the data we just obtained
- No fingerprint: complete text data
  - Uses more space, but is also more reliable
- Compare line by line
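The store-then-compare flow and line-by-line score described above, as an added example that is not the extension's own code. A Map stands in for the SQLite database, the scoring rule (share of identical line positions) and all function names are assumptions, and the sample results are constructed.

```javascript
// Added example: the Map stands in for SQLite; all names are hypothetical.

// Assumed scoring rule: share of line positions whose text is identical.
function similarity(storedText, freshText) {
  const a = storedText.split("\n").map((l) => l.trim());
  const b = freshText.split("\n").map((l) => l.trim());
  const total = Math.max(a.length, b.length);
  let same = 0;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] === b[i]) same++;
  }
  return same / total;
}

// First run for a (site, test) pair stores the text; later runs score it.
function verify(store, site, test, freshText) {
  const key = site + "|" + test;
  if (!store.has(key)) {
    store.set(key, freshText);
    return null; // nothing to compare against yet
  }
  return similarity(store.get(key), freshText);
}

// Runs every test for one site; returns per-test scores and their average.
function verifySite(store, site, results) {
  const scores = {};
  let sum = 0, n = 0;
  for (const [test, text] of Object.entries(results)) {
    const s = verify(store, site, test, text);
    if (s !== null) { scores[test] = s; sum += s; n++; }
  }
  return { scores, average: n ? sum / n : null };
}

// Constructed sample results (documentation addresses, not measurements).
const clean = { ip: "192.0.2.10", reverseDns: "www.example.test",
  traceroute: "10.0.0.1\n198.51.100.1\n192.0.2.10" };
// Same site after its name resolves elsewhere, as in the hosts-file test.
const poisoned = { ip: "203.0.113.66", reverseDns: "host66.example.invalid",
  traceroute: "10.0.0.1\n198.51.100.1\n203.0.113.66" };

const store = new Map();
verifySite(store, "www.example.test", clean);                 // first time: stored
console.log(verifySite(store, "www.example.test", clean));    // unchanged site
console.log(verifySite(store, "www.example.test", poisoned)); // after the change
```

The traceroute score stays above zero after the change because the first two hops are unchanged, which is why per-test scores are kept alongside the average.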

Project: Poison
- Window / Panel
- Address bar & status bar
- Demo: Firefox portable version on USB drive

Results
- From March 31st to April 5th
- 15 websites
- 6 tests every 30 minutes
- test entries

Results: global average (without poisoning)

Results: Tests description
- Comparing the IP to the IP stored in the database
- Check IP: make a second DNS request
- Error page: access a nonexistent page
- Traceroute
- Reverse DNS: get the domain names corresponding to an IP address
- WHOIS: get information about who owns the domain name, ...

Results: Average by test

Attack simulation
- Modify the hosts file (/etc/hosts)
- Poisoned on April 4th at 9 pm

Results: Attack!
- /etc/hosts modified on April 4th at 9 pm

Improvements
- The data could have more meaning
  - Currently it is only a dump comparison
- The requests and the scoring could be automatic
- More usability