DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

Similar documents
DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

network security cs642 computer security adam everspaugh

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Internet Security: How the Internet works and some basic vulnerabilities

Internet Security: How the Internet works and some basic vulnerabilities. Slides from D.Boneh, Stanford and others

CSC 574 Computer and Network Security. DNS Security

CSE 565 Computer Security Fall 2018

Computer Security CS 426

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

CS Paul Krzyzanowski

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

Domain Name System.

Security in inter-domain routing

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

A Security Evaluation of DNSSEC with NSEC Review

Introduction to Network. Topics

DNS and HTTP. A High-Level Overview of how the Internet works

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

Network security. CSE 127 Computer Security. TCP/IP Protocol Stack. Packet Switched Network Architecture. Protocols are structured in layers

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Network Security Part 3 Domain Name System

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

In the Domain Name System s language, rcode 0 stands for: no error condition.

Routing and router security in an operator environment

CS 3640: Introduction to Networks and Their Applications

Network Security. Thierry Sans

DNS Attacks. Haythem EL MIR, CISSP CTO, NACS

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

DOMAIN NAME SECURITY EXTENSIONS

Registry Vulnerabilities An Overview

ARAKIS An Early Warning and Attack Identification System

Internet Infrastructure

A Root DNS Server. Akira Kato. Brief Overview of M-Root. WIDE Project

A Survey of BGP Security: Issues and Solutions

Introducción al RPKI (Resource Public Key Infrastructure)

SecSpider: Distributed DNSSEC Monitoring and Key Learning

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

ECE 650 Systems Programming & Engineering. Spring 2018

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

On the State of the Inter-domain and Intra-domain Routing Security

CISNTWK-440. Chapter 5 Network Defenses

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Internet Kill Switches Demystified

Worldwide Detection of Denial of Service (DoS) Attacks

DNS. Introduction To. everything you never wanted to know about IP directory services

Firewalls, Tunnels, and Network Intrusion Detection

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

Authors: Mark Handley, Vern Paxson, Christian Kreibich

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Closed book. Closed notes. No electronic device.

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

CS514: Intermediate Course in Computer Systems

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Securing Core Internet Functions Resource Certification, RPKI. Mark Kosters ARIN CTO

IP ADDRESSES, NAMING, AND DNS

DNS & Iodine. Christian Grothoff.

«On the Internet, nobody knows you are a dog» Twenty years later

EECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Life After IPv4 Depletion

CS 3640: Introduction to Networks and Their Applications

Domain Name System (DNS)

ECE 435 Network Engineering Lecture 7

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Remote DNS Cache Poisoning Attack Lab

CNT Computer and Network Security: DNS Security

NETWORK SECURITY. Ch. 3: Network Attacks

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

ROOT SERVERS MANAGEMENT AND SECURITY

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

CS System Security 2nd-Half Semester Review

CIS 551 / TCOM 401 Computer and Network Security

A Survey of BGP Security Review

0 0& Basic Background. Now let s get into how things really work!

Chapter 8 roadmap. Network Security

Domain Name System Security

Chapter 2 Application Layer. Lecture 5 DNS. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Application Firewalls

Putting it all together

TCP/IP SECURITY GRAD SEC NOV

CNT Computer and Network Security: BGP Security

ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017

Remote DNS Cache Poisoning Attack Lab

20-CS Cyber Defense Overview Fall, Network Basics

CS Networks and Distributed Systems. Lecture 11: DNS + NAT. Revised 3/10/14

Configuring attack detection and prevention 1

Security. - All kinds of bad things attackers can do over the network. - Techniques for protecting against these and other attacks

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

CS 161 Computer Security

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Transcription:

DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

Network DMZ Web server Internet Customer databases Inner firewall IDS Outer firewall DMZ (demilitarized zone) helps isolate public network components from private network components Firewall rules to disallow traffic from Internet to internal services

CIDF (Common intrusion detecson framework) Event generators (E- box) Analysis engine (A- box) From h9p://insecure.org/sy/secnet_ids/secnet_ids.html

Two broad classes Anomaly detecson What does normal traffic look like? Flag abnormal traffic Signature based Define some explicit traffic pa9erns as bad Flag them E.g., regular expressions

Basic NIDS setup From h9p://insecure.org/sy/secnet_ids/secnet_ids.html

Some examples Snort (MarSn Roesch) Bro (Vern Paxson) 1999: 27,000 lines of C++ code

A9acking or bypassing NIDS How can one circumvent a NIDS? Web server Internet Customer databases Inner firewall IDS Outer firewall Overload a9acks, crash a9acks, subterfuge a9acks

Subterfuge a9ack example (10 hops) seq= 6... 9 ttl=20 USER (18 hops) Attacker ttl=12 10.. 13 nice 10.. 13 ttl expires Victim USER root ttl=20 root USER nice USER root?? Monitor Figure 2: A TTL-based evasion attack on an intrusion detection system From Paxson, Bro: A System for DetecSng Network Intruders in Real- Time, 1999

Anomalous, non- a9ack traffic Storms of 10,000s of FIN or RST packets due to protocol implementason error Storms due to foggy days Fog in SF bay area killed a connecson, causing rousng flaps and in turn rousng loops SYN packet with URG flag set Flags == SYN fails

Honeypots Systems that should have no legismate traffic Isolated and monitored Any traffic routed to it is spurious High interacson (e.g., a full system) Low interacson (e.g., Honeyd) Honeynets, honeyfarms lots of honeypots Honeytoken email address credit card number

DNS and BGP University of Wisconsin CS 642

128.105.5.31 We don t want to have to remember IP addresses Early days of ARPANET: manually managed hosts.txt served from single computer at SRI

Heirarchical domain name space (unnamed) root org net edu com tv ca wisc ucsd davis Top Level domains (TLD) Second Level domains max 63 characters cs www ece ICANN (Internet CorporaSon for Assigned Names and Numbers) root nameservers and authoritasve nameservers Zone: subtree

Resolving names From h9p://en.wikipedia.org/wiki/file:an_example_of_theorescal_dns_recursion.svg

Example DNS query types A AAAA NS TXT MX address (get me an IPv4 address) IPv6 address name server human readable text, has been used for some encrypson mechanisms mail exchange

Caching DNS servers will cache responses Both negasve and posisve responses Speeds up queries periodically Smes out. TTL set by data owner

DNS packet on wire Query ID is 16- bit random value We ll walk through the example from Friedl s document From Friedl explanason of DNS cache poisoning, as are following diagrams

Query from resolver to NS

Response contains IP addr of next NS server (called glue ) Response ignored if unrecognized QueryID

bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com)

Here we go again What security checks are in place? Random query ID s to link responses to queries Bailiwick checking (sanity check on response) No authenscason DNSsec is supposed to fix this but no one uses it yet Many things trust hostname to IP mapping Browser same- origin policy URL address bar

What are clear problems? Corrupted nameservers Intercept & manipulate requests Other obvious issues?

DDoS against DNS Denial of Service take down DNS server, clients can t use Internet Feb 6, 2007 a9ack against 6 of 13 root servers: 2 suffered very badly Others experienced heavy traffic DoD purportedly has interessng response: In the event of a massive cybera9ack against the country that was perceived as originasng from a foreign source, the United States would consider launching a countera9ack or bombing the source of the cybera9ack, Hall said. But he noted the preferred route would be warning the source to shut down the a9ack before a military response. h9p://www.computerworld.com/s/arscle/9010921/ RSA_U.S._cyber_countera9ack_Bomb_one_way_or_the_other

DNS cache poisoning Victm DNS server bankofsteve.com 10.1.1.1 Clients Internet goodguy.com IP = 10.9.9.9 A9acker site 10.9.9.99 How might an a9acker do this? Assume DNS server uses predictable UDP port

Another idea: - Poison cache for NS record instead - Now can take over all of second level domain How many tries does this require? - Try 256 different QIDs - Good chance of success

Does happen in the wild h9p://www.zdnet.com/blog/security/hd- moore- pwned- with- his- own- dns- exploit- vulnerable- at- t- dns- servers- to- blame/1608? tag=content;siu- container

Defenses Query ID size is fixed at 16 bits Repeat each query with fresh Query ID Doubles the space Randomize UDP ports Dan Bernstein s DJBDNS did this already Now other implementasons do, too DNSsec Cryptographically sign DNS responses, verify via chain of trust from roots on down

Phishing is common problem Typo squawng: www.ca.wisc.edu www.goggle.com Other shenanigans: www.badguy.com/(256 characters of filler)/ www.google.com Phishing a9acks These just trick users into thinking a malicious domain name is the real one

DNS piggybacking From h9ps://isc.sans.edu/diary/what+s+in+a+name+/11770 A9ackers maliciously added extra lower level domain names to valid domain name This is helpful for search engine opsmizason

BGP and rousng wisc.edu charter.net BGP (exterior BGP) OSPF within AS s (Open shortest- path first) defense.gov

BGP Policy- based rousng AS can set policy about how to route economic, security, poliscal considerasons BGP routers use TCP connecsons to transmit rousng informason IteraSve announcement of routes

BGP example [D. Wetherall] 7 2 6 5 7 7 1 8 2 7 2 6 5 2 7 2 6 5 3 2 7 3 4 2 6 5 3 2 6 5 2 7 6 5 2 7 6 2 7 6 5 5 5 2, 7, 3, 6 are Transit AS 8, 1 are Stub AS 4,5 mulshomed AS Algorithm seems to work OK in pracsce BGP does not respond well to frequent node outages

IP hijacking BGP unauthenscated Anyone can adversse any routes False routes will be propagated This allows IP hijacking AS announces it originates a prefix it shouldn t AS announces it has shorter path to a prefix AS announces more specific prefix

Malicious or misconfigurasons? AS 7007 incident in 1997 Okay, so panic ensued, and we unlugged *everything* at 12:15PM almost to the second. [sic] h9p://www.merit.edu/mail.archives/nanog/ 1997-04/msg00444.html China Telecom hijacks large chunks of Internet in 2010 h9p://bgpmon.net/blog/?p=282

Youtube incident Pakistan a9empts to block Youtube youtube is 208.65.152.0/22 youtube.com = 208.65.153.238 Pakistan ISP adversses 208.65.153.0/24 more specific, prefix hijacking Internet thinks youtube.com is in Pakistan Outage resolved in 2 hours

BGPsec [D. Wetherall] 7 2 6 5 7 7 1 8 2 7 2 6 5 2 7 2 6 5 3 2 7 3 4 2 6 5 3 2 6 5 2 7 6 5 2 7 6 2 7 6 5 5 5 Route announcements must be crypographically signed AS can only adversse as itself AS cannot adversse for IP prefixes it does not own Requires a public- key infrastructure (PKI) SSll in development: h9p://tools.iey.org/html/dra}- lepinski- bgpsec- protocol- 00#ref- 7

Internet Security Recurring themes: Built without any authenscity mechanisms in mind FuncSonality mechanisms (sequence # s) become implicit security mechanisms New a9empts at backwards- compasble security mechanisms IP - > IPsec DNS - > DNSsec BGP - > BGPsec

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback