Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption - Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
CNIT 40: 4: Monitoring and detecting security breaches - Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 1: The Importance of DNS Security - Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption - Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The document discusses various methods for securing DNS, including restricting zone transfers to prevent enumeration of internal hosts, restricting dynamic updates to authorized sources, protecting against spoofing by disabling recursion and restricting queries, and implementing a split DNS configuration to control external visibility of internal domains. It provides configuration examples for BIND and Microsoft DNS servers to implement these security remedies.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required step for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee availability and secure Internet services, it is important for networking professionals to understand DNS concepts, DNS security, configuration, and operations.
This course discusses DNS operations in detail: mechanisms to authenticate communication between DNS servers, mechanisms to establish the authenticity and integrity of DNS data, and mechanisms to delegate trust to the public keys of third parties. Participants take part in lab exercises and perform configurations based on a number of scenarios.
The document discusses various DNS security threats such as DNS hijacking, cache poisoning, and tunneling. It provides examples of how DNS tunneling works by encoding data in domain names and using subdomains for communication. The document also outlines some mitigation techniques for DNS tunneling, including payload analysis, traffic analysis, and restricting unusual DNS behaviors and record types.
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
The document discusses DNS attacks and how to prevent them. It begins by explaining what DNS is and how it works to translate domain names to IP addresses. It then outlines several common attacks against DNS like cache poisoning, amplification attacks, and DDoS attacks. The document recommends approaches to secure DNS like DNSSEC, which adds digital signatures to authenticate DNS data and prevent spoofing. It provides details on how DNSSEC works through cryptographic signing of DNS records and validation of signatures up the DNS hierarchy.
This document provides an overview of DNS security and DNSSEC. It begins with explanations of what DNS is, how it works, and how DNS responses can be corrupted. It then discusses the problems that occur when DNS goes bad, such as being directed to the wrong site or downloading malware. The document introduces DNSSEC as a solution and explains why it was created and why it is important, particularly for government agencies. It addresses why more organizations don't use DNSSEC and the challenges of deploying and maintaining it. Finally, it describes options for implementing DNSSEC, including the GSA DNSSEC Cloud Signing Service, which handles the complexities for .gov domains.
DNS protocol design, attacks and security - Michael Earls
The document discusses DNS security and attacks such as cache poisoning, denial of service attacks through query flooding, and man-in-the-middle attacks through DNS hijacking. It provides examples using tools like dnsFlood.pl and dnshijacker to demonstrate these attacks, and recommends mitigations like restricting queries, preventing unauthorized zone transfers, using DNSSEC, and configuring TSIG to secure DNS messages.
The document discusses the importance of DNS security for the internet. It provides background on the Domain Name System (DNS), explaining that DNS acts as the "phonebook" of the internet by translating domain names to IP addresses. While DNS was originally designed to be fault tolerant, dynamic, scalable, and redundant, security was not initially considered. The document outlines how DNS works and its hierarchical structure. It notes that traditional DNS uses UDP and lacks security features like authentication, making it vulnerable to spoofing and cache poisoning attacks. Finally, the document argues that DNSSEC is crucial for online safety as it uses digital signatures to authenticate DNS data and verify responses came from authorized servers.
Encrypted DNS - DNS over TLS / DNS over HTTPS - Alex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
The document discusses the history and evolution of the Domain Name System (DNS). It describes how early computer networks like ARPANET used hosts.txt files to map hostnames to IP addresses, but this approach did not scale well. DNS was developed in the 1980s to provide a distributed, hierarchical database to resolve hostname lookups. DNS uses a client-server model with nameservers to store records and respond to queries. The 13 root servers delegate authority to top-level domains which in turn delegate to authoritative nameservers for each domain.
The document is a slide deck for a DNSSEC tutorial presented at the USENIX LISA conference in 2013. It provides an overview of DNSSEC, including how it uses public key cryptography and digital signatures to authenticate DNS data and establish a chain of trust. It also covers topics like configuring DNSSEC in BIND, using the dig tool to perform queries, and prospects for new applications of DNSSEC. The presentation was given by Shumon Huque, an IT director at the University of Pennsylvania.
23rd PITA AGM and Conference: DNS Security - A holistic view - APNIC
Security Specialist Jamie Gillespie presents on DNS Security, examining the complex interactions of this system, from domain registration to name resolution, the security risks of each component, and the mitigation options currently available at 23rd PITA AGM and Annual Conference in Nadi, Fiji from 8 to 12 April 2019.
This document discusses DNS cache poisoning vulnerabilities, including:
- Explanations of how cache poisoning works by entering non-authoritative records into a resolver's cache.
- A timeline of vulnerabilities discovered from 1993-2008 related to implementation issues that allowed cache poisoning.
- Countermeasures like DNSSEC that add authentication and integrity to DNS to prevent cache poisoning attacks.
This document discusses DNS cache poisoning. It begins by explaining what DNS is and its purpose of mapping domain names to IP addresses. It then discusses how DNS servers implement caching to improve performance and defines DNS cache poisoning as getting unauthorized entries into a DNS server's cache. The document outlines how an attacker could poison a cache to redirect traffic to a machine they control in order to perform man-in-the-middle attacks or install malware. It describes various methods of poisoning caches locally or remotely, such as between end users and nameservers or between nameservers themselves using the Kaminsky attack. Defenses like DNSSEC are mentioned along with encouragement to try cache poisoning in a controlled lab environment.
Passive DNS Collection – Henry Stern, Cisco
This document describes Cisco's passive DNS collection and searching system. It captures over 4 billion DNS and NetBIOS packets per day from across Cisco's network. The captured data is indexed using a Bloom filter and stored in files. A Python-based search engine allows querying the data by source IP, destination IP, domain name, or other fields. The system is used for network forensics, botnet monitoring, and discovering new threats. Future work includes integrating the passive DNS data with other security systems.
This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts:
1. It explains the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records.
2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement.
3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.
The document discusses various phases of intrusion and techniques used by attackers:
1. Reconnaissance involves gathering information about the target through techniques like searching public databases, domain name records, and social engineering to map the network and discover vulnerabilities.
2. Scanning detects live machines, network topology, firewall configurations, applications, and vulnerabilities using tools like ping sweeps, traceroute, port scanning, and vulnerability scanners.
3. Gaining access exploits known vulnerabilities through buffer overflow attacks or by downloading exploits from hacker sites to compromise systems.
Computer Networks Module 1 - part 2.pdf - ShanthalaKV
18CS52 VTU Computer Network & Security
MODULE 1-Part 2
DNS; The Internet's Directory Service: Services Provided by DNS, Overview of How DNS Works, DNS Records and Messages, Peer-to-Peer Applications: P2P File Distribution, Distributed Hash Tables, Socket Programming: creating Network Applications: Socket Programming with UDP, Socket Programming with TCP.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
- DNS vulnerabilities can arise from configuration errors, architecture mistakes, vulnerable software implementations, protocol weaknesses, and failure to use security extensions.
- Common mistakes include single points of failure, exposure of internal information, leakage of internal queries, unnecessary recursiveness, failure to restrict access, and unprotected zone transfers.
- Software vulnerabilities have included buffer overflows and flaws in randomization of source ports, transaction IDs, and domain name ordering that enable cache poisoning and man-in-the-middle attacks.
This document discusses techniques for analyzing malware network signatures and developing effective network countermeasures. It describes using firewalls, proxies, and intrusion detection systems to filter malicious traffic. Deep packet inspection can detect malware beacons hidden in layers like HTTP user-agents. The document advises passively monitoring real infected networks to understand malware without tipping off attackers. It also provides methods for safely investigating attackers online anonymously. Analyzing how malware generates domain names and URLs can reveal signatures to detect similar strains. The goal is to create general signatures that still work if the malware evolves while avoiding false positives.
This document provides an overview and introduction to DNS and DNSSEC. It begins with introducing the presenter, Nurul Islam Roman, and his background and areas of expertise. The overview section lists the topics to be covered, including DNS overview, forward and reverse DNS, DNS security overview, TSIG, and DNSSEC. The document then delves into explanations of DNS overview, how it works, its features and components. It also covers IP addresses vs domain names, the DNS tree hierarchy, domains, root servers, resolvers, authoritative and recursive nameservers. Finally, it discusses resource records, common RR types, reverse DNS, delegation, glue records and responsibilities around APNIC and ISPs for reverse delegations.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
This chapter reviews basic networking concepts like protocols, ports, and network devices. It discusses how switches prevent flooding attacks and use protocols like STP. Routers are covered, including how they route traffic and use ACLs to filter traffic. Firewalls are also summarized, including the differences between stateful and stateless configurations and how firewall rules work. Network segmentation methods like DMZs, proxies, and VLANs are also introduced.
The document discusses various hacking techniques and intrusion detection methods. It covers external and internal footprinting, which involves passively and actively gathering information about a target organization and its network. Some external footprinting techniques include WHOIS lookups, DNS reconnaissance, and searching online databases. Internal footprinting can involve packet sniffing, port scanning the local subnet, and using tools like DHCP servers. The goal of footprinting is to map out what hosts and services are present before launching attacks.
1. The document discusses several protocols used to translate between different address types on a network, including DNS, DHCP, and ARP. DNS is a hierarchical and distributed system that maps hostnames to IP addresses. DHCP dynamically assigns IP configuration to hosts, while ARP maps IP addresses to MAC addresses for sending packets on the local link.
2. When a host first connects to the network, it uses DHCP to dynamically obtain its IP configuration including IP address, subnet mask, gateway, and DNS servers. It then uses ARP to discover the MAC address associated with destination IP addresses, allowing it to encapsulate IP packets for transmission on the link.
3. DNS uses a distributed database of name servers to lookup mappings between hostnames and
Packet Analysis - Course Technology Computing Conference
Presenter: Lisa Bock - Pennsylvania College of Technology
Most network administrators are well-versed in hardware, applications, operating systems, and network analysis tools. However, many are not trained in analyzing network traffic. Network administrators should be able to identify normal network traffic in order to determine unusual or suspicious activity. Network packet analysis is important in order to troubleshoot congestion issues, create firewall and intrusion detection system rules, and perform incident and threat detection. This hands-on presentation will review fundamental concepts necessary to analyze network traffic, beginning with an overview of network analysis, then a review the TCP/IP protocol suite and LAN operations. Participants will examine packet captures and understand the field values of the protocols and as to what is considered normal behavior, and then examine captures that show exploits, network reconnaissance, and signatures of common network attacks. The program will use Wireshark, a network protocol analyzer for Unix and Windows, to study network packets, look at basic features such as display and capture filters, and examine common protocols such as TCP, HTTP, DNS, and FTP. Time permitting, the presentation will provide suggestions on how to troubleshoot performance problems, conduct a network baseline, and how to follow a TCP or UDP stream and see HTTP artifacts. Participants should have a basic knowledge of computer networking and an interest in the subject.
DNS is a distributed database that translates hostnames to IP addresses. It operates through a hierarchy of root servers, top-level domain servers, and authoritative name servers. DNS provides additional services like load balancing and mail server aliasing. Queries are resolved through recursive or iterative lookups between clients and servers to map names to addresses.
Harden Security Devices Against Increasingly Sophisticated EvasionsIxia
separate the professional hacker from the vandal. Evasion techniques are used to bypass security measures on EVERY type of device, at EVERY layer.
Are you 100% confident your IPS, firewall and other security devices will stand up to these increasingly sophisticated evasions?
Join BreakingPoint security researchers for this free webcast and receive a comprehensive briefing on Strike Evasions. Learn how to act with precision to detect evasions with little impact on latency. Get up-to-the-minute details on the latest evasions seen in the wild, the proper ways to test for evasion resistance, and BreakingPoint's five keys for protecting your network against cyber criminals.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
The document provides an overview of DNS (Domain Name System) including registration records, common record types like A, MX, CNAME, NS, SOA, PTR and TXT records. It describes DNS queries, responses, zone transfers, and structure and interpretation of DNS records. Key points covered include registration information from WHOIS, mapping of domain names to IP addresses using record types, DNS server hierarchy, and use of records for mail servers and reverse lookups.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Similar to CNIT 40: 4: Monitoring and detecting security breaches (20)
The document discusses various topics related to cyberwar including Mastodon, Lockheed-Martin's kill chain model, and Mitre's ATT&CK framework. It notes that China, Russia, Iran, and North Korea pose major cyber threats according to the FBI and CISA. China is described as the broadest cyber espionage threat. Russia conducts destructive malware and ransomware operations. Iran's growing cyber expertise makes it a threat. North Korea's program poses an espionage, cybercrime, and attack threat and continues cryptocurrency heists.
This chapter discusses software development security. It covers topics like programming concepts, compilers and interpreters, procedural vs object-oriented languages, application development methods like waterfall vs agile models, databases, object-oriented design, assessing software vulnerabilities, and artificial intelligence techniques. The key aspects are securing the entire software development lifecycle from initial planning through operation and disposal, using secure coding practices, testing for vulnerabilities, and continually improving processes.
This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.
This document provides an overview of elliptic curve cryptography including what an elliptic curve is, the elliptic curve discrete logarithm problem (ECDLP), Diffie-Hellman key agreement and digital signatures using elliptic curves. It discusses NIST standard curves like P-256 and Curve25519 as well as choosing appropriate curves and potential issues like attacks if randomness is not properly implemented or an invalid curve is used.
The document discusses the Diffie-Hellman key exchange protocol. It describes how Diffie-Hellman works by having two parties agree on a shared secret over an insecure channel without transmitting the secret itself. It also covers potential issues like using proper cryptographic techniques to derive keys from the shared secret and using safe prime numbers to prevent attacks.
This document provides an overview of analyzing iOS apps, including jailbreaking mobile devices. It discusses iOS security features like code signing and sandboxing. It explains how to set up a test environment for analyzing apps by jailbreaking a device and using Unix tools. Key files like property lists and databases that can be explored are also outlined.
This document discusses various techniques for writing secure Android apps, including minimizing unnecessary permissions and exposure, securing data storage and communication, and making apps difficult to reverse engineer. It provides examples of implementing essential security mechanisms like permission protection and securing activities, content providers, and web views. It also covers more advanced techniques such as protection level downgrades, obfuscation, and tamper detection.
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
The document discusses investigating Windows systems by analyzing the Windows Registry. It describes the purpose and structure of the Registry, including the main hive files and user-specific hives. It provides an overview of important Registry keys that can contain forensic artifacts, such as system configuration keys, network information keys, user and security information keys, and auto-run keys that can indicate malware persistence. Specific Registry keys and values are highlighted that are most useful for analyzing evidence on a compromised system, including ShellBags, UserAssist, MRU lists, and Internet Explorer TypedURLs and TypedPaths. Tools for Registry analysis like RegRipper, AutoRuns, and Nirsoft utilities are also mentioned.
This document provides an overview of the RSA cryptosystem. It begins with the mathematical foundations of RSA, including the group ZN* and Euler's totient function. It then covers the RSA trapdoor permutation using modular exponentiation and key generation. The document discusses encrypting and signing with RSA, as well as implementations using libraries and algorithms like square-and-multiply. It concludes with topics like side-channel attacks, optimizations for speed, and ways implementations can fail like the Bellcore attack on RSA-CRT.
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.
This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
This document provides an overview of the incident response analysis methodology process. It discusses defining objectives, understanding the situation and available resources, identifying leadership, avoiding impossible tasks like proving a negative, asking why to define scope, knowing where data is stored, accessing raw data, selecting analysis methods like searching for malware or using tools like VirusTotal, manual review, filtering data, statistical analysis using tools like Sawmill, string searching, analyzing unallocated space, and file carving. It stresses periodically evaluating results to ensure progress and only making definitive statements if supported by evidence.
This document discusses authenticated encryption, which both encrypts messages and authenticates them with a tag. It covers several authenticated encryption schemes:
1. Authenticated Encryption with Associated Data (AEAD) which encrypts a plaintext and authenticates additional associated data with a tag.
2. AES-GCM, the standard authenticated cipher, which uses AES in Galois/Counter Mode. It has two layers - encryption then authentication.
3. OCB, faster than GCM but limited by licensing. It blends encryption and authentication into one layer.
4. SIV, considered the safest as it is secure even if nonces are reused, but it is not streamable.
This document summarizes part 2 of a course on attacking Android applications. It discusses how application components like activities and services can be exploited if not properly protected. Specific vulnerabilities in the Sieve password manager application are demonstrated, including insecure content providers, SQL injection, and an insecure file-backed content provider. The document also covers how services and broadcast receivers can be abused if not protected correctly.
This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.
The document discusses stream ciphers and how they can be implemented in either hardware or software. It describes how stream ciphers work by generating a pseudorandom bitstream from a key and nonce that is XOR'd with the plaintext. Hardware-oriented stream ciphers were initially more efficient to implement than block ciphers using dedicated circuits like LFSRs. However, LFSR-based designs are insecure and modern software-oriented stream ciphers like Salsa20 are more efficient on CPUs. The document cautions that stream ciphers can be broken if the key and nonce are reused or if there are flaws in the implementation.
Live data collection on Windows systems can be done using prebuilt kits like Mandiant Redline or Velociraptor, by creating your own scripted toolkit using built-in and free tools to collect processes, network connections, system logs and other volatile data, while following best practices like testing your methods first and being cautious of malware on investigated systems.
Block ciphers like AES encrypt data in fixed-size blocks and use cryptographic keys and rounds of processing to encrypt the data securely. AES is the current standard, using 128-bit blocks and keys of 128, 192, or 256 bits. Modes of operation like ECB, CBC, CTR are used to handle full messages. ECB is insecure as identical plaintext blocks produce identical ciphertext, while CBC and CTR provide security if nonces and IVs are not reused. Implementation details like padding and side channels must be handled carefully to prevent attacks.
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.pptHenry Hollis
The History of NZ 1870-1900.
Making of a Nation.
From the NZ Wars to Liberals,
Richard Seddon, George Grey,
Social Laboratory, New Zealand,
Confiscations, Kotahitanga, Kingitanga, Parliament, Suffrage, Repudiation, Economic Change, Agriculture, Gold Mining, Timber, Flax, Sheep, Dairying,
A Visual Guide to 1 Samuel | A Tale of Two HeartsSteve Thomason
These slides walk through the story of 1 Samuel. Samuel is the last judge of Israel. The people reject God and want a king. Saul is anointed as the first king, but he is not a good king. David, the shepherd boy is anointed and Saul is envious of him. David shows honor while Saul continues to self destruct.
Gender and Mental Health - Counselling and Family Therapy Applications and In...PsychoTech Services
A proprietary approach developed by bringing together the best of learning theories from Psychology, design principles from the world of visualization, and pedagogical methods from over a decade of training experience, that enables you to: Learn better, faster!
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapitolTechU
Slides from a Capitol Technology University webinar held June 20, 2024. The webinar featured Dr. Donovan Wright, presenting on the Department of Defense Digital Transformation.
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...indexPub
The recent surge in pro-Palestine student activism has prompted significant responses from universities, ranging from negotiations and divestment commitments to increased transparency about investments in companies supporting the war on Gaza. This activism has led to the cessation of student encampments but also highlighted the substantial sacrifices made by students, including academic disruptions and personal risks. The primary drivers of these protests are poor university administration, lack of transparency, and inadequate communication between officials and students. This study examines the profound emotional, psychological, and professional impacts on students engaged in pro-Palestine protests, focusing on Generation Z's (Gen-Z) activism dynamics. This paper explores the significant sacrifices made by these students and even the professors supporting the pro-Palestine movement, with a focus on recent global movements. Through an in-depth analysis of printed and electronic media, the study examines the impacts of these sacrifices on the academic and personal lives of those involved. The paper highlights examples from various universities, demonstrating student activism's long-term and short-term effects, including disciplinary actions, social backlash, and career implications. The researchers also explore the broader implications of student sacrifices. The findings reveal that these sacrifices are driven by a profound commitment to justice and human rights, and are influenced by the increasing availability of information, peer interactions, and personal convictions. The study also discusses the broader implications of this activism, comparing it to historical precedents and assessing its potential to influence policy and public opinion. The emotional and psychological toll on student activists is significant, but their sense of purpose and community support mitigates some of these challenges. 
However, the researchers call for acknowledging the broader Impact of these sacrifices on the future global movement of FreePalestine.
Elevate Your Nonprofit's Online Presence_ A Guide to Effective SEO Strategies...TechSoup
Whether you're new to SEO or looking to refine your existing strategies, this webinar will provide you with actionable insights and practical tips to elevate your nonprofit's online presence.
4. Types of Log Data
• Format errors in queries
• Lame delegations
– Referral from a parent zone to an invalid name server for the child zone
• Queries for nonexistent domains
6. Clauses
• Channel
– Defines output medium, such as files, syslog, stderr, or null to eliminate output
• Versions
– Max. number of files that can be used
– Files are rolled when "size" is reached
• Severity
– "critical" logs only critical events
– "info" stores much more
• Print
– print-time, print-severity, print-category
– Controls what is printed (link Ch 4a)
7. Categories
• queries
– Logs client IP & port, question name, type and class of query
– Useful to record which hosts are querying for what domains
– + indicates recursive query
– S indicates signed query
– E indicates Extended DNS (EDNS)
8. Categories
• security
– Requests that were denied
– Rejected by access control lists (ACLs) that define which hosts are allowed to send queries, zone transfers, etc.
– ACLs are set using these options statements
• allow-query
• allow-recursion
• allow-transfer
9. Categories
• update-security
– Denied requests to update DNS zone data dynamically, because of ACLs or policies
– ACLs and policies defined with
• allow-update
• allow-update-forwarding
• update-policy
– BIND tool "nsupdate" generates dynamic updates
10. Categories
• dnssec
– Only works if DNS server supports DNSSEC and is configured to perform record validation
– DNSSEC statements
• dnssec-enable
• dnssec-validation
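To show what the queries category actually records, here is an added Python example (not from the slides or from BIND) that parses constructed query-log lines in BIND's documented layout, pulls out the recursion, signed and EDNS flags, and then lists the external recursive queries and zone-transfer requests that the allow-recursion and allow-transfer ACLs from slide 8 would normally deny. The sample lines and the internal prefix 192.0.2.0/24 are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of BIND's "queries" category (not taken from the slides).
# Each line carries the client IP#port, the question name, class and type,
# the flags field (+/- recursion desired, S signed, E EDNS, T TCP) and the
# server address that received the query.
SAMPLE_LOG = """\
12-Mar-2018 10:15:32.123 queries: info: client 192.0.2.10#52341: query: www.example.com IN A +E (198.51.100.1)
12-Mar-2018 10:15:32.456 queries: info: client 192.0.2.10#52342: query: mail.example.com IN MX + (198.51.100.1)
12-Mar-2018 10:15:33.001 queries: info: client 203.0.113.7#40000: query: www.google.com IN A +E (198.51.100.1)
12-Mar-2018 10:15:33.200 queries: info: client 203.0.113.7#40001: query: example.com IN AXFR -ST (198.51.100.1)
12-Mar-2018 10:15:34.000 queries: info: client 192.0.2.11#51000: query: example.com IN SOA -S (198.51.100.1)
12-Mar-2018 10:15:34.500 general: info: zone example.com/IN: loaded serial 2018031201
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[0-9a-fA-F.:]+)\)"
)


def parse_line(line):
    """Return the fields of one query-log line, or None for any other log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "client": m.group("ip"),
        "port": int(m.group("port")),
        "qname": m.group("qname").rstrip(".").lower(),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursive": flags.startswith("+"),  # '+' = RD bit set, '-' = not set
        "signed": "S" in flags,              # TSIG/SIG(0)-signed query
        "edns": "E" in flags,                # EDNS in use
        "tcp": "T" in flags,                 # query arrived over TCP
        "server": m.group("server"),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries, internal_nets):
    """Counts per client and per name, plus queries an ACL would usually deny:
    recursive queries and zone transfers from outside the internal networks."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    return {
        "per_client": Counter(e["client"] for e in entries),
        "per_name": Counter(e["qname"] for e in entries),
        "external_recursive": [e for e in entries
                               if e["recursive"] and not internal(e["client"])],
        "external_axfr": [e for e in entries
                          if e["qtype"] == "AXFR" and not internal(e["client"])],
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), ["192.0.2.0/24"])
    for e in report["external_recursive"] + report["external_axfr"]:
        print("review ACLs:", e["client"], e["qtype"], e["qname"])
```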
14. SPAN Port
• Capture packets with tcpdump or Wireshark
• From a SPAN port on a router or switch
– Provides a copy of every packet
• Or use an optical or electronic splitter
– Or a hub
• Data sent to a server that captures and stores all the packets
• Usually uses libpcap or WinPcap with standard pcap format
16. Flow Data
• Summarized record of a network traffic session
• Packets with common characteristics
– Source and destination IP, Port, and Protocol
• Each flow typically goes in only one direction
• NetFlow
– Originally developed by Cisco
– Standardized by IETF as IP Flow Information Export (IPFIX)
17. Packet Grouping
• TCP sessions
– Export flow as soon as session ends with FIN or RST
• UDP traffic
– Must guess when flow ends
– Activity timer expiration exports after a period of time, even if flow is still in progress
– Inactivity timer generates a flow record when there is inactivity for a period of time
18. Flow Records
• Don't contain a complete summary of a session between two hosts
• Very long sessions, or sessions with periods of inactivity, may appear in multiple flow records
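An added example (not from the slides) that simulates how a flow exporter applies the rules on slides 17 and 18: a small Python exporter with activity and inactivity timers runs over constructed packets, splitting one UDP DNS conversation into several flow records and exporting a TCP session at its FIN, then selects the port-53 flows touching the DNS server in the way slide 24 describes. The timeout values, addresses and packets are assumptions.

```python
from dataclasses import dataclass

ACTIVE_TIMEOUT = 60.0    # seconds: cut a record even though the flow is still in progress
INACTIVE_TIMEOUT = 15.0  # seconds: cut a record once no packet has been seen for this long


@dataclass
class Flow:
    key: tuple      # (src, sport, dst, dport, proto): one direction only
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def build_flows(packets, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    """Simulate a NetFlow/IPFIX exporter over packets sorted by timestamp.

    Each packet is a dict with ts, src, sport, dst, dport, proto, length and
    (for TCP) a flags string such as "S", "A" or "FA"."""
    open_flows = {}
    exported = []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        f = open_flows.get(key)
        if f is not None and p["ts"] - f.last >= inactive:
            # inactivity timer: the old flow went quiet, so it is exported as finished
            exported.append(open_flows.pop(key))
            f = None
        elif f is not None and p["ts"] - f.first >= active:
            # activity timer: a long-running flow is exported in pieces
            exported.append(open_flows.pop(key))
            f = None
        if f is None:
            f = Flow(key, p["ts"], p["ts"])
            open_flows[key] = f
        f.last = p["ts"]
        f.packets += 1
        f.octets += p["length"]
        # TCP sessions end with FIN or RST, so the record can be exported immediately
        if p["proto"] == "tcp" and any(c in p.get("flags", "") for c in "FR"):
            exported.append(open_flows.pop(key))
    exported.extend(open_flows.values())  # flush whatever is still open at the end
    return exported


def dns_flows(flows, server_ip):
    """Slide 24 selection: port 53 on either side and the DNS server as source or destination."""
    return [f for f in flows
            if 53 in (f.key[1], f.key[3]) and server_ip in (f.key[0], f.key[2])]


def sample_packets():
    """Constructed traffic: a chatty UDP DNS client, a TCP zone transfer, one web packet."""
    udp = dict(src="192.0.2.10", sport=40000, dst="198.51.100.1", dport=53, proto="udp", length=64)
    pk = [dict(udp, ts=float(t)) for t in range(0, 100, 10)]   # one query every 10 s for 100 s
    pk += [dict(udp, ts=150.0), dict(udp, ts=160.0)]           # silence, then two more queries
    tcp = dict(src="203.0.113.7", sport=50000, dst="198.51.100.1", dport=53, proto="tcp", length=60)
    pk += [dict(tcp, ts=20.0, flags="S"), dict(tcp, ts=20.1, flags="A"), dict(tcp, ts=30.0, flags="FA")]
    pk.append(dict(ts=25.0, src="192.0.2.10", sport=41000, dst="203.0.113.50",
                   dport=80, proto="tcp", length=500, flags="S"))
    return sorted(pk, key=lambda p: p["ts"])


if __name__ == "__main__":
    for f in dns_flows(build_flows(sample_packets()), "198.51.100.1"):
        print(f.key[4], f.key[0], "->", f.key[2], f"{f.first:.0f}-{f.last:.0f}s", f.packets, "pkts")
```

The UDP conversation comes out as three records (6, 4 and 2 packets): one cut by the activity timer, one by the 60-second silence, one flushed at the end.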
20. Metadata
• Flow records provide very little information
• Packet data are overwhelming, containing too much data
– Also raise privacy concerns
• Application layer metadata
– Keeps some packet fields from application and other layers
23. Cache Poisoning Attack Detection
• Brute force attempts to guess Transaction ID and Source Port
• Of a query from a recursive DNS server to an authoritative server
• First, attacker makes a request for a record that is not cached
• Then blasts server with spoofed responses with many Transaction ID and Source Port values
24. Flow Records
• Keep flows with source or destination port 53 (TCP or UDP) and source or destination IP of the DNS server
25. Limitations of Flow Records
• No Layer 7 data
– Such as the DNS request
• Cannot pinpoint the domains being targeted
• Or the addresses being injected
26. Selecting Relevant Data
• DNS requests are irrelevant
• Poisoning is performed by replies
• Data needed
– Source & destination IP
– Domain name in the question section
– Answer, authority, and additional sections
– Transaction ID
– Timestamp
– Only include authoritative replies (AA set)
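An added Python example (not the book's or the slides' code) of the selection and detection logic on slides 23 to 26: keep only authoritative replies, group them by resolver and question, and report the time window in which many different transaction IDs arrived for the same question. The replies, the 2-second window and the threshold of 20 IDs are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 2.0     # seconds: a legitimate question gets one reply, a guessing flood gets many
THRESHOLD = 20   # distinct transaction IDs for one question inside the window


def select_replies(records):
    """Slide 26: keep only authoritative replies (QR and AA set); requests are irrelevant."""
    return [r for r in records if r["qr"] and r["aa"]]


def txid_bursts(replies, window=WINDOW, threshold=THRESHOLD):
    """Group replies by (resolver, question) and report the busiest time window
    in which many different transaction IDs were seen for the same question."""
    groups = defaultdict(list)
    for r in replies:
        groups[(r["dst"], r["qname"])].append(r)
    alerts = []
    for (dst, qname), rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        best, lo = None, 0
        for hi in range(len(rs)):
            while rs[hi]["ts"] - rs[lo]["ts"] > window:
                lo += 1
            span = rs[lo:hi + 1]
            txids = {r["txid"] for r in span}
            if len(txids) >= threshold and (best is None or len(txids) > best["distinct_txids"]):
                best = {
                    "resolver": dst, "qname": qname,
                    "start": span[0]["ts"], "end": span[-1]["ts"],
                    "replies": len(span), "distinct_txids": len(txids),
                    "distinct_answers": len({tuple(sorted(r["answers"])) for r in span}),
                    "claimed_sources": sorted({r["src"] for r in span}),
                }
        if best:
            alerts.append(best)
    return alerts


def sample_replies():
    """Constructed DNS replies seen at a recursive server (198.51.100.1)."""
    base = dict(qr=True, aa=True, dst="198.51.100.1")
    rs = [
        dict(base, ts=10.0, src="192.0.2.53", qname="www.example.com", txid=0x1A2B, answers=["192.0.2.80"]),
        dict(base, ts=11.0, src="192.0.2.53", qname="mail.example.com", txid=0x3C4D, answers=["192.0.2.25"]),
        # non-authoritative answer from a forwarder: filtered out by select_replies
        dict(base, ts=12.0, src="203.0.113.2", qname="www.example.org", txid=0x5E6F,
             answers=["203.0.113.80"], aa=False),
    ]
    # Burst: 50 replies within 0.25 s for one name, each with a different
    # transaction ID, all claiming to come from the same authoritative server.
    for i in range(50):
        rs.append(dict(base, ts=100.0 + i * 0.005, src="192.0.2.53",
                       qname="bank.example.net", txid=0x4000 + i, answers=["203.0.113.66"]))
    return rs


if __name__ == "__main__":
    for a in txid_bursts(select_replies(sample_replies())):
        print(f"{a['qname']}: {a['replies']} replies / {a['distinct_txids']} txids "
              f"in {a['end'] - a['start']:.2f}s claiming {a['claimed_sources']}")
```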
27. Transient Domains
• Resolve to a small number of IP addresses
• Change over hours or days
• IP addresses are not owned by the same autonomous system (AS)
• Typically they are botnet controllers, malware downloads, or file drop sites
• Could be an innocent software bug, or a security research site
28. Identifying Transient Domains
• Collect DNS traffic with
– Small TTLs
– Collect at peering links to other AS networks
• Record
– Domain that was queried
– Answer given
– Timestamp
– Exclude client IP address for privacy
29. Round-Robin DNS
• If there's more than one A record
– The order changes for each request
• Link Ch 4b
• This is the default for most DNS servers
• Demo:
– dig a microsoft.com
– Repeat a few times
31. Fast Fluxing Domains
• TTLs set to a few seconds
• IP changes rapidly
• Purposes
• Evade detection
• Resilience: maintain control of a botnet despite attempts to block malicious traffic
32. Example from Conficker
Answer at time 0
• www.refaourma.info. 60 IN A 65.54.40.75
• www.refaourma.info. 60 IN A 65.118.223.203
• www.refaourma.info. 60 IN A 65.130.228.46
Answer 28 sec. later
• www.refaourma.info. 32 IN A 65.130.228.46
• www.refaourma.info. 32 IN A 65.54.40.75
• www.refaourma.info. 32 IN A 65.118.223.203
33. Example from Conficker
Answer at 56 sec.
• www.refaourma.info. 4 IN A 65.118.223.203
• www.refaourma.info. 4 IN A 65.130.228.46
• www.refaourma.info. 4 IN A 65.54.40.75
Answer at 83 sec.
• www.refaourma.info. 32 IN A 209.17.184.203
• www.refaourma.info. 32 IN A 209.228.250.75
• www.refaourma.info. 32 IN A 209.229.142.35
• When cache expires, IP addresses are all new
35. Phantom Domains
• Register a domain
• Use it for only a few hours or days
• Defends malware against sinkholing
– Resolving to an address that offers no service
• Works best with domain registrars who
offer a free trial period
36. Detecting Phantom Domains
• Find domains that have been active
recently
• Find current addresses
• Find domains with no matching historical
IP addresses
• Find records with very different IP
addresses for the same domain
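An added Python example (not part of the slides) that scores observed answers against the three patterns from slides 27, 31 and 36: the www.refaourma.info rows are the Conficker answers shown above, while the other domains, the prefix-to-AS table (standing in for a real IP-to-ASN database) and the TTL threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

FLUX_TTL = 300   # seconds: answers with a TTL at or below this count as short-lived (assumed)
HOUR = 3600

# Observed answers. The www.refaourma.info rows are the Conficker answers from the
# slides (timestamps in seconds); every other domain is constructed for this example.
OBSERVED = [
    {"ts": 0,  "domain": "www.refaourma.info", "ttl": 60, "ips": ["65.54.40.75", "65.118.223.203", "65.130.228.46"]},
    {"ts": 28, "domain": "www.refaourma.info", "ttl": 32, "ips": ["65.130.228.46", "65.54.40.75", "65.118.223.203"]},
    {"ts": 56, "domain": "www.refaourma.info", "ttl": 4,  "ips": ["65.118.223.203", "65.130.228.46", "65.54.40.75"]},
    {"ts": 83, "domain": "www.refaourma.info", "ttl": 32, "ips": ["209.17.184.203", "209.228.250.75", "209.229.142.35"]},
    {"ts": 0,         "domain": "cdn.example-update.test", "ttl": 1800, "ips": ["198.51.100.5"]},
    {"ts": 24 * HOUR, "domain": "cdn.example-update.test", "ttl": 1800, "ips": ["203.0.113.9"]},
    {"ts": 0,         "domain": "www.example.com", "ttl": 3600, "ips": ["192.0.2.80"]},
    {"ts": 24 * HOUR, "domain": "www.example.com", "ttl": 3600, "ips": ["192.0.2.80"]},
    {"ts": 25 * HOUR, "domain": "promo-new.test", "ttl": 300, "ips": ["203.0.113.77"]},
]

# Hypothetical prefix -> AS labels standing in for a real IP-to-ASN database.
AS_TABLE = {"65.54.0.0/16": "AS-A", "65.118.0.0/16": "AS-B", "65.130.0.0/16": "AS-C",
            "209.0.0.0/8": "AS-D", "198.51.100.0/24": "AS-E", "203.0.113.0/24": "AS-F",
            "192.0.2.0/24": "AS-G"}
AS_NETS = [(ipaddress.ip_network(p), a) for p, a in AS_TABLE.items()]


def asn_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in AS_NETS if addr in net), "unknown")


def profile(observations):
    """Per-domain features: TTL, address count, how often the answer set changed, AS spread."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o["domain"]].append(o)
    out = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o["ts"])
        ips, changes, prev = set(), 0, None
        for o in obs:
            cur = frozenset(o["ips"])
            ips |= cur
            if prev is not None and cur != prev:
                changes += 1
            prev = cur
        out[domain] = {
            # cached answers count their TTL down, so the largest value seen is the
            # best estimate of the TTL the zone actually publishes
            "ttl": max(o["ttl"] for o in obs),
            "distinct_ips": len(ips),
            "set_changes": changes,
            "distinct_as": len({asn_of(ip) for ip in ips}),
            "span": obs[-1]["ts"] - obs[0]["ts"],
        }
    return out


def classify(observations):
    """Label each domain with the slides' categories (empty list = nothing suspicious)."""
    labels = {}
    for domain, p in profile(observations).items():
        tags = []
        if p["ttl"] <= FLUX_TTL and p["set_changes"] >= 1 and p["span"] < HOUR:
            tags.append("fast-flux")   # slide 31: tiny TTL, addresses change within minutes
        elif p["set_changes"] >= 1 and p["distinct_as"] >= 2 and p["distinct_ips"] <= 10:
            tags.append("transient")   # slide 27: few addresses in different ASes, changing over hours or days
        labels[domain] = tags
    return labels


def phantom_candidates(observations, cutoff):
    """Slide 36: domains active after `cutoff` whose current addresses match nothing seen before it."""
    history, current = defaultdict(set), defaultdict(set)
    for o in observations:
        (history if o["ts"] < cutoff else current)[o["domain"]].update(o["ips"])
    return sorted(d for d, ips in current.items() if not ips & history.get(d, set()))


if __name__ == "__main__":
    print(classify(OBSERVED))
    print("phantom candidates:", phantom_candidates(OBSERVED, 12 * HOUR))
```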
37. Wannacry Ransomware
• Caused hospitals across England to divert emergency patients in May 2017
• Used NSA-developed attacks leaked by "Shadow Brokers" (Russians)
• Microsoft released a patch but hospital systems didn't install it in time
– Link Ch 1y
39. Conficker Worm Domains
• Algorithm made 50,000 new domains per day
• Registrars tried to block them all
– Links Ch 1u, 1v
40. Corrupted Local DNS Server Settings (DNS Changer)
• Redirect victims to evil DNS server
• Most resolutions are correct
• Some lead to fake websites
– Such as banking sites, antivirus sites, etc.
41. Detecting DNS Changers
• Recursive DNS requests to suspicious remote addresses
– Not in ISP's address range
– Not a known public DNS server
– Are in an IP address blacklist
– Associated with transient, fast-flux, phantom, sinkholed or blacklisted domain
– Located more than 1000 miles away
– Have no forward DNS domains
42. Tunneling
• Firewalls allow port 53 through
• Malware can phone home via port 53
• Covert channels via DNS traffic
– Even embedded in fields of legitimate-looking DNS packets, such as DNSSEC keys or signatures
44. DoS Attacks
• Attacks against the DNS server
– TCP or UDP flood
– SYN flood
– Spoofed source addresses or botnets
45. DoS Attack Detection
• Watch for these to be different from baseline
– Incoming bits/sec and outgoing bits/sec
• Imbalance indicates an attack
– DNS requests/sec (TCP and UDP)
– TCP SYN/sec
– Incoming TCP and UDP packets/sec
– ICMP incoming and outgoing packets/sec and bits/sec
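An added Python example (not from the slides) of the baseline comparison slide 45 calls for: it learns the mean and spread of each listed metric from constructed quiet intervals, then names the metrics that a flood interval pushes past the baseline, including the incoming/outgoing imbalance. Every number, and the alert margin of four standard deviations, is a constructed assumption.

```python
import statistics

# Metrics from slide 45, each measured per second over one sampling interval.
METRICS = ["in_bps", "out_bps", "dns_req_ps", "tcp_syn_ps", "in_pps", "icmp_in_pps"]


def normal_samples():
    """Constructed baseline: 24 quiet intervals for an authoritative server whose
    answers are larger than the queries it receives (so out_bps > in_bps)."""
    return [dict(in_bps=800_000 + 20_000 * (i % 5), out_bps=1_600_000 + 40_000 * (i % 5),
                 dns_req_ps=1500 + 30 * (i % 7), tcp_syn_ps=5 + i % 3,
                 in_pps=1600 + 30 * (i % 7), icmp_in_pps=2 + i % 2)
            for i in range(24)]


def baseline(samples):
    """Mean and standard deviation of every metric, plus the usual in/out bit ratio."""
    base = {m: (statistics.mean(s[m] for s in samples),
                statistics.pstdev(s[m] for s in samples)) for m in METRICS}
    base["in_out_ratio"] = base["in_bps"][0] / base["out_bps"][0]
    return base


def check(sample, base, k=4.0, ratio_factor=3.0):
    """Names of the metrics that deviate from the baseline in one interval.
    A metric alerts when it exceeds mean + k * std; the std is floored at 5 % of
    the mean so that a very flat baseline does not alert on trivial jitter."""
    alerts = [m for m in METRICS
              if sample[m] > base[m][0] + k * max(base[m][1], 0.05 * base[m][0])]
    # incoming bits far above outgoing bits is the imbalance the slide points at
    ratio = sample["in_bps"] / max(sample["out_bps"], 1)
    if ratio > ratio_factor * base["in_out_ratio"]:
        alerts.append("in_out_imbalance")
    return alerts


# Constructed interval during a SYN flood: packets and bits pour in, while the
# number of real DNS queries and the answers going out barely change.
FLOOD_SAMPLE = dict(in_bps=9_000_000, out_bps=1_700_000, dns_req_ps=1550,
                    tcp_syn_ps=40_000, in_pps=120_000, icmp_in_pps=3)

if __name__ == "__main__":
    base = baseline(normal_samples())
    print("quiet interval:", check(normal_samples()[3], base))
    print("flood interval:", check(FLOOD_SAMPLE, base))
```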