DNS security
Transcript of DNS security
-
1
DNS Security Module
Quick DNS Refresher
-
2
What is DNS?
The Domain Name System (DNS) associates various information with domain names; most importantly, it serves as the "phone book" for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information.
DNS also stores other information, such as the list of mail servers that accept email for a given domain. By providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use. (Source: Wikipedia)
-
3
Hierarchical Name Space
[Diagram: hierarchical name space. root -> edu, net, org, uk, com, ca -> (under edu) wisc, ucb, stanford, cmu, mit -> (under stanford) cs, ee -> (under cs) www; www.cs.stanford.edu = 192.168.20.1]
-
4
DNS Server Functions/Roles
Zone (Domain): A DNS zone is a portion of the global Domain Name System (DNS) namespace for which administrative responsibility has been delegated.
[Diagram: Zone = apricot.net. Zone Administrator -> Zone Files -> Master DNS Server -> Slave DNS Server(s); Dynamic Updates (DHCP & AAA) feed the Master; Recursive DNS Server -> Client.]
-
5
DNS Server Functions/Roles
Zone Master (Primary): The authoritative server for a zone (domain). The Zone Master holds one or more zone files for which the server is authoritative. Other DNS servers can automatically transfer zone files from it.
-
6
DNS Server Functions/Roles
Zone Slave (Secondary): A Zone Slave (also called a stub name server or secondary DNS) gets zone data from the Zone Master. When a Zone Slave server starts up, it contacts its Zone Master and requests a zone transfer. The goal of the Zone Slave is scaling (load) and zone resiliency (in case the Zone Master is down). You can have multiple Zone Slaves, geographically distributed, to increase resiliency.
-
7
DNS Server Functions/Roles
Resolvers: A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.
-
8
DNS Server Functions/Roles
Stub Resolvers (customers): Stub Resolvers move the resolution function out of the local machine and into a name server which supports recursive queries. Little to no local caching happens.
-
9
DNS Server Functions/Roles (Options)
External Resolvers: External resolvers are designed to proxy all queries from inside a large organization. An external resolver becomes one of the publicly visible addresses of the large network, allowing the internal DNS servers to be hidden (core hiding) and protected from outside attack.
Internal Resolvers: Internal resolvers are slaves configured in split-horizon mode to allow for external zone transfers and authoritative responses.
-
10
DNS Information Flow
1. The Zone Administrator (e.g. for apricot.net) updates information in the Zone files. These files are moved to the DNS Master.
[Diagram: the DNS roles figure, with flow steps 1 to 5 marked on the paths between nodes.]
-
11
DNS Information Flow
2. Dynamic Updates are sent by the DHCP or AAA server. The DNS Master updates its records.
[Diagram: the DNS roles figure, step 2 highlighted.]
-
12
DNS Information Flow
3. Zone transfer is used to push copies of the Master's records to the Slave DNS Servers. This allows for scaling and resiliency.
[Diagram: the DNS roles figure, step 3 highlighted.]
-
13
DNS Information Flow
4. Caching Forwarders, Proxies, and Resolvers all query the Master/Slave DNS server to get authoritative information about the DNS Zone.
[Diagram: the DNS roles figure, step 4 highlighted.]
-
14
DNS Information Flow
5. Resolvers query Recursive Caching Forwarders to have them get DNS records on their behalf. These are your local DNS servers set in most end devices.
[Diagram: the DNS roles figure, step 5 highlighted.]
-
15
DNS Query Recursive Resolution
Question: www.apricot.net A
[Diagram: the Client asks the Recursive Server "www.apricot.net A ?" (1, 2). The Recursive Server asks the ROOT Server (3), which replies "go ask net server @ X.gtld-servers.net (+ glue)" (4); it asks the GTLD Server (5), which replies "go ask APNIC server @ ns.apnic.net (+ glue)" (6); it asks the APNIC Server (7), which answers 192.168.5.10 (8). The answer is added to the cache (9) and returned to the Client with its TTL (10).]
-
16
What is the DNS Problem?
-
17
Industry Wide Vulnerability
DNS has a highly exploitable architectural flaw. This is an industry-wide vulnerability which impacts every DNS server on the planet. The risk is a general breach of confidence and a feasible ability to break chains of commercial trust.
There is a demonstrated ability for the exploit to be commercially capitalized by the cyber-criminal economy (miscreant economy). See http://www.getit.org/Mediawiki/index.php?title=Miscreant_economy
Suspected but not confirmed: active exploit today in China.
-
18
DNS: Where is the Problem?
DNS poison entries are injected at step 4. This is a botable and criminally executable threat to the confidence of the Internet.
[Diagram: the DNS roles figure with flow steps 1 to 5; a computer with hijacking malware sits beside the Client.]
-
19
DNS Threat Vectors
-
20
DNS is a Critical Dependency
Services depend on DNS to be there. Applications depend on DNS to be there. People depend on DNS to be there.
The Internet could be passing plenty of packets at line-rate speeds, but if DNS is not working, the customer sees the Internet as not working.
-
21
DNS Security: Protect the resolution path!
DNS Security is all about protecting the information that flows from one functional node to another.
[Diagram: the DNS roles figure.]
-
22
DNS Attack Vectors
[Diagram: attack vectors mapped onto the DNS roles figure:]
Corrupt Zone Data
DOS Servers
Poison Recursive Caching
Impersonating Master
Unauthorized Updates
Cache Impersonation
Redirection
-
23
Divide the Problem in Half!
Policy, Tools, Protocols and Technique can be easily derived by dividing the problem in half: Server Protection and Data Protection.
[Diagram: the DNS roles figure split into a Server Protection half and a Data Protection half.]
-
24
Zone Files
Are the Zone files protected? Are they edited on the Master or off on another machine? Is the path between the Zone Administrator and the Master DNS Server protected?
[Diagram: the DNS roles figure, Zone Files highlighted.]
-
25
Master & Slave DNS Servers
Basic 101 of server security. The Master is a critical resource. What happens if it gets DOSed? Who do you allow zone transfers to and from?
[Diagram: the DNS roles figure, Master and Slave DNS Servers highlighted.]
-
26
Zone Transfer to Slave Servers
The data path between the Master and Slave needs protection. File corruption of the zone transfer, hijacking of the zone transfer, and (low-level) DOS could all happen.
[Diagram: the DNS roles figure, the Master to Slave transfer path highlighted.]
-
27
Dynamic Updates
DHCP and other dynamic update tools need protection. They could be a back door into the DNS system.
[Diagram: the DNS roles figure, Dynamic Updates (DHCP & AAA) highlighted.]
-
28
DNS Cache Poisoning
DNS cache poisoning is one of the most common attack vectors. Anti-spoofing and the new source port randomization help.
[Diagram: the DNS roles figure, the Recursive DNS Server highlighted.]
-
29
DNS Poison Basic
DNS poisoning is a by-product of DNS using UDP. When a query goes out, the resolver will take the first UDP packet back which seems to be authoritative. It is a race to see who gets the UDP packet back first.
Once the Caching Forwarder is poisoned, all queries from all other resolvers will get the poisoned data.
[Diagram: the Client asks the Recursive DNS Server "www.apricot.net A ?"; the Recursive DNS Server asks the APNIC DNS Server over UDP and gets 192.168.5.10 back, while a flood of forged "ME" answers from a host labelled 172.13.1.66 races the genuine reply.]
-
30
+---------------------------+---------------------------+
|            ID             |          flags            |
+---------------------------+---------------------------+
|    numbers of questions   |    numbers of answer      |
+---------------------------+---------------------------+
|  number of RR authority   |number of supplementary RR |
+---------------------------+---------------------------+
|                                                       |
\                      QUESTION                         \
|                                                       |
+-------------------------------------------------------+
|                                                       |
\                       ANSWER                          \
|                                                       |
+-------------------------------------------------------+
|                                                       |
\                 Stuff etc.. No matter                 \
|                                                       |
+-------------------------------------------------------+
DNS Poison: The Catch
You must match the transaction ID (query ID) of the DNS query, which means you need to sniff the wire.
[Diagram: the same race as on the previous slide, forged "ME" answers from 172.13.1.66 arriving at the Recursive DNS Server.]
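To make the header diagram and "the catch" concrete, here is an added example (not code from the slides) that parses the 12-byte header and the question/answer sections of a DNS message and performs the acceptance check a resolver makes: the response must carry the outstanding query's transaction ID and echo its question. The sample query, the genuine 192.168.5.10 answer and the forged "ME" answer are constructed inline; the ID 0x1A2B and the forged address are assumptions.

```python
import struct

A, IN = 1, 1  # RR type A, class IN

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_header(msg):
    """The 12-byte header drawn on the slide: ID, flags and the four counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident,
            "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
            "aa": (flags >> 10) & 1,        # authoritative answer
            "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_message(msg):
    """Header, question section and answer RRs (authority/additional skipped)."""
    hdr, off, questions, answers = parse_header(msg), 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(hdr["ancount"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return hdr, questions, answers

def build_query(ident, name, qtype=A):
    """Standard query with RD set (flags 0x0100)."""
    return (struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, IN))

def build_answer(ident, name, ip, ttl=300, qtype=A):
    """Response with QR and AA set (flags 0x8400), echoing the question and
    carrying one A record whose owner name is a pointer back to offset 12."""
    hdr = struct.pack("!6H", ident, 0x8400, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, IN)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", qtype, IN, ttl, 4)
          + bytes(int(octet) for octet in ip.split(".")))
    return hdr + question + rr

def response_matches_query(query, response):
    """The check a resolver makes before trusting a UDP answer: the packet
    must be a response, carry the outstanding query's ID and echo the same
    question. A forged packet that guessed the ID wrong is dropped here; one
    that guessed right is the poison the slide warns about."""
    qh, qq, _ = parse_message(query)
    rh, rq, _ = parse_message(response)
    return rh["qr"] == 1 and rh["id"] == qh["id"] and rq == qq

# Constructed sample traffic (built here, not captured from the page):
# the resolver asks for www.apricot.net A with ID 0x1A2B ...
QUERY = build_query(0x1A2B, "www.apricot.net")
# ... the APNIC server answers 192.168.5.10 (the address on the slide) ...
REAL = build_answer(0x1A2B, "www.apricot.net", "192.168.5.10")
# ... and a forged "ME" answer races it with a guessed, wrong ID.
FORGED = build_answer(0x1A2C, "www.apricot.net", "10.9.8.7")
```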
-
31
DNS Poison: Miscreant Workaround
If I cannot sniff the packets, but I can query the caching resolver, then I can brute-force my way into a DNS poison. Instead of waiting for someone else to query, you send your own queries into the caching forwarder. I can then brute-force the query ID.
[Diagram: the host at 172.13.1.66 both sends "www.apricot.net A ?" to the Recursive DNS Server and floods it with forged "ME" answers while the APNIC DNS Server's genuine 192.168.5.10 reply is in flight.]
-
32
DNS Poison: Better Yet, DOS the Server
DOSing the authoritative DNS server(s) is one way to give the miscreant breathing room. The DOS attack does not need to be big, just enough to clog up the DNS servers. It might not be a flood; it could be a computational overload attack.
[Diagram: a low-level DOS against the APNIC DNS Server delays the genuine reply while forged "ME" answers arrive at the Recursive DNS Server.]
-
33
DNS Poison: Computational Overload
A computational overload attack makes the core functions of the application work really hard: send queries to the DNS server where each sub-domain is a name from a password-cracking database. Consequence: the DNS server is left waiting for each name to resolve, which is really nasty if you are forcing it to do recursive lookups.
[Diagram: the APRICOT DNS Server is flooded with queries such as a.apricot.net A, apple.apricot.net A, aardvark.apricot.net A, alvin.apricot.net A, ake.juniper.net A, $#@.juniper.net A, affrroo.juniper.net A, (password cracking file).juniper.net A.]
-
34
DNS Architecture Idea: Modularization & Compartmentalization
-
35
Most DNS Today
[Diagram: Most DNS today: the Zone Master and Caching Resolvers sit on the internal DNS infrastructure only; only the Zone Slave servers are exposed for external resolution. The Soft Underbelly of the Internet.]
-
36
Protecting DNS like HTTP does not work
[Diagram: the same "Most DNS Today" layout with a Protective Anti-DDOS Box placed in front of it: a New Failure Point.]
-
37
DNS Resiliency Requires Engineering
DNS resiliency requires engineers to execute engineering. The technology must be understood. DNS's interdependency with all parts of the other services must be mapped out. Architectural plans must be drawn and tested.
Some of the world's biggest companies have had complete DNS failures where the root cause was throwing DNS into a network, putting a router/load balancer/anti-DOS device in front of it, and thinking it is going to just work.
Architectural Principles are the key to DNS Resiliency
-
38
Options
There are key options a provider has to re-architect their DNS. Two key requirements are:
Investing in your own people to turn them into DNS Gurus.
Join DNS-OARC (https://www.dns-oarc.net/) and actively participate in your network operations communities (RIPE and MENOG).
The kick-start options to change fast include:
Contracting with Internet Systems Consortium (http://www.isc.org/)
Outsourcing to a DNS provider (i.e. ISC)
Working with one of the two big DNS product vendors (ISC, Nominum, or Infoblox).
-
39
DNS Backscatter Knowing when you are being Poisoned
-
40
Backscatter ICMP Port Unreachable
[Diagram: a Miscreant driving the BOTNET through a Controller Proxy. A Victim of Crime (bot) sends DNS queries for controlled domains such as Wert543.example.com, Oihwoeif.example.com and Fdvakjnfvkjndaf.example.com to its DNS Recursive Server; the Poison Engine sends poison attempts with an RR hint, spoofing ns.example.com, the DNS Authority for www.example.com ("My DNS Server"). The recursive server's ICMP Port Unreachable replies go back to the real ns.example.com.]
-
41
ICMP Unreachable & DNS
ICMP Unreachable, specifically port unreachable, are not normal packets to arrive at:
DNS Masters
DNS Slaves
DNS Split-Horizon Authoritative Servers
Live observation: launching the attack results in packets arriving on closed ports of the recursive DNS server. This sends ICMP Port Unreachable back to the source of the packet, which is the DNS Authority being spoofed.
-
42
ICMP Port Unreachable
This will tell you that someone somewhere is poisoning somewhere so that they can be a man in the middle between you and your customer!
How to monitor:
Classification ACLs (match ingress on ICMP port unreachable)
Netflow
IDP/IPS
Firewalls
DPI Boxes
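The monitoring idea on these two slides, as an added example (not from the presentation): flow-style records are scanned for ICMP type 3 code 3 arriving at your own authoritative servers, and any source that sends a burst of them is reported, since that source is the recursive resolver someone is spoofing you towards. The records, the server addresses (192.0.2.x standing in for ns.example.com) and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Our own authoritative name servers (constructed example addresses standing
# in for ns.example.com and its slave). An authoritative server receives
# queries, so ICMP port unreachable aimed at it is not normal traffic.
AUTHORITATIVE_NS = {"192.0.2.53", "192.0.2.54"}

# Constructed flow-style records (not real captures), one per line:
# timestamp src dst proto icmp_type icmp_code ("-" when not ICMP)
SAMPLE_RECORDS = """\
2008-07-24T10:00:00Z 203.0.113.9  192.0.2.53 udp  -  -
2008-07-24T10:00:01Z 198.51.100.7 192.0.2.53 icmp 3  3
2008-07-24T10:00:01Z 198.51.100.7 192.0.2.53 icmp 3  3
2008-07-24T10:00:02Z 198.51.100.7 192.0.2.53 icmp 3  3
2008-07-24T10:00:02Z 203.0.113.9  192.0.2.54 icmp 3  1
2008-07-24T10:00:03Z 198.51.100.7 192.0.2.53 icmp 3  3
2008-07-24T10:00:03Z 198.51.100.7 192.0.2.54 icmp 3  3
2008-07-24T10:00:04Z 198.51.100.7 192.0.2.53 icmp 3  3
2008-07-24T10:00:05Z 203.0.113.9  192.0.2.53 udp  -  -
2008-07-24T10:00:09Z 203.0.113.9  192.0.2.53 icmp 3  3
"""

def parse_record(line):
    ts, src, dst, proto, itype, icode = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "proto": proto,
            "type": None if itype == "-" else int(itype),
            "code": None if icode == "-" else int(icode)}

def is_backscatter(rec):
    """ICMP type 3 code 3 (port unreachable) addressed to one of our
    authoritative servers: the signature the slides describe. Other
    unreachable codes (e.g. host unreachable) are left alone."""
    return (rec["proto"] == "icmp" and rec["dst"] in AUTHORITATIVE_NS
            and rec["type"] == 3 and rec["code"] == 3)

def detect_poison_backscatter(text, window=timedelta(seconds=10), threshold=5):
    """Return {source_ip: peak_count} for every source that sent at least
    `threshold` port unreachables to our authoritative servers inside any
    `window`. The source is the recursive resolver someone is trying to
    poison while spoofing us, so it is the party to warn, not to block."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        rec = parse_record(line)
        if is_backscatter(rec):
            events[rec["src"]].append(rec["ts"])
    alerts = {}
    for src, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts
```

On a packet capture (rather than flow data) the ICMP error also carries the header of the offending packet, so you can confirm it was a DNS response claiming to come from your server.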
-
43
ACLs How?
[Diagram: the backscatter figure, with an ACL on the router in front of ns.example.com raising an SNMP trap on matches.]
-
44
Netflow
[Diagram: the backscatter figure, with Netflow export from the router in front of ns.example.com.]
-
45
IDP/IPS
[Diagram: the backscatter figure, with an IDP/IPS in front of ns.example.com.]
-
DNS Security (DRAFT)
Barry Raveendran Greene [email protected]
Version 0.7
-
47
Attack Vector #1
The Big Money Company's DNS server gets poisoned. www.example.com is victimized. Everyone going to the bad guys' server is victimized.
[Diagram: Home Users and Company Users resolve www.example.com through the SP's DNS; a DNS poison at the Big Money Company's DNS sends them to the Bad Guys Server instead.]
-
48
Attack Vector #2
The DNS server gets poisoned. The Big Money Company is victimized. Everyone going to the bad guys' server is victimized.
[Diagram: Home Users and Company Users resolve www.example.com through the SP's DNS; a DNS poison at the SP's DNS sends them to the Bad Guys Server instead of the Big Money Company.]
-
49
Focus of the Industry
Chain of Victimization
[Diagram: Users (Target) -> the Operator's Recursive DNS Resolver (Target) -> the Domain Owner's www.example.com (Means to a Target), with the Bad Guys Server diverting the chain.]
-
50
Threat to any domain on the Internet!
[Diagram: the same Chain of Victimization figure: Users, Operator, Domain Owner; www.example.com; Bad Guys Server; Recursive DNS Resolver.]
-
51
These two attack vectors are just the start
Now that DNS Poison is easier, more attack vectors will be discovered.
This is a threat to the trust model(s) of the Internet.
-
52
Solution? DNSSEC!
DNSSEC = DNS SECurity Extensions. It adds a cryptographic signature to a DNS response. This signature can be validated from the root downward by a validating resolver.
Be warned, the responses WILL be bigger. Update firewalls to accept DNS responses larger than 512 bytes and UDP fragments.
Most open source (BIND/Unbound/NSD) and commercial products (Nominum, Infoblox) support DNSSEC (records and validation).
-
53
Hierarchical Name Space
[Diagram: the hierarchical name space figure from the refresher (root down to www.cs.stanford.edu = 192.168.20.1).]
-
54
DNS Architecture Idea: Modularization & Compartmentalization
-
55
Most DNS Today
[Diagram: Most DNS today: the Zone Master and Caching Resolvers sit on the internal DNS infrastructure only; only the Zone Slave servers are exposed for external resolution. The Soft Underbelly to IP NGN.]
-
56
Robust IPNGN DNS Topology
[Diagram: Robust IPNGN DNS Topology: Resolvers -> Caching Forwarders (CFs) -> Aggregate Caching Forwarders (ACFs) (optional) -> Internal Resolvers (iRs) -> External Resolvers (eRs). Zone Master: internal access only, internal DNS infrastructure only. Zone Slaves: only slave servers are Internet accessible.]
-
57
Out Bound Recursion/Resolution
[Diagram: outbound recursion/resolution path: Resolvers -> Caching Forwarders (CFs) -> Aggregate Caching Forwarders (ACFs) / Internal Resolvers (iRs) -> External Resolvers (eRs), with the Zone Slaves and Zone Master shown alongside.]
-
58
CERT/CC #800113 Multiple DNS Implementations Vulnerable to Cache Poisoning Detailed Analysis
-
59
CERT/CC Overview
The Domain Name System (DNS) is responsible for translating host name to IP addresses (and vice versa) and is critical for the normal operation of Internet-connected systems.
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.
The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature.
-
60
Issue #1 - Insufficient transaction ID space
The DNS protocol specification includes a transaction ID field of 16 bits. If correctly implemented and randomly selected with a strong random number generator, an attacker will require, on average, 32768 attempts to successfully predict the ID.
Some flawed implementations may be utilizing a smaller number of bits for this transaction ID, meaning that fewer attempts will suffice.
Furthermore, implementation errors in the randomness of transaction IDs generated by a number of implementations have been identified.
Amit Klein researched several such affected implementations in 2007.
These vulnerabilities were published as:
VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers
-
61
Issue #2 - Birthday Attack (Multiple outstanding requests)
Some implementations of DNS services contain a vulnerability whereby multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR.
This condition leads to the feasibility of a 'Birthday Attack', significantly raising the chance of success for an attacker.
This problem was previously described in VU#457875. A number of vendors and implementations have already added mitigations to address this issue.
-
62
Issue #3 Fixed Source Port for Generating Queries
Some current implementations allocate an arbitrary port at startup (sometimes selected at random) and reuse this source port for all outgoing queries.
In some implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp.
-
63
Add them together
Recent additional research into these issues, and into methods of combining them to conduct improved cache poisoning attacks, has yielded extremely effective exploitation techniques.
Caching DNS resolvers are primarily at risk, both those that are open (a DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain) and those that are not.
These caching resolvers are the most common target for attackers, however stub resolvers are also at risk.
-
64
Per-query source port randomization
Because attacks against these vulnerabilities all revolve around the ability for the attacker to predictably spoof traffic, the implementation of per-query source port randomization in the server presents a practical mitigation against these attacks within the boundaries of the current protocol specification.
-
65
Added Resiliency Not the Final Solution
The use of randomized source ports can be used to gain an additional approximately 16 bits of randomness in the data that an attacker must guess. In practice, implementers will be restricted to less than 65535 in the actual number of source ports they can allocate (port numbers
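To put numbers on the three CERT issues and on what per-query source port randomization buys, here is an added model (not from the slides or the CERT note) that computes the expected attempts for a given entropy and a birthday-style success probability for a burst of forged responses. The port range 1024-65535 used for the extra entropy is an assumption; the page only says fewer than 65535 ports are usable.

```python
import math

def expected_attempts(entropy_bits):
    """Average number of forged responses needed to hit one outstanding query
    when each guess covers one ID/port combination: half the space. With a
    16-bit transaction ID this is the 32768 of Issue #1."""
    return 2 ** entropy_bits / 2

def source_port_entropy_bits(low=1024, high=65535):
    """Extra entropy from per-query source port randomization. The slide notes
    that fewer than 65535 ports are usable; this assumes the resolver avoids
    the privileged ports below 1024 (an assumption, not the page's figure)."""
    return math.log2(high - low + 1)

def poison_success_probability(id_bits, port_bits, outstanding, forged):
    """Estimate the chance that at least one of `forged` spoofed responses
    matches one of `outstanding` in-flight queries for the same name.
    - id_bits: transaction ID entropy (Issue #1; 16 when done right)
    - port_bits: source port entropy (Issue #3: 0 for a fixed port)
    - outstanding: in-flight identical queries (Issue #2; 1 once fixed)
    Birthday-style approximation: the outstanding IDs are treated as distinct,
    so each forged packet hits with probability outstanding / space."""
    space = 2 ** (id_bits + port_bits)
    hit = min(1.0, outstanding / space)
    return 1.0 - (1.0 - hit) ** forged

def scenario_table(forged=300, outstanding=300):
    """Success probability for one burst of `forged` responses under the
    combinations the CERT analysis walks through."""
    return {
        "fixed port, single outstanding query":
            poison_success_probability(16, 0, 1, forged),
        "fixed port, birthday (many outstanding)":
            poison_success_probability(16, 0, outstanding, forged),
        "random port, birthday (many outstanding)":
            poison_success_probability(16, 16, outstanding, forged),
        "random port, single outstanding query":
            poison_success_probability(16, 16, 1, forged),
    }

if __name__ == "__main__":
    for name, p in scenario_table().items():
        print(f"{name:45s} {p:.6f}")
```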
-
66
Restrict Access to Recursion
Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability.
-
67
Filter Traffic at Network Perimeters
Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
-
68
Run a Local DNS Cache
In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.
-
69
Disable Recursion
Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Securing an Internet Name Server contains instructions for disabling recursion in ISC BIND.
-
70
Two DNS Checkers available
Dan Kaminsky's Tool: http://www.doxpara.com/
OARC's Tool (https://www.dns-oarc.net/)
Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net:
$ dig +short porttest.dns-oarc.net TXT
You should get back an answer that looks like this:
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"
Your resolver's randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.
DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.
Note that you can tell dig to test a specific resolver with an @-argument:
$ dig @4.2.2.3 +short porttest.dns-oarc.net TXT
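The rating rule the OARC tool applies, as an added example (not OARC's code): it parses the TXT answer shown above and rates a list of observed source ports with the same 10,000 / 3,000 thresholds. The port lists are constructed, and the use of the population standard deviation is an assumption, since the page does not state the tool's formula.

```python
import re
import statistics

# Thresholds on the standard deviation of observed source ports, as given in
# the OARC tool description on the slide.
GOOD_SD, FAIR_SD = 10_000, 3_000

def rate_port_randomness(ports):
    """Return (std_dev, rating) for a list of observed source ports, using
    the slide's thresholds. Assumption: population standard deviation; the
    tool's exact formula is not stated on the page."""
    if len(ports) < 2:
        return 0.0, "POOR"
    sd = statistics.pstdev(ports)
    rating = "GOOD" if sd >= GOOD_SD else "FAIR" if sd >= FAIR_SD else "POOR"
    return round(sd, 2), rating

ANSWER_RE = re.compile(
    r'^"?(?P<ip>\S+) is (?P<rating>GOOD|FAIR|POOR): (?P<queries>\d+) queries '
    r'in (?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports '
    r'with std dev (?P<sd>[\d.]+)"?$')

def parse_porttest_answer(txt):
    """Parse the TXT answer string returned by porttest.dns-oarc.net."""
    m = ANSWER_RE.match(txt.strip())
    if not m:
        raise ValueError("unrecognised porttest answer: %r" % txt)
    return {"ip": m["ip"], "rating": m["rating"],
            "queries": int(m["queries"]), "seconds": float(m["seconds"]),
            "ports": int(m["ports"]), "std_dev": float(m["sd"])}

# Constructed port samples (26 queries, as in the tool's own answer), not
# real observations:
FIXED_PORT = [53] * 26                           # Issue #3: fixed 53/udp
SEQUENTIAL = [1024 + i for i in range(26)]        # incrementing ports
SPREAD = [1024 + 2580 * i for i in range(26)]     # evenly across 1024-65524
PAGE_ANSWER = ('"169.254.0.1 is FAIR: 26 queries in 0.1 seconds '
               'from 25 ports with std dev 3843.00"')
```

A sequential allocator scores POOR even though it never repeats a port, which is why the tool looks at spread rather than at the number of distinct ports.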
-
71
How the Cyber-Criminal Might Use this Vulnerability DNS Poison The BOT Version
-
72
My Tool Kit
[Diagram: the BOT Herder's tool kit: a Drive-By site, Secondary Malware, SPAM, a BOTNET Controller Proxy, a Packer and Malware; plus a Victim of Crime, a DNS Recursive Server and a Poison Engine.]
-
73
Prepare Drive-by
[Diagram: the BOT Herder sends Malware to be loaded on the Drive-By site.]
-
74
Send SPAM to get People To Click
[Diagram: SPAM saying "Click on me now" is sent to the Victim of Crime.]
-
75
Drive By Violation
[Diagram: the Victim of Crime clicks through to the Drive-By site.]
-
76
Poison Checker
[Diagram: the BOT is redirected to a new domain; published DNS check tools are used to test whether its recursive server is a poison candidate.]
-
77
Prepare Violated Computer
[Diagram: the BOT calls the Secondary Malware site and loads the secondary package; the BOT Herder tells the malware downloader to push the Poison Tool.]
-
78
Poison Test #2
[Diagram: the BOT sends a DNS query for a controlled domain to the DNS Recursive Server; the Poison Engine sends a poison attempt with an RR hint.]
-
79
Poison Test #2 - Validation
[Diagram: the malware tests whether the poison with the new NS (Poison Tester NS) is working.]
-
80
Poison Victory!
The BOT Herder now has an asset which can be cultivated and sold.
The BOT Herder can sell the BOT for some good money.
Why?
-
81
Using the Poison - WWW
[Diagram: the backscatter figure: the BOT queries controlled domains (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com); the Poison Engine spoofs ns.example.com, the DNS Authority for www.example.com ("My DNS Server").]
-
82
Using the Poison - WWW
[Diagram: Victims of Crime ask the poisoned DNS Recursive Server "Where is www.example.com?" and are sent to the miscreant's www.example.com instead of the real one. Miscreant driving the BOTNET: "Yea! I've got control of their view!"]
-
83
Using the Poison: WWW Proxy
[Diagram: the miscreant's www.example.com proxies the victims' sessions to the real www.example.com. Miscreant: "Yea! Copy what I want, like CREDIT CARDs and PASSWORDs!"]
-
84
Using the Poison: E-mail
[Diagram: the Victim of Crime: "I need to e-mail smtp.example.com"; the poisoned answer routes the mail through the miscreant's smtp.example.com to the real one. Miscreant: "Yea! I've got copies!"]
-
85
Using the Poison: Routers
[Diagram: the NOC Team: "I need to telnet to my router ams-23-pos23.example.com"; the poisoned answer sends the session through the miscreant. Miscreant: "Yea! I've got router passwords!"]
-
86
Using the Poison: Routers
[Diagram: Router Services: "I need to send an SNMP trap to my network management tool at smtp-nocserver1.example.com"; the poisoned answer sends the trap through the miscreant. Miscreant: "Yea! I've got SNMP details!"]
-
87
How the Cyber-Criminal Might Use this Vulnerability DNS Poison Drive By
-
88
DNS Poison The Drive-By Version
You do not need malware/BOTs to activate this attack vector.
All you need to do is drive the resolver to a new domain and force a DNS query that you know. You then trigger a poison. Can you say HTTP Redirect?
-
89
My Tool Kit
[Diagram: the miscreant driving the poison attack has a Drive-By site, SPAM, a BOTNET and a Proxy; plus a Victim of Crime, a DNS Recursive Server and a Poison Engine.]
-
90
Send SPAM to get People To Click
[Diagram: SPAM saying "Click on me now" is sent to the Victim of Crime.]
-
91
Drive By Violation
[Diagram: the Victim of Crime clicks through to the Drive-By site.]
-
92
Poison Checker
[Diagram: the victim is redirected to a domain the miscreant controls; published DNS check tools are used to test whether the victim's recursive server is a poison candidate. A potentially poisonable recursive server: trigger the poison attack.]
-
93
Poison via Redirect
[Diagram: the victim is redirected to erowij.example.com, then 49u0vfv.example.com, then 943ofvoiv.example.com, each followed by a test; with each forced query the Poison Engine sends a poison attempt with an RR hint, spoofing ns.example.com, the DNS Authority for www.example.com.]
-
94
Poison via Redirect: Testing
[Diagram: testing after each redirect tells you when you have succeeded. Once the poisoned server goes to the test NS (Poison Tester NS), you can stop.]
-
95
Spotting when someone is trying to Poison Your DNS Identity
-
96
Backscatter ICMP Port Unreachable
[Diagram: the backscatter figure: the BOT sends queries for controlled domains (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) to the DNS Recursive Server; the Poison Engine's poison attempts with an RR hint spoof ns.example.com; the ICMP Port Unreachable replies go back to the real ns.example.com ("My DNS Server", the DNS Authority for www.example.com).]
-
97
ICMP Unreachable & DNS
ICMP Unreachable, specifically port unreachable, are not normal packets to arrive at:
DNS Masters
DNS Slaves
DNS Split-Horizon Authoritative Servers
Live observation: launching the attack results in packets arriving on closed ports of the recursive DNS server. This sends ICMP Port Unreachable back to the source of the packet, which is the DNS Authority being spoofed.
-
98
ICMP Port Unreachable
This will tell you that someone somewhere is poisoning somewhere so that they can be a man in the middle between you and your customer!
How to monitor:
Classification ACLs (match ingress on ICMP port unreachable)
Netflow
IDP
NetScreen (any matches on ICMP Unreachable
-
DNS Anycast and Security
-
100
DNS & Anycast
Problem #1: How to manage the load on those two DNS entries in the customers' TCP/IP stack?
Problem #2: How to manage saturation attacks targeted at your DNS infrastructure?
Answer: Anycast the DNS Caching Servers.
-
101
Anycast DNS Caches
[Diagram: SAFE architecture. A POP with a Customer connects through Upstream A and Upstream B and through peers (Peer A at IXP-W, Peer B at IXP-E); Primary DNS Servers and a Sink Hole Network sit behind it. Several DNS Caching Server Clusters and DNS Secondary Server Clusters are deployed; the caching clusters share the anycast prefix 171.68.19.0/24 and answer on 171.68.19.1.]
-
102
Anycast DNS Caches
[Diagram: the same SAFE architecture; a customer's DNS query is forwarded to the closest DNS Caching Server Cluster announcing 171.68.19.1.]
-
103
DNS Anycast What is needed?
Two IP Addresses to be used for the DNS Caching clusters.
Router to perform the load balancing and advertise the two IP addresses.
-
104
Agenda
DNS Server Roles
DNS Server Communications
DNS Architecture Layout
Types of Attacks
Protecting the DNS
Monitoring and Forensics
Summary