Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D.

Published byDorthy Johns Modified over 9 years ago

Similar presentations

Presentation on theme: "DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D."— Presentation transcript:

1 DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D

2 Internet: Authoritive DNS Servers A Short Overview on DNS Resolver: gethostbyname(www.microsoft.com) Server: www.microsoft.com is 1.2.3.4 Client Caching DNS Server dns.microsoft.com dns.hacker.com

3 A Simple Attack – Sending Additional Resource Records gethostbyname(www.hacker.com) www.hacker.com is 1.2.3.4 And www.microsoft.com is 5.5.5.5 Server DNS Cache: www.hacker.com = 1.2.3.4 www.microsoft.com = 5.5.5.5 Client

4 An Even Easier Attack – Just Lying gethostbyname(www.microsoft.com) www.microsoft.com is 6.6.6.6 Server Client

5 The Problem DNS is not a secure protocol –Every host on the internet can claim that it is an authority for resolving queries –Even if a DNS server is authoritative for domain A, it does not mean it can be trusted to give true answers for domain B –All answers are assumed to be true

6 Other Protocols in the TCP/IP Protocol Suite DHCP – non-secure HTTPS – secure

7 More Sophisticated Attacks PRNG Vulnerability The Birthday Attack Both attacks relay on the “First answer wins” property

8 Query ID Each DNS query contains an ID A response contains the matching query ID The ID is generated by a PRNG –In most past implementations the ID was generated by a weak PRNG function.

9 PRNG Attack gethostbyname(www.microsoft.com) Server www.microsoft.com is 6.6.6.6 I don’t know… I better ask somebody else www.microsoft.com is 1.2.3.4 gethostbyname(www.microsoft.com) First answer wins! Client

10 PRNG Attack (cont) In older systems it was possible to predict the next PRNG number by observing only the last number generated. In newer systems it is possible to predict the next number with success probability of 0.2 by observing the last 5000 numbers. –Much better, but still not perfect.

11 The Birthday Attack Gethostbyname(www.microsoft.com) www.microsoft.com 6.6.6.6

12 The Birthday Attack (cont) Based on the mathematical phenomena called The Birthday Paradox: –If there are 23 people in the room, the probability that you share the same birthday with another person is at most 23/365. –But, what is the probability that 2 persons share same birthday? It is greater than 0.5! The problem is that the server generates a recursive query for each of the client’s queries This vulnerability has nothing to do with the strength of the PRNG function. There are many DNS servers that are still vulnerable to this attack, including Microsoft’s implementation.

13 The Birthday Attack (cont) The probability of succeeding in the birthday attack while sending 700 queries is very close to 1 The probability of succeeding with just sending 700 packets is 0.01

14 How Can Be done to Mitigate the Attack? Firewalls: –Truncate packets with additional resource records –How should it deal with the birthday attack? –How should it deal with the PRNG vulnerability attack? Deployment –“Split DNS”, protect your network caching DNS server from Man-in-the-Middle attacks

Download ppt "DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
DHCP Security Analysis Dallas Holmes / Matt MacClary ECE 478 Project Spring 2003.

DHCP Security Analysis Dallas Holmes / Matt MacClary ECE 478 Project Spring 2003.
Implementing Domain Name System

Implementing Domain Name System
Describe four (4) services that are part of the TCP/IP protocol suite that would probably be implemented within a network centre to manage: naming within.

Describe four (4) services that are part of the TCP/IP protocol suite that would probably be implemented within a network centre to manage: naming within.
Internet: Authoritive DNS Servers Resolver: gethostbyname(www.microsoft.com) Server: www.microsoft.com is 1.2.3.4 Client Caching DNS Server.

Internet: Authoritive DNS Servers Resolver: gethostbyname( Server: is Client Caching DNS Server.
1 Internet Networking Spring 2006 Tutorial 8 DNS and DHCP as UDP applications.

1 Internet Networking Spring 2006 Tutorial 8 DNS and DHCP as UDP applications.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.
Domain Name System: DNS

Domain Name System: DNS
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.

Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.

Similar presentations

Ads by Google