DNS security. How DNS works Ask local resolver first about name->IP mapping – It returns info from cache if any If info not in cache, resolver asks servers.

Slides:



Advertisements
Similar presentations
Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
CSE390 – Advanced Computer Networks
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Internet Routing (COS 598A) Today: Routing Protocol Security Jennifer Rexford Tuesdays/Thursdays.
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 Interdomain Routing Security COS 461: Computer Networks Spring 2008 (MW 1:30-2:50 in COS 105) Jennifer Rexford Teaching Assistants: Sunghwan Ihm and.
Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
IIT Indore © Neminath Hubballi
IIT Indore © Neminath Hubballi
Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
Internetworking Internet: A network among networks, or a network of networks Allows accommodation of multiple network technologies Universal Service Routers.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Routing protocols. Static Routing Routes to destinations are set up manually Route may be up or down but static routes will remain in the routing tables.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
Network Security Threats KAMI VANIEA 18 JANUARY KAMI VANIEA 1.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
Interdomain Routing Security Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101
MIPv6Security: Dimension Of Danger Unauthorized creation (or deletion) of the Binding Cache Entry (BCE).
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
BGP security some slides borrowed from Jen Rexford (Princeton U)
Lecture 18 Page 1 CS 236 Online Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems.
Interdomain Routing Security COS 461: Computer Networks Jennifer Rexford.
Introduction to Information Security
Security Issues with Domain Name Systems
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Outline Basics of network security Definitions Sample attacks
DNS Cache Poisoning Attack
DNS security.
The Issue We all depend on the Internet
COS 561: Advanced Computer Networks
Interdomain Routing Security
Interdomain Routing Security
COS 561: Advanced Computer Networks
COMP/ELEC 429/556 Introduction to Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Outline The spoofing problem Approaches to handle spoofing
Outline Basics of network security Definitions Sample attacks
Presentation transcript:

DNS security

How DNS works Ask local resolver first about name->IP mapping – It returns info from cache if any If info not in cache, resolver asks servers in DNS hierarchy that are authoritative for a given domain – Start from root, root sends it to the next point in hierarchy – End at authoritative server for the domain you are asking about (auth) – Resolver caches the replies

DNS hijacking Wait for resolver (target) to ask about a name from the victim’s domain – Provide your own reply faster than auth server – Provide some extra information (IP of auth server) This poisons the cache at that resolver, not globally – But if the resolver is at the important/large network the victim can lose a lot of traffic to the attacker Attacker’s goal: impersonate the victim (phishing)

Shortcircuiting waiting Ask the target resolver about some name from the victim’s domain – Doesn’t have to be the name you intend to hijack since DNS will take extra info in the reply – Asking about non-existing names guarantees they are not in resolver’s cache already Can ask about different domains too

Cache poisoning 2 IP for (attacker asks target, target asks attackNS) Don’t know, ns.victim.com is auth for victim.com, its IP is (attackNS’s reply) Target stores ns.victim.com-> in cache Victim attacker attackN S target Hijack entire domain

Defenses Only accept auth if its domain is same about the domain you asked for Don’t accept extra info in the reply if you did not ask for it

Cache poisoning 3 IP for (attacker asks target, target asks victimNS).victim.com Attacker replies faster than the victimNS – … -> (attacker’s reply) Target stores in cache Victim attacker attackN S target Hijack one name

Cache poisoning 4 IP for madeup.victim.com (attacker asks target, target asks victimNS)madeup.victim.com Attacker replies faster than the victimNS – … ns.victim.com is auth for victim.com, its IP is (attacker’s reply) Target stores ns.victim.com-> in cache Hijack entire domain Victim attacker attackN S target

Being faster is not enough Target will only accept replies that – Come to the specific port from which requests are sent – Come with the replyID same as the requestID – Attacker doesn’t get the requests directly Can try to sniff the info Can try to guess the info If the resolver accepts the reply it will accept extra info in reply too even if it has a different version in cache

Hijacking with sniffing If on the same network as the target, attacker can try to ARP spoof the next hop – Position itself on the path of target’s requests – DNS traffic uses UDP and is not encrypted, easy to see port and request ID and provide appropriate reply

Hijacking with guessing If target uses predictable numbers for source port and request ID attacker can perform many attacks, each time trying to guess the right port/replyID combination – Having randomness in one is not enough (2 16 tries) – Kaminsky attack (cache poisoning 4 + no randomness in source port)

Defenses Randomize source port – Makes guessing harder but not impossible Use DNSSEC – Replies must be signed by auth – Everyone can check signatures – Auth servers for zones sign certificates when they delegate a sub-zone (e.g..com for example.com) – Requires clients to implement DNSSEC to verify replies

DNSSEC Auth stores two more record types – RRSIG – signature for each A record – DNSKEY – public key to verify the signature Auth inserts one record into parent in DNS hierarchy – DS – says who is authoritative for a given subdomain and gives a hash of the public key (DNSKEY of auth) Resolver sets a bit asking for DNSSEC replies – Verifies each DNSKEY using DS from the level higher in hierarchy – Verifies RRSIG of the record

DNSSEC If no record exists auth returns a long reply to prove this fact – Intent was to just provide “does not exist” reply that is specific to a given query (otherwise it could be replayed to deny existence of real names) –.. and to provide it without online signing – Thus DNSSEC provides a list of all records (in a range) that would house such record if it existed This can be misused for reflector DDoS attacks – Large amplification factor This can be misused to map a network

BGP security some slides borrowed from Jen Rexford (Princeton U)

How does BGP work AS-level (autonomous system, collection of networks under single administrative org) Relationships (usually private info) – Customer/provider (customers pay to providers) – Peer-to-peer (peers do not pay each other) Each AS announces routes it knows including entire AS path to the destination – All routes announced to customers and providers – Customer routes announced to peers Each AS can choose which routes to adopt – Preference given to customer routes, then peer, then provider – Preference given to short routes

How does BGP work Routers from neighbor ASes exchange periodic updates using TCP sessions – If TCP session dies (e.g., RST) or HELLO messages are absent assume all routes announced by neighbor are not valid anymore Withdraw your announcements of those routes Creates a rippling effect in the Internet

BGP prefix hijacking An AS announces itself – As origin of a prefix it doesn’t own – As being close to the origin of a prefix Attracts the prefix’s traffic – Can drop it (blackholing) – Can reroute it to prefix (interception)

19 Prefix Hijacking /16 Originating someone else’s prefix –What fraction of the Internet believes it?

Sub-Prefix Hijacking Originating a more-specific prefix –Every AS picks the bogus route for that prefix –Traffic follows the longest matching prefix / /24

Why is BGP hijacking hard to handle Malicious routes do not propagate to source –Source cannot observe the problem easily Even if source can observe the problem it is hard to fix –No automatic fix – source’s announcements count as much as anyone else’s once they leave the source –Must go through human channels Interception attacks are very hard to detect Source of attacks is not just maliciousness – often it is misconfiguration 21

February 24, 2008, YouTube Outage YouTube (AS 36561) –Web site –Address block /22 Pakistan Telecom (AS 17557) –Receives government order to block access to YouTube –Starts announcing /24 to provider (AS 3491) –All packets directed to YouTube get dropped on the floor Mistakes were made –AS 17557: announcing to everyone, not just customers –AS 3491: not filtering routes announced by AS (will come back to this later) Lasted 100 minutes for some, 2 hours for others 22

23 Timeline (UTC Time) 18:47:45 – First evidence of hijacked /24 route propagating in Asia 18:48:00 –Several big trans-Pacific providers carrying the route 18:49:30 –Bogus route fully propagated 20:07:25 –YouTube starts advertising the /24 to attract traffic back 20:08:30 –Many (but not all) providers are using the valid route

24 Timeline (UTC Time) 20:18:43 –YouTube starts announcing two more-specific /25 routes 20:19:37 –Some more providers start using the /25 routes 20:50:59 –AS starts prepending (“ ”) –Prepending makes routes longer, less desirable 20:59:39 –AS 3491 disconnects AS :00:00 –All is well, videos of cats flushing toilets are available

25 Lessons From the Example BGP is incredibly vulnerable –Local actions have serious global consequences –Propagating misinformation is surprisingly easy Fixing the problem required vigilance –Monitoring to detect and diagnose the problem –Immediate action to (try to) attract the traffic back –Longer-term cooperation to block/disable the attack Preventing these problems is even harder –Require all ASes to perform defensive filtering? –Automatically detect and stop bogus route? –Require proof of ownership of the address block?

Solution Techniques Protective filtering –Know your neighbors Anomaly detection –Suspect the unexpected Checking against registries –Establish ground truth for prefix origination –May not be up to date Signing and verifying –Prevent bogus AS PATHs Data-plane verification –Ensure the path is actually followed 26

27 Defensive Filtering Filter announcements from customers that are not for customer prefixes Filter announcements from customers that have a large AS on the path Keep history of prefix origins and prefer bindings that are long-lived –Could do the same for adjacencies in AS paths –This violates the basic idea of routing – resiliency –Doesn’t work on closeness attacks Not everyone does this

28 BGP session runs over TCP – TCP connection between neighboring routers – BGP messages sent over TCP connection – Makes BGP vulnerable to attacks on TCP Main kinds of attacks – Against confidentiality: eavesdropping – Against integrity: tampering – Against performance: denial-of-service Main defenses – Message authentication or encryption – Limiting access to physical path between routers – Defensive filtering to block unexpected packets Attacking BGP Sessions

29 Denial-of-Service Attacks, Part 1 Overload the link between the routers – To cause packet loss and delay – … disrupting the performance of the BGP session Relatively easy to do – Can send traffic between end hosts – As long as the packets traverse the link – (which you can figure out from traceroute) Easy to defend – Give higher priority to BGP packets – E.g., by putting packets in separate queue BGP session physical link

30 Denial-of-Service Attacks, Part 2 Third party sends bogus TCP packets – FIN/RST to close the session – SYN flooding to overload the router Leads to disruptions in BGP – Session reset, causing transient routing changes – Route-flapping, changing routes back and forth Reasons why it may be hard – Spoofing TCP packets the right way is hard Difficult to send FIN/RST with the right TCP header – Packet filters may block the SYN flooding Filter packets to BGP port from unexpected source … or destined to router from unexpected source Turn on SYN cookies

31 Exploiting the IP TTL Field BGP speakers are usually one hop apart – To thwart an attacker, can check that the packets carrying the BGP message have not traveled far IP Time-to-Live (TTL) field – Decremented once per hop – Avoids packets staying in network forever Generalized TTL Security Mechanism (RFC 3682) – Send BGP packets with initial TTL of 255 – Receiving BGP speaker checks that TTL is 254 – … and flags and/or discards the packet others Hard for third-party to inject packets remotely

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.