Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.

Published byKevin Henderson Modified over 8 years ago

Similar presentations

Presentation on theme: "DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005."— Presentation transcript:

1 DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005

2 Domain Name System: a Quick Review URL  IP mapping Hierarchical in nature, subdivided by domains and sub-domains. Distributed database of servers manage domain subsets (too large to centralize). We don’t want to work down the tree every time as root servers have a heavy load. So local name-server may often have cached hit. This is called a non-authoritative answer.

3 DNS Protocol Refresher

4 Cache Poisoning - Motivation Corrupt cache mapping: URL  ??? Why? Redirect web traffic (DOS): www.google.comwww.google.com  www.myPopUps.comwww.myPopUps.com www.whitehouse.gov  www.Playboy.com www.whitehouse.govwww.Playboy.com Man-in-the-Middle Attack www.USBankLogin.comwww.USBankLogin.com   www.USBankLogin.comwww.USBankLogin.com www.MyPhishingSite.com

5 Brief History 1993: First paper outlining several vulnerabilities in DNS, including the technique of cache poisoning. 1997: CERT releases advisory on BIND (used by virtually every name-server) vulnerability revolving around sequential transaction ID #’s. Newer versions now randomize. 2002: Discovered that BIND will send multiple recursive queries for same IP address, opening up 16-bit transaction ID#’s to Birthday attack or more savvy Phase-Space Analysis Spoofing attack.

6 The BIND Birthday Attack

7 The Birthday Attack Send n queries to vulnerable nameserver (for URL to hijack) while sending equal number of phony replies at the same time. Each spoofed reply packet has randomly generated transaction ID#. Attacker needs to win race between the 1 st successful collision of his spoofed transactions and the legitimate answer from the Authoritative NS.* 100% success probability @ n=700. * Can further slant race in attacker’s favor by flooding ANS with bogus packets to slow it down.

8 Birthday Attack (n queries) vs. Conventional Spoofing (1 query)

9 Successful Packet must match: Transaction ID (guessed) Source and destination IP addresses (easy) Destination port (always 53) Source port: BIND often reuses same source port for replies to the same client. tcpdump of DNS request to target ANS before attack should reveal this. An example: 10:54:12.423228 192.168.1.2.33748 > 66.218.71.63.53: 21345 [1au] A? www.yahoo.com. (42) (DF) 10:54:21.313293 192.168.1.2.33748 > 216.239.38.10.53: 53735 [1au] A? www.google.com. (43) (DF) 10:54:27.182852 192.168.1.2.33748 > 149.174.213.7.53: 19315 [1au] A? www.netscape.com. (45) (DF) 10:54:43.252461 192.168.1.2.33748 > 66.35.250.11.53: 43129 [1au] A? www.linux.com. (42) (DF)

10 Phase Space Analysis Spoofing Michael Zalewski's paper "Strange Attractors and TCP/IP Sequence Number Analysis" describes a method for analyzing the predictability of transaction IDs. Tools plot random number dumps into 3-D space, revealing clustering and exposing predictability. Geometric patterns are “attractors”. An ideal random number generator appears as an evenly dispersed cloud.

11 Phase Space of BIND 8.3.4

12 Attacking BIND 8.3.4 Limit spoofing set to attractors and greatly increase odds in Birthday attack. With phase space data, Zalewski’s second tool predicts next transaction ID# with 100% probability by looking at the 3 previous ID#s. So even if birthday attack patched, BIND 8 still vulnerable (no attack specifics in paper).

13 Phase Space of BIND 9

14 BIND 9 Uses completely new random number generating engine – /dev/random Trans. ID# predictable 20% of the time w/spoofing set of n=5000. Very high bandwidth required to win race with Authoritative NS unless combined with successful DOS attack on ANS.

15 Phase Space for djbdns

16 D.J. Bernstein DNS Despite nice looking “cloud”, randomness is actually slightly worse than BIND 9 (30% @ 5000). However, djbdns randomizes source ports of each query: 22:42:41.790753 192.168.1.2.16075 > 64.58.77.85.53: 36904 A? www.yahoo.com. (31) (DF) 22:42:53.876719 192.168.1.2.53928 > 216.239.38.10.53: 1776 A? www.google.com. (32) (DF) 22:43:07.996666 192.168.1.2.59368 > 207.200.73.80.53: 16261 A? www.netscape.com. (34) (DF) 22:43:18.290976 192.168.1.2.9183 > 66.35.250.10.53: 5110 A? www.linux.com. (31) (DF) Forces attacker to guess trans. ID# and source port of spoofed reply – approx. 1 billion possible id-port pairs.

17 Recommended Defenses Users Conform SSL certificates when making secure online transactions (man-in-the-middle) Use http://www.arin.net/whois/ if suspect site is being spoofed. Run own resolver and bypass ISP altogether! Web-Servers Can use SSL to authenticate self with browsers. Be on lookout for short DOS attacks (wipe cache?)

18 ISP Nameserver Defenses Upgrade BIND to 9.x series, rewritten from scratch with security in mind. Not vulnerable to this attack. Djbdns also more resilient to Birthday attacks. Divides NS responsibilities between two separate servers (resolver/advertiser). Public server disallows recursive queries, and recursive (caching) server firewalled. Drawback: expensive, more hardware and overhead. If can’t use split-split, use “listen-on” option to bind nameserver daemon to interface protected from outside world.

19 DNSSec DNS Security Extensions IETF working group Designed to counter Cache Poisoning dynamic DNS updates KEY/SIG records using RSA public keys zone authority may sign all DNS records http://www.dnssec.net/

20 Questions?

Download ppt "DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.

Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.
DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D.

DNS Poisoning Attacks November 2005 John (Jenya) Neystadt Security Test Lead Microsoft Israel R&D.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.

DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.

Similar presentations

Ads by Google