DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.

Domain Name System: a Quick Review Hostname → IP mapping. Hierarchical in nature, subdivided by domains and sub-domains. Distributed database: many servers each manage a subset of the namespace (it is far too large to centralize). We don't want to walk down the tree from the root on every lookup, since the root servers already carry a heavy load, so the local name-server caches answers and can often answer a query from its cache. An answer served from cache is called a non-authoritative answer.

DNS Protocol Refresher

Cache Poisoning - Motivation Corrupt a cached mapping: hostname → ??? Why? Redirect web traffic (denial of service), or mount a man-in-the-middle attack by redirecting it to a host the attacker controls.

Brief History 1993: First paper outlining several vulnerabilities in DNS, including the technique of cache poisoning. 1997: CERT releases an advisory on a vulnerability in BIND (used by virtually every name-server): transaction IDs were assigned sequentially, so an attacker could predict the next one. Newer versions randomize them. 2002: It is discovered that BIND will send multiple simultaneous recursive queries for the same name, which opens the 16-bit transaction ID space to a birthday attack, or to the more sophisticated phase-space analysis spoofing attack.

The BIND Birthday Attack

The Birthday Attack Send n queries to the vulnerable nameserver for the name to hijack, while sending an equal number of spoofed replies at the same time. Each spoofed reply carries a randomly generated transaction ID. The attacker must win the race between the first collision of one of his spoofed IDs with one of the n outstanding queries and the legitimate answer from the authoritative name server (ANS).* Success probability is near 100% at n=700. * The race can be tilted further in the attacker's favour by flooding the ANS with bogus packets to slow it down.

Birthday Attack (n queries) vs. Conventional Spoofing (1 query)
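The curves behind the comparison above, as an added worked example that is not part of the presentation or of Stewart's paper: conventional spoofing of a single outstanding query versus the birthday attack with n outstanding queries and n spoofed replies. The analytic form is the standard birthday approximation (each spoofed reply hits any of the n outstanding IDs with probability about n/65536), which is an assumption about the model rather than the paper's own derivation; the Monte Carlo run checks it. All reply fields other than the 16-bit transaction ID are assumed known to the attacker.

```python
import random

ID_SPACE = 1 << 16  # 16-bit transaction IDs; every other reply field assumed known


def conventional_spoof_success(n, space=ID_SPACE):
    """One outstanding query; the attacker fires n spoofed replies with distinct
    guessed IDs. Success probability grows only linearly in n."""
    return min(n, space) / space


def birthday_success(n, space=ID_SPACE):
    """n outstanding queries for the same name, each with its own random ID, and
    n spoofed replies with random IDs. A spoofed reply lands if it matches any
    outstanding ID (prob. about n/space), so P(success) ~ 1 - (1 - n/space)^n.
    (Assumed model, not the paper's exact derivation.)"""
    return 1 - (1 - n / space) ** n


def packets_for(p, space=ID_SPACE):
    """Smallest n for which the birthday attack reaches success probability p."""
    n = 1
    while birthday_success(n, space) < p:
        n += 1
    return n


def simulate_birthday(n, trials=500, space=ID_SPACE, seed=7):
    """Monte Carlo check of the formula. Both sides draw IDs uniformly with
    replacement, so duplicate query IDs slightly reduce the real odds."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        outstanding = {rng.randrange(space) for _ in range(n)}
        if any(rng.randrange(space) in outstanding for _ in range(n)):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for n in (1, 100, 213, 300, 700):
        print(f"n={n:4d}: conventional {conventional_spoof_success(n):7.4f}  "
              f"birthday {birthday_success(n):7.4f}")
    print("n for 50%:", packets_for(0.5), " n for 99%:", packets_for(0.99))
    print("simulated n=700:", simulate_birthday(700))
```

With 700 packets the conventional attacker is still at about 1%, while the birthday attacker is above 99.9%; the 50% mark is reached at roughly 213 packets, which is why the ANS race, not the ID space, is the limiting factor.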

Successful Packet must match: Transaction ID (guessed). Source and destination IP addresses (easy: the ANS being impersonated and the target resolver). The query's destination port is always 53, so the spoofed reply's source port is 53. The query's source port: BIND often reuses the same source port for every query it sends, so the spoofed reply's destination port is predictable too; a tcpdump of the target resolver's outgoing DNS requests before the attack should reveal it. An example:
10:54: > : [1au] A? (42) (DF)
10:54: > : [1au] A? (43) (DF)
10:54: > : [1au] A? (45) (DF)
10:54: > : [1au] A? (42) (DF)

Phase Space Analysis Spoofing Michal Zalewski's paper "Strange Attractors and TCP/IP Sequence Number Analysis" describes a method for analyzing the predictability of sequence numbers; the same method applies to DNS transaction IDs. His tools plot dumps of generated numbers (as the deltas between consecutive values) into 3-D space, revealing clustering and exposing predictability. Geometric patterns in the plot are "attractors". An ideal random number generator appears as an evenly dispersed cloud.

Phase Space of BIND 8.3.4

Attacking BIND Limit the spoofing set to the attractors and greatly increase the odds of the birthday attack. With the phase-space data, Zalewski's second tool predicts the next transaction ID with 100% probability from the 3 previous IDs. So even with the birthday attack patched, BIND 8 is still vulnerable (no attack specifics are given in the paper).

Phase Space of BIND 9

BIND 9 Uses a completely new random-number engine, seeded from /dev/random. Transaction IDs were still predictable about 20% of the time with a spoofing set of n=5000. Very high bandwidth would be required to win the race against the authoritative NS unless combined with a successful DoS attack on the ANS.
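Zalewski's delta-based phase-space construction and the "predict from the 3 previous IDs" spoofing set of the preceding slides, as an added worked example that is not part of the presentation and is neither Zalewski's nor Stewart's code. The weak generator is a constructed stand-in ("previous ID plus a small random step"), not BIND 8's actual ID generator; the os.urandom stream plays the role of a /dev/random-backed generator like BIND 9's. Running it shows the weak stream collapsing to a handful of attractor points that predict the next ID with a spoofing set of at most four candidates, while the strong stream yields no usable prediction.

```python
import os
import random
from collections import defaultdict

MOD = 1 << 16  # 16-bit DNS transaction IDs wrap modulo 65536


def phase_space(ids):
    """Zalewski-style 3-D phase space built from consecutive deltas:
    point k is (d[k-2], d[k-1], d[k]) with d[i] = ids[i] - ids[i-1] mod 2^16."""
    d = [(ids[i] - ids[i - 1]) % MOD for i in range(1, len(ids))]
    return [(d[i - 2], d[i - 1], d[i]) for i in range(2, len(d))]


def build_attractor(ids):
    """Index the attractor: which third deltas were seen after each (d1, d2) pair."""
    table = defaultdict(set)
    for d1, d2, d3 in phase_space(ids):
        table[(d1, d2)].add(d3)
    return table


def spoofing_set(table, last3):
    """Candidate next IDs given the last three observed IDs. Empty when this
    region of phase space was never visited, i.e. the stream looks random here."""
    a, b, c = last3
    d1, d2 = (b - a) % MOD, (c - b) % MOD
    return {(c + d3) % MOD for d3 in table.get((d1, d2), ())}


def evaluate(ids, train):
    """Train on ids[:train], then predict every later ID from its three
    predecessors, learning as we go. Returns (hit rate, mean spoofing-set size)."""
    table = build_attractor(ids[:train])
    hits = total_size = 0
    for i in range(train, len(ids)):
        guesses = spoofing_set(table, ids[i - 3:i])
        total_size += len(guesses)
        hits += ids[i] in guesses
        a, b, c, d = ids[i - 3:i + 1]  # add the newly observed point to the attractor
        table[((b - a) % MOD, (c - b) % MOD)].add((d - c) % MOD)
    n = len(ids) - train
    return hits / n, total_size / n


def weak_ids(n, seed=1):
    """Constructed weak generator (not BIND's): each ID is the previous one plus
    a step from a tiny set. Its phase space collapses to a few attractor points."""
    rng = random.Random(seed)
    steps = (1, 2, 3, 5)
    x = rng.randrange(MOD)
    out = []
    for _ in range(n):
        x = (x + rng.choice(steps)) % MOD
        out.append(x)
    return out


def strong_ids(n):
    """IDs from the OS entropy source, standing in for a /dev/random-backed generator."""
    return [int.from_bytes(os.urandom(2), "big") for _ in range(n)]


if __name__ == "__main__":
    for name, ids in (("weak", weak_ids(1000)), ("strong", strong_ids(1000))):
        hit, size = evaluate(ids, train=300)
        print(f"{name}: attractor points={len(set(phase_space(ids)))}, "
              f"hit rate={hit:.3f}, mean spoofing set={size:.1f}")
```

The spoofing-set size is what matters for the birthday attack: a set of four candidates instead of 65536 turns the race into a near-certain win, which is the sense in which the slide says BIND 8 stays vulnerable even with duplicate recursive queries fixed.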

Phase Space for djbdns

D.J. Bernstein DNS (djbdns) Despite the nice-looking "cloud", the randomness of its transaction IDs is actually slightly worse than BIND's. However, djbdns also randomizes the source port of each query:
22:42: > : A? (31) (DF)
22:42: > : 1776 A? (32) (DF)
22:43: > : A? (34) (DF)
22:43: > : 5110 A? (31) (DF)
This forces the attacker to guess both the transaction ID and the port the resolver used as source (the spoofed reply's destination port): approximately 1 billion possible ID/port pairs.
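The pre-attack tcpdump check that the "Successful Packet" slide and this slide both rely on, as an added example that is not from the presentation: parse the resolver's outgoing queries and classify what a spoofed reply would still have to guess. The two captures are constructed sample lines in tcpdump -n format, not captures from the paper; 192.0.2.10 is a hypothetical resolver and 198.51.100.1 a hypothetical authoritative server. The first sample mimics a resolver with a fixed source port and sequential IDs (the 1997 BIND behaviour), the second a djbdns-style resolver with both randomized.

```python
import re
from collections import Counter

ID_SPACE = 1 << 16

# Constructed tcpdump -n lines (not real captures). 192.0.2.10 = hypothetical
# resolver being assessed, 198.51.100.1 = hypothetical authoritative server.
FIXED_PORT_SAMPLE = """\
10:54:01.100001 IP 192.0.2.10.1053 > 198.51.100.1.53: 20041+ A? www.example.com. (33)
10:54:01.100512 IP 192.0.2.10.1053 > 198.51.100.1.53: 20042+ A? mail.example.com. (34)
10:54:01.101020 IP 192.0.2.10.1053 > 198.51.100.1.53: 20043+ A? ftp.example.com. (33)
10:54:01.101533 IP 192.0.2.10.1053 > 198.51.100.1.53: 20044+ A? ns.example.com. (32)
"""

RANDOM_PORT_SAMPLE = """\
22:42:10.300001 IP 192.0.2.10.41777 > 198.51.100.1.53: 1776+ A? www.example.com. (33)
22:42:10.300499 IP 192.0.2.10.2090 > 198.51.100.1.53: 60213+ A? mail.example.com. (34)
22:43:11.300977 IP 192.0.2.10.39001 > 198.51.100.1.53: 5110+ A? ftp.example.com. (33)
22:43:11.301460 IP 192.0.2.10.12345 > 198.51.100.1.53: 31984+ A? ns.example.com. (32)
"""

# "IP src.sport > dst.dport: txid+ A? name. (len)" as printed by tcpdump -n
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<txid>\d+)\+?"
)


def parse_queries(text):
    """Return (src, sport, dst, txid) for every outgoing DNS query line."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("dport") == "53":
            out.append((m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("txid"))))
    return out


def assess(text):
    """Classify the resolver's query behaviour and list what a forged reply
    would still have to guess (fields the capture does not give away)."""
    q = parse_queries(text)
    ports = Counter(sport for _, sport, _, _ in q)
    txids = [t for *_, t in q]
    deltas = {(b - a) % ID_SPACE for a, b in zip(txids, txids[1:])}
    fixed_port = len(ports) == 1
    sequential = len(txids) > 1 and deltas == {1}
    return {
        "queries": len(q),
        "fixed_source_port": fixed_port,
        "sequential_txid": sequential,
        "must_guess": ([] if sequential else ["txid"])
                      + ([] if fixed_port else ["dst_port"]),
    }


if __name__ == "__main__":
    for name, sample in (("fixed-port resolver", FIXED_PORT_SAMPLE),
                         ("random-port resolver", RANDOM_PORT_SAMPLE)):
        print(name, assess(sample))
```

Only a handful of queries are needed for the fixed-port case to show itself; the random-port case is the one where the attacker is pushed to the ID/port product the slide quotes, and no amount of passive observation recovers the next port.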

Recommended Defenses Users: Confirm SSL certificates when making secure online transactions (this is what exposes a man-in-the-middle). Use it if you suspect a site is being spoofed. Run your own resolver and bypass the ISP's altogether! Web-Servers: Can use SSL to authenticate themselves to browsers. Be on the lookout for short DoS attacks (wipe cache?)

ISP Nameserver Defenses Upgrade BIND to the 9.x series, rewritten from scratch with security in mind; it is not vulnerable to the birthday attack. djbdns is also more resilient to birthday attacks. Split-split DNS: divide name-server responsibilities between two separate servers, a resolver (caching, recursive) and an advertiser (authoritative, public). The public server disallows recursive queries, and the recursive (caching) server is firewalled from the outside. Drawback: expensive in hardware and overhead. If you can't use split-split, use the "listen-on" option to bind the nameserver daemon to an interface protected from the outside world.
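The split-split layout and the "listen-on" fallback of this slide as named.conf fragments, added here as an example and not taken from the presentation. The addresses are placeholders (203.0.113.53 for the public advertiser, 192.0.2.53 for the resolver's inside interface, 192.0.2.0/24 for the internal client network), and the weak single-server setting is shown first for contrast.

```conf
// Added example; addresses below are placeholders, not a real deployment.

// --- Weak: one server doing both jobs and recursing for anyone ---
// options { recursion yes; };   // any outside host can create the
//                               // outstanding recursive queries the attack races

// --- named.conf on the advertiser (public, authoritative only) ---
options {
    listen-on { 203.0.113.53; };
    recursion no;                 // never recurses: nothing to poison
    allow-query { any; };
};
zone "example.com" {
    type master;
    file "db.example.com";
};

// --- named.conf on the resolver (caching, recursive, inside only) ---
options {
    listen-on { 192.0.2.53; };    // the slide's "listen-on" fallback: inside interface only
    recursion yes;
    allow-recursion { 192.0.2.0/24; };
    allow-query { 192.0.2.0/24; };
};
```

The advertiser never holds outstanding recursive queries, so there is nothing for a spoofed reply to collide with; the resolver is reachable only from inside, so an outside attacker cannot trigger the n queries the birthday attack needs, and the firewall in front of it should drop inbound packets to its query source port from anything but the servers it actually asked.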

DNSSec DNS Security Extensions, from an IETF working group. Designed to counter cache poisoning and to secure dynamic DNS updates. KEY/SIG records carry RSA public keys and signatures, so the zone authority may sign all DNS records in the zone.

Questions?