DNS ATTACKS

   MAIN WEAKNESS OF THE SYSTEM.
  HOW ATTACKS WORK IN GENERAL?

               BY: HIMANSHU PRABHAKAR




              DNS ATTACKS
WHAT IS DNS?
DOMAIN NAME SYSTEM




WHAT IS DNS?

HOW INTERNET WORKS :




WHAT IS DNS?




www.facebook.com                     72.190.12.206
www.yahoo.com                        85.206.25.156
www.google.com                       56.25.25.128




WHAT IS DNS?

It's like the Yellow Pages of the Internet.

A globally distributed, loosely coherent, scalable, reliable, dynamic
database

Comprised of three components
1. A “name space”
2. Servers making that name space available
3. Resolvers (clients) which query the servers about the name
   space




HOW DNS WORKS?
 DOMAIN NAME SYSTEM




HOW DNS WORKS?




HOW DNS WORKS?


                               root


       org     net          edu          com   uk    ca


wisc          ucb          utdallas            cmu        mit


                     cs1                 ee

                    www
               129.110.92.15
HOW DNS WORKS?

DNS Message Header Format




DNS VULNERABILITIES
   DOMAIN NAME SYSTEM




DNS VULNERABILITIES




DNS VULNERABILITIES

DNS was designed with usability in mind, not security.

Security:
        Confidentiality: NOT A CONCERN
        Data Integrity: BIG CONCERN

UDP-based design: Any correctly formatted DNS response over UDP
can be considered legitimate.

DNS attack tools are readily available on the Internet (for example,
dsniff, dnshijack, and many more) and they are all FREE!




DNS VULNERABILITIES

[Figure: DNS data flow with attack points. Components: zone administrator, zone file, dynamic updates, master, slaves, recursor, resolver. Threats marked: corrupting data, unauthorized updates, impersonating master, cache impersonation, cache pollution by data spoofing.]

DNS ATTACKS?
DOMAIN NAME SYSTEM




DNS ATTACKS?
DNS KNOWN THREATS:   (Source RFC 3833)


1.   Packet Interception
2.   ID Guessing and Query Prediction
3.   Name Chaining
4.   Betrayal By Trusted Server
5.   Denial of Service
6.   Authenticated Denial of Domain Names




DNS ATTACKS?

1. DNS Amplification Attack

2. DNS Cache Poisoning / DNS Spoofing

3. (DDoS) Distributed Denial of Service attack

4. BIND9 Spoofing




DNS AMPLIFICATION ATTACK

Attackers use open DNS resolvers by sending them DNS requests that carry the source IP address of the target.

When the resolvers receive the DNS queries, they send their DNS responses to the target address.

Attacks of this type use multiple open DNS resolvers, so the effects on the target devices are magnified.




DNS CACHE POISONING

This technique can be used to direct users of a website to another site of the attacker's choosing.

A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non-authentic server and would unknowingly download malicious content.



DNS CACHE POISONING

1. Attacker poisons the cache
   of Local DNS Server by either
   remotely attacking or
   breaking into the server.

2. Legitimate User tries to log
   onto www.nicebank.com

3. DNS request to DNS server.

4. DNS server replies with IP of
   fake website.

5. User is redirected to
   www.n1cebank.com

(DDOS) DISTRIBUTED DENIAL OF SERVICE
The attacker tries to target one or more of the 13 DNS root name servers.
The root name servers are critical components of the Internet.

Attacks against the root name servers could, in theory, impact operation of
the entire global Domain Name System.

On October 21, 2002, an attack lasting approximately one hour was targeted at all 13 DNS root name servers.

On February 6, 2007, a similar attack lasted twenty-four hours.




BIND9 SPOOFING

BIND is the most widely used DNS software on the Internet. BIND 9 (Stable
Production Release)

BIND 9 DNS queries are predictable (Source: bind-9-dns-cache-poisoning )

The source UDP port and the DNS transaction ID can be effectively predicted.

BIND 9 was found to be predictable to within 10 choices.

This enables much more effective DNS cache poisoning than the
currently known attacks against BIND 9.




HOW TO PREVENT DNS ATTACKS?
DOMAIN NAME SYSTEM




HOW TO PREVENT DNS ATTACKS?

Band-Aid solutions
• Only cache information from authoritative servers
• Cross-check IP DNS mappings
• Transaction signatures for zone transfer, dynamic updates
• Split-split strategy: Advertising name server for DNS servers
• No cache to poison
• Only allow internal traffic

Firewalls can be utilized to minimize attacks against the DNS protocol.
• Query and Response Verification
• Transaction ID randomization
• DNS Header Flag Filtering
• DNS message size limitations
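
Query and response verification with a random transaction ID, as an added example that is not part of the original slides. It shows the checks a resolver applies before trusting a UDP datagram; the names `Pending`, `new_query`, `check_response` and the sample addresses are assumptions made for illustration.

```python
import secrets
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR_BIT = 0x8000                    # set in responses, clear in queries
RD_BIT = 0x0100                    # recursion desired
RA_BIT = 0x0080                    # recursion available


def encode_question(name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Question section: length-prefixed labels, root byte, QTYPE, QCLASS."""
    parts = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    qname = b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"
    return qname + struct.pack("!HH", qtype, qclass)


@dataclass(frozen=True)
class Pending:
    """What the resolver remembers about one outstanding query."""
    txid: int          # random 16-bit transaction ID
    question: bytes    # exact question bytes that were sent
    server: tuple      # (ip, port) the query went to
    local_port: int    # source port the query left from


def new_query(name: str, server: tuple, local_port: int):
    """Build a query whose transaction ID comes from a CSPRNG, not a counter."""
    txid = secrets.randbits(16)
    question = encode_question(name)
    packet = HEADER.pack(txid, RD_BIT, 1, 0, 0, 0) + question
    return Pending(txid, question, server, local_port), packet


def check_response(pending: Pending, packet: bytes, src: tuple, dst_port: int):
    """Return (accepted, reason) for a datagram claiming to answer `pending`."""
    if src != pending.server:
        return False, "source address or port differs from the server queried"
    if dst_port != pending.local_port:
        return False, "arrived on a port the query was not sent from"
    if len(packet) < HEADER.size:
        return False, "shorter than a DNS header"
    txid, flags, qdcount, _an, _ns, _ar = HEADER.unpack_from(packet)
    if not flags & QR_BIT:
        return False, "QR bit clear: this is a query, not a response"
    if txid != pending.txid:
        return False, "transaction ID mismatch"
    # Assumption: the server echoes the question byte for byte.
    end = HEADER.size + len(pending.question)
    if qdcount != 1 or packet[HEADER.size:end] != pending.question:
        return False, "question section does not echo the query"
    return True, "ok"


def sample_response(txid: int, question: bytes, ipv4: bytes) -> bytes:
    """Constructed response carrying one A record for `question`."""
    header = HEADER.pack(txid, QR_BIT | RD_BIT | RA_BIT, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipv4
    return header + question + answer


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    server = ("192.0.2.53", 53)
    pending, _query = new_query("www.nicebank.com", server, 40001)
    genuine = sample_response(pending.txid, pending.question, bytes([192, 0, 2, 10]))
    guessed = sample_response(pending.txid ^ 1, pending.question, bytes([203, 0, 113, 66]))
    print(check_response(pending, genuine, server, 40001))
    print(check_response(pending, guessed, server, 40001))
    print(check_response(pending, genuine, ("203.0.113.66", 53), 40001))
```

Every check here is a value an off-path sender has to guess, which is why a predictable transaction ID or a fixed source port weakens the whole scheme.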




DNSSEC

DNS Security Extensions (DNSSEC)

• Adds security functions to the DNS protocol.

• Can prevent some attacks, such as DNS cache poisoning.

• Adds data origin authentication and data integrity to the DNS protocol.

• Digitally signs DNS lookups using public-key cryptography.

• The DNSKEY record is authenticated via a chain of trust starting with the trusted root.

• It's a kind of SSL authentication for the DNS.


DNSSEC

1. RECORDS: RRSIG, DNSKEY, DS, NSEC and NSEC3

2. ALGORITHMS: RSA/MD5, DSA/SHA-1, RSA/SHA-256/512

3. LOOKUP PROCEDURE: Recursive Name Servers, Stub Resolver

4. TRUST ANCHORS AND AUTHENTICATION CHAIN

5. SIGNATURE AND ZONE SIGNING

6. KEY MANAGEMENT




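HOW DNSSEC WORKS?
Participants: ns.utdallas.edu, ns.dns.edu, Root Server, Recursor, Stub Resolver

1. Stub Resolver -> Recursor: IP for www.utdallas.edu
2. Recursor: Check Cache
3. Recursor -> Root Server: Req DNSKEY Root
4. Root Server -> Recursor: DNSKEY: KSKRoot + RRSIG(KSKRoot) + DNSKEY:ZSKroot + RRSIG(ZSKroot)
5. Recursor: Check RRSIG with KSKroot => Valid ZSKroot
6. Recursor -> Root Server: IP for www.utdallas.edu
7. Root Server -> Recursor: gotoNS:ns.dns.edu, DS(KSKedu) + RRSIG(DS), NS:root + RRSIG(NS)
8. Recursor: Check RRSIG with KSKroot => Valid DS(KSKedu)
9. Recursor: Check RRSIG with KSKroot => Valid NS:root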



HOW DNSSEC WORKS?
Participants: ns.utdallas.edu, ns.dns.edu, Root Server, Recursor, Stub Resolver

1. Recursor: Check RRSIG with ZSKroot => Valid DS(KSKedu)
2. Recursor: Check RRSIG with ZSKroot => Valid NS:root
3. Recursor -> ns.dns.edu: Req DNSKEYedu
4. ns.dns.edu -> Recursor: DNSKEY: KSKorg + RRSIG(KSKorg) + DNSKEY:ZSKorg + RRSIG(ZSKorg)
5. Recursor: Validate KSKedu with DS(KSKedu) => Valid KSKedu
6. Recursor: Check RRSIG with KSKedu => Valid ZSKedu
7. Recursor -> ns.dns.edu: IP for www.utdallas.edu
8. ns.dns.edu -> Recursor: gotoNS:ns.utdallas.edu, DS(KSKutd) + RRSIG(DS), NS:ns.dns.edu + RRSIG(NS)
9. Recursor: Check RRSIG with ZSKedu => Valid DS(KSKutd)
10. Recursor: Check RRSIG with ZSKedu => Valid NS:ns.dns.edu




HOW DNSSEC WORKS?
Participants: ns.utdallas.edu, ns.dns.edu, Root Server, Recursor, Stub Resolver

1. Recursor: Check RRSIG with ZSKedu => Valid DS(KSKutd)
2. Recursor: Check RRSIG with ZSKedu => Valid NS:ns.dns.edu
3. Recursor -> ns.utdallas.edu: Req DNSKEYutd
4. ns.utdallas.edu -> Recursor: DNSKEY: KSKutd + RRSIG(KSKutd) + DNSKEY:ZSKutd + RRSIG(ZSKutd)
5. Recursor: Validate KSKutd with DS(KSKutd) => Valid KSKutd
6. Recursor: Check RRSIG with KSKutd => Valid ZSKutd
7. Recursor -> ns.utdallas.edu: IP for www.utdallas.edu
8. ns.utdallas.edu -> Recursor: A;123.123.123.123, RRSIG(A), NS:ns.utdallas.edu + RRSIG(NS)
9. Recursor: Check RRSIG with ZSKutd => Valid A record
10. Recursor: Check RRSIG with ZSKutd => Valid NS:ns.utdallas.edu
11. Recursor -> Stub Resolver: A;123.123.123.123
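
The "Validate KSK with DS(KSK)" step of the walk-through, as an added example that is not part of the original slides: a DS record is a digest over the child zone's owner name and DNSKEY RDATA (RFC 4034), so the recursor recomputes it and compares. The key bytes are constructed placeholders rather than a real key, the helper names are assumptions, and RRSIG signature verification is out of scope here.

```python
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100                            # bit 7 of the DNSKEY flags
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}    # DS digest types


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    parts = [p.encode("ascii") for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum, not a hash."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS the parent zone publishes (and signs) for the child's KSK."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict):
    """Return (valid, reason): does this DNSKEY hash to the parent's DS?"""
    if len(rdata) < 4:
        return False, "DNSKEY RDATA too short"
    flags, protocol, algorithm = struct.unpack_from("!HBB", rdata)
    if not flags & ZONE_KEY_FLAG:
        return False, "Zone Key flag not set"
    if protocol != 3:
        return False, "protocol field is not 3"
    if algorithm != ds["algorithm"]:
        return False, "algorithm mismatch"
    if key_tag(rdata) != ds["key_tag"]:
        return False, "key tag mismatch"          # cheap pre-filter only
    hasher = DIGESTS.get(ds["digest_type"])
    if hasher is None:
        return False, "unsupported digest type"
    digest = hasher(name_to_wire(owner) + rdata).digest()
    if not hmac.compare_digest(digest, ds["digest"]):
        return False, "digest mismatch"           # the actual integrity check
    return True, "ok"


def swapped(rdata: bytes, i: int, j: int) -> bytes:
    """Copy of rdata with two bytes exchanged (used to build a bad key)."""
    buf = bytearray(rdata)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


# Constructed sample data: 128 arbitrary bytes stand in for a public key.
SAMPLE_KEY = bytes(range(1, 129))
KSK_EDU = dnskey_rdata(257, 8, SAMPLE_KEY)        # 257 = Zone Key + SEP, 8 = RSA/SHA-256
DS_EDU = make_ds("edu.", KSK_EDU)                 # as served by the parent zone

if __name__ == "__main__":
    print(dnskey_matches_ds("edu.", KSK_EDU, DS_EDU))
    # Exchanging two bytes at even offsets keeps the key tag but not the digest.
    print(dnskey_matches_ds("edu.", swapped(KSK_EDU, 4, 6), DS_EDU))
    # The owner name is part of the digest, so the same key fails elsewhere.
    print(dnskey_matches_ds("org.", KSK_EDU, DS_EDU))
```

The second case shows why the key tag only selects a candidate key: an altered key can keep the same tag, and the digest comparison is what rejects it.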



DNSSEC STANDARDS
RFC4033 DNS Security Introduction and Requirements:
What is provided by DNSSEC? Origin Authentication and data integrity
    • Resource Record Signature (RRSIG)
    • DNS Public Key (DNSKEY)
    • Delegation Signer (DS)
    • Next Secure (NSEC)
    • New Header bits: Checking Disabled (CD) and Authenticated Data (AD)

What is not provided by DNSSEC? Confidentiality, ACL, No protection against DoS attacks.

CONSIDERATIONS:
Resolver: Cryptographic analysis on signatures, authentication chaining, validate DNS replies.

Stub Resolver: DNSSEC validity checks, IPSec, setting of AD bit

Zones: signed and unsigned zones, regular maintenance of RRset

Name Server: DNSSEC records (RRSIG, DNSKEY, DS, and NSEC), EDNS "sender's UDP payload"
mechanism, private part of DNSSEC key pair should be kept offline

Security: a channel secured by IPsec, DNS transaction authentication mechanism such as TSIG
DNSSEC STANDARDS
RFC4034 Resource Records for the DNS Security Extensions:
    DNSKEY Resource Record
    RRSIG Resource Record
    NSEC Resource Record
    DS Resource Record

RFC4035 Protocol Modifications for the DNS Security Extensions:
    Zone Signing: DNSKEY, RRSIG, NSEC, DS
    Serving : Authoritative Name Servers and Recursive Name Servers
    Resolving : EDNS Support, Signature verification, trust anchors
    Authenticating DNS Responses

RFC5155: DNSSEC Hashed Authenticated Denial of Existence

RFC4310: DNS Security Extensions Mapping for the Extensible Provisioning Protocol
(EPP)

RFC4641: DNSSEC Operational Practices

ARE WE SECURE WITH DNSSEC?

DNSSEC has some problems of its own:

Trivial zone configuration errors or expired keys can prove bad for a DNSSEC-aware resolver.

The increased size of DNSSEC responses could encourage DoS amplifiers.

Slow responses due to the extra overhead of signature validation could result in
timeouts/re-queries. (Impatient DNS Clients)

A compromise in any of the zones between the root and the target could
damage DNSSEC's ability to protect the integrity of data owned by that
target name.




THANKS
hxp101120@utdallas.edu




REFERENCES

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
http://tools.ietf.org/html/rfc4033
http://tools.ietf.org/html/rfc4034
http://tools.ietf.org/html/rfc4035
http://tools.ietf.org/html/rfc5155
http://tools.ietf.org/html/rfc4310
http://tools.ietf.org/html/rfc4641
https://www.dnssec.nl/wiki/index.php/DNSSEC_explained
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm




                             DNS ATTACKS                         33

More Related Content

What's hot

Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
Kaustubh Padwad
 

What's hot (20)

Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attacks
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service Attacks
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of Service
 
Dns
DnsDns
Dns
 
DNS Presentation
DNS PresentationDNS Presentation
DNS Presentation
 
Denial of service
Denial of serviceDenial of service
Denial of service
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 

Viewers also liked

Voip powerpoint
Voip powerpointVoip powerpoint
Voip powerpoint
GW1992
 
Voice over IP (VoIP)
Voice over IP (VoIP)Voice over IP (VoIP)
Voice over IP (VoIP)
Peter R. Egli
 
VOICE OVER INTERNET PROTOCOL
VOICE OVER INTERNET PROTOCOLVOICE OVER INTERNET PROTOCOL
VOICE OVER INTERNET PROTOCOL
Rajan Kumar
 

Viewers also liked (20)

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
How DNS Poisoning works?
How DNS Poisoning works?How DNS Poisoning works?
How DNS Poisoning works?
 
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling Blindspot
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 
Ip addressing
Ip addressingIp addressing
Ip addressing
 
Pjsmith ip addressing & subnetting madeeasy
Pjsmith ip addressing & subnetting madeeasyPjsmith ip addressing & subnetting madeeasy
Pjsmith ip addressing & subnetting madeeasy
 
tìm hiểu các lỗ hổng bảo mật
tìm hiểu các lỗ hổng bảo mậttìm hiểu các lỗ hổng bảo mật
tìm hiểu các lỗ hổng bảo mật
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
 
TCP IP Addressing
TCP IP AddressingTCP IP Addressing
TCP IP Addressing
 
Computer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP AddressingComputer Networking: Subnetting and IP Addressing
Computer Networking: Subnetting and IP Addressing
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
What is VoIP and How it works?
What is VoIP and How it works?What is VoIP and How it works?
What is VoIP and How it works?
 
Voice over internet protocol (VoIP)
 Voice over internet protocol (VoIP)  Voice over internet protocol (VoIP)
Voice over internet protocol (VoIP)
 
VOIP Presentation
VOIP Presentation VOIP Presentation
VOIP Presentation
 
Voip powerpoint
Voip powerpointVoip powerpoint
Voip powerpoint
 
Voice over IP (VoIP)
Voice over IP (VoIP)Voice over IP (VoIP)
Voice over IP (VoIP)
 
VOICE OVER INTERNET PROTOCOL
VOICE OVER INTERNET PROTOCOLVOICE OVER INTERNET PROTOCOL
VOICE OVER INTERNET PROTOCOL
 

Similar to DNS Attacks

Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slides
kj teoh
 

Similar to DNS Attacks (20)

bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
Monitoring DNS Records and Servers
Monitoring DNS Records and ServersMonitoring DNS Records and Servers
Monitoring DNS Records and Servers
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
 
DNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxDNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptx
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT  AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
Windows most important server questions for l1 level
Windows  most important server questions for l1 levelWindows  most important server questions for l1 level
Windows most important server questions for l1 level
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic ManagerDNS Security (DNSSEC) With BIG-IP Global Traffic Manager
DNS Security (DNSSEC) With BIG-IP Global Traffic Manager
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
DNS.pptx
DNS.pptxDNS.pptx
DNS.pptx
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
Dns
DnsDns
Dns
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slides
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

DNS Attacks

  • 1. DNS ATTACKS MAIN WEAKNESS OF THE SYSTEM. HOW ATTACKS WORK IN GENERAL? BY: HIMANSHU PRABHAKAR DNS ATTACKS
  • 2. WHAT IS DNS? DOMAIN NAME SYSTEM DNS ATTACKS 2
  • 3. WHAT IS DNS? HOW INTERNET WORKS : DNS ATTACKS 3
  • 4. WHAT IS DNS? www.facebook.com 72.190.12.206 www.yahoo.com 85.206.25.156 www.google.com 56.25.25.128 DNS ATTACKS 4
  • 5. WHAT IS DNS? Its like Yellow Pages of the Internet. A globally distributed, loosely coherent, scalable, reliable, dynamic database Comprised of three components 1. A “name space” 2. Servers making that name space available 3. Resolvers (clients) which query the servers about the name space DNS ATTACKS 5
  • 6. HOW DNS WORKS? DOMAIN NAME SYSTEM DNS ATTACKS 6
  • 7. HOW DNS WORKS? DNS ATTACKS 7
  • 8. HOW DNS WORKS? root org net edu com uk ca wisc ucb utdallas cmu mit cs1 ee www 129.110.92.15 DNS ATTACKS 8
  • 9. HOW DNS WORKS? DNS Message Header Format DNS ATTACKS 9
  • 10. DNS VULNERABILITIES DOMAIN NAME SYSTEM DNS ATTACKS 10
  • 11. DNS VULNERABILITIES DNS ATTACKS 11
  • 12. DNS VULNERABILITIES DNS was designed with usability in mind and not Security. Security: Confidentiality: NOT A CONCERN Data Integrity: BIG CONCERN UDP Based design: Any correctly formatted DNS response over UDP can be considered legitimate. DNS attack tools are readily available on the Internet (for example, dsniff, dnshijack, and many more) and they are all FREE! DNS ATTACKS 12
  • 13. DNS VULNERABILITIES Cache impersonation Corrupting data Impersonating master Zone administrator Master Recursor Zone file Dynamic updates Slaves Resolver Cache pollution by Unauthorized updates Data spoofing DNS ATTACKS 13
  • 14. DNS ATTACKS? DOMAIN NAME SYSTEM DNS ATTACKS 14
  • 15. DNS ATTACKS? DNS KNOWN THREATS: (Source RFC 3833) 1. Packet Interception 2. ID Guessing and Query Prediction 3. Name Chaining 4. Betrayal By Trusted Server 5. Denial of Service 6. Authenticated Denial of Domain Names DNS ATTACKS 15
  • 16. DNS ATTACKS? 1. DNS Amplification Attack 2. DNS Cache Poisoning / DNS Spoofing 3. (DDoS) Distributed Denial of Service attack 4. BIND9 Spoofing DNS ATTACKS 16
  • 17. DNS AMPLIFICATION ATTACK Attacker use DNS open resolvers by sending DNS requests with source IP address of the target. When Resolvers receive DNS queries, they respond by DNS responses to the target address. Attacks of these types use multiple DNS open resolvers so the effects on the target devices are magnified. DNS ATTACKS 17
  • 18. DNS CACHE POISONING This technique can be used to direct users of a website to another site of the attacker's choosing. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non- authentic server and unknowingly download malicious content. DNS ATTACKS 18
  • 19. DNS CACHE POISONING
      1. The attacker poisons the cache of the local DNS server, either by attacking it remotely or by breaking into the server.
      2. A legitimate user tries to log on to www.nicebank.com.
      3. A DNS request goes to the DNS server.
      4. The DNS server replies with the IP of the fake website.
      5. The user is redirected to www.n1cebank.com.
  • 20. (DDOS) DISTRIBUTED DENIAL OF SERVICE The attacker tries to target one or more of the 13 DNS root name servers. The root name servers are critical components of the Internet. Attacks against the root name servers could, in theory, impact operation of the entire global Domain Name System. On October 21, 2002, an attack lasting approximately one hour was targeted at all 13 DNS root name servers. On February 6, 2007, a similar attack lasted twenty-four hours.
  • 21. BIND9 SPOOFING BIND is the most widely used DNS software on the Internet. BIND 9 (Stable Production Release): BIND 9 DNS queries are predictable (Source: bind-9-dns-cache-poisoning). The source UDP port and DNS transaction ID can be effectively predicted. BIND 9 is found to be predictable to 10 choices. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9.
  • 22. HOW TO PREVENT DNS ATTACKS? DOMAIN NAME SYSTEM
  • 23. HOW TO PREVENT DNS ATTACKS? Band-Aid solutions:
      • Only cache information from authoritative servers
      • Cross-check IP DNS mappings
      • Transaction signatures for zone transfer, dynamic updates
      • Split-split strategy: Advertising name server for DNS servers
      • No cache to poison
      • Only allow internal traffic
    Firewalls can be utilized to minimize attacks against the DNS protocol:
      • Query and Response Verification
      • Transaction ID randomization
      • DNS Header Flag Filtering
      • DNS message size limitations
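
The checks named on slide 23 (query and response verification, transaction ID randomization, header flag filtering, message size limits), written out as an added example that is not part of the original slides. The function names, the documentation-range addresses and the 512-byte limit for plain UDP are assumptions of this example; www.nicebank.com is the name used on slide 19.

```python
import secrets
import struct

MAX_UDP_RESPONSE = 512  # assumption: plain DNS over UDP, no EDNS

def encode_qname(name: str) -> bytes:
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name: str, qtype: int = 1):
    """Return (packet, txid); the ID comes from a CSPRNG, not a counter."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1), txid

def check_response(query: bytes, response: bytes, sent_to, came_from) -> str:
    """Return 'accept' or the reason the datagram is dropped."""
    if came_from != sent_to:
        return "drop: not from the server that was asked"
    if not 12 <= len(response) <= MAX_UDP_RESPONSE:
        return "drop: message size"
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, flags, qdcount = struct.unpack("!3H", response[:6])
    if r_id != q_id:
        return "drop: transaction ID mismatch"
    if not flags & 0x8000:              # QR must be 1 in a response
        return "drop: QR flag clear"
    if (flags >> 11) & 0xF:             # opcode must be 0 (standard query)
        return "drop: unexpected opcode"
    if qdcount != 1 or response[12:len(query)] != query[12:]:
        return "drop: question does not echo the query"
    return "accept"

def make_response(query: bytes, txid: int, addr: bytes) -> bytes:
    """Constructed reply: echo the question and append one A record."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr
    return header + query[12:] + answer

if __name__ == "__main__":
    server = ("192.0.2.53", 53)               # constructed resolver address
    query, txid = build_query("www.nicebank.com")
    genuine = make_response(query, txid, bytes([192, 0, 2, 10]))
    guessed = make_response(query, txid ^ 0x0001, bytes([203, 0, 113, 66]))
    print(check_response(query, genuine, server, server))
    print(check_response(query, guessed, server, server))
```

These checks only raise the cost of guessing; they do not authenticate the data, which is the gap DNSSEC addresses.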
  • 24. DNSSEC DNS Security Extensions (DNSSEC)
      • Adds security functions to the DNS protocol.
      • Can prevent some attacks, such as DNS cache poisoning.
      • Adds data origin authentication and data integrity to the DNS protocol.
      • Digitally signs DNS lookups using public-key cryptography.
      • The DNSKEY record is authenticated via a chain of trust starting with the trusted root.
      • It's a kind of SSL authentication for the DNS.
  • 25. DNSSEC
      1. RECORDS: RRSIG, DNSKEY, DS, NSEC and NSEC3
      2. ALGORITHMS: RSA/MD5, DSA/SHA-1, RSA/SHA-256/512
      3. LOOKUP PROCEDURE: Recursive Name Servers, Stub Resolver
      4. TRUST ANCHORS AND AUTHENTICATION CHAIN
      5. SIGNATURE AND ZONE SIGNING
      6. KEY MANAGEMENT
  • 26. HOW DNSSEC WORKS? [Sequence diagram. Participants: Stub Resolver, Recursor, Root Server, ns.dns.edu, ns.utdallas.edu]
      • IP for www.utdallas.edu
      • Check Cache
      • Req DNSKEY Root
      • DNSKEY: KSKRoot + RRSIG(KSKRoot) + DNSKEY:ZSKroot + RRSIG(ZSKroot)
      • Check RRSIG with KSKroot => Valid ZSKroot
      • IP for www.utdallas.edu
      • gotoNS:ns.dns.edu, DS(KSKedu) + RRSIG(DS), NS:root + RRSIG(NS)
      • Check RRSIG with KSKroot => Valid DS(KSKedu)
      • Check RRSIG with KSKroot => Valid NS:root
  • 27. HOW DNSSEC WORKS? [Sequence diagram. Participants: Stub Resolver, Recursor, Root Server, ns.dns.edu, ns.utdallas.edu]
      • Check RRSIG with ZSKroot => Valid DS(KSKedu)
      • Check RRSIG with ZSKroot => Valid NS:root
      • Req DNSKEYedu
      • DNSKEY: KSKorg + RRSIG(KSKorg) + DNSKEY:ZSKorg + RRSIG(ZSKorg)
      • Validate KSKedu with DS(KSKedu) => Valid KSKedu
      • Check RRSIG with KSKedu => Valid ZSKedu
      • IP for www.utdallas.edu
      • gotoNS:ns.utdallas.edu, DS(KSKutd) + RRSIG(DS), NS:ns.dns.edu + RRSIG(NS)
      • Check RRSIG with ZSKedu => Valid DS(KSKutd)
      • Check RRSIG with ZSKedu => Valid NS:ns.dns.edu
  • 28. HOW DNSSEC WORKS? [Sequence diagram. Participants: Stub Resolver, Recursor, Root Server, ns.dns.edu, ns.utdallas.edu]
      • Check RRSIG with ZSKedu => Valid DS(KSKutd)
      • Check RRSIG with ZSKedu => Valid NS:ns.dns.edu
      • Req DNSKEYutd
      • DNSKEY: KSKutd + RRSIG(KSKutd) + DNSKEY:ZSKutd + RRSIG(ZSKutd)
      • Validate KSKutd with DS(KSKutd) => Valid KSKutd
      • Check RRSIG with KSKutd => Valid ZSKutd
      • IP for www.utdallas.edu
      • A;123.123.123.123 RRSIG(A), NS:ns.utdallas.edu + RRSIG(NS)
      • Check RRSIG with ZSKutd => Valid A record
      • Check RRSIG with ZSKutd => Valid NS:ns.utdallas.edu
      • A;123.123.123.123
  • 29. DNSSEC STANDARDS RFC4033 DNS Security Introduction and Requirements:
    What is provided by DNSSEC? Origin authentication and data integrity:
      • Resource Record Signature (RRSIG)
      • DNS Public Key (DNSKEY)
      • Delegation Signer (DS)
      • Next Secure (NSEC)
      • New header bits: Checking Disabled (CD) and Authenticated Data (AD)
    What is not provided by DNSSEC? Confidentiality, ACL, No protection against DoS attacks.
    CONSIDERATIONS:
      • Resolver: cryptographic analysis on signatures, authentication chaining, validate DNS replies.
      • Stub Resolver: DNSSEC validity checks, IPSec, setting of AD bit
      • Zones: signed and unsigned zones, regular maintenance of RRset
      • Name Server: DNSSEC records (RRSIG, DNSKEY, DS, and NSEC), EDNS "sender's UDP payload" mechanism, private part of DNSSEC key pair should be kept offline
      • Security: a channel secured by IPsec, DNS transaction authentication mechanism such as TSIG
  • 30. DNSSEC STANDARDS
    RFC4034 Resource Records for the DNS Security Extensions:
      • DNSKEY Resource Record
      • RRSIG Resource Record
      • NSEC Resource Record
      • DS Resource Record
    RFC4035 Protocol Modifications for the DNS Security Extensions:
      • Zone Signing: DNSKEY, RRSIG, NSEC, DS
      • Serving: Authoritative Name Servers and Recursive Name Servers
      • Resolving: EDNS Support, Signature verification, trust anchors
      • Authenticating DNS Responses
    RFC5155: DNSSEC Hashed Authenticated Denial of Existence
    RFC4310: DNS Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
    RFC4641: DNSSEC Operational Practices
  • 31. ARE WE SECURE WITH DNSSEC? DNSSEC has some problems of its own:
      • Trivial zone configuration errors or expired keys can prove bad for a DNSSEC-aware resolver.
      • The increased size of DNSSEC responses could encourage DoS amplifiers.
      • Slow responses due to the extra overhead of signature validation could result in timeouts and re-queries (impatient DNS clients).
      • A compromise in any of the zones between the root and the target could damage DNSSEC's ability to protect the integrity of data owned by that target name.
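
The "Validate KSKedu with DS(KSKedu)" step from slides 27 and 28, as an added example that is not part of the original slides: the resolver accepts a child zone's key-signing key only if it hashes to the DS record the parent published. It assumes DS digest type 2 (SHA-256) and algorithm 8 (RSA/SHA-256); the function names and the key bytes are constructed for illustration, and the RRSIG signature checks on the other steps are not covered here.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical lower-case wire form of an owner name (RFC 4034, 6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """What the parent zone publishes: a DS with digest type 2 (SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_validates(ds: dict, owner: str, rdata: bytes) -> bool:
    """True only if this DNSKEY is the one the parent's DS commits to."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0100 or protocol != 3:   # Zone Key bit, protocol field
        return False
    if ds["digest_type"] != 2 or ds["algorithm"] != algorithm:
        return False
    if ds["key_tag"] != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(ds["digest"], expected)

# Constructed sample data: these bytes are not real keys.
EDU_KSK = dnskey_rdata(257, 8, bytes(range(64)))         # genuine KSKedu
FORGED_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))   # substituted key
DS_EDU = make_ds("edu.", EDU_KSK)                        # served by the root

if __name__ == "__main__":
    print("genuine KSKedu:", ds_validates(DS_EDU, "edu.", EDU_KSK))
    print("forged KSKedu: ", ds_validates(DS_EDU, "edu.", FORGED_KSK))
    print("wrong owner:   ", ds_validates(DS_EDU, "com.", EDU_KSK))
```

Because the digest covers the owner name as well as the key, a DS for one zone cannot be reused to vouch for the same key under another name.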