Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Cache Poisoning Detection at the end-user level.

Published byDayna Miller Modified over 8 years ago

Similar presentations

Presentation on theme: "DNS Cache Poisoning Detection at the end-user level."— Presentation transcript:

1 DNS Cache Poisoning Detection at the end-user level

2 Caches DNS : tree of domain name

3 Caches DNS : tree of domain name Into DNS server TLDs ISPs, local Corporate

4 Caches DNS : tree of domain name Into DNS server TLDs ISPs, local Corporate In end-user computer's System cache (hosts) Browser cache (client)

5 DNS request Every time you try to reach a domain name

6 DNS request Every time you try to reach a domain name Identified by: Destination Topic (domain in the request) Port number Transaction number

7 DNS request Every time you try to reach a domain name Identified by: Destination Topic (domain in the request) Port number Transaction number Destination can be spoofed Topic is the target Port number is almost always 53 Transaction number can be guessed Birthday paradox

8 Poison: A Firefox extension XUL HTML-like Merging (Overlay) Modifiable using JavaScript

9 Overlay: Merging XUL documents <?xul-overlay href="chrome://.../editMenuOverlay.xul"?> <menupopup id="menu_FilePopup" onpopupshowing="AreaFrameCount();">......... <?xml-stylesheet href="chrome://poison/content/info.css" ?> <script src="chrome://poison/content/poison.js" />...

10 Overlay: Merging XUL documents <?xul-overlay href="chrome://.../editMenuOverlay.xul"?> <menupopup id="menu_FilePopup" onpopupshowing="AreaFrameCount();">......... <?xml-stylesheet href="chrome://poison/content/info.css" ?> <script src="chrome://poison/content/poison.js" />...

11 Poison: A Firefox extension XUL HTML-like Merging (Overlay) Modifiable using JavaScript JavaScript Object oriented High level Interpreted

12 JavaScript: Modifying content From DB Script: var dbzone = document.getElementById("db_traceroute"); dbzone.firstChild.nodeValue = result; db.setAttribute("hidden", "false");

13 Poison: A Firefox extension JavaScript Object oriented High level Interpreted XUL HTML-like Merging (Overlay) Modifiable using JavaScript XUL + JS + Firefox Event-driven UI is simple Simple modification of UI using JS Easy to do network request SQLITE provided

14 Verifications : Generalities For every test First time Obtain the informations (test dependent) Store the result of the test into the database for future comparison

15 Verifications : Generalities For every test First time Obtain the informations (test dependent) Store the result of the test into the database for future comparison Every other time Obtain the informations Compare them with what is store in the database for the same website Extract a similarity score

16 Verification : Similarity score Take the data from the BDD Compare with the data we just obtained No fingerprint Complete text data Use more space, but also more reliable Compare line by line

17 Project : Poison Window / Panel Address bar & status bar Demo : Firefox portable version on USB drive

18 Results From March 31 th to April 5 th 15 websites 6 tests every 30 minutes 21 620 test entries

19 Results : global average (without poisoning)

20 Results : Tests description Comparing IP to the IP stored in the database

21 Results : Tests description Comparing IP to the IP stored in the database Check IP make a second DNS request

22 Results : Tests description Comparing IP to the IP stored in the database Check IP make a second DNS request Error page Access a nonexistent page

23 Results : Tests description Comparing IP to the IP stored in the database Check IP make a second DNS request Error page Access a nonexistent page Traceroute

24 Results : Tests description Comparing IP to the IP stored in the database Check IP make a second DNS request Error page Access a nonexistent page Traceroute Reverse DNS Get the domain names corresponding to an IP address

25 Results : Tests description Comparing IP to the IP stored in the database Check IP make a second DNS request Error page Access a nonexistent page Traceroute Reverse DNS Get the domain names corresponding to an IP address WHOIS Get informations about who own the domain name,...

26 Results : Average by test

27 Attack simulation Modify hosts file (/etc/hosts) Poisoned the April 4 th at 9pm

28 Results : Attack ! /etc/hosts modified the April 4 th at 9PM

29 Improvements The data could have more meaning Currently it is only dump comparison The request and the scoring could be automatic More usability

Download ppt "DNS Cache Poisoning Detection at the end-user level."

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
4.01 How Web Pages Work.

4.01 How Web Pages Work.
Multiple Tiers in Action

Multiple Tiers in Action
Chapter 1 Getting Started With Dreamweaver. Explore the Dreamweaver Workspace The Dreamweaver workspace is where you can find all the tools to create.

Chapter 1 Getting Started With Dreamweaver. Explore the Dreamweaver Workspace The Dreamweaver workspace is where you can find all the tools to create.
Topics in this presentation: The Web and how it works Difference between Web pages and web sites Web browsers and Web servers HTML purpose and structure.

Topics in this presentation: The Web and how it works Difference between Web pages and web sites Web browsers and Web servers HTML purpose and structure.
Dreamweaver 8 Concepts and Techniques Introduction Web Site Development and Macromedia Dreamweaver 8.

Dreamweaver 8 Concepts and Techniques Introduction Web Site Development and Macromedia Dreamweaver 8.
CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.

CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Linux Operations and Administration

Linux Operations and Administration
Website Publishing. Publishing Basics Early Web Sites Obtain a Domain Name IP Address (Internet Protocol Address) – A number that uniquely identifies.

Website Publishing. Publishing Basics Early Web Sites Obtain a Domain Name IP Address (Internet Protocol Address) – A number that uniquely identifies.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
ITIS 1210 Introduction to Web-Based Information Systems Chapter 23 How Web Host Servers Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 23 How Web Host Servers Work.
DNS Security Pacific IT Pros Nov. 5, 2013. Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,

DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
ASP (Active Server Pages) by Bülent & Resul. Presentation Outline Introduction What is an ASP file? How does ASP work? What can ASP do? Differences Between.

ASP (Active Server Pages) by Bülent & Resul. Presentation Outline Introduction What is an ASP file? How does ASP work? What can ASP do? Differences Between.
Web Design and Development. World Wide Web  World Wide Web (WWW or W3), collection of globally distributed text and multimedia documents and files 

Web Design and Development. World Wide Web  World Wide Web (WWW or W3), collection of globally distributed text and multimedia documents and files 
Web Server.

Web Server.
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.

ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
Unit 1 – Web Concepts Instructor: Brent Presley.

Unit 1 – Web Concepts Instructor: Brent Presley.

Similar presentations

Ads by Google