Computer Security CS 426

Similar documents
CSE 565 Computer Security Fall 2018

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

CS4700/5700: Network fundamentals

Network Security Part 3 Domain Name System

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Remote DNS Cache Poisoning Attack Lab

CSE 127 Computer Security

CSC 574 Computer and Network Security. DNS Security

Domain Name System.

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

A Security Evaluation of DNSSEC with NSEC Review

Advanced Networking. Domain Name System

Advanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix

DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

Internet Security: How the Internet works and some basic vulnerabilities. Slides from D.Boneh, Stanford and others

Domain Name System (DNS)

DNS and HTTP. A High-Level Overview of how the Internet works

DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

More on DNS and DNSSEC

DNS & Iodine. Christian Grothoff.

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

Remote DNS Cache Poisoning Attack Lab

DNS Attacks. Haythem EL MIR, CISSP CTO, NACS

CSCE 463/612 Networks and Distributed Processing Spring 2018

DNS Cache Poisoning Looking at CERT VU#800113

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

The big picture. Security. Some consequences. Three types of threat. LAN Eavesdropping. Network-based access control

The big picture. Security. Some consequences. Three types of threat. Warm up: phishing. Danger: malicious servers

Security. - All kinds of bad things attackers can do over the network. Next lecture: defense building blocks

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Chapter 2 Application Layer. Lecture 5 DNS. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

CNT Computer and Network Security: DNS Security

The Application Layer: Sockets, DNS

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Overview General network terminology. Chapter 9.1: DNS

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

EECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

Lecture 7: Application Layer Domain Name System

Computer Networks. Domain Name System. Jianping Pan Spring /25/17 CSC361 1

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

CS 43: Computer Networks. 10: Naming and DNS September 24, 2018

Internet Security: How the Internet works and some basic vulnerabilities

Introduction to the Domain Name System

ECE 650 Systems Programming & Engineering. Spring 2018

DNS. Introduction To. everything you never wanted to know about IP directory services

Security Impact of DNS Delegation Structure and Configuration Problems

CS 3640: Introduction to Networks and Their Applications

DNS Cache Poisoning Chris Racki CMPT-585 Dr. Robila 8 Dec 2008

Configuration of Authoritative Nameservice

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Foundations of Network and Computer Security

Domain Name System (DNS)

Network Security. DNS (In)security. Radboud University, The Netherlands. Spring 2017

CSE Computer Security

CS 3640: Introduction to Networks and Their Applications

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

DNS Security. * pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

What is Birthday attack?? - By Ganesh Gupta

Venugopal Ramasubramanian Emin Gün Sirer SIGCOMM 04

Practices on DNS Management and Domain Name Emerging Topics. Jirasak Jullawat July 14, 2016

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Applications & Application-Layer Protocols: (SMTP) and DNS

Homework 3 1 DNS. A root. A com. A google.com

Application Layer Protocols

The Domain Name System

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Part 2. Use Cases (40 points). Consider examples of such signed records R (as in Part 1) from systems we discussed.

6 March 2012

Attacks on DNS: Risks of Caching

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

DOMAIN NAME SYSTEM (DNS) BEYAZIT BESTAMİ YÜKSEL

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

DNS and cctld Management. Save Vocea and Champika Wijayatunga Apia Samoa July 2015

Protecting Against DNS Cache Poisoning Attacks

IP ADDRESSES, NAMING, AND DNS

ROOT SERVERS MANAGEMENT AND SECURITY

Less is More Cipher-Suite Negotiation for DNSSEC

DOMAIN NAME SECURITY EXTENSIONS

The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla

DNSSEC PLNOG 5. Eric Ziegast Internet Systems Consortium. Zbigniew Jasinski NASK.PL. Deck Version 0.2

Networking Applications

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Risks and Security for the Domain Name System

Domain Name System (DNS)

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

CSCE 463/612 Networks and Distributed Processing Spring 2018

Transcription:

Computer Security CS 426 Lecture 34 DNS Security 1

Domain Name System Translate host names to IP addresses E.g., www.google.com 74.125.91.103 Hostnames are human-friendly IP addresses keep changing And back From IP addresses to DNS name Analogy: Phone book for the Internet Where they differ? 2

DNS is a Distributed Database Information is stored in a distributed ib t d way Highly dynamic Decentralized authority 3

Domain Name System Hierarchical Name Space root org net edu com uk ca wisc illinois purdue indiana umich cs ece www 4

Domain Name Space Domain: A node in the DNS tree DNS Zones A zone is a group of nodes in the tree, authoritatively served by an authoritative nameserver. Each zone may be sub-divided, ded, the parent zone Authority servers Answer queries about their zones Provide mapping for leaf nodes or downward delegation Hierarchical service Root name servers for top-level domains Authoritative name servers for subdomains 5

Domain Name Space (cont ) 6

DNS Resolver: Recursive Resolver Recursive resolver Normally thought of as a DNS server Accept queries from users, understand the zone hierarchy, interact with the authority servers Cache answers From wikipedia 7

DNS Resolver: Stub Resolver Stub resolver Not interact with the zone hierarchy Pose basic queries to recursive servers May cache answers PC, client applications From wikipedia 8

A Normal DNS Lookup Stub resolver asks www.google.com Assume no previous results cached at the recursive resolver Query the root servers (authority servers for. zone) Answer: downward delegation com NS a.gtld-servers.net NS: Name Server a.gtld-servers.net A 74.292.124.59 A: Address Query the.com zone authority servers Answer: downward delegation google.com NS ns1.google.com ns1.google.com A 122.45.212.57 9

A Normal DNS Lookup p( (cont ) Query the google.com zone authority servers Answer: www.google.com A 24.122.49.76 The answer is returned to the stub resolver The results are cached by the recursive resolver 10

Caching DNS responses are cached Quick response for repeated translations Useful for finding servers as well as addresses NS records for domains Negative results are cached Save time for nonexistent sites, e.g. misspelling Cached data periodically times out Each record has a TTL field 11

Inherent DNS Vulnerabilities Users/hosts typically trust the host-address mapping provided by DNS What bad things can happen with wrong DNS info? DNS resolvers trust responses received after sending out queries How to attack? Responses can include DNS information unrelated to the query Obvious problems No authentication for DNS responses 12

Pharming Exploit DNS poisoning attack Change IP addresses to redirect URLs to fraudulent sites Potentially more dangerous than phishing attacks No email solicitation is required DNS poisoning attacks have occurred: January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia. In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops" 13

DNS cache poisoning (Vulnerability 1) (Chris Schuba in 1993) DNS resource records (see RFC 1034) An A record supplies a host IP address A NS record supplies name server for domain Example evil.org NS ns.yahoo.com /delegate to yahoo ns.yahoo.com A 1.2.3.4 / address for yahoo Result If resolver looks up www.evil.org, then evil name server will give resolver address 1.2.3.4 for yahoo Lookup pyahoo through cache goes to 1.2.3.4 14

Defense Using The Bailiwicks Rules The bailiwick system prevents foo.com from declaring anything about com, or some other new TLD, or www.google.com Using the bailiwicks rules The root servers can return any record The com servers can return any record for com The google.com g servers can return any record for google.com 15

DNS cache poisoning: Racing to Respond First 16

DNS Cache Poisoning Attacker wants his IP address returned for a DNS query When the resolver asks ns1.google.com for www.google.com, the attacker could reply first, with his own IP What is supposed to prevent this? Transaction ID 16-bit random number The real server knows the number, because it was contained in the query The attacker has to guess 17

DNS cache poisoning g( (Vulnerability 2) Responding before the real nameserver An attacker can guess when a DNS cache entry times out and a query has been sent, and provide a fake response. The fake response will be accepted only when its 16- bit transaction ID matches the query CERT reported in 1997 that BIND uses sequential transaction ID and is easily predicted fixed by using random transaction IDs 18

DNS cache poisoning g( (Vulnerability 3) Improve the chance of responding before the real nameserver (discovered by Vagner Sacramento in 2002) Have many (say hundreds of) clients send the same DNS request to the name server Each generates a query Send hundreds of reply with random transaction IDs at the same time Due to the Birthday Paradox, the success probability can be close to 1 19

DNS cache poisoning g( (Vulnerability 4) Kaminsky Attack Big security news in summer of 2008 DNS servers worldwide were quickly patched to defend against the attack In previous attacks, when the attacker loses the race, the record is cached, with a TTL. Before TTL expires, no attack can be carried out Posining address for google.com in a DNS server is not easy. 20

Guess the ID Early versions of DNS servers ers deterministically incremented the ID field Vulnerabilities were discovered in the random ID generation Weak random number generator The attacker is able to predict the ID if knowing several IDs in previous transactions Birthday attack Force the resolver to send many identical queries, with different IDs, at the same time Increase the probability of making a correct guess 21

What is New in the Kaminsky Attack? The bad guy does not need to wait to try again The bad guy asks the resolver to look up www.google.com If the bad guy lost the race, the other race for www.google.com will be suppressed by the TTL If the bad guy asks the resolver to look up 1.google.com, 2.google.com, 3.google.com, and so on Each new query starts a new race Eventually, the bad guy will win he is able to spoof 183.google.com g So what? No one wants to visit 183.google.com 22

Kaminsky-Style y Poisoning Ab bad guy who wins the race for 183.google.com can end up stealing www.google.com as well The malicious response google.com NS www.google.com www.google.com A 6.6.6.6 OR google.com NS ns.badguy.com 23

Kaminsky-Style y Poisoning (cont ) Can start t anytime; no waiting for old good cached entries to expire No wait penalty for racing failure The attack is only bandwidth limited Defense (alleviate, but not solve the problem) Also randomize the UDP used to send the DNS query, the attacker has to guess that port correctly as well. 24

DNS Poisoning Defenses Difficulty to change the protocol Protocol stability (embedded devices) Backward compatible Long-term Cryptographic protections ti E.g., DNSSEC, DNSCurve Require changes to both recursive and authority servers A multi-year process Short-term Only change the recursive server Easy to adopt 25

Short-Term Defenses Source port randomization Add 16-bits entropy resource intensive (select on a potentially large pool of ports) NAT could de-randomize d the port DNS 0x20 encoding From Georgia tech, CCS 2008 Tighter logic for accepting responses 26

DNS-0x20 Bit Encoding DNS labels are case insensitive Matching and resolution is entirely case insensitive A resolver can query in any case pattern E.g., WwW.ExAmpLe.cOM It will get the answer for www.example.com 27

DNS-0x20 DNS Encoding g( (cont ) A DNS response contains the query being asked When generating the response, the query is copied from the request exactly into the response The case pattern of the query is preserved in the response Open source implementations exhibit this behavior The DNS request is rewritten in place The mixed pattern of upper and lower case letters constitutes a channel, which can be used to improve DNS security Only the real server knows the correct pattern 28

Query Encoding Transforms the query into all lowercase Encrypt the query with a key shared by all queries on the recursive server (A) The cipher text is used to encode the query 0: buff[i] = 0x20 1: buff[i] &= 0x20 29

DNS-0x20 Encoding Analysis Do existing authority servers preserve the case pattern? Scan 75 million name servers, 7 million domains Only 0.3% mismatch observed 30

DNS-0x20 Encoding Analysis (cont ) Not every character is 0x20 capable Improve the forgery resistance of DNS messages only in proportion to the number of upper or lower case characters cia.gov 6-bit entropy licensing.disney.com 12-bit entropy 163.com 3-bit entropy TLDs are also vulnerable to Kaminsky-style y attacks; but they have few 0x20-capable bits 31

Other DNS attacks Attacking home routers/gateways t Incidence in Mexica in 2008 an email sent to users email include URL (HTTP requests) to the HTTPbased interface of wireless routers using the default password to reconfigure the router/gateway t 32

Readings for This Lecture Optional: An Illustrated Guide to the Kaminsky DNS Vulnerability Dan Kaminsky's s Black Hat presentation (PowerPoint) 33

Coming Attractions Network Security Defenses 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback