Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value100.00 Average84.94 90 - 1009 80 - 8914 70 - 7910 40 - 491.

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
Application Layer At long last we can ask the question - how does the user interface with the network?
Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
Man in the Middle attacks and ARP poisoning explained
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
CS426Fall 2010/Lecture 341 Computer Security CS 426 Lecture 34 DNS Security.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
Network security BGP and DNS Worms.
Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:
IIT Indore © Neminath Hubballi
Attacks on DHCP and DNS Most slides used with persmission from CS 161: Computer Security Prof. Vern Paxson University of California, Berkeley.
Geoff Huston APNIC Labs
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
DNS security. How DNS works Ask local resolver first about name->IP mapping – It returns info from cache if any If info not in cache, resolver asks servers.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)
Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
Attacks on DHCP and DNS Most slides used with persmission from CS 161: Computer Security Prof. Vern Paxson University of California, Berkeley.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Zone State Revocation (ZSR) for DNSSEC Eric Osterweil (UCLA) Vasileios Pappas (IBM Research) Dan Massey (Colorado State Univ.) Lixia Zhang (UCLA)
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
What if Everyone Did It? Geoff Huston APNIC Labs.
Presented by Mark Minasi 1 SESSION CODE: WSV333.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Introduction to Information Security
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Security Issues with Domain Name Systems
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security.
DNS Operation And Security Protection
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
DNS Cache Poisoning Attack
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS security.
CS4622: Computer Networking
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

Grades update

Homework #1 Count35 Minimum Value47.00 Maximum Value Average

Midterm Count35 Minimum Value34.00 Maximum Value56.00 Average PercentCount

DNS security

How DNS works Ask local resolver first about name->IP mapping – It returns info from cache if any If info not in cache, resolver asks servers in DNS hierarchy that are authoritative for a given domain – Start from root, root sends it to the next point in hierarchy – End at authoritative server for the domain you are asking about (auth) – Resolver caches the replies

DNS hijacking Wait for resolver (target) to ask about a name from the victim’s domain – Provide your own reply faster than auth server – Provide some extra information (IP of auth server) This poisons the cache at that resolver, not globally – But if the resolver is at the important/large network the victim can lose a lot of traffic to the attacker Attacker’s goal: impersonate the victim (phishing)

Short-circuiting waiting Ask the target resolver about some name from the victim’s domain – Doesn’t have to be the name you intend to hijack since DNS will take extra info in the reply – Asking about non-existing names guarantees they are not in resolver’s cache already Can ask about different domains too

Cache poisoning 2 IP for (attacker asks target, target asks attackNS) Don’t know, ns.victim.com is auth for victim.com, its IP is (attackNS’s reply) Target stores ns.victim.com-> in cache Victim attacker attackN S target Hijack entire domain

Defenses Only accept auth if its domain is same about the domain you asked for Don’t accept extra info in the reply if you did not ask for it

Cache poisoning 3 IP for (attacker asks target, target asks victimNS).victim.com Attacker replies faster than the victimNS – … -> (attacker’s reply) Target stores in cache Victim attacker attackN S target Hijack one name

Cache poisoning 4 IP for madeup.victim.com (attacker asks target, target asks victimNS)madeup.victim.com Attacker replies faster than the victimNS – … ns.victim.com is auth for victim.com, its IP is (attacker’s reply) Target stores ns.victim.com-> in cache Hijack entire domain Victim attacker attackN S target

Being faster is not enough Target will only accept replies that – Come to the specific port from which requests are sent – Come with the replyID same as the requestID – Attacker doesn’t get the requests directly Can try to sniff the info Can try to guess the info If the resolver accepts the reply it will accept extra info in reply too even if it has a different version in cache

Hijacking with sniffing If on the same network as the target, attacker can try to ARP spoof the next hop – Position itself on the path of target’s requests – DNS traffic uses UDP and is not encrypted, easy to see port and request ID and provide appropriate reply

Hijacking with guessing If target uses predictable numbers for source port and request ID attacker can perform many attacks, each time trying to guess the right port/replyID combination – Having randomness in one is not enough (2 16 tries) – Kaminsky attack (cache poisoning 4 + no randomness in source port)

Defenses Randomize source port – Makes guessing harder but not impossible Use DNSSEC – Replies must be signed by auth – Everyone can check signatures – Auth servers for zones sign certificates when they delegate a sub-zone (e.g..com for example.com) – Requires clients to implement DNSSEC to verify replies

DNSSEC Auth stores two more record types – RRSIG – signature for each A record – DNSKEY – public key to verify the signature Auth inserts one record into parent in DNS hierarchy – DS – says who is authoritative for a given subdomain and gives a hash of the public key (DNSKEY of auth) Resolver sets a bit asking for DNSSEC replies – Verifies each DNSKEY using DS from the level higher in hierarchy – Verifies RRSIG of the record

DNSSEC If no record exists auth returns a long reply to prove this fact – Intent was to just provide “does not exist” reply that is specific to a given query (otherwise it could be replayed to deny existence of real names) –.. and to provide it without online signing – Thus DNSSEC provides a list of all records (in a range) that would house such record if it existed This can be misused for reflector DDoS attacks – Large amplification factor This can be misused to map a network

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.