1
Network Security: DNS Spoofing, ARP Poisoning
Randy Crews, Stephen Hoffler, Alex Natic
2
DNS
Uses:
Flexibility and comprehensibility for naming rules and syntax in the Internet domain system
Sets concrete implementation for mapping addresses for hierarchy structure
Vulnerabilities:
Flooding of DNS server
Response interception
Easy to read from to sift for names or the nature of sites.
3
How it’s done: The Setup
Attacker needs to gain position between the communicators. When a user requests the IP for a web page the attacker can modify the cached IP to their own fake webpage and gather personal information. Because the cache table is edited, if it is referenced or copied for another server the poisoning can spread through to other networks.
4
How it works
Discover - DHCPDISCOVER from malicious client (initially genuine)
Request - ARP or ICMP requests from malicious client
Reply - ARP or ICMP fake reply
Offer - DHCP offers IP address to malicious client
Pack - malicious client takes hold of DHCP’s IP as its own
Parameter config - host receives malicious pack and reconfigures itself
Query - resolves domain name
Response - malicious client redirects “victim client” to fake address
5
DNS Spoofing
6
The uses of the attack
Can be used to gather login information for a wide range of accounts such as bank accounts, personal profile accounts (social media), and admin information as well.
This attack can also be used to trick victims into downloading trojans, spyware and other various malware.
7
Example
DNS spoofing is China’s way of blocking unwanted outside sites (e.g. twitter.com, facebook.com) from being accessible to the public, but its spoofing spread out of the country because an ISP outside of China configured its servers to fetch DNS info from China’s servers and spread the spoof, causing the users of the ISP to lose access to many common sites.
8
Prevention : Disabling Open Relays
It can be quite difficult to identify if an attack is being attempted, which is why prevention is so important. An advisable and simple approach is to limit whom and what the DNS server will respond to. DNS servers should only respond to internal computers and authorized server queries. We may also insert packet filtering into our network. As packets are transmitted through the network, these filters can detect and block packets with conflicting IP addresses. By filtering and limiting these access points we can reduce or eliminate the chance of a DNS attack. In order to prevent our DNS servers from issuing critical information to attackers, TCP port 53 is typically blocked.
9
Prevention : DNSSEC
As attacks become more popular, prevention will become more important. A newer alternative for DNS attack prevention is DNS Security Extensions (DNSSEC), managed by ICANN. DNSSEC digitally signs DNS records to ensure that query responses from the internet are legitimate. As users and hosts sign their validation keys, a root zone is managed to hold and secure data of validated records. ICANN is an international not-for-profit corporation under contract from the United States Department of Commerce.
10
ARP Poisoning What is ARP? Why is it needed?
What is targeted in poisoning? How do we prevent it?
11
ARP
ARP consists of 4 messages:
ARP request where the computer ‘A’ asks on a network for an IP.
ARP reply from the computer ‘B’ on the network with said IP gives ‘A’ its MAC address.
RARP request where computer ‘A’ then asks for the MAC address on a network.
RARP reply where computer ‘B’ replies and gives ‘A’ its IP address.
All devices that are connected to the network have an ARP cache where all of the MAC and IP addresses are mapped.
ARP poisoning can happen because there is no authentication when it comes to these messages.
12
ARP Poisoning: The Setup
The attacker uses tools to set their IP address to match the IP subnet of the victim. They scan for the IP and MAC addresses of the hosts on the subnetwork. They attack the LAN by changing the target’s ARP cache with fake ARP request and reply packets using their IP address. The fake request is done by replacing the target’s MAC address with the attacker’s. This causes the packets meant for the target to be sent to the attacker, because the ARP cache is updated for all computers in the network. There are many things that can be done with access to these packets, such as stealing sensitive data, eavesdropping and denial of service.
13
ARP Poisoning: How it works
Update existing entries
Create new spurious entries
Fake reply - success if target accepts without checking if sent request
Fake request - success if target updates ARP cache with IP-MAC map
ARP packet fields:
Hardware Type (x/2 bytes)
Protocol Type (x/2 bytes)
Hardware Address Length (2 bytes)
Protocol Address Length (2 bytes)
Operation [OP Code Number] (2 bytes)
Sender Hardware (MAC) Address (n bytes)
Sender Protocol (IP) Address (m bytes)
Target Hardware (MAC) Address (n bytes)
Target Protocol (IP) Address (m bytes)
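The fake-reply and fake-request cases above can be caught on the host by doing the check the target normally skips. The following is an added example, not part of the original presentation: it parses the ARP fields using the RFC 826 wire layout for Ethernet/IPv4 (where the two address-length fields are one byte each) and flags replies nobody asked for and changed IP-MAC mappings. The class and function names and all addresses are constructed for illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP payload (the bytes after the Ethernet header)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def build_arp(op, smac, sip, tmac, tip) -> bytes:
    """Build a constructed sample payload for the demo (nothing is sent on a wire)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(smac) + i(sip) + m(tmac) + i(tip)

class ArpMonitor:
    """Host-side check: remembers our own requests and the mappings already accepted."""
    def __init__(self):
        self.pending = set()   # IPs we have asked about
        self.cache = {}        # ip -> mac accepted so far

    def sent_request(self, ip):
        self.pending.add(ip)

    def observe(self, payload: bytes) -> list:
        p = parse_arp(payload)
        ip, mac, alerts = p["sender_ip"], p["sender_mac"], []
        if p["op"] == ARP_REPLY and ip not in self.pending:
            alerts.append("unsolicited-reply")   # a reply to a request we never sent
        if ip in self.cache and self.cache[ip] != mac:
            alerts.append("mapping-changed")     # someone claims a known IP with a new MAC
        if not alerts:
            self.cache[ip] = mac                 # only clean packets update the cache
        self.pending.discard(ip)
        return alerts

def demo_monitor():
    mon, gw, me = ArpMonitor(), "192.168.1.1", "192.168.1.50"
    mon.sent_request(gw)
    ok = mon.observe(build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:01", gw, "bb:bb:bb:bb:bb:02", me))
    bad = mon.observe(build_arp(ARP_REPLY, "cc:cc:cc:cc:cc:03", gw, "bb:bb:bb:bb:bb:02", me))
    return ok, bad
```

The second reply in `demo_monitor` is rejected on both counts and the cached gateway entry is left untouched.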
14
The uses of the attack
Stealing personal info: Like DNS spoofing, ARP spoofing can give access to user info such as login information and personal information.
Man in the Middle attack: The attacker listens in on conversation between two users. The attacker makes independent connections with the victims and relays the messages between them making it look like they’re communicating on a private connection. The whole conversation is controlled by the attacker so they also can inject and modify messages as well.
15
The uses of the attack (cont.)
Denial of Service attack: An attacker sends an ARP reply mapping an IP address of the network to a bad/non-existent MAC address causing all of the packets meant for the router to go to a bad/non-existent device.
16
Prevention : Static ARP
Not all protection needs to be complicated; sometimes all it takes is a static ARP entry. This works by supplying two hosts with a permanent entry in their ARP cache. With this layer of protection, poisoning becomes a lot more difficult due to an unchangeable protocol of communication. With today's technology, these ARP protections are becoming integrated into routers within their switches. This concept is known as Dynamic ARP Inspection (DAI). These routers form a table of IP addresses and MAC addresses with corresponding ports, commonly referred to as a DHCP Snooping Binding Table. When your device attempts to send packets over the network, your router will verify its legitimacy within the binding table. The DHCP Snooping Binding Table is automatically updated when any device connects to the network and asks for an IP from the DHCP server. This entry not only enables protection but can decrease network overhead due to reduced ARP communications.
17
For example, the command arp -a will show your current ARP table with the listed cache entries.
The command arp -s [target IP] [target MAC] sets this ARP cache entry as static so that it cannot be changed.
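The Dynamic ARP Inspection check described on the Static ARP slide can be modelled in a few lines. This is an added example, not part of the original presentation and not any vendor's implementation: a simplified switch learns bindings from DHCP acknowledgements seen on a trusted port and validates the sender IP, MAC and ingress port of each ARP packet arriving on untrusted ports. Port names, addresses and lease times are constructed.

```python
class SnoopingSwitch:
    """Simplified model of DHCP snooping plus Dynamic ARP Inspection."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports where the DHCP server / uplink lives
        self.bindings = {}                  # ip -> (mac, port, lease expiry time)

    def dhcp_ack(self, ingress_port, client_port, client_mac, ip, lease_s, now):
        """Learn a binding from a DHCP acknowledgement; untrusted sources are ignored."""
        if ingress_port not in self.trusted:
            return False                    # server messages from an access port: drop
        self.bindings[ip] = (client_mac, client_port, now + lease_s)
        return True

    def inspect_arp(self, port, sender_ip, sender_mac, now):
        """Return the verdict for an ARP packet received on `port`."""
        if port in self.trusted:
            return "forward"                # trusted ports bypass inspection
        entry = self.bindings.get(sender_ip)
        if entry is None:
            return "drop: no binding"       # e.g. a statically addressed gateway IP
        mac, bound_port, expires = entry
        if now >= expires:
            del self.bindings[sender_ip]
            return "drop: lease expired"
        if mac != sender_mac:
            return "drop: MAC mismatch"
        if bound_port != port:
            return "drop: wrong port"
        return "forward"

def demo_dai():
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    host_mac, other_mac = "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"   # constructed
    sw.dhcp_ack("uplink", "port3", host_mac, "192.168.1.50", 3600, now=0)
    rogue = sw.dhcp_ack("port7", "port7", other_mac, "192.168.1.1", 3600, now=0)
    return [
        rogue,                                                      # not learned
        sw.inspect_arp("port3", "192.168.1.50", host_mac, now=10),  # matches binding
        sw.inspect_arp("port7", "192.168.1.50", other_mac, now=10), # wrong MAC for IP
        sw.inspect_arp("port7", "192.168.1.1", other_mac, now=10),  # claims gateway IP
        sw.inspect_arp("port3", "192.168.1.50", host_mac, now=4000) # lease ran out
    ]
```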
18
Prevention : Virtual Private Network
A very multi-beneficial approach to your protection is a Virtual Private Network (VPN). Typically when you access the internet you first must connect to an Internet Service Provider (ISP), but with a VPN you can manipulate your access through an encrypted tunnel. Your VPN provider will take your initial IP address and replace it with an anonymous one. The locations of these supplied IP addresses are endless and this is why it guarantees such a protection. VPNs are a very important piece of your security when accessing a public or unfamiliar network. Unfortunately VPNs typically come with a monthly or annual subscription. There are some free VPNs but you will sacrifice some encryption protection. Sometimes it's best to play it safe to ensure a secure environment.
19
Look Similar?
Both DNS and ARP attacks use similar methods of storing IP mappings in caches that update when modified, so DNS and ARP spoofing are almost the same type of attack but with different addresses being modified. This is why the same information can be obtained whether you got a person’s login information via a fake website or by receiving packets meant for said person.