Transcript of DNS Attacks
MAIN WEAKNESS OF THE SYSTEM. HOW ATTACKS WORK IN GENERAL?
DNS ATTACKS
BY: HIMANSHU PRABHAKAR
DNS ATTACKS
WHAT IS DNS?
DOMAIN NAME SYSTEM
WHAT IS DNS?
HOW THE INTERNET WORKS:
WHAT IS DNS?
Figure: host names (www.facebook.com, www.yahoo.com, www.google.com) mapped to their IP addresses (72.190.12.206, 85.206.25.156, 56.25.25.128).
WHAT IS DNS?
It's like the Yellow Pages of the Internet.
A globally distributed, loosely coherent, scalable, reliable, dynamic database.
Comprised of three components:
1. A "name space"
2. Servers making that name space available
3. Resolvers (clients) which query the servers about the name space
HOW DOES DNS WORK?
DOMAIN NAME SYSTEM
HOW DOES DNS WORK?
Figure: the DNS name-space tree. root -> top-level domains (edu, net, org, uk, com, ca) -> second-level domains (wisc, ucb, utdallas, cmu, mit) -> subdomains (cs1, ee) -> host www, which resolves to 129.110.92.15.
DNS Message Header Format
DNS VULNERABILITIES
DOMAIN NAME SYSTEM
DNS VULNERABILITIES
DNS VULNERABILITIES
DNS was designed with usability in mind, not security.
Security properties:
• Confidentiality: NOT A CONCERN
• Data integrity: BIG CONCERN
• UDP-based design: any correctly formatted DNS response received over UDP is accepted as legitimate.
DNS attack tools are readily available on the Internet (for example, dsniff, dnshijack, and many more), and they are all FREE!
DNS VULNERABILITIES
Figure: DNS components (zone file, zone administrator, dynamic updates, master, slaves, recursor, resolver) with the threats drawn against them: cache pollution by data spoofing, unauthorized updates, corrupting data, impersonating the master, and cache impersonation.
DNS ATTACKS?
DOMAIN NAME SYSTEM
DNS ATTACKS?
1. Packet Interception
2. ID Guessing and Query Prediction
3. Name Chaining
4. Betrayal By Trusted Server
5. Denial of Service
6. Authenticated Denial of Domain Names
DNS known threats (source: RFC 3833)
DNS ATTACKS?
1. DNS Amplification Attack
2. DNS Cache Poisoning / DNS Spoofing
3. (DDoS) Distributed Denial of Service attack
4. BIND9 Spoofing
DNS AMPLIFICATION ATTACK
The attacker uses open DNS resolvers by sending them DNS requests whose source IP address is that of the target. When the resolvers receive the queries, they send their DNS responses to the target address. Attacks of this type use many open resolvers at once, so the effect on the target devices is magnified.
DNS CACHE POISONING
This technique can be used to direct users of a website to another site of the attacker's choosing. A user whose computer has referenced the poisoned DNS server would be tricked into accepting content from a non-authentic server and would unknowingly download malicious content.
DNS CACHE POISONING
1. The attacker poisons the cache of the local DNS server, either by attacking it remotely or by breaking into the server.
2. A legitimate user tries to log on to www.nicebank.com.
3. A DNS request is sent to the DNS server.
4. The DNS server replies with the IP of the fake website.
5. The user is redirected to www.n1cebank.com.
(DDOS) DISTRIBUTED DENIAL OF SERVICE
The attacker tries to target one or more of the 13 DNS root name servers. The root name servers are critical components of the Internet. Attacks against the root name servers could, in theory, impact the operation of the entire global Domain Name System.
On October 21, 2002, an attack lasting approximately one hour was targeted at all 13 DNS root name servers. On February 6, 2007, a similar attack lasted twenty-four hours.
BIND9 SPOOFING
BIND is the most widely used DNS software on the Internet; BIND 9 is the stable production release.
BIND 9 DNS queries are predictable (source: bind-9-dns-cache-poisoning).
The source UDP port and the DNS transaction ID can be effectively predicted.
BIND 9 has been found to be predictable to within 10 choices.
This enables much more effective DNS cache poisoning than the currently known attacks against BIND 9.
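The slides above state that a resolver's transaction IDs and source ports can be predicted; the check below, an added example rather than anything from the slides or from BIND, scores a captured sequence of IDs or ports for the two weaknesses described (values that step by at most 10, and a static value). The sample captures are constructed, and the names assess and observed_bits are my own.

```python
import math
from collections import Counter

WINDOW = 10  # the slide's "predictable to within 10 choices"

# Constructed sample captures (in emission order) of a resolver's outgoing queries.
SEQUENTIAL_IDS = [4000 + i for i in range(12)]  # incrementing transaction IDs
FIXED_PORTS = [53] * 12                         # one static source port
SPREAD_IDS = [4123, 61002, 17, 33910, 9001, 52233, 28000, 700, 44444, 12, 65100, 31337]

def assess(samples, window=WINDOW, space=1 << 16):
    """Score a stream of 16-bit DNS transaction IDs or UDP source ports.
    near_ratio: share of consecutive pairs within +/-window (wrapping mod space);
    distinct_ratio: distinct values / samples. Either one bad => 'predictable'."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    near = 0
    for a, b in zip(samples, samples[1:]):
        d = (b - a) % space
        if d <= window or d >= space - window:
            near += 1
    counts = Counter(samples)
    value, reuse = counts.most_common(1)[0]
    report = {"samples": n, "near_ratio": near / (n - 1),
              "distinct_ratio": len(counts) / n, "most_reused": (value, reuse)}
    bad = report["near_ratio"] > 0.5 or report["distinct_ratio"] < 0.5
    report["verdict"] = "predictable" if bad else "looks random"
    return report

def observed_bits(ports, ids):
    """Crude lower bound on what an off-path spoofer must guess: log2(distinct ports)
    + log2(distinct IDs) seen in the capture (a well-randomised resolver nears 32)."""
    return math.log2(len(set(ports))) + math.log2(len(set(ids)))
```

Run it against the ports and IDs your own resolver emits (from a packet capture) to confirm both are randomised after a BIND upgrade or configuration change.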
HOW TO PREVENT DNS ATTACKS?
DOMAIN NAME SYSTEM
Band-Aid solutions
• Only cache information from authoritative servers
• Cross-check IP DNS mappings
• Transaction signatures for zone transfer, dynamic updates
• Split-split strategy: Advertising name server for DNS servers
• No cache to poison
• Only allow internal traffic
Firewalls can be utilized to minimize attacks against the DNS protocol.
• Query and Response Verification
• Transaction ID randomization
• DNS Header Flag Filtering
• DNS message size limitations
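The firewall checks listed above (query and response verification, transaction ID matching, header flag filtering) and the DNS Message Header Format slide earlier in the deck are illustrated by the following added example; it is my own code, not from the slides or any firewall product. It parses the 12-byte header, extracts the question section, and rejects a UDP reply that is not a standard response, carries a different transaction ID, or answers a different question; build_query and reply_to construct the sample messages.

```python
import struct

# 12-byte DNS header (RFC 1035 s4.1.1). Flag word bits, MSB first:
# QR | Opcode(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)   (AD/CD from RFC 4035)
HEADER = struct.Struct("!HHHHHH")
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "Z": 6, "AD": 5, "CD": 4}

def parse_header(msg):
    """Decode the header of a raw DNS message into a dict of named fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    h = {"id": ident, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
         "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    h.update({k: bool(flags >> b & 1) for k, b in FLAG_BITS.items()})
    return h

def question(msg):
    """Return the raw first question entry (QNAME + QTYPE + QCLASS)."""
    i = HEADER.size
    while i < len(msg) and msg[i] != 0:
        if msg[i] & 0xC0:  # compression pointers are never valid in a sent question
            raise ValueError("compressed QNAME")
        i += 1 + msg[i]
    if i + 5 > len(msg):
        raise ValueError("truncated question section")
    return msg[HEADER.size:i + 5]

def verify_response(query, resp):
    """Reply checks a resolver or DNS-aware firewall makes; None if OK, else the reason."""
    q, r = parse_header(query), parse_header(resp)
    if not r["QR"] or r["opcode"] != 0 or r["Z"]:
        return "flag filter: not a standard response"
    if r["id"] != q["id"]:
        return "transaction ID mismatch"
    if q["qdcount"] != 1 or r["qdcount"] != 1:
        return "question count must be 1"
    if question(query).lower() != question(resp).lower():  # labels are case-insensitive
        return "question section mismatch"
    return None

def build_query(ident, name):
    """Constructed sample input: a standard recursive A/IN query for name."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return HEADER.pack(ident, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + b"\x00\x01\x00\x01"

def reply_to(query, flags=0x8180, ident=None):
    """Constructed sample: reply (QR|RD|RA) echoing the query's question; ident = other ID."""
    q = parse_header(query)
    return HEADER.pack(q["id"] if ident is None else ident, flags, 1, 0, 0, 0) + query[12:]
```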
HOW TO PREVENT DNS ATTACKS?
DNSSEC
DNS Security Extensions (DNSSEC)
• Adds security functions to the DNS protocol.
• Can prevent some attacks, such as DNS cache poisoning.
• Adds data origin authentication and data integrity to the DNS protocol.
• Digitally signs DNS lookups using public-key cryptography.
• The DNSKEY record is authenticated via a chain of trust starting at the trusted root.
• It is a kind of SSL-style authentication for the DNS.
DNSSEC
1. RECORDS: RRSIG, DNSKEY, DS, NSEC and NSEC3
2. ALGORITHMS: RSA/MD5, DSA/SHA-1, RSA/SHA-256/512
3. LOOKUP PROCEDURE: Recursive Name Servers, Stub Resolver
4. TRUST ANCHORS AND AUTHENTICATION CHAIN
5. SIGNATURE AND ZONE SIGNING
6. KEY MANAGEMENT
HOW DOES DNSSEC WORK?
Figure (sequence diagram; participants: Stub Resolver, Recursor, Root Server, ns.dns.edu, ns.utdallas.edu):
1. Stub Resolver -> Recursor: IP for www.utdallas.edu
2. Recursor: check cache; Recursor -> Root Server: request DNSKEY for the root
3. Root Server -> Recursor: DNSKEY: KSKroot + RRSIG(KSKroot) + DNSKEY: ZSKroot + RRSIG(ZSKroot)
4. Recursor: check RRSIG with KSKroot => valid ZSKroot
5. Recursor -> Root Server: IP for www.utdallas.edu
6. Root Server -> Recursor: go to NS: ns.dns.edu; DS(KSKedu) + RRSIG(DS); NS: root + RRSIG(NS)
7. Recursor: check RRSIG with KSKroot => valid DS(KSKedu); check RRSIG with KSKroot => valid NS: root
HOW DOES DNSSEC WORK? (continued)
Figure (sequence diagram, continued):
1. Recursor: check RRSIG with ZSKroot => valid DS(KSKedu); check RRSIG with ZSKroot => valid NS: root
2. Recursor -> ns.dns.edu: request DNSKEY for edu
3. ns.dns.edu -> Recursor: DNSKEY: KSKedu + RRSIG(KSKedu) + DNSKEY: ZSKedu + RRSIG(ZSKedu)
4. Recursor: validate KSKedu with DS(KSKedu) => valid KSKedu; check RRSIG with KSKedu => valid ZSKedu
5. Recursor -> ns.dns.edu: IP for www.utdallas.edu
6. ns.dns.edu -> Recursor: go to NS: ns.utdallas.edu; DS(KSKutd) + RRSIG(DS); NS: ns.dns.edu + RRSIG(NS)
7. Recursor: check RRSIG with ZSKedu => valid DS(KSKutd); check RRSIG with ZSKedu => valid NS: ns.dns.edu
HOW DOES DNSSEC WORK? (continued)
Figure (sequence diagram, continued):
1. Recursor: check RRSIG with ZSKedu => valid DS(KSKutd); check RRSIG with ZSKedu => valid NS: ns.dns.edu
2. Recursor: validate KSKutd with DS(KSKutd) => valid KSKutd
3. Recursor -> ns.utdallas.edu: request DNSKEY for utdallas.edu
4. ns.utdallas.edu -> Recursor: DNSKEY: KSKutd + RRSIG(KSKutd) + DNSKEY: ZSKutd + RRSIG(ZSKutd)
5. Recursor: check RRSIG with KSKutd => valid ZSKutd
6. Recursor -> ns.utdallas.edu: IP for www.utdallas.edu
7. ns.utdallas.edu -> Recursor: A: 123.123.123.123 + RRSIG(A); NS: ns.utdallas.edu + RRSIG(NS)
8. Recursor: check RRSIG with ZSKutd => valid A record; check RRSIG with ZSKutd => valid NS: ns.utdallas.edu
9. Recursor -> Stub Resolver: A: 123.123.123.123
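The "validate KSK with DS" links in the chain walk above are the part of DNSSEC a validator can check with nothing but a hash: the parent's DS record must equal the key tag and digest of the child's KSK. The example below is added here and is not code from the slides or from any DNS software; it implements the DS digest and key tag from RFC 4034 and walks the root -> edu -> utdallas.edu chain of the lookup. The key bytes are constructed placeholders, not real RSA keys, and the RRSIG checks on each RRset are assumed to be done by a crypto library and are not modelled.

```python
import hashlib
import struct

SHA1, SHA256 = 1, 2  # DS digest types (RFC 4034 / RFC 4509)

def wire_name(name):
    """Canonical wire form of an owner name: lowercase labels, root terminator."""
    labels = [l.lower().encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA (RFC 4034 s2): flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner, dnskey, digest_type=SHA256):
    """DS RDATA a parent publishes for a child KSK: tag | alg | digest_type | hash(owner||DNSKEY)."""
    h = hashlib.sha256 if digest_type == SHA256 else hashlib.sha1
    digest = h(wire_name(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), dnskey[3], digest_type) + digest

def ds_matches(ds, owner, dnskey):
    """The 'validate KSK with DS' step: zone-key bit set and digest equal to the parent's DS."""
    _, _, digest_type = struct.unpack("!HBB", ds[:4])
    if digest_type not in (SHA1, SHA256) or not struct.unpack("!H", dnskey[:2])[0] & 0x0100:
        return False
    return ds == ds_rdata(owner, dnskey, digest_type)

def walk_chain(anchor, zones):
    """Follow root -> ... -> target. zones = [(owner, ksk_rdata, ds_for_child)] in order;
    anchor is the configured root KSK (trust anchor). RRSIG verification is not modelled.
    Returns None when every link holds, else the owner name of the first broken link."""
    if zones[0][1] != anchor:
        return zones[0][0]
    for (_, _, ds), (child, ksk, _) in zip(zones, zones[1:]):
        if ds is None or not ds_matches(ds, child, ksk):
            return child
    return None

# Constructed sample chain for the slide's lookup; 257 = zone key + SEP, 8 = RSA/SHA-256.
ROOT_KSK = dnskey_rdata(257, 8, b"constructed root KSK")
EDU_KSK = dnskey_rdata(257, 8, b"constructed edu KSK")
UTD_KSK = dnskey_rdata(257, 8, b"constructed utdallas KSK")
CHAIN = [(".", ROOT_KSK, ds_rdata("edu", EDU_KSK)), ("edu", EDU_KSK, ds_rdata("utdallas.edu", UTD_KSK)),
         ("utdallas.edu", UTD_KSK, None)]
```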
DNSSEC STANDARDS
RFC4033 DNS Security Introduction and Requirements:
What DNSSEC provides: origin authentication and data integrity, through
• Resource Record Signature (RRSIG)
• DNS Public Key (DNSKEY)
• Delegation Signer (DS)
• Next Secure (NSEC)
• New header bits: Checking Disabled (CD) and Authenticated Data (AD)
What DNSSEC does not provide: confidentiality, access control lists, or protection against DoS attacks.
CONSIDERATIONS:
• Resolver: cryptographic analysis of signatures, authentication chaining, validation of DNS replies.
• Stub resolver: DNSSEC validity checks, IPsec, setting of the AD bit.
• Zones: signed and unsigned zones, regular maintenance of RRsets.
• Name server: DNSSEC records (RRSIG, DNSKEY, DS and NSEC), the EDNS "sender's UDP payload" mechanism; the private part of the DNSSEC key pair should be kept offline.
• Security: a channel secured by IPsec, or a DNS transaction authentication mechanism such as TSIG.
RFC4034 Resource Records for the DNS Security Extensions: the DNSKEY, RRSIG, NSEC and DS resource records.
RFC4035 Protocol Modifications for the DNS Security Extensions:
• Zone signing: DNSKEY, RRSIG, NSEC, DS
• Serving: authoritative name servers and recursive name servers
• Resolving: EDNS support, signature verification, trust anchors
• Authenticating DNS responses
RFC5155: DNSSEC Hashed Authenticated Denial of Existence
RFC4310: DNS Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
RFC4641: DNSSEC Operational Practices
DNSSEC STANDARDS
ARE WE SECURE WITH DNSSEC?
DNSSEC has some problems of its own:
• Trivial zone configuration errors or expired keys can break resolution for a DNSSEC-aware resolver.
• The increased size of DNSSEC responses could encourage their use as DoS amplifiers.
• Slow responses, due to the extra overhead of signature validation, could result in timeouts and re-queries (impatient DNS clients).
• A compromise of any zone between the root and the target could damage DNSSEC's ability to protect the integrity of data owned by that target name.
THANKS [email protected]
REFERENCES
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
http://tools.ietf.org/html/rfc4033
http://tools.ietf.org/html/rfc4034
http://tools.ietf.org/html/rfc4035
http://tools.ietf.org/html/rfc5155
http://tools.ietf.org/html/rfc4310
http://tools.ietf.org/html/rfc4641
https://www.dnssec.nl/wiki/index.php/DNSSEC_explained
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm