Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d.

Published byAlannah Cunningham Modified over 8 years ago

Similar presentations

Presentation on theme: "DNS Security Risks Section 0x02. Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d."— Presentation transcript:

1 DNS Security Risks Section 0x02

2 Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d c

3 DNS Overview (Basics) World’s largest distributed database (maybe?) World’s largest distributed database (maybe?) Maintains name address relationship on the Internet Maintains name address relationship on the Internet Critical component of the Internet Critical component of the Internet

4 DNS Overview (Data Flow) Client tries to resolve a name Client tries to resolve a name Asks the next level (“zone”) up Asks the next level (“zone”) up If the next highest zone knows, it answers If the next highest zone knows, it answers If not, it asks the next highest zone If not, it asks the next highest zone Each zone has an authoritative server responsible for answering these requests Each zone has an authoritative server responsible for answering these requests

5 Potential Attacks Why might we want to exploit DNS requests? Why might we want to exploit DNS requests? How might we exploit DNS requests? How might we exploit DNS requests?

6 Simple Attacks Typosquatting Typosquatting Denial of Service Denial of Service Registrar Hacking Registrar Hacking

7 Typosquatting Register an address that’s very similar to a well- known, legitimate one Register an address that’s very similar to a well- known, legitimate one Examples: www.goggle.com, www.yaho.com, www.whitehouse.com Examples: www.goggle.com, www.yaho.com, www.whitehouse.com Occasionally used for phishing attacks Occasionally used for phishing attacks Usually just for ad views or financial squatting Usually just for ad views or financial squatting

8 Denial of Service Hosts must query DNS servers to find the IP addresses mapped to by unknown hostnames Hosts must query DNS servers to find the IP addresses mapped to by unknown hostnames Overloading these servers can cause them to be unable to respond to requests Overloading these servers can cause them to be unable to respond to requests Root DNS servers are the prime targets of attacks Root DNS servers are the prime targets of attacks Can make it impossible to connect to web servers without knowing their IP address Can make it impossible to connect to web servers without knowing their IP address

9 Registrar Hacking Domain name-to-IP mappings are registered with a number of companies Domain name-to-IP mappings are registered with a number of companies These companies’ name servers supply IP information about their managed domains These companies’ name servers supply IP information about their managed domains If these servers are hacked, traffic can be redirected If these servers are hacked, traffic can be redirected Happened to www.nytimes.com in August 2013 Happened to www.nytimes.com in August 2013 Melbourne IT registrar was hacked by the Syrian Electronic Army (with valid user credentials) and IP addresses were changed Melbourne IT registrar was hacked by the Syrian Electronic Army (with valid user credentials) and IP addresses were changed

10 Complex Attacks Rogue DNS Servers Rogue DNS Servers DNS Cache Poisoning DNS Cache Poisoning

11 Rogue DNS Servers When a system doesn’t know a name IP mapping, it goes to the next level up When a system doesn’t know a name IP mapping, it goes to the next level up If this next level up is a server controlled by a malicious entity, the response it gets may be wrong! If this next level up is a server controlled by a malicious entity, the response it gets may be wrong! Malware can manipulate the IP address that a system accesses to get DNS responses Malware can manipulate the IP address that a system accesses to get DNS responses Alternatively, a DNS server along the chain may maliciously return incorrect data Alternatively, a DNS server along the chain may maliciously return incorrect data Packets can be introduced into the flow, even without a proper DNS server in place: this is DNS spoofing! Packets can be introduced into the flow, even without a proper DNS server in place: this is DNS spoofing! Certain ISPs (e.g., Comcast) use this technique as well! Certain ISPs (e.g., Comcast) use this technique as well! Common example: if an uncommon or nonexistent hostname is typed in, the ISP’s DNS server may respond with a search page rather than an error Common example: if an uncommon or nonexistent hostname is typed in, the ISP’s DNS server may respond with a search page rather than an error A.k.a. “DNS hijacking” or “DNS redirection” A.k.a. “DNS hijacking” or “DNS redirection”

12 DNS Cache Poisoning Various DNS servers along the chain serve requests from a local cache (your own system also has a cache) Various DNS servers along the chain serve requests from a local cache (your own system also has a cache) This cache is supposed to expire regularly, but should mostly be correct This cache is supposed to expire regularly, but should mostly be correct By directly or indirectly altering this cache data can cause a trusted nameserver to return incorrect responses By directly or indirectly altering this cache data can cause a trusted nameserver to return incorrect responses

13 DNS attack story #1 October 2002 and February 2007 root server attacks October 2002 and February 2007 root server attacks DDoS attacks on DNS root servers DDoS attacks on DNS root servers Peak ~900 Mbps; ~2000 Mbps Peak ~900 Mbps; ~2000 Mbps Only briefly affected performance Only briefly affected performance DNS redundancy, large number of root servers DNS redundancy, large number of root servers

14 DNS attack story #2 ICANN June 2008 attack ICANN June 2008 attack Internet Corporation for Assigned Names and Numbers Internet Corporation for Assigned Names and Numbers Social engineering attack Social engineering attack Compromised name servers redirected www.icann.com to hacker-controlled IP address Compromised name servers redirected www.icann.com to hacker-controlled IP address

15 DNS attack story #2

16 Possible Solutions Typosquatting Typosquatting Buying up typos Buying up typos Trademarking Trademarking Denial of Service Denial of Service Redundancy Redundancy Selectively blocking traffic Selectively blocking traffic Already mostly solved! Already mostly solved! Registrar Hacking Registrar Hacking Strong passwords Strong passwords Anti-social engineering training Anti-social engineering training

17 Possible Solutions (cont.) Rogue DNS Servers and Cache Poisoning Rogue DNS Servers and Cache Poisoning Trusted DNS servers (8.8.8.8, etc.) Trusted DNS servers (8.8.8.8, etc.) ISPs may still rewrite certain DNS requests ISPs may still rewrite certain DNS requests Cryptographic security for requests Cryptographic security for requests Digital signatures for data authenticity (secure DNS) Digital signatures for data authenticity (secure DNS) Server certificates (to verify that you’ve reached the right IP address) Server certificates (to verify that you’ve reached the right IP address)

18 www.questions.com ? 173.194.79.121 173.194.79.121

Download ppt "DNS Security Risks Section 0x02. Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d."

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
SCADA Security, DNS Phishing

SCADA Security, DNS Phishing
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
1 Email and DNS Hacking. Overview Email Hacking - Technology - Attacks - Phishing/Spearphishing/Whaling DNS Hacking - Technology - Attacks - Flux 2.

1 and DNS Hacking. Overview Hacking - Technology - Attacks - Phishing/Spearphishing/Whaling DNS Hacking - Technology - Attacks - Flux 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.

CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.

Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.

CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi

Similar presentations

Ads by Google