DNS Attacks

  1. DNS ATTACKS: MAIN WEAKNESS OF THE SYSTEM. HOW DO ATTACKS WORK IN GENERAL? BY: HIMANSHU PRABHAKAR. DNS ATTACKS
  2. WHAT IS DNS? DOMAIN NAME SYSTEM
  3. WHAT IS DNS? HOW THE INTERNET WORKS: (diagram)
  4. WHAT IS DNS? Names map to addresses, e.g. www.facebook.com → 72.190.12.206, www.yahoo.com → 85.206.25.156, www.google.com → 56.25.25.128 (the addresses on the slide are illustrative, not the sites' real ones).
  5. WHAT IS DNS? It is like the Yellow Pages of the Internet: a globally distributed, loosely coherent, scalable, reliable, dynamic database. It is comprised of three components: 1. A "name space". 2. Servers making that name space available. 3. Resolvers (clients) which query the servers about the name space.
  6. HOW DOES DNS WORK? DOMAIN NAME SYSTEM
  7. HOW DOES DNS WORK? (diagram)
  8. HOW DOES DNS WORK? (tree diagram of the name space: the root; top-level domains org, net, edu, com, uk, ca; under edu: wisc, ucb, utdallas, cmu, mit; under utdallas: cs1, ee, www; www.utdallas.edu resolves to 129.110.92.15)
  9. HOW DOES DNS WORK? DNS Message Header Format (diagram: the 12-byte header carries a 16-bit ID, a flag word with QR, Opcode, AA, TC, RD, RA, Z and RCODE, and the QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT section counts; queries and responses share the same header, and the ID is the only value that ties a response to a query)
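The header on slide 9 in code. This is an added example and not code from the slides: it packs and parses the RFC 1035 header and question section, and builds the kind of authoritative answer that the attacks on the following slides try to forge. The name and address are the ones slide 8 uses; the 0x1234 transaction ID, the 300-second TTL and the function names are assumptions of the example.

```python
"""Encode and decode the DNS message header and question section (RFC 1035 4.1)."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Read a name at buf[off], following RFC 1035 compression pointers.
    Returns (name, offset of the first byte after the name as it appeared)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                    # two-byte pointer into the message
            if not jumped:
                end = off + 2
            off, jumped, hops = struct.unpack_from("!H", buf, off)[0] & 0x3FFF, True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def build_header(txid, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                 qdcount=0, ancount=0, nscount=0, arcount=0):
    """Pack the 16-bit ID, the 16-bit flag word and the four section counts."""
    flags = (qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def parse_header(buf):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    return {"id": txid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_query(txid, qname, qtype=QTYPE_A):
    """A standard recursive query: header with RD set plus one question."""
    return build_header(txid, qdcount=1) + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_answer(query, ip, ttl=300):
    """Answer a query with one A record the way an authoritative server would:
    same ID, question copied, QR and AA set, owner name as a pointer to offset 12."""
    h = parse_header(query)
    question = query[12:]
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return build_header(h["id"], qr=1, aa=1, rd=h["rd"], ra=1, qdcount=1, ancount=1) + question + rr


def parse_message(buf):
    """Return header, questions [(name, type, class)] and answers [(name, type, ttl, value)]."""
    h = parse_header(buf)
    off, questions, answers = 12, [], []
    for _ in range(h["qdcount"]):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(h["ancount"]):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        rdata = buf[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A else rdata
        answers.append((name, rtype, ttl, value))
    return {"header": h, "questions": questions, "answers": answers}


if __name__ == "__main__":
    q = build_query(0x1234, "www.utdallas.edu")
    print(parse_header(q))
    print(parse_message(build_answer(q, "129.110.92.15")))
```

The fields the attack slides depend on are all visible here: the 16-bit ID is the only per-query secret in the classic design, QR and AA are set by whoever claims to be answering, and nothing in the header authenticates the sender.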
  10. DNS VULNERABILITIES: DOMAIN NAME SYSTEM
  11. DNS VULNERABILITIES (diagram)
  12. DNS VULNERABILITIES. DNS was designed with usability in mind, not security. Confidentiality: not a concern in the original design (names and addresses are public data). Data integrity: a big concern. UDP-based design: there is no handshake and no authentication of the source, so any correctly formatted DNS response over UDP that matches the outstanding query's transaction ID, destination port and question is accepted as legitimate, and the first such response to arrive wins. DNS attack tools are readily available on the Internet (for example, dsniff, dnshijack, and many more), and they are all free.
  13. DNS VULNERABILITIES (diagram of where attacks land along the path zone administrator → zone file → master → slaves → recursor → resolver: corrupting data in the zone file, unauthorized dynamic updates, impersonating the master toward the slaves, cache impersonation toward the recursor, and cache pollution of the recursor and resolver by data spoofing)
  14. DNS ATTACKS: DOMAIN NAME SYSTEM
  15. DNS ATTACKS. DNS known threats (source: RFC 3833): 1. Packet Interception. 2. ID Guessing and Query Prediction. 3. Name Chaining. 4. Betrayal By Trusted Server. 5. Denial of Service. 6. Authenticated Denial of Domain Names.
  16. DNS ATTACKS covered here: 1. DNS Amplification Attack. 2. DNS Cache Poisoning / DNS Spoofing. 3. (DDoS) Distributed Denial of Service attack. 4. BIND9 Spoofing.
  17. DNS AMPLIFICATION ATTACK. The attacker uses open DNS resolvers by sending them DNS requests with the source IP address of the target. When the resolvers receive the queries, they send their responses to the target address. Attacks of this type use many open resolvers, so the effect on the target is magnified: each small spoofed query (typically for a record type with a large answer, such as ANY or a DNSSEC-signed name) produces a response many times its size, and the target is flooded with answers to questions it never asked. The spoofing is possible because DNS runs over UDP, with no handshake to prove the source address.
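Detection logic for the pattern on slide 17, as an added example (not code from the slides). It runs over constructed flow records with documentation-range addresses and flags a target when several resolvers each send it responses tens of times larger than the queries it supposedly sent; it also lists responses whose query was never seen at all, which is what the victim's own sensor observes. The thresholds and the Flow layout are assumptions of the example.

```python
"""Spot DNS reflection/amplification in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    is_response: bool   # QR bit of the DNS header
    qtype: str


# Constructed sample: one normal lookup, then three open resolvers reflecting
# roughly 50x amplified ANY responses at 203.0.113.9, plus one response whose
# spoofed query this sensor never saw.
FLOWS = [
    Flow("10.0.0.5", 51234, "10.0.0.53", 53, 58, False, "A"),
    Flow("10.0.0.53", 53, "10.0.0.5", 51234, 96, True, "A"),
    Flow("203.0.113.9", 40000, "198.51.100.1", 53, 64, False, "ANY"),
    Flow("198.51.100.1", 53, "203.0.113.9", 40000, 3100, True, "ANY"),
    Flow("203.0.113.9", 40000, "198.51.100.2", 53, 64, False, "ANY"),
    Flow("198.51.100.2", 53, "203.0.113.9", 40000, 2980, True, "ANY"),
    Flow("203.0.113.9", 40000, "198.51.100.3", 53, 64, False, "ANY"),
    Flow("198.51.100.3", 53, "203.0.113.9", 40000, 3300, True, "ANY"),
    Flow("198.51.100.4", 53, "203.0.113.9", 40000, 3000, True, "ANY"),
]


def amplification_factors(flows):
    """Bytes of responses a resolver sent to a client divided by the bytes of
    queries that client sent it, keyed by (resolver, client). inf means the
    client sent nothing, i.e. every response was unsolicited."""
    query_bytes, response_bytes = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.dport == 53 and not f.is_response:
            query_bytes[(f.dst, f.src)] += f.nbytes
        elif f.sport == 53 and f.is_response:
            response_bytes[(f.src, f.dst)] += f.nbytes
    return {pair: (b / query_bytes[pair] if query_bytes[pair] else float("inf"))
            for pair, b in response_bytes.items()}


def find_targets(flows, min_factor=10.0, min_reflectors=3):
    """Map each victim to the sorted list of resolvers reflecting at it.
    A client only counts as a victim when enough distinct resolvers each exceed
    min_factor: one large answer from one server is ordinary DNSSEC traffic."""
    reflectors = defaultdict(set)
    for (resolver, client), factor in amplification_factors(flows).items():
        if factor >= min_factor:
            reflectors[client].add(resolver)
    return {client: sorted(r) for client, r in reflectors.items() if len(r) >= min_reflectors}


def unsolicited_responses(flows):
    """Responses with no matching query from the destination (reverse 4-tuple)."""
    seen_queries = {(f.src, f.sport, f.dst, f.dport) for f in flows if not f.is_response}
    return [f for f in flows if f.is_response
            and (f.dst, f.dport, f.src, f.sport) not in seen_queries]


if __name__ == "__main__":
    for (resolver, client), factor in amplification_factors(FLOWS).items():
        print(f"{resolver} -> {client}: x{factor:.1f}")
    print("targets:", find_targets(FLOWS))
    print("unsolicited from:", [f.src for f in unsolicited_responses(FLOWS)])
```

The three signals line up with the standard mitigations: source-address validation at the network edge (BCP 38) removes the spoofed queries, not running an open resolver removes the reflector, and response rate limiting on authoritative servers caps how much a single reflector can amplify.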
  18. DNS CACHE POISONING. This technique can be used to direct users of a website to another site of the attacker's choosing. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content coming from a non-authentic server and unknowingly downloading malicious content. The poisoned answer stays in the cache for its TTL, so every client of that resolver is affected for that long.
  19. DNS CACHE POISONING. 1. The attacker poisons the cache of the local DNS server, either by attacking it remotely (racing a spoofed response against the real one) or by breaking into the server. 2. A legitimate user tries to log on to www.nicebank.com. 3. The user's DNS request goes to the DNS server. 4. The DNS server replies with the IP of the fake website. 5. The user is redirected to www.n1cebank.com.
  20. (DDOS) DISTRIBUTED DENIAL OF SERVICE. The attacker tries to target one or more of the 13 DNS root name servers. The root name servers are critical components of the Internet; attacks against the root name servers could, in theory, impact operation of the entire global Domain Name System. On October 21, 2002 an attack lasting approximately one hour was targeted at all 13 DNS root name servers. On February 6, 2007 a similar attack lasted twenty-four hours. The 13 root server addresses are served from many anycast sites, which is a large part of why the 2007 attack caused little user-visible disruption.
  21. BIND9 SPOOFING. BIND is the most widely used DNS software on the Internet; BIND 9 is the stable production release. BIND 9 DNS queries are predictable (source: Amit Klein's paper "BIND 9 DNS Cache Poisoning"): the source UDP port and the DNS transaction ID can be effectively predicted. BIND 9's next transaction ID was found to be predictable to within about 10 candidates. This enables a much more effective DNS cache poisoning than the previously known attacks against BIND 9. ISC fixed the ID generator in later BIND 9 releases and added source-port randomization after the 2008 Kaminsky disclosure, so the numbers on this slide describe unpatched versions.
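The race on slides 19 and 21 modelled in code, as an added example that is not part of the slides. A toy resolver accepts the first response matching the transaction ID, destination port and question of its outstanding query. The weak configuration uses a sequential ID and one fixed source port, as the vulnerable BIND 9 versions effectively did, and the hardened one randomizes both and drops out-of-bailiwick records (the checks slide 23 lists). The attacker's 10-ID window mirrors slide 21. All names, addresses and numbers are constructed for the example, and the bailiwick rule is simplified to "the parent of the queried name".

```python
"""Toy resolver and off-path attacker for the cache-poisoning race (added example)."""
import random
from dataclasses import dataclass, field

VICTIM = "www.nicebank.com"
REAL_IP = "203.0.113.10"        # constructed: nicebank's real server
ATTACKER_IP = "198.51.100.66"   # constructed: the fake site (www.n1cebank.com on slide 19)


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    answers: dict                                   # answer section: name -> IP
    additional: dict = field(default_factory=dict)  # additional section (glue): name -> IP


class Resolver:
    def __init__(self, rng, random_id=True, random_port=True, check_bailiwick=True):
        self.rng, self.cache, self.pending = rng, {}, None
        self.random_id, self.random_port, self.check_bailiwick = random_id, random_port, check_bailiwick
        self._next_id = 0x1000  # sequential counter for the weak configuration

    def send_query(self, qname):
        """Pick the ID and source port for a new query and remember them."""
        if self.random_id:
            txid = self.rng.getrandbits(16)
        else:
            txid, self._next_id = self._next_id, (self._next_id + 1) & 0xFFFF
        port = self.rng.randint(1024, 65535) if self.random_port else 53
        self.pending = (txid, port, qname)
        return txid, port

    def receive(self, resp):
        """Accept a response only if ID, port and question match the outstanding query."""
        if self.pending is None or (resp.txid, resp.dst_port, resp.qname) != self.pending:
            return False
        zone = resp.qname.split(".", 1)[1]  # simplified bailiwick: the parent of the queried name
        for name, ip in {**resp.answers, **resp.additional}.items():
            if self.check_bailiwick and name != zone and not name.endswith("." + zone):
                continue  # out-of-bailiwick data is dropped rather than cached
            self.cache[name] = ip
        self.pending = None
        return True


def make_resolver(seed, **kw):
    return Resolver(random.Random(seed), **kw)


def observe(resolver):
    """The attacker makes the resolver look up a name in a zone the attacker serves
    and reads the ID and source port off that query (answered inline here)."""
    probe = "probe.attacker.example"
    txid, port = resolver.send_query(probe)
    resolver.receive(Response(txid, port, probe, {probe: ATTACKER_IP}))
    return txid, port


def race(resolver, queries=50, window=10):
    """Slide 21's attacker: after each observation, fire `window` spoofed answers
    at the next ID values on the observed port before the real answer lands."""
    for _ in range(queries):
        seen_id, seen_port = observe(resolver)
        txid, port = resolver.send_query(VICTIM)
        for guess in range(seen_id + 1, seen_id + 1 + window):
            if resolver.receive(Response(guess & 0xFFFF, seen_port, VICTIM, {VICTIM: ATTACKER_IP})):
                return True  # poisoned; the real answer that follows is ignored
        resolver.receive(Response(txid, port, VICTIM, {VICTIM: REAL_IP}))  # real answer wins
    return False


def glue_injection(resolver):
    """Slide 13's cache pollution: a genuine answer from the attacker's own zone
    smuggles an unrelated record for the victim into the additional section."""
    qname = "www.attacker.example"
    txid, port = resolver.send_query(qname)
    resolver.receive(Response(txid, port, qname, {qname: ATTACKER_IP}, {VICTIM: ATTACKER_IP}))
    return resolver.cache.get(VICTIM)


def blind_success_probability(guesses, queries, id_bits=16, port_bits=0):
    """Chance a blind attacker wins at least once, sending `guesses` spoofs per query."""
    per_query = min(1.0, guesses / 2 ** (id_bits + port_bits))
    return 1 - (1 - per_query) ** queries
```

Against the weak resolver the first spoof lands. Against the hardened one the 10 guesses per query have to hit both a 16-bit ID and a 16-bit port, which blind_success_probability shows is hopeless at any practical rate. Randomizing only the ID still leaves roughly a 1-in-6,500 chance per query with 10 spoofs, which is why source-port randomization was the 2008 fix and why DNSSEC, which authenticates the data rather than the race, is the real answer.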
  22. HOW TO PREVENT DNS ATTACKS? DOMAIN NAME SYSTEM
  23. HOW TO PREVENT DNS ATTACKS? Band-aid solutions (they narrow the attack surface but do not authenticate the data): • Only cache information from authoritative servers, and only records within the answering server's bailiwick. • Cross-check IP/DNS mappings. • Transaction signatures (TSIG) for zone transfers and dynamic updates. • Split-split strategy: separate advertising (authoritative) name servers from resolving name servers. • No cache to poison on an authoritative-only server. • Only allow internal traffic to the resolver (do not run an open resolver). Firewalls can be utilized to minimize attacks against the DNS protocol: • Query and response verification. • Transaction ID randomization. • DNS header flag filtering. • DNS message size limitations.
  24. DNSSEC. DNS Security Extensions (DNSSEC): • Adds security functions to the DNS protocol. • Can prevent some attacks, such as DNS cache poisoning. • Adds data origin authentication and data integrity to the DNS protocol. • Digitally signs DNS data using public-key cryptography (the records are signed, not the connection). • The DNSKEY record is authenticated via a chain of trust starting with the trusted root. • It is loosely analogous to certificate-chain authentication in SSL/TLS, applied to the DNS, but it provides no confidentiality.
  25. DNSSEC. 1. RECORDS: RRSIG, DNSKEY, DS, NSEC and NSEC3. 2. ALGORITHMS: RSA/MD5, DSA/SHA-1, RSA/SHA-256/512 (RSA/MD5 and DSA have since been deprecated; ECDSA P-256/P-384 and Ed25519 have since been added). 3. LOOKUP PROCEDURE: Recursive Name Servers, Stub Resolver. 4. TRUST ANCHORS AND AUTHENTICATION CHAIN. 5. SIGNATURE AND ZONE SIGNING. 6. KEY MANAGEMENT.
  26. HOW DOES DNSSEC WORK? Parties: Stub Resolver, Recursor, Root Server, ns.dns.edu, ns.utdallas.edu. (1) Stub → Recursor: IP for www.utdallas.edu? The recursor checks its cache. (2) Recursor → Root: request DNSKEY. Root → Recursor: DNSKEY KSKroot + RRSIG(KSKroot), DNSKEY ZSKroot + RRSIG(ZSKroot). The recursor checks the RRSIG with KSKroot, which it holds as its trust anchor ⇒ valid ZSKroot. (3) Recursor → Root: IP for www.utdallas.edu? Root → Recursor: go to NS ns.dns.edu; DS(KSKedu) + RRSIG(DS); NS root + RRSIG(NS). The recursor checks each RRSIG with ZSKroot ⇒ valid DS(KSKedu), valid NS.
  27. HOW DOES DNSSEC WORK? (4) Recursor → ns.dns.edu: request DNSKEY for edu. ns.dns.edu → Recursor: DNSKEY KSKedu + RRSIG(KSKedu), DNSKEY ZSKedu + RRSIG(ZSKedu). The recursor validates KSKedu against DS(KSKedu) obtained from the root ⇒ valid KSKedu, then checks the RRSIG with KSKedu ⇒ valid ZSKedu. (5) Recursor → ns.dns.edu: IP for www.utdallas.edu? ns.dns.edu → Recursor: go to NS ns.utdallas.edu; DS(KSKutd) + RRSIG(DS); NS ns.dns.edu + RRSIG(NS). The recursor checks each RRSIG with ZSKedu ⇒ valid DS(KSKutd), valid NS.
  28. HOW DOES DNSSEC WORK? (6) Recursor → ns.utdallas.edu: request DNSKEY for utdallas.edu. ns.utdallas.edu → Recursor: DNSKEY KSKutd + RRSIG(KSKutd), DNSKEY ZSKutd + RRSIG(ZSKutd). The recursor validates KSKutd against DS(KSKutd) obtained from edu ⇒ valid KSKutd, then checks the RRSIG with KSKutd ⇒ valid ZSKutd. (7) Recursor → ns.utdallas.edu: IP for www.utdallas.edu? ns.utdallas.edu → Recursor: A 123.123.123.123 + RRSIG(A); NS ns.utdallas.edu + RRSIG(NS). The recursor checks each RRSIG with ZSKutd ⇒ valid A record, valid NS. (8) Recursor → Stub: A 123.123.123.123.
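The chain drawn on slides 26-28, validated in code. This is an added example, not code from the slides or from any DNSSEC implementation. It keeps the real structure (trust anchor → root DNSKEY RRset → DS for edu → edu DNSKEY RRset → DS for utdallas.edu → utdallas.edu DNSKEY RRset → RRSIG over the A record) and computes DS digests the way RFC 4034 section 5.1.4 specifies, but signs with a deliberately tiny textbook-RSA key generated inline so that it runs on the Python standard library alone. The zone names and 123.123.123.123 come from the slides; the key seeds, the 8+4-byte public-key encoding, the rrs/rrsig layout and signing owner||type||RDATA are assumptions of the example (real RRSIG inputs also cover class, TTL and the RRSIG RDATA fields).

```python
import hashlib
from math import gcd, isqrt

E = 65537  # RSA public exponent

def next_prime(n):
    """Smallest prime >= n by trial division (fine for the ~2^20 toy primes used here)."""
    while any(n % d == 0 for d in range(2, isqrt(n) + 1)):
        n += 1
    return n

def h_mod(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n  # toy padding, not PKCS#1

class ToyKey:
    """Textbook RSA on a ~40-bit modulus standing in for a DNSSEC key pair.
    Toy only: real KSKs/ZSKs are 2048-bit RSA or ECC keys (see slide 25)."""

    def __init__(self, seed):
        p, q = next_prime(seed), next_prime(seed + 1000)
        while gcd(E, (p - 1) * (q - 1)) != 1:
            q = next_prime(q + 1)
        self.n, self._d = p * q, pow(E, -1, (p - 1) * (q - 1))
        self.public_bytes = self.n.to_bytes(8, "big") + E.to_bytes(4, "big")  # stands in for DNSKEY RDATA

    def sign(self, msg):  # produces the toy equivalent of an RRSIG
        return pow(h_mod(msg, self.n), self._d, self.n)

def verify(public_bytes, msg, sig):
    """Check a signature using only the public half, as a validating resolver does."""
    n = int.from_bytes(public_bytes[:8], "big")
    return pow(sig, E, n) == h_mod(msg, n)

def wire_name(name):
    return b"\x00" if name == "." else b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def ds_digest(owner, ksk_public):
    """DS digest per RFC 4034 section 5.1.4: SHA-256(owner wire name || DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + ksk_public).digest()

def signed_bytes(owner, rtype, rdata):
    return wire_name(owner) + rtype.encode() + rdata  # what an RRSIG covers in this toy

class Zone:
    def __init__(self, name, seed):
        self.name, self.ksk, self.zsk = name, ToyKey(seed), ToyKey(seed + 50_000)
        self.rrs = {(name, "DNSKEY"): self.ksk.public_bytes + self.zsk.public_bytes}
        self.rrsig = {}

    def delegate(self, child):
        """Parent publishes a DS record: the hash of the child's KSK."""
        self.rrs[(child.name, "DS")] = ds_digest(child.name, child.ksk.public_bytes)

    def sign(self):
        """KSK signs the DNSKEY RRset; ZSK signs every other RRset (slides 26-28)."""
        for (owner, rtype), rdata in self.rrs.items():
            key = self.ksk if rtype == "DNSKEY" else self.zsk
            self.rrsig[(owner, rtype)] = key.sign(signed_bytes(owner, rtype, rdata))

    def rrset_ok(self, owner, rtype, pub):
        """Does the stored RRSIG over (owner, rtype) verify under public key pub?"""
        msg = signed_bytes(owner, rtype, self.rrs[(owner, rtype)])
        return verify(pub, msg, self.rrsig[(owner, rtype)])

def validate_a(name, zones, trust_anchor):
    """Return the A record for name only if every link verifies, from the
    configured trust anchor (digest of the root KSK) down to the RRSIG on A."""
    labels = name.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    path = [z for z in ["."] + suffixes if z in zones]  # e.g. ".", "edu", "utdallas.edu"
    expected_ds = trust_anchor
    for depth, apex in enumerate(path):
        zone, dnskey = zones[apex], zones[apex].rrs[(apex, "DNSKEY")]
        ksk_pub, zsk_pub = dnskey[:12], dnskey[12:]
        if ds_digest(apex, ksk_pub) != expected_ds:
            raise ValueError(f"{apex}: KSK does not match the DS / trust anchor")
        if not zone.rrset_ok(apex, "DNSKEY", ksk_pub):
            raise ValueError(f"{apex}: bad RRSIG over the DNSKEY RRset")
        if depth + 1 < len(path):  # descend through the DS record for the child zone
            child = path[depth + 1]
            if not zone.rrset_ok(child, "DS", zsk_pub):
                raise ValueError(f"{apex}: bad RRSIG over DS for {child}")
            expected_ds = zone.rrs[(child, "DS")]
        elif not zone.rrset_ok(name, "A", zsk_pub):  # leaf zone: the A record itself
            raise ValueError(f"{apex}: bad RRSIG over the A record")
        else:
            return ".".join(str(b) for b in zone.rrs[(name, "A")])

def build_tree():
    """Constructed zones mirroring the slides: root -> edu -> utdallas.edu."""
    root, edu, utd = Zone(".", 1_000_000), Zone("edu", 1_100_000), Zone("utdallas.edu", 1_200_000)
    utd.rrs[("www.utdallas.edu", "A")] = bytes([123, 123, 123, 123])
    root.delegate(edu)
    edu.delegate(utd)
    for z in (root, edu, utd):
        z.sign()
    return {z.name: z for z in (root, edu, utd)}, ds_digest(".", root.ksk.public_bytes)
```

validate_a raises at the first broken link, which is what a validating resolver does before it returns SERVFAIL: a tampered A record fails the last RRSIG check, and an attacker who re-keys a zone fails the DS check in the parent. That is also why slide 31's warning about a compromise "between the root and the target" matters: whoever controls a parent's ZSK can publish a DS for a key they hold.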
  29. DNSSEC STANDARDS. RFC 4033, DNS Security Introduction and Requirements. What is provided by DNSSEC? Origin authentication and data integrity, via: • Resource Record Signature (RRSIG). • DNS Public Key (DNSKEY). • Delegation Signer (DS). • Next Secure (NSEC). • New header bits: Checking Disabled (CD) and Authenticated Data (AD). What is not provided by DNSSEC? Confidentiality, access control lists, or protection against DoS attacks. Considerations: Resolver: cryptographic checks on signatures, authentication chaining, validating DNS replies. Stub resolver: either performs the DNSSEC validity checks itself or trusts the recursor's AD bit, which is only safe over a channel secured by e.g. IPsec. Zones: signed and unsigned zones, regular maintenance (re-signing) of RRsets before signatures expire. Name server: serve the DNSSEC records (RRSIG, DNSKEY, DS and NSEC), support the EDNS "sender's UDP payload size" mechanism because signed responses are large, and keep the private part of the DNSSEC key pair offline. Security: a channel secured by IPsec, or a DNS transaction authentication mechanism such as TSIG, for the stub-to-recursor hop.
  30. DNSSEC STANDARDS. RFC 4034, Resource Records for the DNS Security Extensions: DNSKEY, RRSIG, NSEC and DS resource records. RFC 4035, Protocol Modifications for the DNS Security Extensions: zone signing (DNSKEY, RRSIG, NSEC, DS); serving (authoritative name servers and recursive name servers); resolving (EDNS support, signature verification, trust anchors); authenticating DNS responses. RFC 5155: DNSSEC Hashed Authenticated Denial of Existence (NSEC3). RFC 4310: DNS Security Extensions Mapping for the Extensible Provisioning Protocol (EPP), since obsoleted by RFC 5910. RFC 4641: DNSSEC Operational Practices, since obsoleted by RFC 6781.
  31. ARE WE SECURE WITH DNSSEC? DNSSEC has some problems of its own: Trivial zone configuration errors, expired signatures or mishandled key rollovers make a DNSSEC-aware resolver reject the whole zone (it answers SERVFAIL), so a signing mistake is an outage. The increased size of DNSSEC responses could encourage DoS amplifiers. Slow responses due to the extra overhead of signature validation could result in timeouts and re-queries from impatient DNS clients. Compromise of any of the zones between the root and the target could damage DNSSEC's ability to protect the integrity of data owned by that target name.
  32. THANKS. hxp101120@utdallas.edu
  33. REFERENCES: http://www.cisco.com/web/about/security/intelligence/dns-bcp.html; http://tools.ietf.org/html/rfc4033; http://tools.ietf.org/html/rfc4034; http://tools.ietf.org/html/rfc4035; http://tools.ietf.org/html/rfc5155; http://tools.ietf.org/html/rfc4310; http://tools.ietf.org/html/rfc4641; https://www.dnssec.nl/wiki/index.php/DNSSEC_explained; http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions; http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm
