By Chris Racki. Outline: Introduction; How DNS works; A typical DNS lookup; Caching for later; Vulnerabilities of DNS; Anatomy of a cache poisoning.

1 By Chris Racki

2 Outline
- Introduction
- How DNS works
- A typical DNS lookup
- Caching for later
- Vulnerabilities of DNS
- Anatomy of a cache poisoning
- Why isn’t the security community panicked
- Ok, now they’re panicked!
- Mitigation
- Conclusion

3 Introduction
- Computers navigate the internet using DNS
- Common requests are cached
- Caching makes DNS vulnerable
- When a DNS server is poisoned, any IP can be set to any internet address
- The fix is in the chaos

4 How DNS Works
[Diagram: DNS hierarchy]
- Root Servers
- Top Level Domain Servers: .com, .org, .net, .gov, .edu
- Domains: google.com, montclair.edu

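5 A Typical DNS Lookup
[Diagram participants: User, ISP DNS, Root Server, .com Server, google.com Server]
1. User to ISP DNS: what’s the IP for www.google.com?
2. ISP DNS to Root Server: what’s the IP for www.google.com?
3. Root Server to ISP DNS: Server Referral
4. ISP DNS to .com Server: what’s the IP for www.google.com?
5. .com Server to ISP DNS: Server Referral
6. ISP DNS to google.com Server: what’s the IP for www.google.com?
7. google.com Server to ISP DNS: The IP is XXX.XXX.XXX
8. ISP DNS: Cache result
9. ISP DNS to User: The IP is XXX.XXX.XXX
10. User: Go to www.google.com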

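6 Vulnerabilities
[Diagram participants: User, ISP DNS, Root Server, .com Server, google.com Server]
1. User to ISP DNS: what’s the IP for www.google.com?
2. ISP DNS to Root Server: what’s the IP for www.google.com?
3. Root Server to ISP DNS: Server Referral
4. ISP DNS to .com Server: what’s the IP for www.google.com?
5. .com Server to ISP DNS: Server Referral
6. ISP DNS to google.com Server: what’s the IP for www.google.com?
7. google.com Server to ISP DNS: The IP is XXX.XXX.XXX
8. ISP DNS to User: The IP is XXX.XXX.XXX
10. User: Go to www.google.com
[Diagram labels: Cached result; Go to www.BADPLACE.com]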

7 Anatomy of a Cache Poisoning
- What’s the IP for www.google.com?
- It’s not in my cache, I have to look it up.
- Now that he’s waiting for a response, it’s my chance!
- Unsolicited reply… ignore.
- Forged reply is accepted and cached.
[Diagram: Lookup Request with Query ID 10021; Forged Lookup Replies with Query ID 10018, Query ID 10019, Query ID 10020, Query ID 10021 (forged reply)]

8 Why isn’t the security community panicked?
- Attack only works when entry is not in cache
- Hard to predict exactly when Time To Live will expire
- Limited chances for attack

9 Ok, now they’re panicked!
- In 2008 Dan Kaminsky improved the attack.
- Attack is only possible when target is not in cache.
- www.google.com is almost always in the cache.
- fake01.google.com is never in cache so it always triggers a lookup.
- Instead of forging a single page, forge the google.com DNS server.
- Now all requests for google.com domain can be redirected to attacker’s DNS server.

10 A More Toxic Poison
[Diagram participants: ISP DNS, Root Server, .com Server, google.com Server]
- what’s the IP for fake01.google.com?
- Server Referral
- what’s the IP for fake01.google.com?
- Server Referral
- Forge the IP of the google.com domain DNS server
- Response is too slow

11 What’s the fix?
- Make the query ID more random
  - Older DNS software uses sequential query IDs or easily predicted random query IDs
- Randomize the port and change it often
  - Older DNS software always uses one port
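Added example (not part of the original slides): the resolver-side check behind slides 7 and 11, where a reply is cached only if its query ID, destination port, source server and question all match the outstanding lookup, and rejected replies are counted as a spoofing indicator. The names Pending, new_query, accept_reply, guess_space and poisoning_suspected, the port range 1024-65535 and the sample address are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

PORT_LOW, PORT_HIGH = 1024, 65535  # assumed usable UDP source-port range

@dataclass
class Pending:
    """One outstanding lookup the resolver is waiting on (hypothetical structure)."""
    qname: str
    server_ip: str
    txid: int          # 16-bit DNS query ID
    src_port: int      # UDP port the query was sent from
    rejected: int = 0  # replies that failed validation

def new_query(qname, server_ip, fixed_port=None):
    """Unpredictable query ID; random source port unless fixed_port is given."""
    port = fixed_port if fixed_port is not None else (
        PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1))
    return Pending(qname.lower(), server_ip, secrets.randbelow(1 << 16), port)

def accept_reply(p, reply):
    """Accept (and cache) a reply only if every field matches the pending query."""
    ok = (reply["txid"] == p.txid and reply["dst_port"] == p.src_port
          and reply["src_ip"] == p.server_ip
          and reply["qname"].lower() == p.qname)
    if not ok:
        p.rejected += 1  # unsolicited reply: ignore it, but keep count
    return ok

def guess_space(port_randomized):
    """(query ID, port) combinations a reply must match by chance."""
    ports = PORT_HIGH - PORT_LOW + 1 if port_randomized else 1
    return (1 << 16) * ports

def poisoning_suspected(p, threshold=3):
    """Several rejected replies for one pending query indicates spoofing."""
    return p.rejected >= threshold

# Constructed sample using the slide's query IDs; 192.0.2.53 is a documentation address.
pending = Pending("www.google.com", "192.0.2.53", txid=10021, src_port=40111)
replies = [{"txid": t, "dst_port": 40111, "src_ip": "192.0.2.53",
            "qname": "www.google.com"} for t in (10018, 10019, 10020)]
results = [accept_reply(pending, r) for r in replies]
print(results, pending.rejected, poisoning_suspected(pending))
print(guess_space(False), guess_space(True))
```

With a single fixed port only the 16-bit query ID has to match; randomizing the port multiplies the combinations by the size of the port range.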

12 Conclusion
- DNS cache poisoning is not new
- There are new ways to use it
- A successful DNS poisoning could be very damaging
- Be alert to new threats
- Thank you

