
© AT&T Inc Detection of DNS Traffic Anomalies Anestis Karasaridis, PhD,CISSP.


1 © AT&T Inc Detection of DNS Traffic Anomalies Anestis Karasaridis, PhD,CISSP

2 © AT&T Inc Detection of DNS Traffic Anomalies 4/25/2006 Page 2 Overview
DNS - Protocol and Applications
Vulnerabilities and common attacks
Monitoring, Detection, Protection

3 Protocol Overview
DNS is the white pages of the Internet, mapping hostnames/domains to IP addresses (and vice versa).
Facilitates the communication of devices over the Internet.
Based on standards (RFCs 1034 and 1035 -> STD 13, updated by a number of RFCs).
A distributed and hierarchical database.
IP at Layer 3; uses UDP or TCP at Layer 4.
Managed by different organizations coordinated by the Internet Consortium of Assigned Names and Numbers (ICANN).

4 Applications Overview
Network infrastructure service: used by almost all applications where two devices need to be connected remotely: Web, FTP, P2P, streaming, ...many others.
Its use has been expanded to create overlay networks (Content Distribution Networks) that are used to distribute load and improve latency.
Emerging applications: VoIP (ENUM protocol), spam control (SPF protocol), RFID.

5 Example use of DNS
Web: The user types a URL into his/her browser. The browser process generates a DNS request to a configured local DNS server (usually learned through DHCP), asking for the IP address of the server able to serve the web page. If the local server does not know the answer, it makes the same request to an upstream server. When the IP address is found it is returned to the local server and then to the browser process. The browser then requests the page directly from the IP address that was returned.
E-mail: A user prepares and sends an e-mail to a recipient at yahoo.com. The mail application first sends the e-mail to a local repository (e-mail relay). The repository then has to figure out where to send the e-mail to reach yahoo.com. The relay server makes a DNS query to find the Mail Exchange (MX) record for yahoo.com. When it gets the answer from DNS with the IP address of yahoo's mail server, it proceeds to send the e-mail to the recipient's server.

6 DNS Hierarchy
DNS is organized in domains which are subdivided into subdomains, etc.
The top domain is the Root (.) and the domains below it are called Top Level Domains (TLDs).
Top level domains include com, gov, edu, net, biz, info, us, etc.

7 Distributed Architecture
Various domains and subdomains contain partial DNS information. If the information is not available locally, the database contains pointers (delegations) to other servers that may contain the requested information.
Different parts of the domain space are managed by different entities. The set of domains/subdomains managed by a single entity is called a zone.

8 Example of domains and zones
The US domain has NJ, DC, MD, MA and VA as its subdomains. Since the information in all these subdomains is usually unmanageable from one place, the DNS information is usually split across the different subdomains. The US zone contains delegation points for the subdomains that it does not manage.

9 Example of Name Resolution using the hierarchical and distributed nature of DNS (diagram)

10 Security Vulnerabilities

11 DNS Protocol Security Vulnerabilities
DNS is an open protocol: an ASCII protocol with no encryption.
DNS is widely implemented and deployed using BIND, which is open source and has many known security holes.
Uses a very rudimentary authentication mechanism based only on the source IP (SIP), port and transaction ID, and therefore easily trusts the source of information.
Caching allows authoritative records to be bypassed and unreliable information to be stored in many locations on the Internet.
Heavy reliance on the network makes it vulnerable to network outages.

12 DNS Vulnerabilities due to Poor Planning
Single point of failure issues:
Running registered authoritative DNS servers on a single subnet can cause severe application outages if the gateway/router connecting this subnet goes down.
Running the DNS servers in a single geographical area.
Running DNS servers on a single OS.
Poor capacity planning or lack of load balancing.
Poor disaster recovery planning, e.g. during power outages, earthquakes, etc.
Failure to upgrade or patch the DNS implementation.
Misconfiguration.

13 Common DNS Attacks
(D)DoS
Cache poisoning
Tunneling
Buffer overflows
Zone transfer hijacking
Dynamic update corruption
Unauthorized registry changes

14 DoS attacks
One or more attackers controlling one or more devices launch an avalanche of messages to one or more DNS servers.
If the sources are distributed, such an attack is difficult to control and trace.
DNS responses are larger than requests and can be used to magnify attacks using spoofed source IP addresses: the attackers set the source IP address to the address of the target and send multiple DNS requests to a DNS server.

15 Wide-scale DoS attack on Root Servers
On Oct 21, 2002 a wide-scale attack was launched against the 13 IP addresses of the Root servers using ICMP echo reply messages.
According to Keynote Systems, 7 of the 13 Root servers were severely slowed down during the attack.

16 Examples of anomalies: Large volumes from a single source
Chart: number of requests/replies to/from the MIS DNS server per address (10/21, 14hr); x-axis: IP addresses, y-axis: number of requests/replies. Annotation: unusually large number of requests from one address.

17 Cache poisoning
Alteration of the contents of the DNS cache:
A query is sent to a local DNS server. The local server starts a recursive search.
A fake response is sent from the attacker before the valid server responds.
The local DNS server returns the fake response to the resolver and caches the forged mapping.
Can lead to a denial of service or to redirection to an evil site (that collects, for example, private information).

18 DNS spoofing/cache poisoning
Diagram with three parties: client resolver, local DNS server, attacker.
1. DNS request
2. Spoofed reply
3. True reply
4. ICMP port unreachable

19 Cache Poisoning - another variation
The attacker directs the local DNS server to a DNS server under his control, which returns bogus information. The local DNS server does not properly check the answer and caches the bogus information.

20 Detection of brute force cache poisoning attacks
For each DNS flow, identify whether the packets in the flow are requests or responses (based on port numbers).
If the packets in the flow record are requests, combine the flow with a thread (a group of objects, such as flows, with similar characteristics) of request flows that have the same destination IP (DIP) and the same bytes-per-packet ratio (BPR), provided the flow arrives within a small time interval (e.g., 1 sec) after the last flow in the thread.
If the thread exceeds a certain number of flows (e.g., 50), summarize the information in the flow records and raise an alert that repeated requests took place.

21 Detection of brute force cache poisoning attacks (contd)
If the flow record contains response packets, combine the incoming flow with similar flows by DIP, BPR, destination port (DPORT) and source IP (SIP), provided the flow arrives within a small time interval (e.g., 1 sec) since the arrival of the last flow in the same thread.
Examine whether the number of such flows exceeds a threshold (e.g., 50).
If the threshold is exceeded, examine all the request threads for the same DIP and check whether they have a BPR such that BPR_{response} > BPR_{request} + BPR_{THR}, where BPR_{THR} is the minimum number of additional bytes (set at 16) required to construct a response for a given request.
Also examine whether the response thread starts within the time limits of the request thread.
If all the above conditions are true, summarize the flows and generate an alarm for a cache-poisoning attack.
If the number of responses in the thread is larger than the threshold, but it is not within the time frame of a request thread or it cannot be matched to a request thread because the BPR condition (see above) is not met, then the algorithm produces an alarm for repeated responses.
Empty and restart request and response threads when flows come much later (e.g., more than 1 sec later) or earlier than the last flow in the thread.
Periodically (e.g., every 500,000 input flows) clean up threads to free memory.
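The threading logic of slides 20 and 21, written out as an added example (not the presenter's code): flows are keyed by DIP and BPR (responses also by DPORT and SIP), a thread restarts on a gap of more than 1 s, and a response thread reaching 50 flows is matched against request threads to the same DIP using the BPR_{THR} = 16 and time-window conditions. The flow records, IP addresses and millisecond timestamps are constructed for the example; the field names are assumptions.

```python
GAP_MS, THR, BPR_THR = 1000, 50, 16   # slide parameters: 1 s gap, 50 flows, 16 extra bytes

class Thread:
    """A group of flows with the same key arriving within GAP_MS of each other."""
    def __init__(self, f):
        self.flows, self.start, self.last = [f], f["stime"], f["stime"]
        self.bpr = f["bytes"] // f["pkts"]           # bytes-per-packet ratio (BPR)
    def add(self, f):
        self.flows.append(f); self.last = f["stime"]

def detect(flows):
    """Thread DNS flow records and return (alarm, dip, bpr) tuples in time order."""
    req, resp, alerts = {}, {}, []
    for f in sorted(flows, key=lambda x: x["stime"]):
        bpr = f["bytes"] // f["pkts"]
        is_req = f["dport"] == 53                    # to port 53 = request, from 53 = response
        key = (f["dip"], bpr) if is_req else (f["dip"], bpr, f["dport"], f["sip"])
        table = req if is_req else resp
        t = table.get(key)
        if t is None or abs(f["stime"] - t.last) > GAP_MS:
            t = table[key] = Thread(f)               # empty and restart the thread on a gap
        else:
            t.add(f)
        if len(t.flows) != THR:                      # alarm once, when the threshold is reached
            continue
        if is_req:
            alerts.append(("repeated_requests", f["dip"], bpr)); continue
        # Response thread: look for a request thread to the same DIP whose BPR and
        # time window are consistent with these being forged answers to it.
        matched = any(r.bpr + BPR_THR < bpr and r.start <= t.start <= r.last
                      for (dip, _), r in req.items() if dip == f["dip"])
        alerts.append(("cache_poisoning" if matched else "repeated_responses", f["dip"], bpr))
    return alerts

def sample_flows(resp_bytes=90):
    """Constructed NetFlow-style records (not from the slides): 60 one-packet
    requests from varying sources to resolver 192.0.2.53, overlapped by 60
    one-packet responses from a single source to port 51453. Times are in ms."""
    reqs = [dict(sip=f"203.0.113.{i}", dip="192.0.2.53", sport=40000 + i, dport=53,
                 pkts=1, bytes=70, stime=i * 10) for i in range(60)]
    rsps = [dict(sip="198.51.100.7", dip="192.0.2.53", sport=53, dport=51453,
                 pkts=1, bytes=resp_bytes, stime=100 + j * 10) for j in range(60)]
    return reqs + rsps

if __name__ == "__main__":
    print(detect(sample_flows()))        # repeated requests, then a cache-poisoning alarm
    print(detect(sample_flows(80)))      # BPR condition fails: repeated responses instead
```

With 90-byte responses the BPR condition 90 > 70 + 16 holds and the thread starts inside the request window, so the second alarm is cache_poisoning; with 80-byte responses it degrades to repeated_responses.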

22 Cache Poisoning Example
Flow record table with columns: Type, Src IP, Dest IP, Pkts, Bytes, Stime, Etime, Sport, Dport, Prot.

23 Alerting for Cache Poisoning Attacks
Repeated Requests: dip= , number=307, bpr=70, link=SiteA, sip=var, sport=var, start_time=Wed Oct 22 13:57: , end_time=Wed Oct 22 14:00:
Suspicious Responses: dip= , number=811, bpr=90, link=SiteA, sip= , dport:51453, start_time=Wed Oct 22 13:57: , end_time=Wed Oct 22 14:05:
Repeated Responses: dip= , number=811, bpr=90, link=SiteA, sip= , dport:51453, start_time=Wed Oct 22 13:57: , end_time=Wed Oct 22 14:05:

24 Tunneling Anomaly Detection
DNS is used to tunnel traffic in and out of firewalls and IDSs: viruses, botnet control, streaming audio.
The protocol specification should be taken into account.

25 Tunneling Anomaly detection - Abnormal packet sizes
Requests typically should not exceed 312 bytes (including TCP and IP headers).
UDP responses typically do not exceed 512 bytes.
Calculate histograms of request/response packet sizes.
Track and detect changes in the frequencies of non-conforming packet sizes.

26 Example of anomalies: Large DNS Requests
Large requests appeared, interestingly, among other normal-size requests.
In one case they were sent periodically between a single pair of hosts.

27 Example anomalies: Large DNS responses

28 Example anomalies: Increase in large request packet size frequencies

29 Track and detect packet size anomalies
Build a baseline histogram of packet sizes.
Calculate the current histogram.
Calculate the difference between the current and baseline histograms. The KL distance (also known as relative entropy) is one example, where p_i are the current frequencies and q_i are the baseline frequencies.

30 Track and detect packet size anomalies (contd)
The baseline should be adaptive to variations in traffic:
It should be updated when there are small changes that are benign.
It should not include data that generate alarms.
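Slides 25, 29 and 30 together, as an added example that is not the presenter's code: packet sizes are binned into a histogram, the current window is compared to the baseline with the KL distance D(p||q) = sum_i p_i log(p_i/q_i), the share of packets above the 312-byte request limit is reported, and the baseline is blended with the window only when no alarm fired. The 16-byte bin width, the KL threshold of 0.5, the blending factor and the packet-size samples are assumptions constructed for the example.

```python
import math, random
from collections import Counter

REQ_MAX, RESP_MAX = 312, 512   # slide limits: request / UDP response packet size (bytes)
BIN = 16                       # histogram bin width in bytes (assumption, not from the slides)

def histogram(sizes):
    """Normalised histogram: bin index -> fraction of packets in that bin."""
    counts = Counter(s // BIN for s in sizes)
    return {b: n / len(sizes) for b, n in counts.items()}

def kl_distance(p, q, eps=1e-6):
    """KL distance D(p||q) = sum_i p_i * log(p_i / q_i), p = current and q = baseline
    frequencies; eps stands in for bins the baseline has never seen."""
    return sum(pi * math.log(pi / q.get(b, eps)) for b, pi in p.items())

def nonconforming_fraction(sizes, limit):
    """Share of packets above the protocol-derived size limit."""
    return sum(s > limit for s in sizes) / len(sizes)

class SizeMonitor:
    """Adaptive baseline: benign windows are blended in, alarming windows are not."""
    def __init__(self, baseline_sizes, limit, kl_threshold=0.5, alpha=0.1):
        self.q, self.limit = histogram(baseline_sizes), limit
        self.kl_threshold, self.alpha = kl_threshold, alpha
    def update(self, sizes):
        p = histogram(sizes)
        d = kl_distance(p, self.q)
        alarm = d > self.kl_threshold
        if not alarm:                       # exponentially weighted update of the baseline
            bins = set(p) | set(self.q)
            self.q = {b: (1 - self.alpha) * self.q.get(b, 0) + self.alpha * p.get(b, 0)
                      for b in bins}
        return alarm, d, nonconforming_fraction(sizes, self.limit)

# Constructed request-size samples (not measured data): normal requests are 60-100
# bytes; the "tunnel" window mixes in 40% oversized requests of 400-500 bytes.
_rng = random.Random(7)
BASELINE = [_rng.randint(60, 100) for _ in range(2000)]
BENIGN = [_rng.randint(60, 100) for _ in range(200)]
TUNNEL = [_rng.randint(60, 100) for _ in range(120)] + [_rng.randint(400, 500) for _ in range(80)]

if __name__ == "__main__":
    mon = SizeMonitor(BASELINE, REQ_MAX)
    for name, window in (("benign", BENIGN), ("tunnel", TUNNEL)):
        print(name, mon.update(window))     # (alarm, kl_distance, nonconforming fraction)
```

The benign window stays well under the threshold and is folded into the baseline; the tunnel window lands in bins the baseline has never seen, drives the KL distance up by several nats, and is kept out of the baseline so it cannot normalise itself in.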

31 Example of detection of tunneling
The Sinit virus propagated using port 53 traffic.
Sophisticated p2p-type propagation using a custom protocol.

32 Summary
DNS is ubiquitous and expanding to new applications and technologies.
Many vulnerabilities exist due to poor design, configuration or software holes.
Monitoring revealed wide-scale events before public reports.
DNSSEC is an attempt to address some of the security issues.
