DNS Security Pacific IT Pros Nov. 5, 2013. Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.


1 DNS Security
Pacific IT Pros, Nov. 5, 2013

2 Topics
DoS Attacks on DNS Servers
DoS Attacks by DNS Servers
Poisoning DNS Records
Monitoring DNS Traffic
Leakage of Internal Information
Domain Name Hijacking
Typosquatting

3 DNS is Essential
Without DNS, no one can use domain names like ccsf.edu
Almost every Internet communication begins with a DNS resolution

4 Normal DNS Function

5 [Diagram: Root, .com, .net, .edu, local DNS]
Delegation
Servers cache content

6 Recursive DNS Query

7 Demo
Resolving a domain through a Windows DNS server: 238 packets, 4.3 sec
– dig @192.168.119.191 hills.ccsf.edu

8 Linux DNS Server
10 packets, 1 sec.
– Windows client
– nslookup hills.ccsf.edu 192.169.119.223

9 Over 3000 packets and 4 minutes for
– dig @192.168.119.191 hills.ccsf.edu +trace
Linux used 317 packets and 2 seconds

10 DoS Attacks on DNS Servers

11 2007 Attack on DNS Root
Six root servers attacked from Asia
Volume 1 Gbps per server, bogus DNS requests
Only two were affected, because they did not yet have Anycast configured
Anycast allows one IP address to be shared by many different servers
– Traffic automatically goes to the closest working server via BGP
– Link Ch 1e

12 2007 Attack on DNS Root

13 DoS Attacks by DNS Servers

14 DNS Amplification
Find a domain name that gives a large response
Also called "DRDoS Attack" (Distributed Reflection and Amplification Denial of Service)
[Diagram: Attacker sends DNS queries with source IP = Target to the DNS Server; the DNS Server sends DNS responses to destination IP = Target. Target: "DNS Server is attacking me!" DNS Server: "Target is attacking me!"]

15 dig any yahoo.com

16 Request: 69 bytes
Reply: 379 bytes
Amplification: 5.5 x

17 dig any ietf.org
Large DNSSEC signatures

18 dig any ietf.org
Request: 28 bytes (+66 header)
Reply: 4183 bytes (+ headers)
Amplification: 45 x (but via TCP)

19 Extension Mechanisms for DNS (EDNS)
Allows transmission of larger packets via UDP
Normal max. is 512 bytes
This extends it to larger values, such as 4096
Essential for DNSSEC efficiency, but will make DNS amplification much more powerful
– Link Ch 1k

20 Failure to Restrict Access
Recursive DNS servers should only accept queries from your own clients
– Block outside addresses with access control lists

21 Open Resolver Project Link Ch 3b

22 Testing CCSF's DNS Servers
dig ns ccsf.edu shows 6 servers
– ns5.cenic.org 137.164.29.69 CLOSED
– ns4.cenic.org 137.164.29.67 CLOSED
– rudra3.ccsf.cc.ca.us 147.144.3.238 CLOSED
– ns6.cenic.org 198.188.255.193 CLOSED
– ns1.csu.net 130.150.102.100 OPEN
– ns3.csu.net 137.145.204.10 OPEN

23 Poisoning DNS Records

24 Changed local DNS server address – Link Ch 1h

25 DNS Cache Poisoning
Malicious altering of cache records redirects traffic for users of that server
2005 attack redirected traffic for more than 1000 companies
– Link Ch 1g, from 2005

26 DNS Cache Poisoning A false response that tricks the client puts a false entry into its cache

27 DNS Cache Poisoning
[Diagram: Attacker (1.2.3.4), DNS Resolver, Target. Two exchanges of "Where is www.yahoo.com?" / "www.yahoo.com is at 1.2.3.4": the attacker's false reply to the resolver, then the resolver's poisoned reply to the Target]

28 Kaminsky DNS Vulnerability
Serious vulnerability in 2008
Allowed poisoning caches on many servers
Patched before it was widely exploited
– Link Ch 1h

29 Link Ch 3f

30 Link Ch 3g

31 Consequences of the Kaminsky Attack
Attack can be placed in a Web page
– Many img tags, etc.
If one Comcast customer views that page, all other Comcast customers will be sent to the fake paypal.com
Poisoning can take as few as 10 seconds

32 DEMO

33 Source Port Randomization
This was patched in Windows Server 2008
Good video: Link Ch 3e

34 Randomness of Transaction ID
Each DNS query and response has a TXID field
– 16 bits long (65,536 possible values)
– Should be random
Bind 8 & 9 used predictable transaction IDs
– So only ten guesses were needed to spoof the reply

35 Randomness of Transaction ID
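Added example (not from the slides) of the defender's side of slides 33 and 34: given (source port, TXID) pairs observed in your own resolver's outgoing queries (for instance by pointing it at a test authoritative server you control), estimate whether the port and ID are predictable and roughly how large the space an off-path spoofer would have to guess is. The two sample generators are constructed; the bit counts are rough (a real ephemeral-port range is a little under 16 bits).

```python
import random
from collections import Counter

def assess_entropy(samples):
    """samples: list of (source_port, txid) from consecutive outgoing queries.
    Returns findings plus a rough size in bits of the space a blind spoofer must cover."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    n = len(samples)
    # step between consecutive IDs; a counter (Bind 8 style) has one dominant step
    steps = Counter((txids[i + 1] - txids[i]) & 0xFFFF for i in range(n - 1))
    dominant = steps.most_common(1)[0][1] if steps else 0
    findings = {
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "fixed_port": len(set(ports)) == 1,
        "sequential_txid": n > 2 and dominant >= 0.9 * (n - 1),
    }
    findings["spoof_space_bits"] = ((0 if findings["fixed_port"] else 16)
                                    + (0 if findings["sequential_txid"] else 16))
    return findings

def counter_resolver(n, start=1000):
    """Constructed: fixed source port 53 and a simple TXID counter."""
    return [(53, (start + i) & 0xFFFF) for i in range(n)]

def randomized_resolver(n, seed=7):
    """Constructed: random ephemeral port and random TXID for every query."""
    rng = random.Random(seed)
    return [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(n)]

if __name__ == "__main__":
    print(assess_entropy(counter_resolver(50)))
    print(assess_entropy(randomized_resolver(200)))
```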

36 DNS Traffic as a Gauge of Malicious Activity

37 DNS Monitoring
Infected machines often make many DNS queries
Spam relays make DNS requests to find addresses of mail servers
Botnets often make many DNS requests to obscure domains

38 Conficker Worm Domains
Algorithm made 50,000 new domains per day
Registrars tried to block them all
– Links Ch 1u, 1v

39 [Chart from Link Ch 1q: DNS requests per hour, bots vs. normal traffic]
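Added example (not from the slides): the three indicators on slide 37 turned into detection logic over constructed BIND-style query-log lines, counting per-client query volume, MX lookups and distinct registrable domains (the kind of pattern a domain-generation algorithm like Conficker's on slide 38 produces). The client addresses and names are made up and the thresholds are placeholders to tune per site.

```python
import re
from collections import defaultdict

def make_log():
    """Constructed BIND-style query log (not a real capture): one normal host, one
    host doing repeated MX lookups, one host cycling through random-looking names."""
    events = [("10.0.0.5", n, "A") for n in ("www.ccsf.edu", "hills.ccsf.edu", "www.ccsf.edu")]
    events += [("10.0.0.9", f"mail.domain{i % 10}.example", "MX") for i in range(25)]
    events += [("10.0.0.77", f"{(i * 2654435761) % 2**32:08x}.info", "A") for i in range(40)]
    return "\n".join(
        f"05-Nov-2013 10:{i // 60:02d}:{i % 60:02d}.000 client {c}#{40000 + i}: "
        f"query: {q} IN {t} + (10.0.0.2)" for i, (c, q, t) in enumerate(events))

LINE = re.compile(r"^\S+ \S+ client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+) ")

def summarize(log):
    """Per-client counters for one monitoring window (the sample log covers one hour)."""
    stats = defaultdict(lambda: {"queries": 0, "mx": 0, "domains": set()})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        s = stats[client]
        s["queries"] += 1
        if qtype == "MX":
            s["mx"] += 1
        s["domains"].add(".".join(qname.rstrip(".").split(".")[-2:]))  # registrable part
    return stats

def flag_hosts(stats, max_queries=30, max_mx=10, max_domains=20):
    """{client: reasons} for hosts matching the three indicators on slide 37."""
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["queries"] > max_queries:
            reasons.append("query volume")
        if s["mx"] > max_mx:
            reasons.append("MX lookups (spam relay?)")
        if len(s["domains"]) > max_domains:
            reasons.append("many distinct domains (DGA?)")
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    for client, reasons in flag_hosts(summarize(make_log())).items():
        print(client, ", ".join(reasons))
```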

40 Blocking DNS Resolution for Known Malicious Domains

41 OpenDNS
Anycast for reliability
Reports of DNS activity for management
Blocks malicious servers
Can enforce other rules like Parental Controls

42 Leakage of Internal Information

43 Exposure of Internal Information
Only public Web-facing servers should be in the external DNS zone files
Your DNS server is a target of attack and may be compromised

44

45 Leakage of Internal Queries to the Internet
Some Windows DHCP clients leak dynamic DNS updates to the Internet
– Link Ch 3a

46 Windows Versions
These packets were sent from Windows 2000, Windows XP, and Server 2003
– When tested in 2006
To prevent this, configure local DNS servers not to refer internal machines to external name servers
– And block DNS requests directly to the Internet

47 Dynamic DNS Registration Stupid Requests

48 AS 112: RFC 6304
Special autonomous system set up just to handle these stupid queries

49 RFC 6305

50 Domain Name Hijacking

51 DNS Registrars
Registrar connects your domain name to its authoritative servers (SOA)
Changing that data hijacks your domain

52 NY Times Rapid7

53 Defense: Registry Locks
"Test of Domain Locking" in the "Domain Name Hijacking" section

54 Typosquatting

55 Doppelganger domains are spelled almost identically to legitimate domains
– seibm.com instead of se.ibm.com (IBM's division in Sweden)

