Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Attack via DNS Fagpakke: IT Sikkerhed Modul: Introduktion til IT Sikkerhed 17-02-2012 Jesper Buus Nielsen.

Similar presentations


Presentation on theme: "Network Attack via DNS Fagpakke: IT Sikkerhed Modul: Introduktion til IT Sikkerhed 17-02-2012 Jesper Buus Nielsen."— Presentation transcript:

1 Network Attack via DNS Fagpakke: IT Sikkerhed Modul: Introduktion til IT Sikkerhed Jesper Buus Nielsen

2 DNS TCP IP Link Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Internet Protokol Stack Applications

3 IP Ex.: Can send a package to port 4 on address Machines have IP address Machines have a number of ports (2 16 ) Can send individual packages to a port on an address Server Client

4 TCP/IP Ex.: Can establish a connection to port 4 on address Typically the client gets a random free local port, here 2 Server Client Machines have IP address Machines have a number of ports (2 16 ) Can establish connections between two (address, port) pairs

5 Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Domain Name System (DNS) How to map DNS name like to IP addresses in the Internet? –“Back in the days”: HOSTS.TXT file FTP’ed among hosts Now a distributed name service –Hierarchical name space –Each level separated by ‘.’ Analogous to ‘/’ separator in file systems –One global root Replicated across 13 root servers There have been Denial of Service (DoS) attacks on these root servers, none real successful Because of caching, queries to root servers relatively rare DNS is the true backbone of the Internet

6 DNS is simple but powerful Three major components –Domain Name Space and Resource Records Specification for a tree-structured name space and small databases associated with nodes (both internal nodes and leaf nodes) –Name Servers Servers which hold the databases associated with some nodes and references to other name servers –Resolvers Client programs that extract information from name servers Name servers can be resolvers –Will be so in so-called recursive lookup Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved

7 Resource Records (1/3) Each name server holds a set of resource records which for each path specifies, e.g., what is the name server for the path and what is the address of the machine at the path path type data cs.au.dk.MX mx.nfit.au.dk means that mx.nfit.au.dk is mail server for the domain cs.au.dk

8 Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Resource Records (2/3) path type data Some types of records –NS:Name server for the path –A:IP address for the path, if any Not all partial paths, like dk, correspond to machines –MX:Name of the mail server for path, if any (Mail eXchange) –AAAA:IPv6 address

9 Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Resource Records (3/3) Examples of resource records: pathtype data dk.NSa.nic.dk. a.nic.dk.A au.dk. NS ns.au.dk ns.au.dkA cs.au.dkA cs.au.dkA cs.au.dkMXmx.nfit.au.dk. mx.nfit.au.dkA

10 Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Glue If a name server holds a record like pathtype data au.dk. NS ns.au.dk then it also holds a record like pathtype data ns.au.dkA And it sends it along with the NS record

11 DiG Let us ask the NS for “dk.” what the NS for “au.dk.” is?

12 Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved Implementation of Name Resolution Figure The principle of iterative name resolution.

13 Path name resolved:  dk, au  Name server: ns.au.dk Knows: “cs.au.dk.” A  Knows: “cs.au.dk.” NS  au Looking up cs.au.dk Path name resolved:   Name server: a.root-servers.net Knows: “dk.” NS  Path name resolved:  dk  Name server: a.nic.dk Knows: “au.dk.” NS  dk com org aau Path name resolved:  dk, au, cs  DNS name: cs.au.dk. IP: cs science

14 Caching DNS resolvers are allowed to cache entries –This speeds up lookup immensely The name server sending the entry can tell how long it is safe to cache it

15 Cache Poisoning There is a very serious attack on the DNS system called cache poisoning –[http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html]http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html The goal for some naughty hacker is to make a resolver, preferably a resolver for a lot of clients, think that the name server for, e.g. handelsbanken.dk, is at an IP address owned by the hacker

16 Attacking via DNS Providers name resolver hacker in kûrruptyztan root name server handelsbanken.dk? dk. name server handelsbanken.dk? handelsbanken.dk. name server NS dk = handelsbanken.? NS handelsbanken.dk = NS handelsbanken.dk = Cache for long time! Handelsbanken kunde under provider handelsbanken.dk? NS handelsbanken.dk = handelsbanken.dk? A handelsbanken.dk =

17 DNSSEC A secure version of DNS, called DNSSEC, is being deployed DNSSEC uses digital signature schemes to authenticate the provided resource records Each DNS server has its own key pair Public key of the root servers known by all resolvers Each DNS server authenticates the public keys of the DNS servers in its sub-domains Not yet widely used


Download ppt "Network Attack via DNS Fagpakke: IT Sikkerhed Modul: Introduktion til IT Sikkerhed 17-02-2012 Jesper Buus Nielsen."

Similar presentations


Ads by Google