DNS fragmentation attacks - the dangers of not validating DNSSEC

How to prevent DNS fragmentation attacks on your network. DNS cache poisoning attacks can be, and have been, used to redirect traffic within networks and are often the first step of larger attacks.
Learn:
- why DNS fragmentation attacks work
- why DNS caching servers that do not perform DNSSEC validation are especially vulnerable
- why DNSSEC-signed zones can be used to launch this attack
- how IPv6 and/or DNSSEC validation can stop these attacks


  1. DNS Cache Spoofing: "Fragmentation Considered Poisonous", May 2012 - August 2013
     © Men & Mice, http://menandmice.com, Monday 9 December 13
  2. DNS cache poisoning through fragmentation
     • A new attack presented at IETF 87 in Berlin, August 2013
     • works with any large DNS responses that might be fragmented on the transport path (large TXT record sets - SPF etc.)
     • works especially well in situations where DNSSEC validation is partially or incorrectly deployed:
       • works on permissive DNSSEC resolvers, and on clients that "fall back" to non-DNSSEC resolvers
     • according to research from Geoff Huston (APNIC), these situations are fairly common
  3. Fragmentation attack (1)
     [diagram: an evil web-server, an evil resolver, the "mybank.com" authoritative DNS servers, the caching/resolving DNS server, and an unsuspecting resolver on a local network behind a firewall and NAT. The client sends an HTTP request to the evil web-server and receives a webpage that triggers DNS requests with large DNS answers.]
  4. Fragmentation attack (2)
     [diagram: the caching DNS server performs the DNS lookup for the domain name; the DNS lookups will be sent to the authoritative DNS servers.]
  5. Fragmentation attack (3)
     [diagram: the authoritative server's answer arrives at the caching DNS server as fragment part 1.]
  6. Fragmentation attack (4)
     [diagram: the attacker swamps the caching DNS server with fake fragment No. 2 packets while the good fragment part 2 is still in transit; the fake response will be cached.]
  7. Fragmentation attack (5)
     [diagram: the client requests www.mybank.com./A RR, receives the false answer from the poisoned cache and connects to a "pharming" website.]
  8. Fragmentation attack
     • Attackers try to overwrite or place a NS record in the cache
         ;; ANSWER SECTION:
         mybank.com.        120     IN   SPF  "v=spf1, a:192.0.2.10, 192.0.2.22 ..."   <- large RRset causing fragmentation
         ;; AUTHORITY SECTION:
         mybank.com.        86400   IN   NS   ns1.mybank.com.
         mybank.com.        86400   IN   NS   ns2.mybank.com.
         ---------------------------------------------------- end of Fragment 1 / start of Fragment 2
         ;; ADDITIONAL SECTION:
         ns1.mybank.com.    604800  IN   A    192.0.2.20   <- here is the fake data
         ns2.mybank.com.    604800  IN   A    192.0.2.30   <- high TTL for maximum damage
  9. Fragmentation attack
     • some operating systems (Windows, FreeBSD) use sequential Fragment-IDs
     • the next Fragment-ID to be used can therefore be inferred by the attacker
  10. Fragmentation attack
     • How to guard against fragmentation attacks:
       • deploy DNSSEC in a non-permissive mode (full validation)
       • deploy IPv6 (UDP fragmentation works differently in IPv6 than in IPv4; the same fragmentation attack is not possible in IPv6 networks)
  11. DNSSEC to the rescue ...
  12. References
     • IETF 87 - DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!
       http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
     • DNS-OARC Presentation Oct 2013:
       https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1
  13. DNSSEC validation
  14. DNSSEC in DNS Messages
      DNS message header (bits 0-31 per row):
        Identification (ID)                          | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | RCode
        Total Number of Question Resource Records    | Total Number of Answer Resource Records
        Total Number of Authority Resource Records   | Total Number of Additional Resource Records
      followed by the Question Resource Records, Answer Resource Records, Authority Resource Records and Additional Resource Records.
      AD = Authenticated Data, CD = Checking Disabled
      EDNS (OPT pseudo record in the Additional section):
         EDNS: version: 0, flags: do; udp: 4096
  15. DNSSEC in DNS Messages
      • DO flag in the EDNS pseudo record: DNSSEC OK
        • this client can handle DNSSEC records
        • in addition, each client signaling "DNSSEC OK" also signals that it can handle UDP DNS responses larger than 512 bytes
  16. DNSSEC in DNS Messages
      • AD flag:
        • a validating resolver signaling to the client that it has successfully validated the DNSSEC data
        • invalid DNSSEC data will not be sent to a downstream resolver (client); instead the resolver will send a SERVFAIL error condition
  17. DNSSEC in DNS Messages
      • CD flag:
        • an application can signal to the resolving DNS server that it will validate the DNSSEC information itself
        • the resolving DNS server does not need to validate itself, but is free to do so
  18. dig ripe.net +dnssec
          ; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183
          ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5      <- AD flag: secure answer
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags: do; udp: 4096                                     <- EDNS0 information including the DO flag
          ;; QUESTION SECTION:
          ;ripe.net.                      IN      A
          ;; ANSWER SECTION:
          ripe.net.         172800  IN  A      193.0.6.139
          ripe.net.         172800  IN  RRSIG  A 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=
          ;; AUTHORITY SECTION:
          ripe.net.         172800  IN  NS     sns-pb.isc.org.
          ripe.net.         172800  IN  NS     sunic.sunet.se.
          ripe.net.         172800  IN  NS     ns-pri.ripe.net.
          ripe.net.         172800  IN  NS     ns3.nic.fr.
          ripe.net.         172800  IN  RRSIG  NS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=
          ;; ADDITIONAL SECTION:
          ns-pri.ripe.net.  172800  IN  A      193.0.0.195
          ns-pri.ripe.net.  172800  IN  AAAA   2001:610:240:0:53::3
          ns-pri.ripe.net.  172800  IN  RRSIG  A 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=
          ns-pri.ripe.net.  172800  IN  RRSIG  AAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=
          ;; Query time: 454 msec
          ;; SERVER: 192.0.2.10#53(192.0.2.10)
          ;; WHEN: Sat Oct 9 22:39:45 2010
          ;; MSG SIZE  rcvd: 870
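The header bits and the EDNS0 DO bit that dig prints as "flags: qr rd ra ad" and "flags: do" can be built and decoded by hand. The following is an added example (not code from the slides or from Men & Mice): it assembles a query with the OPT pseudo record, decodes the AD/CD/DO bits from any message, and uses a constructed reply (assumed, not captured from ripe.net) to show what a validating resolver's answer looks like.

```python
import struct

def encode_name(name):
    """Wire-format owner name without compression, e.g. ripe.net. -> 4 r i p e 3 n e t 0."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def build_query(qname, qid=0x1234, dnssec_ok=True, checking_disabled=False, udp_size=4096):
    """Query for <qname>/A with an EDNS0 OPT pseudo record; DO is the high bit of the OPT TTL."""
    flags = 0x0100                                  # RD: recursion desired
    if checking_disabled:
        flags |= 0x0010                             # CD: client validates itself
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    opt_ttl = 0x8000 if dnssec_ok else 0                               # DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, opt_ttl, 0)     # name ".", TYPE OPT
    return header + question + opt

def skip_name(msg, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                   # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_flags(msg):
    """Decode the header bits dig shows as 'flags:' plus DO and UDP size from the OPT record."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
           "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
           "cd": bool(flags & 0x0010), "rcode": flags & 0x000F, "do": False, "udp": 512}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                             # OPT: CLASS = UDP size, TTL holds DO
            out["do"], out["udp"] = bool(ttl & 0x8000), rclass
        off += 10 + rdlen
    return out

def fake_response(query, ad=True):
    """Constructed reply (assumption): same body, header flags qr rd ra, plus ad if validated."""
    flags = 0x8180 | (0x0020 if ad else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]
```

Note that a stub that does not validate itself can only trust the AD bit if the path to the validating resolver is trusted; a response without AD (or a SERVFAIL) is what a non-permissive validator returns for broken signatures.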
  19. DNSSEC capable DNS resolver / caching server
      • BIND 9 (starting with BIND 9.6-ESV): http://www.isc.org
      • unbound: http://unbound.net
      • PowerDNS recursor: http://www.powerdns.com
      • Windows 2012 DNS: http://technet.microsoft.com/en-us/library/hh831667.aspx
  20. http://dnssec-or-not.org
  21. http://dnssectest.sidn.nl
  22. dnssec-tools.org
      • A collection of useful tools for DNSSEC deployment (http://dnssec-tools.org)
      • DNSSEC-check - tests if the local DNSSEC resolvers are DNSSEC enabled
  23. DNSSEC-check
      [screenshot of the DNSSEC-check tool]
  24. DNSSEC validation in the web browser
      • DNSSEC Add-On for Firefox, Google Chrome and Microsoft Internet Explorer (http://www.dnssec-validator.cz/)
      • go to http://www.root-dnssec.org or http://www.ripe.net and you should see a nice green key icon in the URL bar telling you that this DNS information was DNSSEC validated.
  25. DNSSEC validation in Windows 2012
  26. DNSSEC validation in Microsoft DNS Server 2012
      • The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3).
      • Windows 2008 only supports SHA1 and NSEC, and was not able to validate the Internet root zone.
  27. DNSSEC validation
      • DNSSEC validation can be enabled in the DNS server's global properties (Advanced - enable DNSSEC validation for remote responses)
  28. enabling DNSSEC using 'dnscmd'
      • it is possible to enable DNSSEC validation from the command line using the command
          dnscmd /RetrieveRootTrustAnchors
      • This command will first fetch the delegation signer (DS record) using https from IANA (https://data.iana.org/root-anchors/root-anchors.xml).
      • The server will then fetch the public key signing key from the root zone during an active refresh cycle (RFC 5011) and validate the KSK using the delegation signer record.
  29. enabling DNSSEC using 'dnscmd'
      [screenshot of the dnscmd output]
  30. A DNSSEC validating caching-only configuration for BIND 9
  31. DNSSEC validation with BIND 9
      • built-in support for DNSSEC validation in the BIND 9 DNS server:
        • BIND 9.6 - no built-in trust anchor, no support for RFC 5011
        • BIND 9.7 - support for RFC 5011 (automatic update of trust anchors)
        • BIND 9.8 - includes a built-in trust anchor for the Internet root zone, but validation is disabled by default
        • BIND 9.9 - built-in trust anchor for the Internet root zone, DNSSEC validation enabled by default
  32. getting the root-anchor
      • for BIND 9, the public KSK of the root zone is used as the root-anchor
      • the DNSKEY record can be retrieved using dig:
          dig . dnskey @a.root-servers.net. +norec | grep 257 > root.key
        dig                   - the dig command
        .                     - "." is the domain name of the root zone
        dnskey                - we want the DNSKEY record
        @a.root-servers.net.  - we send the query to one of the root servers
        +norec                - we send an iterative query (polite)
        | grep 257            - we only want the KSK (flag 257)
        > root.key            - we write the result into this file
  33. Verifying the root zone's key
      • We should never blindly trust cryptographic keys published on websites or slides
      • nor should we trust a DNSKEY fetched from an insecure channel (plain DNS)
      • we need to verify the key material
      • IANA publishes the DS (delegation signer fingerprint) on an HTTPS secured website
  34. http://data.iana.org/root-anchors/
      [screenshot: root DS fingerprint]
  35. Verifying the root zone key
      • we use the command "dnssec-dsfromkey" to create a SHA256 hash fingerprint from the downloaded root-zone DNSKEY:
          dnssec-dsfromkey -2 root.key
          . IN DS 19036 8 2 ( 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5 )
      • if we compare the computed hash with the one from the website, they both match
      • the downloaded DNSKEY record is valid
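What dnssec-dsfromkey computes in slides 32 to 35 is small enough to reproduce, which is useful when the tool is not at hand or when a second, independent check of the trust anchor is wanted. The following is an added example, not code from the slides or from Men & Mice: it takes the root KSK printed on the slides, computes the RFC 4034 key tag and the DS digest type 2 (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA), and compares it with the DS fingerprint shown on the slides.

```python
import base64
import hashlib
import struct

# Root zone KSK as printed on the slides: flags 257, protocol 3, algorithm 8 (RSASHA256).
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)
# DS digest (type 2, SHA-256) for key tag 19036, as shown on the slides.
IANA_ROOT_DS_SHA256 = ("49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32"
                       "F24E8FB5")

def name_to_wire(name):
    """Canonical wire form of an owner name; the root "." is a single zero byte."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit big-endian word sum with carry folded in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def verify_root_anchor(key_b64=ROOT_KSK_B64, expected_ds=IANA_ROOT_DS_SHA256):
    """Return (key tag, computed DS digest, True if it matches the published DS)."""
    rdata = dnskey_rdata(257, 3, 8, key_b64)
    digest = ds_sha256(".", rdata)
    return key_tag(rdata), digest, digest == expected_ds

if __name__ == "__main__":
    tag, digest, ok = verify_root_anchor()
    print(f". IN DS {tag} 8 2 {digest}  matches published DS: {ok}")
```

Any single changed byte in the fetched DNSKEY (a tampered key, or a ZSK mistaken for the KSK) produces a different key tag or digest, so the comparison fails exactly as the slide intends.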
  36. DNSSEC setup (BIND 9.6-ESV)
      • In BIND 9.6-ESV, we configure a static trust anchor using the "trusted-keys" statement in the "named.conf" file:
          trusted-keys {
              "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
              FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
              bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
              X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
              W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
              Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
              QxA+Uk1ihz0=";
          };
  37. DNSSEC setup (BIND 9.7.0+)
      • Starting with BIND 9.7.0, the trusted keys can be automatically updated by RFC 5011 (RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors):
          managed-keys {
              "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
              FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
              bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
              X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
              W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
              Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
              QxA+Uk1ihz0=";
          };
  38. general setup
          options {
              recursion yes;
              allow-recursion { mynetworks; };
              dnssec-enable yes;
              dnssec-validation yes;
              dnssec-lookaside auto;
              querylog no;
              recursive-clients 2000;
              tcp-clients 200;
              max-cache-size 2147483648; // 2GB
          };
  39. DNSSEC maintenance with BIND 9 "rndc"
      • rndc secroots: dump information about the currently active DNSSEC trust anchors into the file "named.secroots".
          bash-3.2# rndc secroots
          bash-3.2# more named.secroots
          22-Nov-2013 07:48:31.775
           Start view _default
             ./RSASHA256/19036 ; managed         <- root zone trust anchor key ID; "managed": trust anchor will be updated according to RFC 5011
        Key ID 19036 is the current KSK of the root zone:
          . 168851 IN DNSKEY 257 3 8 (
              AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
              bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
              /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
              JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
              oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
              LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
              Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
              LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
              ) ; KSK; alg = RSASHA256; key id = 19036
  40. BIND 9: controlling DNSSEC validation
      • validation on: enable DNSSEC validation on a caching BIND 9 DNS server (globally):
          bash# rndc validation on
      • validation off: disable DNSSEC validation on a caching BIND 9 DNS server:
          bash# rndc validation off
  41. References
      • Deploying DNSSEC (whitepaper by SurfNet):
        http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html
      • A BIND 9 configuration template for a validating, caching-only DNS server:
        https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98;
      • Free BIND 9.9.4 installation packages for Linux, MacOS X, Solaris:
        http://support.menandmice.com/download/bind/
      • Windows 2012 Server: Enabling DNSSEC validation:
        http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation
  42. Thank you!
      E-Mail: training@menandmice.com
