DNS Cache Poisoning Attack

Presentation transcript:

DNS Cache Poisoning Attack
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

Outline
- DNS Cache Poisoning
- Kaminsky's DNS Cache Poisoning
- Defense mechanisms
- DNSSEC

DNS Name Resolution

Client -> DNS server: What is the IP of www.google.com?
DNS server -> Root DNS: What is the IP of www.google.com?
Root DNS -> DNS server: Try at .com (TLD DNS); its IP is 1.1.1.1
DNS server -> TLD DNS (1.1.1.1): What is the IP of www.google.com?
TLD DNS -> DNS server: Try at the google.com authoritative DNS; its IP is 2.2.2.2
DNS server -> Authoritative DNS (2.2.2.2): What is the IP of www.google.com?
Authoritative DNS -> DNS server: Its IP is 3.3.3.3
DNS server -> Client: Its IP is 3.3.3.3

DNS Vulnerability
Getting a wrong answer from the server

DNS server -> Root DNS / TLD DNS / Authoritative DNS: What is the IP of www.google.com?
Authoritative DNS -> DNS server: Its IP is 4.4.4.4 (a wrong answer)

DNS Vulnerability
Someone else answers a DNS query before the server that is supposed to answer

DNS server -> Root DNS / TLD DNS / Authoritative DNS: What is the IP of www.google.com?
Malicious guy -> DNS server: Its IP is 4.4.4.4 (arrives first)
Authoritative DNS -> DNS server: Its IP is 3.3.3.3 (arrives later)

DNS Packet Structure
[figure: DNS packet structure]


DNS Spoofing in Reality
DNS replies are verified for:
- Coming from the same IP address
- Coming to the same port from which the request was sent
- Reply is for the same query as was asked in the preceding question
- Transaction ID match

How These Verifications Are Overcome
- Coming from the same IP address: the authoritative DNS server's IP address can be discovered by offline queries
- Coming on the same port from which the request was sent: many DNS servers used static port numbers
- Answer is to the same question that was asked: this is easy if the attacker herself initiates the request
- Transaction ID match: guess it

Dan Kaminsky Attack
- Flood the recursive name server with many answers
- One of them has to be right, and it works!
- The identifier is not fully random, so one can predict it

Dan Kaminsky Attack
- Ask a recursive DNS server a question which is most likely not in its cache
- Pick a non-existent name like rnd.india.microsoft.com
- With high probability the name server will contact the authoritative name server of the microsoft.com domain
- The attacker sends a reply carrying a canonical name record and an address record:
  rnd.india.microsoft.com CNAME IN www.microsoft.com
  www.microsoft.com A IN 68.177.102.22

Defending DNS Spoofing
Many solutions focus on increasing the entropy of the DNS query components:
- Transaction ID
- Port number
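The four reply verifications from the "DNS Spoofing in Reality" slides and the entropy argument of this slide, as an added Python example that is not part of the original presentation. It assumes a simplified wire format (no name compression) and constructed packets; the probability helper models blind guessing against a 16-bit transaction ID with and without a random source port.

```python
import struct

# Added example (not from the original slides): the checks a resolver applies
# before accepting a reply, on a constructed, compression-free DNS wire format.

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label format (no compression pointers)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

def build_message(txid, qname, qtype, answers=(), response=False) -> bytes:
    """Header + question, plus optional answers given as (name, type, ttl, rdata)."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for a reply, RD for a query
    msg = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", qtype, 1)  # class IN
    for name, rtype, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def decode_name(data: bytes, off: int):
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_question(data: bytes) -> dict:
    txid, flags = struct.unpack(">HH", data[:4])
    qname, off = decode_name(data, 12)
    qtype = struct.unpack(">H", data[off:off + 2])[0]
    return {"txid": txid, "qr": bool(flags & 0x8000), "qname": qname, "qtype": qtype}

def reply_matches(outstanding: dict, src_ip: str, dst_port: int, reply: bytes) -> bool:
    """The four verifications from the slides: source IP, port, question, transaction ID."""
    h = parse_question(reply)
    return (h["qr"]
            and src_ip == outstanding["server_ip"]
            and dst_port == outstanding["src_port"]
            and h["qname"].lower() == outstanding["qname"].lower()
            and h["qtype"] == outstanding["qtype"]
            and h["txid"] == outstanding["txid"])

def spoof_success_probability(forged_replies: int, txid_bits=16, port_bits=0) -> float:
    """Chance that at least one blind guess matches; port_bits=0 models a static source port."""
    space = 2 ** (txid_bits + port_bits)
    return 1 - (1 - 1 / space) ** forged_replies
```

With a static port the guess space is only the 16-bit transaction ID; adding roughly 16 bits of port randomness makes the same number of forged replies far less likely to land.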

DNSSEC
- Security extension to the DNS protocol
- It uses a public key infrastructure to give a guarantee on who is sending the reply
  - Use the private key to digitally sign the message
  - Use the public key to verify the message
- Works fine as long as the recipient believes in the public/private key pair of the sender
- What stops someone from generating her own key pair and replying? A chain of trust relationships

How DNSSEC Works
- Each DNSSEC zone creates one or more pairs of public/private key(s)
- The public portion is put in the DNSSEC record type DNSKEY
- Zones sign all RRsets with their private key(s) and resolvers use the DNSKEY(s) to verify the RRsets
- Each RRset has a signature attached to it: RRSIG
- So, if a resolver has a zone's DNSKEY(s) it can verify that the RRsets are intact by verifying their RRSIGs

Chain of Trust in DNSSEC
- Introduces 3 new resource records
  - RRSIG: signature over an RR set using the private key
  - DNSKEY: public key, needed for verifying an RRSIG
  - DS: Delegation Signer; a 'pointer' for building chains of authentication
- The authoritative DNS server sends the following with its reply
  - RR containing the IP/URL mapping
  - RRSIG
  - DNSKEY and DS
- Verification can proceed one level higher in the hierarchy
- At no point does a DNS server give a DS which is below it
- The problem is effectively addressed if the root server becomes the highest signature verifier
- As of July 2010 there is one signed root server up and running (http://www.root-dnssec.org/)
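The DS 'pointer' from this slide, and why a self-generated key pair from the DNSSEC slide is rejected, as an added Python example that is not part of the original presentation. It assumes constructed key bytes and covers only the DS-to-DNSKEY hashing step (RFC 4034 key tag and SHA-256 digest); RRSIG verification over each RRset is left out, so it is the linking logic, not a full validator.

```python
import hashlib
import struct

# Added example (not from the original slides): how a validating resolver links
# a parent zone's DS record to the child zone's DNSKEY, walking from the root's
# configured trust anchor downward. Key bytes below are constructed, not real.

def wire_name(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of an owner name; '.' -> b'\\x00'."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = key-signing key), protocol (always 3), algorithm, key bytes."""
    return struct.pack(">HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS tuple the parent publishes: (key tag, algorithm, digest type 2, SHA-256 digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_link_valid(parent_ds: tuple, owner: str, child_rdata: bytes) -> bool:
    """A DNSKEY is trusted only if it hashes to the DS the already-trusted parent published."""
    return ds_from_dnskey(owner, child_rdata) == parent_ds

def validate_chain(trust_anchor_ds: tuple, links: list) -> bool:
    """Walk root -> TLD -> zone. links: [(owner, dnskey_rdata, ds_for_child)] from the root
    down, last ds_for_child None. Each DNSKEY must match the DS above it; the DS a zone
    publishes for its child becomes the next expected value. (RRSIG checks omitted.)"""
    expected = trust_anchor_ds
    for owner, rdata, child_ds in links:
        if not chain_link_valid(expected, owner, rdata):
            return False
        expected = child_ds
    return True
```

A responder that substitutes its own DNSKEY fails at the first link, because its key does not hash to the DS the parent signed.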

Key References for DNSSEC
- http://www.internetsociety.org/deploy360/dnssec/basics/
- http://www.root-dnssec.org/
- http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions