Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Slides:



Advertisements
Similar presentations
DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
EEC-484/584 Computer Networks Lecture 6 Wenbing Zhao
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao
Foundations of Network and Computer Security J J ohn Black Lecture #37 Dec 14 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #22 Oct 21 st 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #25 Nov 23 rd 2004 CSCI 6268/TLEN 5831, Fall 2004.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
For more notes and topics visit:
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi
By Chris Racki. Outline  Introduction  How DNS works  A typical DNS lookup  Caching for later  Vulnerabilities of DNS  Anatomy of a cache poisoning.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
DNS security. How DNS works Ask local resolver first about name->IP mapping – It returns info from cache if any If info not in cache, resolver asks servers.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Information Security Fundamentals Major Information Security Problems and Solutions Department of Computer Science Southern Illinois University Edwardsville.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
REVIEW On Friday we explored Client-Server Applications with Sockets. Servers must create a ServerSocket object on a specific Port #. They then can wait.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
Chapter 8 – Network Security Two main topics Cryptographic algorithms and mechanisms Firewalls Chapter may be hard to understand if you don’t have some.
CRYPTOGRAPHY. WHAT IS PUBLIC-KEY ENCRYPTION? Encryption is the key to information security The main idea- by using only public information, a sender can.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Written by Keith C. Ivey Presentation by Jonathan Tang.
CS2910 Week 5, Class 2 Today DNS Muddy Points More HTTP Headers Review for Midterm Exam This coming Monday: Midterm Exam SE-2811 Slide design: Dr. Mark.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
DNS Cache Poisoning – The Next Generation by Joe Stewart, GCIH Presented by Stephen Karg CS510, Advanced Security Portland State University Oct. 24, 2005.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Online Job Applications Workshop Coordinators Sharon Feeney – Andrea Reynolds –
© 2013 Infoblox Inc. All Rights Reserved. Paul UKNOF 26 – 13 Sep 2013, London Paul Ebersman.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Issues with Domain Name Systems
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
LAN Vulnerabilities.
Unit 5: Providing Network Services
DNS Cache Poisoning Attack
DNS security.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007

Announcements Remainder of the semester: Today we’ll finish talking about DNS cache poisoning and then do Quiz 3 solns Friday will be a Final Review Final Exam on Tuesday –12/18, 7:30am, this room

Unsolicited Replies Not Accepted Can’t just send a DNS record to a client who did not request it But we CAN send a reply to a client who DID request it –Problems: we have to know the request was made Not too hard if we control origin of the request (eg, a web page) Not too hard if we can sniff local network –Problems: we have to throttle legitimate replier

Remote Attacks You visit which has a legitimate link to –evil.com then throttles your DNS server and spoofs –evil.com knows you’re waiting for a resolution for amazon.com Doesn’t always work: –Sequence numbers are used, and they are sniffable on a LAN, but not remotely They used to be sequential (thus easy to guess) but now they are randomized Makes remote attacks much harder

Remote DNS Poisoning Attack a local nameserver –Send hundreds of requests to a victim nameserver for the same (bogus) name, bogus.com nameserver must ask someone else, since he won’t have this cached –Send hundreds of replies for bogus.com Problem: sequence numbers of nameserver’s help requests much be matched Answer: birthday phenomenon –Random numbers aren’t that random, which helps –Chance of a collision very high –Now users of this local nameserver will get the IP of your choice when asking for bogus.com

Remote DNS Poisoning

DNSSEC DNSSEC is a project to have a central company, Network Solutions, sign all the.com DNS records. Here's the idea, proposed in 1993: Network Solutions creates and publishes a verification key. (They are the CA) Each *.com creates a key and signs its own DNS records. Yahoo, for example, creates a key and signs the yahoo.com DNS records under that key. Network Solutions signs each *.com key. Yahoo, for example, gives its cert to Network Solutions, and Network Solutions signs a document identifying that key as the yahoo.com key. Computers around the Internet are given the Network Solutions key, and begin rejecting DNS records that aren't accompanied by the appropriate signatures. As of November 2005, Network Solutions simply isn't doing this. There is no Network Solutions key. There are no Network Solutions *.com signatures.

DNSSEC On the table for over 10 years now; written in 2002: We are still doing basic research on what kind of data model will work for DNS security. After three or four times of saying "NOW we've got it, THIS TIME for sure" there's finally some humility in the picture... "wonder if THIS'll work?"... It's impossible to know how many more flag days we'll have before it's safe to burn ROMs that marshall and unmarshall the DNSSEC related RR's, or follow chains trying to validate signatures. It sure isn't plain old SIG+KEY, and it sure isn't DS as currently specified. When will it be? We don't know. What has to happen before we will know? We don't know that either is already dead and buried. There is no installed base. We're starting from scratch. BIND 9 was released earlier this year with DNSSEC disabled…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.