Detection of DNS Traffic Anomalies

Presentation on theme: "Detection of DNS Traffic Anomalies"— Presentation transcript:

1 Detection of DNS Traffic Anomalies
Anestis Karasaridis, PhD, CISSP

2 Overview
- DNS: protocol and applications
- Vulnerabilities and common attacks
- Monitoring, detection, protection
4/25/2006 Detection of DNS Traffic Anomalies

3 Protocol Overview
- DNS is the white pages of the Internet: it maps hostnames/domains to IP addresses (and vice versa).
- Facilitates the communication of devices over the Internet.
- Based on standards (RFCs 1034 and 1035, i.e. STD 13, updated by a number of later RFCs).
- A distributed and hierarchical database.
- Runs over IP at Layer 3 and uses UDP or TCP at Layer 4.
- Managed by different organizations coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN).

4 Applications Overview
- Network infrastructure service: used by almost all applications where two devices need to be connected remotely: Web, FTP, P2P, streaming and many others.
- Its use has been expanded to create overlay networks (Content Distribution Networks) that are used to distribute load and improve latency.
- Emerging applications: VoIP (ENUM protocol), spam control (SPF protocol), RFID.

5 Example use of DNS
Web browsing:
- The user types a URL into the browser.
- The browser process generates a DNS request to a configured local DNS server (usually learned through DHCP), asking for the IP address of the server able to serve the web page.
- If the local server does not know the answer, it makes the same request to an upstream server.
- When the IP address is found, it is returned to the local server and then to the browser process.
- The browser then requests the page directly from the IP address that was returned.
E-mail:
- A user prepares and sends an e-mail to a recipient at yahoo.com.
- The mail application first sends the e-mail to a local repository (the e-mail relay).
- The relay then has to figure out where to send the e-mail to reach yahoo.com, so it makes a DNS query for the Mail Exchange (MX) record of yahoo.com.
- When it gets the DNS answer with the IP address of yahoo's mail server, it proceeds to send the e-mail to the recipient's server.

6 DNS Hierarchy
- DNS is organized in domains, which are subdivided into subdomains, and so on.
- The top domain is the "Root" (.) and the domains below it are called Top Level Domains (TLDs).
- Top level domains include com, gov, edu, net, biz, info, us, etc.

7 Distributed Architecture
- Various domains and subdomains contain partial DNS information.
- If the information is not available locally, the database contains pointers (delegations) to other servers that may contain the requested information.
- Different parts of the domain space are managed by different entities.
- The set of domains/subdomains managed by a single entity is called a zone.

8 Example of domains and zones
- The US domain has NJ, DC, MD, MA and VA as its subdomains.
- Since the information in all these subdomains is usually too large to manage centrally, the DNS information is usually split among the different subdomains.
- The US zone contains delegation points for the subdomains that it does not manage.

9 Example of Name Resolution using the hierarchical and distributed nature of DNS
(diagram; not reproduced in the transcript)

10 Security Vulnerabilities

11 DNS Protocol Security Vulnerabilities
- DNS is an open protocol: an ASCII protocol with no encryption.
- DNS is widely implemented and deployed using BIND, which is open source and has many known security holes.
- It uses a very rudimentary authentication mechanism based only on the source IP (SIP), port and transaction ID, so it easily trusts the source of information.
- Caching allows authoritative records to be bypassed and unreliable information to be stored in many locations on the Internet.
- Heavy reliance on the network makes it vulnerable to network outages.
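The "rudimentary authentication" the slide refers to is concrete: a UDP reply is accepted if it arrives from the expected server IP, at the local port the query left from, with the same 16-bit transaction ID and question. The following is an added example (not code from the presentation) of exactly that resolver-side check, with a constructed exchange; the message builder and the `PendingQueries` class are assumptions for illustration.

```python
import struct

def parse_header(msg):
    """Parse the 12-byte DNS header (RFC 1035 4.1.1): id, QR bit, RCODE and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def parse_qname(msg, offset=12):
    """Decode the first question name; question names are plain labels, no compression pointers."""
    labels = []
    while msg[offset] != 0:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels).lower()

def build_msg(txid, name, reply=False):
    """Build a minimal A/IN query or empty reply for the constructed sample exchange below."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    flags = 0x8180 if reply else 0x0100            # QR+RD+RA, NOERROR vs. RD only
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

class PendingQueries:
    """The checks a resolver applies to a UDP reply: server IP, local port, txid, question name."""
    def __init__(self):
        self.pending = {}                            # (txid, local port, server ip) -> qname
    def sent(self, txid, local_port, server_ip, name):
        self.pending[(txid, local_port, server_ip)] = name.lower()
    def accept(self, msg, src_ip, dst_port):
        h = parse_header(msg)
        key = (h["id"], dst_port, src_ip)
        if h["qr"] != 1 or key not in self.pending:  # not a reply, or unknown txid/port/server
            return False
        if parse_qname(msg) != self.pending[key]:    # the question must echo what was asked
            return False
        del self.pending[key]                         # first matching reply wins; port closes
        return True

def demo():
    """Constructed exchange: one outstanding query, then four candidate replies in arrival order."""
    r = PendingQueries()
    r.sent(0x1234, 51453, "198.51.100.7", "www.example.com")
    server = ("198.51.100.7", 51453)
    wrong_id = r.accept(build_msg(0x1235, "www.example.com", reply=True), *server)
    wrong_src = r.accept(build_msg(0x1234, "www.example.com", reply=True), "203.0.113.9", 51453)
    genuine = r.accept(build_msg(0x1234, "www.example.com", reply=True), *server)
    late = r.accept(build_msg(0x1234, "www.example.com", reply=True), *server)
    return wrong_id, wrong_src, genuine, late       # (False, False, True, False)
```

Everything the check depends on travels in cleartext and the ID is only 16 bits, which is why the slides go on to detect the resulting floods of requests and responses in flow data rather than relying on this check alone.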

12 DNS Vulnerabilities due to Poor Planning
- Single point of failure issues:
  - Running registered authoritative DNS servers on a single subnet can cause severe application outages if the gateway/router connecting this subnet goes down.
  - Running the DNS servers in a single geographical area.
  - Running DNS servers on a single OS.
- Poor capacity planning or lack of load balancing.
- Poor disaster recovery planning, e.g. for power outages, earthquakes, etc.
- Failure to upgrade or patch the DNS implementation.
- Misconfiguration.

13 Common DNS Attacks
- (D)DoS
- Cache poisoning
- Tunneling
- Buffer overflows
- Zone transfer hijacking
- Dynamic update corruption
- Unauthorized registry changes

14 DoS attacks
- One or more attackers controlling one or more devices launch an avalanche of messages at one or more DNS servers.
- If the sources are distributed, such an attack is difficult to control and trace.
- DNS responses are larger than requests and can be used to magnify attacks using spoofed source IP addresses: the attackers set the source IP address to the address of the target and send multiple DNS requests to a DNS server, which then sends its (larger) responses to the target.

15 Wide-scale DoS attack on Root Servers
- On Oct 21, 2002 a wide-scale attack was launched against the 13 IP addresses of the Root servers using ICMP echo reply messages.
- According to Keynote Systems, 7 of the 13 Root servers were severely slowed down during the attack.

16 Examples of anomalies: Large volumes from a single source
(chart: number of requests/replies to/from the MIS DNS server per IP address, 10/21, 14hr; y-axis "Number of Requests/Replies" from 0 to 3000, x-axis "IP Addresses"; one address is annotated "unusually large number of requests")

17 Cache poisoning
Alteration of the contents of the DNS cache:
- A query is sent to a local DNS server, which starts a recursive search.
- A fake response is sent from the attacker before the valid server responds.
- The local DNS server returns the fake response to the resolver and caches the forged mapping.
- Can lead to a denial of service or to redirection to an evil site (that, for example, collects private information).

18 DNS spoofing/cache poisoning
(diagram with three parties: client resolver, local DNS server, attacker)
1. DNS request: client resolver to local DNS server
2. Spoofed reply: attacker to local DNS server
3. True reply: arrives at the local DNS server after the spoofed one
4. ICMP port unreachable

19 Cache Poisoning: another variation
- The attacker directs the local DNS server to a DNS server under the attacker's control, which returns bogus information.
- The local DNS server does not properly check the answer and caches the bogus information.

20 Detection of brute force cache poisoning attacks
1. For each DNS flow, identify whether the packets in the flow are requests or responses (based on port numbers).
2. If the packets in the flow record are requests, combine the flow with a thread (a group of objects, such as flows, with similar characteristics) of request flows that have the same destination IP (DIP) and the same bytes-per-packet ratio (BPR), provided the flow arrives within a small time interval (e.g., 1 sec) after the last flow in the thread.
3. If the thread exceeds a certain number of flows (e.g., 50), summarize the information in the flow records and raise an alert that repeated requests took place.

21 Detection of brute force cache poisoning attacks (cont'd)
4. If the flow record contains response packets, combine the incoming flow with similar flows by DIP, BPR, DPORT and SIP, provided the flow arrives within a small time interval (e.g., 1 sec) since the arrival of the last flow in the same thread.
5. Examine whether the number of such flows exceeds a threshold (e.g., 50).
6. If the threshold is exceeded, examine all the request threads for the same DIP and check whether they have a BPR such that BPR_{response} > BPR_{request} + BPR_{THR}, where BPR_{THR} is the minimum number of additional bytes (set at 16) required to construct a response for a given request.
7. Also examine whether the response thread starts within the time limits of the request thread.
8. If all the above conditions are true, summarize the flows and generate an alarm for a cache-poisoning attack.
9. If the number of responses in the thread is larger than the threshold but the thread is not within the time frame of a request thread, or it cannot be matched to a request thread because the BPR condition (see above) is not met, the algorithm produces an alarm for repeated responses.
10. Empty and restart request and response threads when flows come much later (e.g., more than 1 sec later) or earlier than the last flow in the thread.
11. Periodically (e.g., every 500,000 input flows) clean up threads to free up memory.
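The thread-based procedure of slides 20 and 21, written out as an added example (not the author's implementation). Flow records are assumed to be dicts with the slide's columns (sip, dip, sport, dport, pkts, bytes, stime); thresholds follow the slide's example values, and the demo flows are constructed to resemble the alert on slide 23 (requests with bpr 70 from varying sources, responses with bpr 90 to dport 51453).

```python
from collections import defaultdict

GAP, THR, BPR_THR, CLEAN = 1.0, 50, 16, 500_000   # max gap (s), flows per thread, extra bytes, cleanup period

def is_request(flow):
    """Classify by port number: destination port 53 is a request, source port 53 a response."""
    return flow["dport"] == 53

class Detector:
    def __init__(self):
        self.req = defaultdict(list)      # (dip, bpr)             -> request flows in arrival order
        self.rsp = defaultdict(list)      # (dip, bpr, dport, sip) -> response flows
        self.alerts, self.seen = [], 0

    def feed(self, f):
        self.seen += 1
        bpr = f["bytes"] // f["pkts"]                         # bytes-per-packet ratio
        req = is_request(f)
        key = (f["dip"], bpr) if req else (f["dip"], bpr, f["dport"], f["sip"])
        thread = self.req[key] if req else self.rsp[key]
        # restart the thread when the flow arrives too late, or earlier than the last flow
        if thread and not (0 <= f["stime"] - thread[-1]["stime"] <= GAP):
            thread.clear()
        thread.append(f)
        if self.seen % CLEAN == 0:                            # periodic cleanup of stale threads
            for table in (self.req, self.rsp):
                for k in [k for k, v in table.items() if f["stime"] - v[-1]["stime"] > GAP]:
                    del table[k]
        if len(thread) != THR:                                # alert once, when the threshold is reached
            return
        if req:
            self.alerts.append(("repeated_requests", f["dip"], bpr, THR))
            return
        # a response thread matches a request thread with the same DIP if it is at least BPR_THR
        # bytes/packet larger than the requests and starts inside the request thread's time window
        matched = any(rb + BPR_THR < bpr and r[0]["stime"] <= thread[0]["stime"] <= r[-1]["stime"]
                      for (rd, rb), r in self.req.items() if rd == f["dip"] and r)
        self.alerts.append(("cache_poisoning" if matched else "repeated_responses", f["dip"], bpr, THR))

def demo(rsp_bytes=90, n_req=60):
    """Constructed flows: n_req single-packet requests from varying sources to one resolver,
    interleaved with 60 single-source responses aimed at one query port of that resolver."""
    d = Detector()
    for i in range(60):
        if i < n_req:
            d.feed({"sip": f"10.0.0.{i}", "dip": "192.0.2.53", "sport": 40000 + i, "dport": 53,
                    "pkts": 1, "bytes": 70, "stime": i * 0.01})
        d.feed({"sip": "198.51.100.7", "dip": "192.0.2.53", "sport": 53, "dport": 51453,
                "pkts": 1, "bytes": rsp_bytes, "stime": i * 0.01 + 0.005})
    return d.alerts
```

With the default arguments the detector raises a repeated-requests alert followed by a cache-poisoning alert; with no request flows, or responses that are not at least 16 bytes/packet larger than the requests, the same response flood is reported as repeated responses instead.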

22 Cache Poisoning Example
Flow record columns: Type, Src IP, Dest IP, Pkts, Bytes, Stime, Etime, Sport, Dport, Prot
Values as extracted (row structure, addresses and timestamps lost): 2 1 90 77 53 51453 17 70 78 14414 79 50235 65164 61480 10105

23 Alerting for Cache Poisoning Attacks
Repeated Requests: dip= , number=307, bpr=70, link=SiteA, sip=var, sport=var, start_time=Wed Oct 22 13:57: , end_time=Wed Oct 22 14:00:
Suspicious Responses: dip= , number=811, bpr=90, link=SiteA, sip= , dport:51453, start_time=Wed Oct 22 13:57: , end_time=Wed Oct 22 14:05:
Repeated Responses: dip= ,

24 Tunneling Anomaly Detection
- DNS is used to tunnel traffic in and out of firewalls and IDSs:
  - Viruses
  - Botnet control
  - Streaming audio
- The protocol specification should be taken into account.

25 Tunneling Anomaly detection: Abnormal packet sizes
- Requests typically should not exceed 312 bytes (including TCP and IP headers).
- UDP responses typically do not exceed 512 bytes.
- Calculate histograms of request/response packet sizes.
- Track and detect changes in the frequencies of non-conforming packet sizes.

26 Example of anomalies: Large DNS Requests
- Interestingly, large requests appeared among other normal-size requests.
- In one case they were sent periodically between a single pair of hosts.

27 Example anomalies: Large DNS responses
(chart; not reproduced in the transcript)

28 Example anomalies: Increase in large request packet size frequencies
(chart; not reproduced in the transcript)

29 Track and detect packet size anomalies
- Build a baseline histogram of packet sizes.
- Calculate the current histogram.
- Calculate the difference between the current and baseline histograms. The KL distance (also known as relative entropy) is one example, where p_i are the current frequencies and q_i are the baseline frequencies.

30 Track and detect packet size anomalies (cont'd)
- The baseline should be adaptive to variations in traffic.
- It should be updated when there are small changes that are benign.
- It should not include data that generate alarms.
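An added example (not the author's code) that ties slides 25, 29 and 30 together: bucketed packet-size histograms, the KL distance D(p||q) = sum_i p_i log(p_i / q_i) between the current (p) and baseline (q) frequencies, the fraction of packets above the slide's size limits, and a baseline that is blended with benign windows but never with a window that alarmed. The bucket width, smoothing constant, alarm threshold and blending factor are assumptions, and the packet sizes are constructed.

```python
import math
from collections import Counter

REQ_MAX, RSP_MAX = 312, 512    # typical maximum sizes from slide 25 (bytes, headers included)
BUCKET = 32                    # histogram bucket width in bytes (assumption)
EPS = 1e-6                     # smoothing so the KL distance stays finite on unseen buckets

def histogram(sizes):
    """Bucketed packet-size frequencies: p_i = count_i / n."""
    counts = Counter(s // BUCKET for s in sizes)
    n = sum(counts.values())
    return {b: c / n for b, c in counts.items()}

def kl_distance(p, q):
    """Relative entropy D(p||q) = sum_i p_i * log(p_i / q_i); p current, q baseline frequencies."""
    return sum(pi * math.log(max(pi, EPS) / max(q.get(k, 0.0), EPS)) for k, pi in p.items() if pi > 0)

def non_conforming(sizes, is_request):
    """Fraction of packets larger than the typical maximum for their direction."""
    limit = REQ_MAX if is_request else RSP_MAX
    return sum(s > limit for s in sizes) / len(sizes)

class SizeMonitor:
    def __init__(self, baseline_sizes, is_request, kl_thr=0.5, alpha=0.2):
        self.q = histogram(baseline_sizes)             # adaptive baseline histogram
        self.is_request, self.kl_thr, self.alpha = is_request, kl_thr, alpha

    def check(self, window_sizes):
        p = histogram(window_sizes)
        d = kl_distance(p, self.q)
        alarm = d > self.kl_thr
        if not alarm:
            # benign drift: blend the window into the baseline; alarming windows are never blended in
            keys = set(p) | set(self.q)
            self.q = {k: (1 - self.alpha) * self.q.get(k, 0.0) + self.alpha * p.get(k, 0.0) for k in keys}
        return {"kl": d, "alarm": alarm, "oversize": non_conforming(window_sizes, self.is_request)}

def demo():
    """Constructed request sizes: an ordinary baseline, a benign window, then a window where half
    of the requests are tunnel-sized (above 312 bytes)."""
    baseline = [60 + (i * 7) % 70 for i in range(1000)]
    normal = [62 + (i * 5) % 66 for i in range(200)]
    tunnel = normal[:100] + [380 + (i * 11) % 60 for i in range(100)]
    mon = SizeMonitor(baseline, is_request=True)
    return mon.check(normal), mon.check(tunnel)
```

The benign window shifts the bucket frequencies only slightly and is absorbed into the baseline; the tunnel window puts half its mass into buckets the baseline has never seen, so the KL distance jumps and the window is reported without touching the baseline.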

31 Example of detection of tunneling
- The Sinit virus propagated using port 53 traffic.
- Sophisticated P2P-style propagation using a custom protocol.

32 Summary
- DNS is ubiquitous and expanding to new applications and technologies.
- Many vulnerabilities exist due to poor design, configuration or software holes.
- Monitoring revealed wide-scale events before public reports.
- DNSSEC is an attempt to address some of the security issues.
