Attacks Against The DNS - The Security Skeptic · 2016-06-27
Attacks Against The DNS
Dave Piscitello, VP Security and ICT Coordination, 27 June 2016, [email protected]
| 2
Introduction
• VP Security and ICT Coordination, ICANN
• 40 year network and security practitioner
• Roles at ICANN:
  – Technology Advisor
  – Threat responder
  – Investigator
  – Researcher
| 3
Part 1
• How does the DNS work?
• Overview and Examples of the DNS attack landscape
| 4
What Is The Domain Name System?
A distributed database primarily used to obtain the IP address, a number, e.g., 192.168.23.1 or fe80::226:bbff:fe11:5b32, that is associated with a user-friendly name (www.example.com).
| 5
Structure Of The Distributed DNS Database
The formal structure of the DNS database is an inverted tree with the root node at the top.
Each node has a label.
The root node is designated using a terminating “dot”.
[Diagram: inverted tree with the root node at the top, top-level nodes beneath it, then 2nd-level and 3rd-level nodes]
The DNS is a public name space. It is one of many name spaces used on the Internet.
| 6
Labels And Domain Names
Each node in the DNS name space has a label. The domain name of a node is the list of the labels on the path from the node to the root of the DNS.
[Diagram: the same inverted tree of root, top-level, 2nd-level and 3rd-level nodes]
When all labels are present, the name is called a FULLY QUALIFIED DOMAIN NAME (FQDN). FQDNs are globally unique in the public DNS.
[Diagram: root node “.”; Top Level Domain, e.g. COM; 2nd Level Domain, e.g. EXAMPLE; 3rd Level Domain, e.g. WWW]
| 7
Operational Elements Of The DNS
• Authoritative Name Servers host zone data
  – The set of “DNS data” that the registrant publishes
• Recursive Name Resolvers (“resolvers”)
  – Systems that find answers to queries for DNS data
• Caching resolvers
  – Recursive resolvers that find and store answers locally for the “TTL” period of time
• Client or “stub” resolvers
  – Software in applications, mobile apps or operating systems that query the DNS and process responses
| 8
DNS: Internet’s Directory Assistance
• Client “stub” resolvers ask questions
  – Software in applications, mobile apps or operating systems that issue DNS queries and process responses
• Recursive name resolvers find answers to queries for DNS data
[Diagram: My PC asks dns1.icann.org “What is the IPv6 address for www.icann.org?”; dns1.icann.org replies “I’ll find that answer for you”]
| 9
The Domain Name System Is “Directory Assistance”
How does a resolver find the IP address of ICANN.ORG?
• Resolvers find answers by asking questions iteratively
[Diagram: dns1.icann.org asks m.root-servers.net for the IPv6 address of ICANN.ORG; the root server answers “Here’s a list of ORG TLD name servers. Ask one of these.”; dns1.icann.org asks a0.org.afilias-nst.info for the IPv6 address of ICANN.ORG; it answers “Here’s a list of ICANN name servers. Ask one of these.”; dns1.icann.org asks ns.icann.org for the IPv6 address of ICANN.ORG; it answers “The IPv6 address of www.icann.org is 2001:500:88:200::7”]
| 10
What Is Caching?
• Resolvers may cache DNS records they receive from other name servers as they process client queries
  – Speeds up resolution
  – Saves bandwidth
  – Responses are non-authoritative
• Are cached records valid forever?
  – No. The time to live (TTL) field in DNS records bounds how long an iterative resolver can cache that particular record
[Diagram: My PC asks my local resolver “What is the IPv6 address of www.icann.org?”; ICANN’s name server (authoritative) answers “www.icann.org AAAA 2001:500:88:200::7”; my local resolver: “I’ll cache this response”]
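The iterative walk and the TTL-bounded cache described on the last two slides, as an added example that is not part of the original deck: a toy resolver over a constructed delegation table. The server names and the AAAA record are the ones shown on the slides; the delegation data, TTL values and injectable clock are assumptions of this example.

```python
import time

# Constructed "name servers" for the simulation (not real zone data): each maps
# a name to either a referral (the next servers to ask) or an answer (type, rdata, TTL).
SERVERS = {
    "m.root-servers.net": {"org": ("REFERRAL", ["a0.org.afilias-nst.info"], 172800)},
    "a0.org.afilias-nst.info": {"icann.org": ("REFERRAL", ["ns.icann.org"], 86400)},
    "ns.icann.org": {"www.icann.org": ("AAAA", "2001:500:88:200::7", 600)},
}
ROOT = "m.root-servers.net"

def zone_cuts(qname):
    """Ancestors of qname from the TLD downward: org, icann.org, www.icann.org."""
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

class Resolver:
    def __init__(self, clock=time.time):
        self.cache = {}    # qname -> (rdata, expiry time)
        self.clock = clock # injectable so TTL expiry can be simulated
        self.trace = []    # servers asked, so the reader can follow the walk

    def resolve(self, qname, qtype="AAAA"):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:           # still within its TTL: answer from cache
            self.trace.append("cache")
            return hit[0]
        server = ROOT
        for cut in zone_cuts(qname):       # iterate: root -> TLD -> authoritative
            self.trace.append(server)
            kind, data, ttl = SERVERS[server].get(cut, (None, None, 0))
            if kind == "REFERRAL":
                server = data[0]           # "Here's a list ... ask one of these"
            elif kind == qtype:
                self.cache[qname] = (data, now + ttl)   # TTL bounds reuse
                return data
        return None                        # no answer in the constructed tree
```

After the TTL elapses the same query walks the tree again instead of being served from cache.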
| 11
Summary
1 The DNS is a public, distributed database
2 The DNS allows us to use names rather than numbers to navigate the Internet
3 The operational elements of the DNS span from critical infrastructure to user devices
| 12
Agenda
• How does the DNS work?
• Attacking the DNS
| 13
Motives To Attack Or Exploit The DNS
Actors have specific motives or incentives to attack critical cyber infrastructures, including DNS.
Where are cybercrime and espionage in this diagram?
| 14
DNS Attack Landscape
Target                      Authoritative Name Server   Recursive Resolver   Stub Resolver
Access bandwidth            ✔                           ✔                    ✔
Access network elements     ✔                           ✔                    ✔
NS or device:
  Hardware                  ✔                           ✔                    ✔
  OS software               ✔                           ✔                    ✔
  Name server software      ✔                           ✔
  Cache                                                 ✔                    ✔
  Application software                                                       ✔
Administration              ✔                           ✔                    ✔
Configuration               ✔                           ✔                    ✔
| 15
Attacks Against Name Servers Or Recursors
• “Exploit to fail” Denial of Service (DOS) attack
• “Exploit to own” DOS attack
• Reflection attack
• Amplification attack
• Distributed DOS attack
• Cache Poisoning attack
• Exhaustion attack
Let’s look at some examples
| 16
“Exploit To Fail” DOS Attack
• Exploit a vulnerability in some element of a name server infrastructure to cause interruption of name resolution service
• Example: Malicious DNS message injection
  – http://www.cvedetails.com/cve/CVE-2002-0400/
[Diagram: Attacker sends a malformed DNS message, e.g., CVE-2002-0400, to a name server running BIND; the name server fails when it processes the message]
| 17
“Exploit To Own” DOS Attack
• Exploit a vulnerability in some element of a name server infrastructure to gain system administrative privileges
• Example: Arbitrary/remote code execution
  – http://www.kb.cert.org/vuls/id/844360
[Diagram: Attacker sends a crafted DNS query, e.g., VU#844360, to a name server running BIND; the message causes a BUFFER OVERFLOW and the attacker can execute arbitrary code]
| 18
Reflection Attack
• Attacker spoofs IP address of targeted host
• Attacker sends DNS messages to recursor
• Recursor sends response to targeted host
• Response delivered to targeted host
[Diagram: Attacker sends a DNS query to an open recursor with the spoofed source IP of the target, 10.0.0.1; the recursor’s response goes to the targeted host at 10.0.0.1]
| 19
Reflection And Amplification Attack
• Attacker spoofs IP address of targeted host
• Attacker sends DNS messages to recursor that elicit a LARGE response
• Recursor sends LARGE responses to targeted host
• The LARGE responses consume target’s resources faster
[Diagram: Attacker sends a DNS query to an open recursor with the spoofed source IP of the target, 10.0.0.1; the recursor’s large responses go to the targeted host at 10.0.0.1]
| 20
Distributed Reflection And Amplification Attack
• Launch reflection and amplification attack from 1000s of origins
• Reflect through open recursors
• Deliver 1000s of large responses to target
[Diagram: many attackers send DNS queries to open recursors; all sources spoof the source IP of the target, 10.0.0.1; the responses converge on the targeted host at 10.0.0.1]
| 21
Resource Depletion DOS Attack
• Attacker sends flood of DNS messages over TCP from spoofed IP address of target
• Name server allocates resources for connections until resources are exhausted
• Name resolution is degraded or interrupted
[Diagram: Attacker sends a stream of TCP SYNs to an open recursor, spoofing the source IP of the target, 10.0.0.1; Target host IP: 10.0.0.1]
| 22
Basic Cache Poisoning
Attacker
  – Launches a spam campaign where spam message contains http://loseweightfastnow.com
  – Attacker’s name server will respond to a DNS query for loseweightfastnow.com with malicious data about ebay.com
  – Vulnerable resolvers add malicious data to local caches
  – The malicious data will send victims to an eBay phishing site for the lifetime of the cached entry
[Diagram: My PC asks my local resolver “What is the IPv4 address for loseweightfastnow.com?”; the ecrime name server answers “loseweightfastnow.com IPv4 address is 192.168.1.1 ALSO www.ebay.com is at 192.168.1.2”; my local resolver: “I’ll cache this response… and update www.ebay.com”]
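The resolver-side defence against the poisoning on this slide, as an added example that is not from the deck: a bailiwick check that discards any record whose owner name lies outside the zone the answering server was delegated, before anything reaches the cache. The record layout (owner, type, rdata), the function names and the sample response are constructed here.

```python
def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_records(response, server_zone):
    """Split a response into records safe to cache and records to discard.
    server_zone is the zone the resolver was referred to this server for;
    the check applies to every section, not only 'additional'."""
    keep, drop = [], []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            (keep if in_bailiwick(rr[0], server_zone) else drop).append(rr)
    return keep, drop

# Constructed poisoned response modelled on the slide: the ecrime name server
# was asked about loseweightfastnow.com but also volunteers a record for
# www.ebay.com. Records are (owner name, type, rdata).
POISONED = {
    "answer": [("loseweightfastnow.com", "A", "192.168.1.1")],
    "additional": [("www.ebay.com", "A", "192.168.1.2")],
}

def cache_after(response, server_zone, check=True):
    """Simulated cache contents: with the bailiwick check, or naively without it
    (the vulnerable resolver on the slide behaves like check=False)."""
    if not check:
        return [rr for section in response.values() for rr in section]
    return accept_records(response, server_zone)[0]
```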
| 23
NXDOMAIN Cache Exhaustion
• Attacker floods recursor with DNS queries for non-existent domain names
• Recursor attempts to resolve queries and adds each NXDOMAIN answer to cache
• Recursor’s cache fills with useless answers
• Processing of legitimate DNS queries is degraded
[Diagram: Attacker sends repeated DNS queries for non-existent domains to the recursor; the recursor’s cache fills with NXDOMAIN answers]
Phantom Domain Attack has similar effects
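Detection logic for the reflection and amplification slides above and for the NXDOMAIN flood on this slide, as an added example that is not from the deck, run over a constructed resolver log. The log line format, the thresholds and QUERY_BYTES are assumptions of this example.

```python
from collections import defaultdict

# Constructed resolver log (not real data). Assumed line format:
#   <epoch> <client-ip> <qname> <qtype> <rcode> <response-bytes>
LOG = """\
1467000000 10.0.0.1 example.net ANY NOERROR 3200
1467000000 10.0.0.1 example.net ANY NOERROR 3200
1467000001 10.0.0.1 example.net ANY NOERROR 3200
1467000001 192.0.2.7 www.icann.org AAAA NOERROR 92
1467000002 192.0.2.9 a8f3k.example.com A NXDOMAIN 110
1467000002 192.0.2.9 q7zz1.example.com A NXDOMAIN 110
1467000003 192.0.2.9 m2x0p.example.com A NXDOMAIN 110
1467000003 192.0.2.9 www.example.com A NOERROR 60
"""
QUERY_BYTES = 64   # assumed typical UDP query size; large answers amplify it

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, qname, qtype, rcode, size = line.split()
        rows.append((int(ts), client, qname, qtype, rcode, int(size)))
    return rows

def per_client(rows):
    """Aggregate query count, ANY count, NXDOMAIN count and bytes sent per client."""
    stats = defaultdict(lambda: {"n": 0, "any": 0, "nx": 0, "out": 0})
    for _, client, _, qtype, rcode, size in rows:
        s = stats[client]
        s["n"] += 1
        s["any"] += qtype == "ANY"
        s["nx"] += rcode == "NXDOMAIN"
        s["out"] += size
    return stats

def amplification_suspects(stats, min_ratio=10.0, min_any_share=0.5):
    """Clients whose responses dwarf their queries and that lean on ANY.
    In a reflection attack this 'client' is the spoofed victim, so the fix is
    response rate limiting or closing open recursion, not blocking that address."""
    return sorted(c for c, s in stats.items()
                  if s["out"] / (s["n"] * QUERY_BYTES) >= min_ratio
                  and s["any"] / s["n"] >= min_any_share)

def nxdomain_flood_suspects(stats, min_queries=3, min_nx_share=0.5):
    """Clients whose answers are mostly NXDOMAIN: the cache-exhaustion pattern."""
    return sorted(c for c, s in stats.items()
                  if s["n"] >= min_queries and s["nx"] / s["n"] >= min_nx_share)

def analyse(log=LOG):
    stats = per_client(parse(log))
    return amplification_suspects(stats), nxdomain_flood_suspects(stats)
```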
| 24
Attacks Against Stub Resolvers
• Query interception attack
• DNS Response modification
  – Also called Name Error resolution
• Configuration poisoning attack
• DNS hostname overflow attack
Let’s look at some examples
| 25
Query Interception (DNS Hijacking)
• A man in the middle (MITM) or spoofing attack forwards DNS queries to a name server that returns forged responses
  – Can be done using a DNS proxy, compromised access router or recursor, ARP poisoning, or evil twin Wifi access point
[Diagram: the intended path for online banking transactions leads to the Bank Web Site; the redirected path runs through an Evil Twin AP to the attacker’s resolver and on to a Fake Bank Web Site. Evil twin AP or compromised router redirects DNS queries to attacker’s name server; attacker’s name server returns fake bank web site address]
| 26
Response Modification
• Recursive resolver is configured to return IP address of web, pay-per-click, or search page when it receives NXDOMAIN response
• Also used by ISPs and 3rd parties for monetizing purposes
[Diagram: client asks “What is the address of ww.example.com?”; the example.com name server answers “ww.example.com does not exist (NXDOMAIN)”; the modified response path instead returns “Address of ww.example.com is 192.168.12.113”]
| 27
Configuration Poisoning: DNSChanger
Attacker distributes DNS configuration altering malware via
• Spam, drive-by download…
DNSChanger malware
• Alters DNS configuration of infected PC
• Causes all requests to go to a malicious name server run by attackers
• Attacker updates malware to redirect web traffic to a destination of his choosing
[Diagram: intended path to local recursive resolver (“Your recursive resolver is at 192.168.3.13”); DNSChanger malware redirects the PC to the attacker’s resolver, which sends the user to forged web sites]
| 28
DNS Hostname Overflow Attack
• Attacker crafts response message containing domain name > 255 bytes
• Vulnerable client queries attacker’s name server, fails to check hostname length in response
• Buffer overflow allows an attacker to gain root or execute arbitrary commands
[Diagram: client is induced to query attacker’s name server (e.g., spam, URL); attacker’s name server responds with hostname > 255 bytes]
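The check the vulnerable client on this slide omits, as an added example that is not from the deck: a bounds-checked decoder for a DNS wire-format name that rejects labels over 63 octets, names over 255 octets, truncated data and compression-pointer loops. BadName, decode_name and encode_name are names chosen here; the limits are the standard DNS ones and the sample messages are constructed.

```python
MAX_LABEL = 63     # DNS wire-format limits in octets: per label and whole name
MAX_NAME = 255

class BadName(ValueError):
    """Raised for any name that violates the wire-format rules."""

def decode_name(msg, offset=0, max_hops=16):
    """Decode the name at msg[offset:], following compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, total, hops, end = [], 0, 0, None
    while True:
        if offset >= len(msg):
            raise BadName("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # compression pointer (2 octets)
            if offset + 1 >= len(msg):
                raise BadName("truncated pointer")
            hops += 1
            if hops > max_hops:
                raise BadName("pointer loop")
            if end is None:
                end = offset + 2              # stream resumes after the pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length & 0xC0:
            raise BadName("reserved label type")
        offset += 1
        if length == 0:                       # root label terminates the name
            break
        if length > MAX_LABEL:
            raise BadName("label longer than %d octets" % MAX_LABEL)
        total += length + 1
        if total + 1 > MAX_NAME:              # +1 for the terminating root label
            raise BadName("name longer than %d octets" % MAX_NAME)
        label = msg[offset:offset + length]
        if len(label) != length:
            raise BadName("label runs past end of message")
        labels.append(label.decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def encode_name(name):
    """Build wire format for the constructed samples (deliberately unchecked)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return out + b"\x00"
```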
| 29
Domain Registration Hijacking
• Attacker compromises registration account, e.g.,
  – Succeeds with brute force, social engineering, or login attack
  – Launches a registrar impersonation phishing attack
  – Compromise gives attacker administrative control over domains registered under this account
• Attacker modifies/adds name server record for domain
  – NS record that is published in TLD zone associates domain’s name server with IP address of attacker’s host
• Attacker publishes “attack” zone data
  – Resource records in zone data support phishing, fraud, or defacement sites, spam mail exchanges, VoIP servers…
Note: An attacker can also compromise a name server directly
| 30
Summary
1 The DNS is an open system and open also to abuse
2 The DNS is a critical Internet database and thus a target for attack
3 Any element of the DNS may be exploited to facilitate other attacks
| 31
Reading List (Partial)
Title – URL
Top 10 DNS attacks – http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html
Manage your domain portfolio – http://securityskeptic.typepad.com/the-security-skeptic/2014/01/avoid-risks-manage-your-domain-portfolio.html
Securing open DNS resolvers – http://www.gtri.com/securing-open-dns-resolvers-against-denial-of-service-attacks/
DNS Tunneling – https://www.cloudmark.com/releases/docs/whitepapers/dns-tunneling-v01.pdf
DNS cache busting – http://blog.cloudmark.com/2014/10/07/a-dns-cache-busting-technique-for-ddos-style-attacks-against-authoritative-name-servers/
DNS Cache Poisoning – http://www.securityskeptic.com/dns-cache-poisoning.html
Anatomy of a DDOS attack – http://www.securityskeptic.com/anatomy-of-dns-ddos-attack.html
DNS reflection defense – https://blogs.akamai.com/2013/06/dns-reflection-defense.html
Protect the world from your network – http://securityskeptic.typepad.com/the-security-skeptic/2013/04/protecting-the-world-from-your-network.html
DNS Traffic Monitoring Series – http://www.securityskeptic.com/2014/09/dns-traffic-monitoring-series-at-dark-reading.html
Protect your DNS servers against DDoS attacks – http://www.gtcomm.net/blog/protecting-your-dns-server-against-ddos-attacks/
Fast Flux Botnet Detection in Realtime – http://www.iis.sinica.edu.tw/~swc/pub/fast_flux_bot_detection.html
DNS resource exhaustion – https://www.cloudmark.com/releases/docs/whitepapers/dns-resource-exhaustion-v01.pdf
| 32
My Contact Info: [email protected] @securityskeptic www.securityskeptic.com about.me/davepiscitello
Thank You and Questions
Questions?
Contact ICANN: [email protected] @icann icann.org safe.mn/icannsecurityteam