DNS Security Issues (NES 554)
DNS: Domain Name System
People have many identifiers:
• SSN, name, passport #
Internet hosts and routers have:
• IP address (32 bit for IPv4), e.g. 128.119.40.12: a unique ID used for routing
• a “name”, e.g. www.yahoo.com, used by humans
Q: How do we map between IP addresses and names?
Domain Name System:
• distributed database implemented in a hierarchy of many name servers
DNS
Why not centralize DNS?
• single point of failure
• traffic volume
• distant centralized database
• maintenance
It doesn’t scale!
DNS services
• Hostname to IP address translation
• Host aliasing: canonical and alias names, many names for a single host
• Mail server aliasing
• Load distribution: replicated Web servers, a set of IP addresses for one canonical name
Distributed, Hierarchical Database
[figure: Root DNS servers at the top; below them the com, org and edu DNS servers; below those the DNS servers for yahoo.com, amazon.com, pbs.org, ucf.edu and umass.edu]
Client wants the IP for www.amazon.com:
• Client queries a root server to find the com DNS server
• Client queries the “com” DNS server to get the amazon.com DNS server
• Client queries the amazon.com DNS server to get the IP address for www.amazon.com
• In practice the host’s local name server does this walk on the client’s behalf (see the iterative/recursive slides below)
DNS: Root name servers
13 root name server identities (a through m) worldwide. Each letter is today served by anycast from many sites, so the locations below are only the ones listed on the original slide:
a Verisign, Dulles, VA
b USC-ISI, Marina del Rey, CA
c Cogent, Herndon, VA (also Los Angeles)
d U Maryland, College Park, MD
e NASA, Mt View, CA
f Internet Software Consortium, Palo Alto, CA (and 17 other locations)
g US DoD, Vienna, VA
h ARL, Aberdeen, MD
i Autonomica, Stockholm (plus 3 other locations)
j Verisign (11 locations)
k RIPE, London (also Amsterdam, Frankfurt)
l ICANN, Los Angeles, CA
m WIDE, Tokyo
TLD and Authoritative Servers
• Top-level domain (TLD) servers: responsible for com, org, net, edu, etc., and for all top-level country domains (uk, fr, ca, jp).
• Authoritative DNS servers: an organization’s DNS servers, providing authoritative hostname-to-IP mappings for the organization’s servers (e.g., Web and mail).
• Can be maintained by the organization or by a service provider (paid by the organization).
Local Name Server
• Does not strictly belong to the hierarchy
• Each ISP (residential ISP, company, university) has one
• Also called the “default name server”
• When a host makes a DNS query, the query is sent to its local DNS server first
• Acts as a proxy (cache) and forwards the query into the hierarchy
Iterative and Recursive queries
[figure: the requesting host cis.poly.edu sends its query (1) to the local DNS server dns.poly.edu; the local server then queries the root DNS server, the TLD DNS server and the authoritative DNS server dns.cs.umass.edu in turn (2 to 7), each replying to the local server with a referral or the answer; the local server returns the answer to the host (8). The host-to-local leg is recursive, the rest is iterative]
• Host at cis.poly.edu wants the IP address for gaia.cs.umass.edu
• The query to the root DNS server rarely happens, because the local DNS server caches the TLD DNS server information
Recursive queries
[figure: the same host and servers, but here the local DNS server dns.poly.edu passes the query to the root DNS server, the root passes it on to the TLD DNS server, and the TLD server to the authoritative DNS server dns.cs.umass.edu; the answer travels back along the same path to the local server and then to the host (steps 1 to 8)]
recursive query:
• the DNS client requires the DNS server to respond with either the requested resource record, or an error message stating that the record or domain name does not exist.
iterative query:
• the contacted server replies with the name of the server to contact
• “I don’t know this name, but ask this server”
Reference: http://technet.microsoft.com/en-us/library/cc961401.aspx
DNS: caching and updating records
• once (any) name server learns a mapping, it caches the mapping
• cache entries time out (disappear) after the record’s TTL, so a fresh copy is fetched
• TLD server records are typically cached in local name servers
• Thus root name servers are not visited often
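The local name server, iterative resolution and caching described on the last three slides, as an added example (this is a toy model written for this page, not code from the slides): a LocalResolver answers its stub client recursively, walks root, TLD and authoritative servers iteratively by following referrals, and caches each referral and answer with a TTL, so that the root is contacted only on a cold or expired cache. The zone data, server names and IP addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Toy local name server: recursive service for the client, iterative walk of the
hierarchy, TTL-based caching. Added example, not the slides' code; zone data and
addresses are constructed."""


class NameServer:
    """A server in the hierarchy. It answers iteratively: an A record if it has one,
    otherwise a referral (NS) for the closest enclosing zone it delegates."""

    def __init__(self, name, records):
        self.name, self.records, self.queries = name, records, 0

    def query(self, qname):
        self.queries += 1
        labels = qname.split(".")
        for i in range(len(labels)):                 # longest-match walk toward the root
            owner = ".".join(labels[i:])
            if owner in self.records:
                rtype, value = self.records[owner]
                return rtype, owner, value
        return "NXDOMAIN", qname, None


class LocalResolver:
    def __init__(self, servers, root_name, ttl=300):
        self.servers, self.root_name, self.ttl = servers, root_name, ttl
        self.cache = {}                               # owner -> (rtype, value, expires_at)
        self.now = 0                                  # simulated clock

    def cached(self, owner):
        entry = self.cache.get(owner)
        if entry and entry[2] > self.now:
            return entry
        self.cache.pop(owner, None)                   # expired: drop it
        return None

    def closest_known_server(self, qname):
        """Start from the deepest zone whose NS we still have cached, else the root."""
        labels = qname.split(".")
        for i in range(len(labels)):
            entry = self.cached(".".join(labels[i:]))
            if entry and entry[0] == "NS":
                return self.servers[entry[1]]
        return self.servers[self.root_name]

    def resolve(self, qname):
        entry = self.cached(qname)
        if entry and entry[0] == "A":
            return entry[1]
        server = self.closest_known_server(qname)
        for _ in range(8):                            # bound the referral chain
            rtype, owner, value = server.query(qname)
            if rtype == "NXDOMAIN":
                return None
            self.cache[owner] = (rtype, value, self.now + self.ttl)
            if rtype == "A":
                return value
            server = self.servers[value]              # follow the referral
        raise RuntimeError("referral loop")


def build_network():
    """Constructed hierarchy: root -> edu TLD -> umass.edu / poly.edu authoritative."""
    root = NameServer("root", {"edu.": ("NS", "tld-edu")})
    tld = NameServer("tld-edu", {"umass.edu.": ("NS", "dns.cs.umass.edu"),
                                 "poly.edu.": ("NS", "dns.poly.edu")})
    umass = NameServer("dns.cs.umass.edu", {"gaia.cs.umass.edu.": ("A", "192.0.2.1")})
    poly = NameServer("dns.poly.edu", {"cis.poly.edu.": ("A", "192.0.2.2")})
    servers = {s.name: s for s in (root, tld, umass, poly)}
    return servers, LocalResolver(servers, "root")


def demo():
    servers, resolver = build_network()
    answers = [resolver.resolve("gaia.cs.umass.edu.")]      # cold: root, TLD, authoritative
    answers.append(resolver.resolve("gaia.cs.umass.edu."))  # cache hit: nobody contacted
    answers.append(resolver.resolve("cis.poly.edu."))       # edu NS cached: root skipped
    resolver.now += 301                                     # everything expires
    answers.append(resolver.resolve("gaia.cs.umass.edu."))  # back to the root
    return answers, {name: s.queries for name, s in servers.items()}
```

Running demo() shows the slide’s point in numbers: after the four lookups the root has been asked twice (once cold, once after expiry), the edu TLD server three times and the authoritative servers only when their answer was not cached.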
DNS records
DNS: distributed database storing Resource Records (RR)
RR format: (name, value, type, ttl)
Type=A
• name is a hostname
• value is an IP address
Type=NS
• name is a domain (e.g. foo.com)
• value is the hostname of an authoritative DNS server for this domain (the server’s IP address comes from a separate A record, usually sent along as “glue”)
Type=CNAME
• name is an alias name for some “canonical” (the real) name, e.g. www.ibm.com is really servereast.backup2.ibm.com
• value is the canonical name
Type=MX
• value is the name of the mail server associated with name (together with a preference value)
DNS protocol, messages
DNS protocol: query and reply messages, both with the same message format
msg header
• identification: 16-bit # for the query; the reply to the query carries the same #
• flags: query or reply; recursion desired; recursion available; reply is authoritative
DNS protocol, messages (UDP 53; TCP 53 is used for zone transfers and for replies too large for one UDP datagram)
• questions: name and type fields for a query
• answers: RRs in response to the query
• authority: records for authoritative servers
• additional: “helpful” info that may be used (e.g. the A records of the servers named in the authority section)
Example
• Let’s check a web example using Wireshark!
• Check the MX record:
• nslookup -type=MX just.edu.jo (under Windows)
• dig mx just.edu.jo (under Unix)
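The message format on the two slides above, as an added example (written for this page, not taken from the slides or from any DNS library): it encodes a query with the 16-bit identification field and the RD flag, decodes a reply’s header flags, question and answer sections, follows name-compression pointers safely, and applies the check a resolver must make before trusting a UDP reply: reply bit set, same identification, same question. The packets, the identification values and the addresses (RFC 5737 ranges) are constructed inside demo().

```python
"""DNS wire format: build a query, parse a reply, and check that a reply actually
belongs to a query. Added example, not the slides' code; sample packets constructed."""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (labels are 1..63 bytes)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, qname, qtype, recursion_desired=True):
    flags = 0x0100 if recursion_desired else 0                  # QR=0, opcode 0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)    # id, flags, QD/AN/NS/AR counts
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)   # class IN


def build_response(query, ip, ttl=300):
    """Answer an A query: same id, flags QR|RD|RA, question copied, one A RR whose
    owner is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def decode_name(msg, offset):
    """Return (dotted name, offset just past the name). Pointers must point backwards
    and are bounded, so a hostile reply cannot make the parser loop."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                                # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2                                  # the name ends after the first pointer
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset or hops > 16:
                raise ValueError("bad compression pointer")
            offset, hops = target, hops + 1
            continue
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_message(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": txid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
              "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
              "rcode": flags & 0xF}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAME.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:                                         # MX: preference, then a (compressible) name
            value = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0])
        else:
            value = rdata
        off += rdlen
        answers.append((name, QTYPE_NAME.get(rtype, rtype), ttl, value))
    return header, questions, answers


def response_matches(query, response):
    """All a plain-UDP resolver can check: reply bit, same 16-bit id, same question."""
    qh, qq, _ = parse_message(query)
    rh, rq, _ = parse_message(response)
    return rh["qr"] == 1 and qh["id"] == rh["id"] and qq == rq


def demo():
    query = build_query(0x1234, "www.example.com", "A")
    genuine = build_response(query, "192.0.2.10")                        # constructed reply
    forged = build_response(build_query(0x1235, "www.example.com", "A"), "198.51.100.1")
    header, questions, answers = parse_message(genuine)
    return header, questions, answers, response_matches(query, genuine), response_matches(query, forged)
```

The forged reply in demo() differs from the genuine one only in its identification field, and response_matches() rejects it; the later poisoning slides are about how an attacker who cannot see the query gets that field right anyway.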
DNS main issues
• DNS amplification attacks
• Targeting the Domain Name System itself with DDoS attacks
• DNS man-in-the-middle (redirection) attacks
• DNS cache poisoning
DNS Security
Cybersquatting
• Cybersquatting is registering a domain in anticipation of that domain being desirable to another organization
• Intent: sell it to that organization for a big profit
• For example, someone registers www.burjkhalifa.com, since the tower was at first named Burj Dubai (www.burjdubai.com), and sells it for a big profit (if the story is true!)
• Domain name purchase is cheap!
• Many organizations have to buy all related domain names to prevent cybersquatting
• A legitimate example: http://teaparty.com/
• Suspicious ones for the tea party: http://tparty.com/, http://t-party.com/
• http://en.wikipedia.org/wiki/Cybersquatting
Typosquatting
• Register the plausible typo variants of another organization’s domain name
• Should a user accidentally enter an incorrect website address, he may be led to an alternative website owned by a cybersquatter
• Could lead to a phishing attack (malicious), or just increase web visits (not very malicious)
• For example, for “bankofamerica.com”, a cybersquatter could register:
• “bankamerica.com”, “bankoamerica.com”, “bankofamerican.com”, “bankfoamerica.com”, ……
• Domain name purchase is cheap!
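The candidate list behind this slide, as an added example (written for this page, not from the slides): it enumerates every single-edit typo of a domain’s first label (omission, repetition, transposition, vowel swap, adjacent-key slip, insertion), which is the same list a defender registers or monitors and a typosquatter shops from. The keyboard adjacency table is a constructed, partial QWERTY map.

```python
"""Enumerate single-edit typo variants of a domain. Added example, not the slides'
code; the QWERTY adjacency map is a constructed partial table."""
import string

VOWELS = "aeiou"
QWERTY = {  # constructed: letters reachable by one slipped finger
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(domain):
    """Return {variant_domain: technique} for every one-edit typo of the first label.
    The first technique that produces a string is the one recorded for it."""
    label, _, suffix = domain.lower().partition(".")
    found = {}

    def add(candidate, technique):
        if candidate and candidate != label and candidate not in found:
            found[candidate] = technique

    n = len(label)
    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")                             # bankoamerica
        add(label[:i] + ch + label[i:], "repetition")                          # bankkofamerica
        if i + 1 < n and ch != label[i + 1]:
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")  # bankfoamerica
        if ch in VOWELS:
            for v in VOWELS.replace(ch, ""):
                add(label[:i] + v + label[i + 1:], "vowel swap")
        for k in QWERTY.get(ch, ""):
            add(label[:i] + k + label[i + 1:], "adjacent key")
    for i in range(n + 1):
        for ch in string.ascii_lowercase:
            add(label[:i] + ch + label[i:], "insertion")                       # bankofamerican
    return {f"{cand}.{suffix}": how for cand, how in found.items()}


def count_by_technique(variants):
    counts = {}
    for technique in variants.values():
        counts[technique] = counts.get(technique, 0) + 1
    return counts
```

Three of the slide’s four examples (bankoamerica, bankfoamerica, bankofamerican) come out of one edit; bankamerica.com drops two characters and would need a second pass. In practice the output is fed to WHOIS/RDAP or passive DNS to see which candidates are already registered and where they resolve.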
OS DNS Cache Privacy
• Windows maintains a local DNS cache
• Command: ipconfig /displaydns
• The DNS cache reveals a user’s browsing history
• Even if the user deletes the browser cache and cookies
• Internet Explorer does not have its own DNS cache
• A cross-platform browser such as Firefox has its own DNS cache
Flush DNS cache
• On Windows: ipconfig /flushdns
DNS Vulnerability
• Most DNS queries and responses are in plaintext
• Without DNSSEC (discussed later), no authentication is done for a DNS response
• You really have no good way to tell whether the DNS response you get is trustworthy or not!
• DNS mostly relies on UDP packets
• IP address spoofing is very easy for UDP packets: no seq/ack numbers, so no handshake proves that the sender can receive at the address it claims
DNS Redirection
• There are 3 main ways to do DNS redirection:
• The first relies on redirecting the nameserver of the attacker’s domain to the nameserver of the target domain, and then assigning this target nameserver a fake IP address.
• The second variant relies on redirecting the nameserver of another, unrelated domain to a fake nameserver.
• The third variant just involves “racing” the real nameserver to give an answer.
DNS redirection
[figure: a client and an attacker on the same hub or WiFi segment, with the local DNS server reachable across the network; (1) the client’s query, (2) the attacker’s bogus reply]
1. Client sends a DNS query to its local DNS server; sniffed by the attacker
2. Attacker responds with a bogus DNS reply
Issues:
• Must spoof the source IP address: set it to the local DNS server’s (easy)
• Must match the reply ID with the request ID (easy, since the query was sniffed)
• May need to stop the reply from the local DNS server (harder; in practice the forged reply only has to arrive first, because the client discards later replies for an ID it has already matched)
DNS Cache Poisoning
Basic idea: give DNS servers false records and get them cached
DNS uses a 16-bit request identifier to pair queries with answers
A cache may be poisoned when a name server:
• disregards identifiers
• has predictable IDs
• accepts unsolicited DNS records
DNS Cache Poisoning Procedure
• Eve wants to poison an ISP’s DNS server
• Eve transmits a DNS query to this server
• which in turn queries the authoritative DNS server on behalf of Eve
• Eve simultaneously sends a DNS response (reply) to the server
• spoofing the authoritative server’s IP address as the source
• The ISP’s DNS server accepts the forged response and caches a wrong DNS entry
• All downstream users of this ISP will be directed to the wrong website
Poisoning DNS Cache (1)
• Poisoning: attempt to put bogus records into DNS name server caches
• Bogus records could point to attacker nodes
• Attacker nodes could phish
• But unsolicited replies are not accepted at a name server
• Name servers use IDs in DNS messages to match replies to queries
• So you can’t just insert a record into a name server by sending a DNS reply message
• But you can send a reply to a request
Poisoning local DNS server (2)
[figure: attacker in Australia (17.32.8.9) and the local DNS server (e.g., Berkeley); (1) DNS query poly.edu=? from the attacker, (2) iterative DNS queries from the local server to the authoritative DNS for poly.edu, (3) DNS reply poly.edu=17.32.8.9 forged by the attacker]
Goal: put a bogus IP address for poly.edu in the local Berkeley DNS server
1) Attacker queries the local DNS server
2) Local DNS server makes iterative queries
3) Attacker waits for some time, then sends a bogus reply, spoofing the authoritative server for poly.edu
Poisoning local DNS server (3)
[figure: a client sends (1) DNS query ftp.poly.edu=? to the poisoned local DNS server (e.g., Berkeley); the poisoned server sends (2) DNS query ftp.poly.edu=? to what it now believes is the authoritative DNS for poly.edu, the attacker in Australia at 17.32.8.9]
The DNS response can provide the IP address of a malicious server!
DNS Poisoning (4)
• Issues:
• The attacker needs to know the 16-bit query ID of the request message sent to the upstream server
• Not easy!
• The attacker may need to stop the upstream name server from responding
• So that the server under attack doesn’t get suspicious
• Ping of death, DoS, overflows, etc.
DNS Cache Poisoning Prevention
• Use random identifiers for queries
• Make the ID number hard to guess
• Always check identifiers
• Port randomization for DNS requests
• Deploy DNSSEC
• DNSSEC authenticates the resolution of IP addresses with a cryptographic signature
• Discussed later!
• Challenging because it is still being deployed and requires reciprocity (both the zone owner and the resolver must support it)
DNS Cache Poisoning against Query ID
• Even if a DNS server checks response IDs and uses random IDs, it is still vulnerable to the attack
• The attacker generates a flux of DNS requests for the same name and sends a corresponding flux of DNS responses back
• If any request/response pair has matching IDs, the attack is successful
• Birthday paradox: the probability that two persons among 23 share the same birthday is more than 50%!
Some Defenses
• Fact: most DNS poisoning targets the local DNS (LDNS) server
• Solution: configure the LDNS server to accept requests only from internal networks
• Why does it need to serve outside users?
• Source-port randomization (SPR)
• A DNS query sent out will have two randomized numbers:
• Source port number (the destination port is always 53)
• Query ID number (16 bits)
• Check the DNS response for both of these numbers
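The birthday attack on the query ID and the two defences above (one outstanding query per name, and source-port randomization), as an added example written for this page rather than taken from the slides: the closed-form probabilities are computed directly, and a seeded simulation pits a blind attacker against a model resolver that accepts a reply only when its (id, port, question) matches something in flight. The resolver, the attacker and the addresses (RFC 5737 ranges) are simplified, constructed models; the attacker is assumed to know the resolver’s port policy.

```python
"""Why a 16-bit query id alone does not stop blind cache poisoning, and what the
two defences on the slides buy. Added example, not the slides' code; the resolver
and attacker are simplified models and all figures come from the seeded simulation
or the closed-form estimates below."""
import random

ID_SPACE = 1 << 16                 # 16-bit transaction id
PORT_LOW, PORT_HIGH = 1024, 65536  # ephemeral source-port range of the model resolver


def p_blind_spoof(forged, entropy_bits):
    """One query in flight; the attacker sends `forged` replies with distinct guesses."""
    return min(1.0, forged / (1 << entropy_bits))


def p_birthday(outstanding, forged, space=ID_SPACE):
    """`outstanding` queries for the same name in flight with distinct ids and `forged`
    replies carrying independent random ids: P(at least one id collides)."""
    return 1 - (1 - outstanding / space) ** forged


class Resolver:
    """Accepts a reply only if (id, port, question) matches something in flight.
    `randomize_port` is SPR; `dedupe` allows at most one outstanding query per name."""

    def __init__(self, rng, randomize_port=False, dedupe=False):
        self.rng, self.randomize_port, self.dedupe = rng, randomize_port, dedupe
        self.pending = {}                  # (txid, sport) -> qname
        self.cache = {}

    def send_query(self, qname):
        if self.dedupe and qname in self.pending.values():
            return None
        txid = self.rng.randrange(ID_SPACE)
        sport = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else 53
        self.pending[(txid, sport)] = qname
        return txid, sport

    def receive_reply(self, txid, dport, qname, ip):
        if self.pending.get((txid, dport)) != qname:
            return False                   # unsolicited or mismatched: dropped
        del self.pending[(txid, dport)]
        self.cache[qname] = ip
        return True


def birthday_attack(resolver, qname, n, rng):
    """Eve triggers n queries for qname, then fires n forged replies with random ids.
    Under SPR she can only guess the port; otherwise she uses the fixed port 53."""
    for _ in range(n):
        resolver.send_query(qname)
    for _ in range(n):
        port = rng.randrange(PORT_LOW, PORT_HIGH) if resolver.randomize_port else 53
        if resolver.receive_reply(rng.randrange(ID_SPACE), port, qname, "198.51.100.66"):
            return True                    # constructed attacker address is now cached
    return False


def success_rate(trials, n, rng, **resolver_opts):
    wins = sum(birthday_attack(Resolver(rng, **resolver_opts), "www.example.com.", n, rng)
               for _ in range(trials))
    return wins / trials


def demo(n=300, trials=200, seed=2024):
    rng = random.Random(seed)
    return {
        "closed_form": round(p_birthday(n, n), 3),                 # ~0.75 for 300 vs 300
        "id_only": success_rate(trials, n, rng),                   # random ids, fixed port, no dedupe
        "dedupe": success_rate(trials, n, rng, dedupe=True),       # one in-flight query per name
        "spr": success_rate(trials, n, rng, randomize_port=True),  # ~32 bits to guess
    }
```

With 300 outstanding queries and 300 forged replies the id-only resolver is poisoned about three times in four, where a single-query blind guess with the same 300 packets would succeed well under 1% of the time; either defence on its own pushes the rate back toward zero, and SPR does so even when the resolver still lets duplicate queries through.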
DNSSEC
• Guarantees:
• authenticity of the DNS answer’s origin
• integrity of the reply
• authenticated denial of existence
• Accomplishes this by signing the DNS data at each step of the way: every zone signs its own records, and the parent zone publishes a signed DS record, a hash of the child zone’s key
• Uses public-key cryptography to sign the records
• Typically uses trust anchors, keys configured in the resolver, to bootstrap the process
DNS Signing
[figure: the resolver is hard-coded with the public keys of the top of the hierarchy; the TLDs serve as certificate authorities for the zones beneath them]
• In deployed DNSSEC the configured trust anchor is the root zone’s key; the root signs the DS records for the TLDs and each TLD signs the DS records for its child zones, so every parent acts as the certificate authority for its children
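The chain-of-trust step from the two slides above, as an added example written for this page (not the slides’ code and not a DNSSEC validator): it computes the DS record a parent publishes for a child’s DNSKEY exactly as RFC 4034 specifies (SHA-256 over the canonical owner name plus the DNSKEY RDATA, and the key-tag checksum), then walks root, edu and umass.edu, accepting each zone’s key only if it matches a DS from the zone above. The keys are constructed byte strings, and RRSIG verification, which needs an asymmetric-crypto library, is deliberately left out: the block shows only the DS linkage.

```python
"""DNSSEC chain of trust at the DS level: parent publishes DS = hash(child DNSKEY),
validator accepts the child key only if it hashes to a DS it already trusts.
Added example, not the slides' code; keys are constructed and RRSIGs are not
verified here (that needs an asymmetric crypto library)."""
import hashlib
import hmac
import struct


def name_to_wire(name):
    """Canonical (lower-cased) wire form: length-prefixed labels; the root is b'\\x00'."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the right key, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, algorithm, public_key):
    """What the parent zone publishes for the child's key: digest type 2 = SHA-256."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def key_matches_ds(owner, flags, algorithm, public_key, ds_set):
    """Validator side: the child's DNSKEY is trusted iff some DS from the parent
    matches its key tag, algorithm, digest type and digest."""
    candidate = make_ds(owner, flags, algorithm, public_key)
    return any(
        ds["key_tag"] == candidate["key_tag"]
        and ds["algorithm"] == candidate["algorithm"]
        and ds["digest_type"] == 2
        and hmac.compare_digest(ds["digest"], candidate["digest"])
        for ds in ds_set
    )


def validate_chain(trust_anchor, zones):
    """Walk top-down. `zones` is a list of (owner, flags, algorithm, key, ds_for_child);
    each zone's key must match the DS set handed down by the zone above it."""
    ds_set = trust_anchor
    for owner, flags, algorithm, key, ds_for_child in zones:
        if not key_matches_ds(owner, flags, algorithm, key, ds_set):
            return False
        ds_set = ds_for_child
    return True


def demo():
    # Constructed keys (not real DNSKEY material); flags 257 = KSK, algorithm 8 = RSASHA256
    root_key, edu_key, umass_key = (b"\x03\x01\x00\x01" + bytes(range(s, s + 32)) for s in (0, 32, 64))
    trust_anchor = [make_ds(".", 257, 8, root_key)]        # shipped with the resolver
    edu_ds = [make_ds("edu.", 257, 8, edu_key)]             # DS RRset in the root zone
    umass_ds = [make_ds("umass.edu.", 257, 8, umass_key)]   # DS RRset in the edu zone
    chain = [(".", 257, 8, root_key, edu_ds),
             ("edu.", 257, 8, edu_key, umass_ds),
             ("UMASS.EDU.", 257, 8, umass_key, [])]          # owner-name case must not matter
    good = validate_chain(trust_anchor, chain)
    tampered = chain[:2] + [("umass.edu.", 257, 8, umass_key[:-1] + b"\x00", [])]
    return good, validate_chain(trust_anchor, tampered)
```

A real validator additionally checks the RRSIG over each DNSKEY RRset with the key it just accepted and the RRSIG over each DS RRset with the parent’s key; that is what stops an attacker from injecting a DS of their own, and it is the part omitted here.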
DNSSEC Deployment
• As the Internet becomes regarded as critical infrastructure, there is a push to secure DNS
• At the time of these slides it was being deployed on the root servers (the root zone has been signed since July 2010)
• May add considerable load to DNS servers, with packet sizes considerably larger than the classic 512-byte limit of DNS over UDP (EDNS0 raises the limit; replies that still do not fit fall back to TCP)
• There are political concerns with the US controlling the root level of DNS
DDoS DNS Attack
• Oct 21, 2002
• Ping (ICMP) packets sent from bots to the 13 DNS root servers. Goal: flood the servers’ bandwidth
• Minimal impact:
• DNS caching
• rate limiting at upstream routers: filter pings when they arrive at an excessive rate
• During the attack, some networks filtered pings; the corresponding root servers remained up
• A root server attack is easy to defend against: download the root server database to local (default) name servers
• Not much data in the root zone, and it changes infrequently
• TLD servers are more volatile
• Similar attacks in May 2004 and Feb 2007
DNS attacks: Summary
• DNS is a critical component of the Internet infrastructure
• But it is surprisingly robust:
• DDoS attacks against root servers have been largely unsuccessful
• Poisoning and redirection attacks are difficult unless you can sniff DNS requests
• And even so, you may need to stop DNS servers from replying
• DNS can be leveraged for reflection attacks against non-DNS nodes

More Related Content

Similar to DNS Security Issues NES 554 for DNS Security

Similar to DNS Security Issues NES 554 for DNS Security (20)

08Mapping.ppt
08Mapping.ppt08Mapping.ppt
08Mapping.ppt
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Internet Host Name
Internet Host NameInternet Host Name
Internet Host Name
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
 
DNS
DNSDNS
DNS
 
13 dns
13 dns13 dns
13 dns
 
DNS.pptx
DNS.pptxDNS.pptx
DNS.pptx
 
Dns name resolution process
Dns name resolution processDns name resolution process
Dns name resolution process
 
Dns
DnsDns
Dns
 
Common Network Services
Common Network ServicesCommon Network Services
Common Network Services
 
Domain name service
Domain name serviceDomain name service
Domain name service
 
Dns security
Dns securityDns security
Dns security
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
 
2_Chapter 2_DNS.pptx
2_Chapter 2_DNS.pptx2_Chapter 2_DNS.pptx
2_Chapter 2_DNS.pptx
 
Dns 2
Dns 2Dns 2
Dns 2
 

More from AliAlwesabi

pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...AliAlwesabi
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...AliAlwesabi
 
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...AliAlwesabi
 
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...AliAlwesabi
 
lte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdflte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdfAliAlwesabi
 
Securing the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfSecuring the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfAliAlwesabi
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...AliAlwesabi
 
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfeu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfAliAlwesabi
 
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfCCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfAliAlwesabi
 
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfD1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfAliAlwesabi
 
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfD2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfAliAlwesabi
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfAliAlwesabi
 
VPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresVPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresAliAlwesabi
 
zero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfzero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfAliAlwesabi
 
Foot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityFoot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityAliAlwesabi
 
Guide to Network Defense Router Security
Guide to Network Defense Router SecurityGuide to Network Defense Router Security
Guide to Network Defense Router SecurityAliAlwesabi
 
Intrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdfIntrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdfAliAlwesabi
 
ISP Network Design workshops how to design networks
ISP Network Design workshops  how to design networksISP Network Design workshops  how to design networks
ISP Network Design workshops how to design networksAliAlwesabi
 

More from AliAlwesabi (18)

pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
pdfslide.net_ims-enabling-services-wherever-the-customer-and-whatever-the-acc...
 
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
pdfslide.net_ims-basics-standardization-ims-components-and-ip-multimedia-subs...
 
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
pdfslide.net_status-of-ims-based-next-generation-networks-for-fixed-of-ims-ba...
 
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
pdfslide.net_architectural-overview-of-ip-multimedia-subsystem-3-3gpp-ims-arc...
 
lte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdflte-design-and-deployment-strategies-zeljko-savic.pdf
lte-design-and-deployment-strategies-zeljko-savic.pdf
 
Securing the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdfSecuring the LTE Core the Road to NFV 2014.pdf
Securing the LTE Core the Road to NFV 2014.pdf
 
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...
 
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdfeu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
eu-19-Yazdanmehr-Mobile-Network-Hacking-IP-Edition-2.pdf
 
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdfCCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
CCC-AdaptiveMobileSecurity_WhoWatchesTheWatchers_v7_FINAL.pdf
 
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdfD1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
D1T2 - Bypassing GSMA Recommendations on SS7 Networks - Kirill Puzankov.pdf
 
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdfD2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
D2T2 - Emmanuel Gadaix and Philippe Langlois - The SS7 Protocols.pdf
 
CISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdfCISSP -Access Control Domain knowlege.pdf
CISSP -Access Control Domain knowlege.pdf
 
VPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasuresVPN Guide to Network Defense and countermeasures
VPN Guide to Network Defense and countermeasures
 
zero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdfzero trust - how to build zero trust.pdf
zero trust - how to build zero trust.pdf
 
Foot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurityFoot printing as phase of Hacking in cybersecurity
Foot printing as phase of Hacking in cybersecurity
 
Guide to Network Defense Router Security
Guide to Network Defense Router SecurityGuide to Network Defense Router Security
Guide to Network Defense Router Security
 
Intrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdfIntrusion detection and prevention systems.pdf
Intrusion detection and prevention systems.pdf
 
ISP Network Design workshops how to design networks
ISP Network Design workshops  how to design networksISP Network Design workshops  how to design networks
ISP Network Design workshops how to design networks
 

Recently uploaded

State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 

Recently uploaded (20)

State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 

DNS Security Issues NES 554 for DNS Security

7
Local Name Server
• Does not strictly belong to hierarchy
• Each ISP (residential ISP, company, university) has one
• Also called “default name server”
• When a host makes a DNS query, query is sent to its local DNS server first
• Acts as a proxy (cache), forwards query into hierarchy
8
Iterative and Recursive queries
[Figure: requesting host cis.poly.edu asks its local DNS server dns.poly.edu, which contacts the root DNS server, a TLD DNS server and the authoritative DNS server dns.cs.umass.edu on its behalf; messages numbered 1 to 8, with the host-to-local leg labelled recursive and the remaining legs labelled iterative]
• Host at cis.poly.edu wants IP address for gaia.cs.umass.edu
• The query to root DNS rarely happens due to cache of all TLD DNS information at local DNS server
9
Recursive queries
[Figure: same hosts as slide 8 (cis.poly.edu, dns.poly.edu, root DNS server, TLD DNS server, dns.cs.umass.edu); messages numbered 1 to 8, each server forwarding the query onward rather than referring the asker]
recursive query:
• DNS client requires the DNS server to respond with either the requested resource record, or an error message stating that the record or domain name does not exist.
iterative query:
• contacted server replies with name of server to contact
• “I don’t know this name, but ask this server”
Reference: http://technet.microsoft.com/en-us/library/cc961401.aspx
10
DNS: caching and updating records
• once (any) name server learns mapping, it caches mapping
• cache entries timeout (disappear) after some time (keep fresh copy)
• TLD servers typically cached in local name servers
• Thus root name servers not often visited
11
DNS records
DNS: distributed db storing Resource Records (RR)
RR format: (name, value, type, ttl)
Type=A
• name is hostname
• value is IP address
Type=NS
• name is domain (e.g. foo.com)
• value is IP address of authoritative DNS server for this domain
Type=CNAME
• name is alias name for some “canonical” (the real) name; www.ibm.com is really servereast.backup2.ibm.com
• value is canonical name
Type=MX
• value is name of mailserver associated with name
12
DNS protocol, messages
DNS protocol: query and reply messages, both with same message format
msg header
• identification: 16 bit # for query, reply to query uses same #
• flags:
  • query or reply
  • recursion desired
  • recursion available
  • reply is authoritative
13
DNS protocol, messages (UDP 53)
[Figure: message layout; the sections after the header are labelled as follows]
• Name, type fields for a query
• RRs in response to query
• records for authoritative servers
• additional “helpful” info that may be used
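The header fields and question section just described, as an added example written for this page (not from the original slides): it builds a query for the MX record of just.edu.jo used later on slide 14, decodes the 16-bit identification and the QR/AA/RD/RA flag bits, and implements the resolver-side check that a reply must carry the same ID and the same question as the outstanding query. The reply is constructed here with no answer records, since the match check does not need them.

```python
import struct

def build_query(ident, name, qtype, rd=True):
    """Build a DNS query: 12-byte header + one question (QCLASS=IN)."""
    flags = 0x0100 if rd else 0x0000              # QR=0 (query), RD = recursion desired
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def build_reply(query, aa=True):
    """Constructed reply to `query`: same ID and question, QR=1, RA=1, optional AA=1.
    No answer records are appended; the matching check below does not need them."""
    ident = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0080 | (0x0400 if aa else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + query[12:]

def parse_header(msg):
    """Decode the header fields the slides name: ID and the QR/AA/RD/RA flag bits."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 0 = query, 1 = reply
        "aa": bool(flags & 0x0400),   # reply is authoritative
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 3 = NXDOMAIN, the "does not exist" error of slide 9
        "counts": (qd, an, ns, ar),   # question, answer, authority, additional
    }

def parse_question(msg):
    """Return (name, type) of the first question, which starts right after the header."""
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype

def response_matches(query, response):
    """Resolver-side acceptance check: the message must be a reply, carry the same
    16-bit ID as the outstanding query, and echo the same question name and type.
    A reply whose ID or question does not match is discarded."""
    qh, rh = parse_header(query), parse_header(response)
    return (rh["qr"] and not qh["qr"] and qh["id"] == rh["id"]
            and parse_question(query) == parse_question(response))
```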
14
Example
• Let’s check a web example using Wireshark!
• Check MX record:
  • nslookup -type=MX just.edu.jo (under Windows)
  • dig mx just.edu.jo (under Unix)
16
DNS main issues
• DNS amplification attacks
• Targeting Domain name system by DDoS attack
• DNS Man in the Middle Attack (redirection attack)
• DNS cache poisoning
18
Cybersquatting
• Cybersquatting is to register a domain in anticipation of that domain being desirable to another organization
• Intent to sell to that organization for big profit
• For example, someone registers www.burjkhalifa.com, since it was named at first www.burjdubai.com
• Sell it for big profit if it is true!
• Domain name purchase is cheap!
• Many organizations have to buy all related domain names to prevent cybersquatting
• A legitimate example: http://teaparty.com/
• suspicious ones for tea party: http://tparty.com/, http://t-party.com/
• http://en.wikipedia.org/wiki/Cybersquatting
19
Typosquatting
• Register all possible typo domain names for another organization
• Should a user accidentally enter an incorrect website address, he may be led to an alternative website owned by a cybersquatter.
• Could lead to phishing attack (malicious), or increase web visits (not very malicious)
• For example, for “bankofamerica.com”, a cybersquatter could register:
  • “bankamerica.com”, “bankoamerica.com”, “bankofamerican.com”, “bankfoamerica.com”, ……
• Domain name purchase is cheap!
20
OS DNS Cache Privacy
• Windows OS maintains a local DNS cache
• Command “ipconfig /displaydns”
• DNS cache reveals a user’s browsing history
  • Even if the user deletes browsing cache and cookies
• Internet Explorer does not have its own DNS cache
• Cross-platform browsers, such as Firefox, have their own DNS cache
23
DNS Vulnerability
• Most DNS queries and responses are in plaintext
• No authentication is done for DNS response
• You really have no good way to tell if the DNS responses you get are trustworthy or not!
• DNS is mostly relying on UDP packets
  • IP address spoofing is very easy for UDP packets
  • No seq/ack numbers
24
DNS Redirection
• There are 3 main different ways to do DNS redirection
• The first relies on redirecting the nameserver of the attacker's domain to the nameserver of the target domain, and then assigning this target nameserver a fake IP address.
• The second variant relies on redirecting the nameserver of another, unrelated domain to a fake nameserver.
• The third variant just involves “racing” the real nameserver to give an answer.
25
DNS redirection
[Figure: client, local DNS server and network attacker on a shared hub or WiFi; messages 1 and 2]
1. Client sends DNS query to its local DNS server; sniffed by attacker
2. Attacker responds with bogus DNS reply
Issues:
• Must spoof IP address: set to local DNS server (easy)
• Must match reply ID with request ID (easy)
• May need to stop reply from the local DNS server (harder)
26
DNS Cache Poisoning
Basic idea: give DNS servers false records and get them cached
DNS uses a 16-bit request identifier to pair queries with answers
Cache may be poisoned when a name server:
• Disregards identifiers
• Has predictable ids
• Accepts unsolicited DNS records
27
DNS Cache Poisoning Procedure
• Eve wants to mount a poisoning attack against an ISP DNS server
• Eve transmits a DNS query to this server
  • which in turn queries authoritative DNS on behalf of Eve.
• Eve simultaneously sends a DNS response (reply) to the server
  • spoofing with the authoritative server’s IP
• The ISP’s DNS server accepts the forged response and caches a wrong DNS entry
• All downstream users of this ISP will be directed to the wrong website
28
Poisoning DNS Cache (1)
• Poisoning: Attempt to put bogus records into DNS name server caches
  • Bogus records could point to attacker nodes
  • Attacker nodes could phish
• But unsolicited replies are not accepted at a name server.
  • Name servers use IDs in DNS messages to match replies to queries
  • So can’t just insert a record into a name server by sending a DNS reply message.
• But can send a reply to a request.
29
Poisoning local DNS server (2)
[Figure: local DNS server (e.g., Berkeley), attacker in Australia at 17.32.8.9, authoritative DNS for poly.edu; 1. DNS query poly.edu=?; 2. iterative DNS queries; 3. DNS reply poly.edu=17.32.8.9]
Goal: Put bogus IP address for poly.edu in local Berkeley DNS server
1) Attacker queries local DNS server
2) Local DNS makes iterative queries
3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for poly.edu.
30
Poisoning local DNS server (3)
[Figure: poisoned local DNS server (e.g., Berkeley), attacker in Australia at 17.32.8.9, authoritative DNS for poly.edu; 1. DNS query ftp.poly.edu=?; 2. DNS query ftp.poly.edu=?]
DNS response can provide IP address of malicious server!
31
DNS Poisoning (4)
• Issues:
  • Attacker needs to know sequence number in request message sent to upstream server
    • Not easy!
  • Attacker may need to stop upstream name server from responding
    • So that server under attack doesn’t get suspicious
    • Ping of death, DoS, overflows, etc
32
DNS Cache Poisoning Prevention
• Use random identifiers for queries
  • Make it hard to guess the ID number
• Always check identifiers
• Port randomization for DNS requests
• Deploy DNSSEC
  • DNSSEC authenticates the resolution of IP addresses with a cryptographic signature
  • Discussed later!
  • Challenging because it is still being deployed and requires reciprocity
33
DNS Cache Poisoning against Query ID
• Even if a DNS server checks response IDs and uses random IDs, it is still vulnerable to the attack
• Attacker generates a flux of DNS requests and sends the corresponding flux of DNS responses back
• If one request/response pair has a matching ID, the attack is successful
• Birthday Paradox: the probability that two of 23 people share the same birthday is more than 50%!
34
Some Defenses
• Fact: Most DNS poisoning target local DNS (LDNS) server
• Solution: Configure LDNS to only accept requests from internal networks
  • Why does it need to serve outside users?
• Source-port randomization (SPR)
  • DNS query sent out will have two randomized numbers:
    • Source port number (destination port always 53)
    • Query ID number (16 bits)
  • Check DNS response for both of these numbers
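The birthday-paradox argument of slide 33 and the source-port randomization defense of slide 34, worked through as an added example (not part of the original slides). It computes the probability that a burst of forged replies with independently random identifiers matches any of a resolver's outstanding queries, first with a 16-bit ID alone and then with ID plus a 16-bit random source port; the burst sizes (300 pending queries, 300 forged replies) are constructed for illustration, and the model assumes pending-query identifiers are distinct.

```python
import math

ID_SPACE = 2 ** 16        # 16-bit query ID only (slide 33)
ID_PORT_SPACE = 2 ** 32   # 16-bit query ID + 16-bit randomized source port (slide 34)

def p_birthday(people, days=365):
    """Classic check from slide 33: probability that two of `people` share a birthday."""
    p_all_distinct = 1.0
    for k in range(people):
        p_all_distinct *= (days - k) / days
    return 1.0 - p_all_distinct

def p_any_match(outstanding, forged, space):
    """Probability that at least one of `forged` replies, each carrying an
    independently random identifier drawn from `space` values, matches one of
    `outstanding` distinct pending-query identifiers.  P(no match) = (1 - n/N)^m."""
    if outstanding >= space:
        return 1.0
    return 1.0 - (1.0 - outstanding / space) ** forged

def forged_replies_needed(outstanding, space, target=0.5):
    """Smallest number of forged replies m with p_any_match(n, m, space) >= target."""
    if outstanding >= space:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - outstanding / space))

def defense_comparison(outstanding=300, forged=300):
    """Side-by-side view of the same burst against ID-only and ID+port matching."""
    return {
        "id_only": p_any_match(outstanding, forged, ID_SPACE),
        "id_and_port": p_any_match(outstanding, forged, ID_PORT_SPACE),
        "replies_for_50pct_id_only": forged_replies_needed(outstanding, ID_SPACE),
        "replies_for_50pct_id_and_port": forged_replies_needed(outstanding, ID_PORT_SPACE),
    }

if __name__ == "__main__":
    print(f"23 people, same birthday: {p_birthday(23):.3f}")
    for key, value in defense_comparison().items():
        print(f"{key}: {value:.6g}")
```

With 300 pending queries and 300 forged replies the ID-only success probability is about 0.75, while adding a random source port brings the same burst down to roughly 2e-5.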
35
DNSSEC
• Guarantees:
  • Authenticity of DNS answer origin
  • Integrity of reply
  • Authenticity of denial of existence
• Accomplishes this by signing DNS replies at each step of the way
• Uses public-key cryptography to sign responses
• Typically use trust anchors, entries in the OS to bootstrap the process
36
DNS Signing
• Hard-coded with TLD’s public keys
• TLDs serve as Certificate Authority
37
DNSSEC Deployment
• As the internet becomes regarded as critical infrastructure, there is a push to secure DNS
• NIST is in the process of deploying it on root servers now
• May add considerable load to DNS servers, with packet sizes considerably larger than the 512-byte size of UDP packets
• There are political concerns with the US controlling the root level of DNS
38
DDoS DNS Attack
• Oct 21, 2002
• Ping packets sent from bots to the 13 DNS root servers. Goal: bandwidth flood servers
• Minimal impact:
  • DNS caching
  • rate limiting at upstream routers: filter pings when they arrive at an excessive rate
  • During attack, some networks filtered pings; corresponding root servers remained up.
• Root server attack is easy to defend: download root server database to local (default) name servers
  • Not much data in root server; changes infrequently
  • TLD servers are more volatile
• Similar kind of attack in May 2004, Feb 2007
39
DNS attacks: Summary
• DNS is a critical component of the Internet infrastructure
• But is surprisingly robust:
  • DDoS attacks against root servers have been largely unsuccessful
  • Poisoning and redirection attacks are difficult unless you can sniff DNS requests
  • And even so, may need to stop DNS servers from replying
• DNS can be leveraged for reflection attacks against non-DNS nodes