VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Transcription

1 VIDEO Intypedia013en LESSON 13: DNS SECURITY AUTHOR: Javier Osuna García-Malo de Molina GMV Head of Security and Process Consulting Division Welcome to Intypedia. In this lesson we will study the DNS domain name system that is widely used on the Internet. We will analyse its usefulness, weaknesses and the measures that can be taken to minimize attacks. Join us! SCENE1. THE DNS SYSTEM. BASIC CONCEPTS Hi Bob, this morning the travel agency where a friend of mine works had a problem with their website and how their customers accessed it. I have checked their website and it looks like an attacker has taken advantage of the DNS system to simulate the agency's website. Their intention was to impersonate the agency and steal its customer's data. Given that I haven't studied in depth how DNS works internally, could you give me some advice to guide my friend? Of course, Alice, let's get into it. As you know, Internet is a network of millions of interconnected computers. Usually, addressing schemes are used to locate each specific computer. In an analogue world, this would equal the postal addresses that allow us to send letters to each household. On the Internet, however, it is common to use schemes based on numbers: depending on the amount and size of these numbers, you can "access" more or less computers. Script Intypedia013en 1

2 Right. For the Internet, the addressing scheme based on IP addresses is widely used. For example, I read that if the protocol is IPv4, then the addresses will have four numbers separated by periods, like: Indeed. This system is great for machines to exchange information, but people find it much easier to memorize descriptive names instead of multi-digit numbers. For example, to call someone on the phone, first you look their name up on your contact list. It is much easier to associate a name or a nickname to a person than a telephone number. The same thing goes for a computer or an electronic device. This is precisely where domain name systems like the DNS are useful. They allow the translation of more or less descriptive "human" addresses into "machine" addresses, in this case IP addresses. For example, it is easier to memorize or even guess the address of the UPM University " than to work with its IP address " ". And not only that, it also allows other functions like sending s. The DNS system has its origins in the early 80's. Before that, a more rudimentary system was used: the contents of an OS file named "hosts" associated the domain name with an IP. Like a sort of local contact list. Nowadays, the DNS is a hierarchical and distributed database system, where the initial element of this system is known as a root server. To simplify this system, we generally refer to DNS clients and DNS servers. The former is software run by a computer to generate DNS requests to resolve domain names, while the later will attempt to answer the request. If they don't know the answer to a client's request they can forward the request to another server. On the Internet you can delve into the architecture and communication of this system and the importance of DNS records for a correct domain name resolution of websites, s, etc. It is important to highlight that due to the fact that the number of IP addresses, the number of DNS requests and user demands increased considerably, the DNS system had to implement measures to improve response time and performance. To do this, the DNS to which we connect from our home or office, usually stores the association between a domain name, which has already been consulted, and one or more IP's in a temporary memory. The access to this memory, which is called cache, is much faster. So every time I enter a URL in my browser I'm performing a DNS request? Well, strictly speaking, not every domain name resolution has to be a request to a DNS. In fact, Web browsers and operating systems often have a cache too. It is also possible to introduce the association between a domain name and an IP in the "hosts" file as was done before the existence of the DNS. Script Intypedia013en 2

3 For example, in the Windows operating system this can be done in C:\windows\System32\drivers\etc\hosts. How interesting! And by what you are saying, it seems that this system is more critical than I first thought. That's right. Companies and public organisations are aware of the importance and the impact that their unavailability may cause. For this reason, security is extremely high in the most important elements of the system, such as root servers that often face DoS attacks, for example. In any case, we will discuss some of the most famous attacks to the system in order to see the scale of this and also analyse what happened to your friend's server. SCENE2. ATTACKS TO THE DNS. PURPOSES Let's cut to the chase, Bob. What can you tell me about the most famous attacks to this system and, most importantly, what are the real purposes of these attacks? Let's see. Nowadays, without the DNS architecture, Internet communications would be rather complicated: accessing websites, sending s, etc. In practice, attackers use DNS to their advantage for identity theft, spying or stealing information. I'll summarize some of the typical attacks, although, possibly in future lessons, we'll take a closer look at each one of them. 1. Pharming Most attacks related to domain resolution have the purpose of stealing user's access credentials from banks, shops, social networks, online gaming, etc. To achieve this, they redirect a legitimate website's traffic to a false website specially designed to replace the first one. It can also be done with . Locally, one of the most common forms of pharming is to change the "hosts" file in the attacked operating system. This can be done using a Trojan. Similarly, it would be possible to modify the request to the DNS commands of the OS and to change the Internet connection settings related to the DNS. The modification of the DNS, whether changing its local settings or the DNS servers to which users connect over the Internet or by a man-in-the-middle attack, will normally cause the redirection of traffic. In addition to the problems of impersonation and theft, we should pay attention to this issue because it would allow the monitoring of communications, i.e., spying. In fact, there are currently proposals to eliminate dependence on traditional DNS architecture that could be controlled by only a few countries. Solutions like DNS over p2p, OpenDNS, OpenNIC and others, are mentioned more and more often. Script Intypedia013en 3

4 2. DNS cache poisoning In a "DNS cache poisoning" the attacker requests the attacked DNS for a domain that is hosted on another DNS controlled by the attacker, which we will call "malicious DNS". Since the attacked DNS doesn't have that domain in its cache, it will end up sending a request to the malicious DNS. The malicious DNS will not only answer with the IP associated to the requested domain, but also with fraudulent IP s joined with domains, such as banks. The attacked DNS will reply to the attacker's initial request with the domain IP he asked for and will save in the cache the rest of malicious domain/ip associations. The attacked DNS, from that moment until it clears its cache, will return the fraudulent IP s when it receives requests associated with the additional domains the malicious DNS answered with. In the summer of 2008, researcher Dan Kaminsky released a series of new findings that proved the seriousness of the poisoning problem and how it can even be applied on a global scale over the Internet. For example, it could be used to compromise application upgrades, which is known as "evilgrade", so that an attacker could impersonate the site from where we download the OS updates. 3. DNS ID Spoofing with Sniffing DNS ID Spoofing is basically impersonating an identity in a DNS. To use this attack we must be able to listen or to "sniff" the traffic generated by the target user's machine. To begin with, the user will send a request to a DNS this must have an ID between 1 and that the attacker can discover just by sniffing. Before the DNS replies, the attacker has to reply using the same identifier as the request sent to the original port, which has also been discovered. This reply will associate the accessed domain with a fraudulent IP. Then the deceived user's machine will receive a non malicious reply that it will discard, since it has already received another with the same identifier. As you can see, in most cases the problem comes because the DNS traffic requests and responses isn't authenticated, allowing attackers to impersonate and tamper easily. This attack is an example of a man-in-the-middle attack to the DNS protocol. There certainly are quite a few attacks. Are there any more? Okay, this one is exceptional: do you think there is a way of knowing if a DNS has resolved a domain before we ask for it? Script Intypedia013en 4

5 Mmm... Well I don't know. The answer is yes. That is called "DNS cache snooping". For example, from a DNS used by a company's employees we could obtain information like the banks the company works with, the banks its employees work with, its customers, suppliers, political profiles of its employees, the software they have installed and so on. In fact, other attacks based on zone transfer were very common in the past. These would exploit the misconfiguration of a DNS server to dump the data of the domains it managed. In the particular case of an organization's DNS server, with this attack you could obtain a complete map of the organization's internal network: hosts, internal IP addresses, and so on. But that doesn't seem that bad... Well, sure, it's less dangerous than other attacks, but besides having legal implications, that information could also be used to perform attacks such as phishing, social engineering or to effectively exploit software vulnerabilities. There are also other uses that take advantage of the DNS architecture, but we will have time to talk about steganography with DNS, malware distribution via DNS, fast flux, and so on in the future. SCENE 3. RECOMMENDATIONS AND SECURITY. Bob, what can be done to minimize those attacks? I have to give my friend some advice at least... On one hand we have traditional measures. From a user's perspective, we have to take the appropriate steps to ensure that our computers and routers are properly protected. As we already discussed in previous lessons, this entails: upgrading our software, configuring the antivirus properly, using a firewall, a proper password policy... In most cases the attacks will come this way. On the other hand, if your mission is to protect an infrastructure, then you should have a strong access control and an effective monitoring system; you should raise awareness among employees about social engineering techniques; only allow access to the DNS cache from machines hosted within the internal network; have the updated versions of software implemented in the DNS; configure services correctly... In addition, if in the worst case scenario you suffer an attack, it is essential to have the DNS trace of whom, what and Script Intypedia013en 5

6 when changes are made to the DNS information. This way you will be able to detect what happened and how. Without doubt, the biggest problem of the DNS is that its design didn't consider security aspects. Today there are standards such as DNSSEC (Domain Name System Security Extensions) from the IETF (Internet Engineering Task Force), which provide authentication and integrity of data exchanged via DNS using public key cryptography, thus hindering spoofing attacks. We need to be aware of these proposals to improve global security. You have clarified many things, Bob. Thanks. I think with this information I can guide my friend so she can advise her customers the safest way to connect to her agency. I think that is enough for today. On the Intypedia website you can find additional information for this lesson, especially on the DNS system architecture. See you later. See you soon! Script adapted to the Intypedia format from the document sent by Javier Osuna García-Malo de Molina Madrid, Spain. March Script Intypedia013en 6