Network Security: DNS Spoofing, SQL Injection, ARP Poisoning By: Usman Jamil, Zach Black, Frank Brahmbhatt, Kurt Floyd, Jason James, Ross Stewart, Hunter Wall

DNS Spoofing - Overview Domain Name Server (DNS) poisoning or spoofing is a type of cyber-attack that exploits system vulnerabilities in the domain name server to divert traffic away from legitimate servers and directs it towards fake ones The code for DNS spoofing is often found in URLs sent via spam emails The emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer Once poisoned, a user's computer will take them to fake websites that are spoofed to look like the real thing, exposing them to risks such as spyware, keyloggers or worms

DNS Spoofing - Cascading attack If a high level DNS server is affected, all downstream servers may be affected as well If a single subdomain is spoofed, an entire domain can be hijacked for a period of time. For www.targetdomain.com, DNS now redirects to the attacker’s server for: Targetdomain.com Mail.targetdomain.com CDN.targetdomain.com Potato.targetdomain.com etc

DNS Spoofing - Cascading Attack Affected machines at Location A Company location A DNS (Uses attacked DNS server for authoritative info) ISP DNS Company “root” DNS (containing spoofed records) Affected machines at Location B Company location B DNS (ditto)

SQL Injection - Overview SQL injection weaknesses occur when an application uses untrusted data, such as data entered into web form fields, as part of a database query SQL injection (SQLi) is an application security weakness that allows attackers to control an application’s database This lets them access or delete data, change an application’s data-driven behavior, and do other undesirable things – by tricking the application into sending unexpected SQL commands

SQL Injection - Dual Defense Application side: Input sanitation Trust nothing! Parameterized queries Procedures for everything SQL injection will usually throw an error if used as a procedure argument App-side validation of inputs App-side encrypted data Quality ORM SQL server side: Permission/access separation Separation of schemas Support for app-side encrypted data Separation of databases

Preventing SQLi Use parameterized queries Escape inputs before adding them to the query Use of Prepared Statements (with Parameterized Queries) Use of Stored Procedures White List Input Validation Escaping All User Supplied Input Enforcing Least Privilege Performing Whitelist Input Validation as a Secondary Defense

ARP poisoning - Overview ARP is short for Address Resolution Protocol. Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with a forged ARP request and reply packets. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol. ARP spoofing attacks typically follow a similar progression.

ARP poisoning - Basic Steps ARP spoofing attack usually include: The attacker opens an ARP spoofing tool and sets the tool’s IP address to match the IP subnet of a target. Examples of popular ARP spoofing software include Arpspoof, Cain & Abel, Arpoison and Ettercap. The attacker uses the ARP spoofing tool to scan for the IP and MAC addresses of hosts in the target’s subnet. The attacker chooses its target and begins sending ARP packets across the LAN that contain the attacker’s MAC address and the target’s IP address. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.

ARP poisoning - OS Issues Different OSs handle ARP differently Linux Ignores unsolicited replies Watches the network to update its own cache Solaris Only updates after timeout Windows Depends on OS/version/Service Pack/security updates/phases of moon/etc Can specify timeout length Built-in randomization for length of time until refresh

Sources http://linux-ip.net/html/ether-arp.html - ARP behavior https://technet.microsoft.com/en-us/library/2005.01.howitworksdns.aspx - DNS server hierarchy https://cran.r- project.org/web/packages/RODBCext/vignettes/Parameterized_SQL_queries.html - SQL query parameterization https://support.microsoft.com/en-us/help/949589/description-of-address-resolution- protocol-arp-caching-behavior-in-win - Vista ARP cache behavior https://www.veracode.com/blog/intro-appsec/sql-injection-attacks-and-how-prevent- them-infographic - SQL Injection - Overview https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet - Preventing SQLi https://usa.kaspersky.com/resource-center/definitions/dns - DNS Spoofing - Overview https://www.techopedia.com/definition/27471/address-resolution-protocol-poisoning-arp- poisoning