Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Transcription

1 Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol for mapping domain names to IP addresses The mapping is many to one Example: and cs.brown.edu map to DNS provides a distributed database over the internet that stores various resource records, including: Address (A) record: IP address associated with a host name Mail exchange(mx) record: mail server of a domain Name server (NS) record: authorita>ve server for a domain 18/02/15 Networks: DNS attacks 2 1

2 Name Servers Domain names Two or more labels, separated by dots (e.g., brown.edu) Rightmost label is the top- level domain (TLD) ICANN: Internet Corpora>on for Assigned Names and Numbers Controls the root domain Governing body for all general TLDs (e.g.,.com,.org,.net) Country TLDs, controlled by government organiza>ons Hierarchy of authorita>ve name servers IP addresses of subdomains (A records) or References to other name servers (NS records) Root servers point to DNS servers for TLDs, etc. 18/02/15 Networks: DNS attacks 3 google.com A google.com com microso[.com Amicroso[.com DNS Tree stanford.edu brown.edu A stanford.edu resource records edu A brown.edu cs.brown.edu A cs.brown.edu /02/15 Networks: DNS attacks 4 2

3 Name Resolu>on Program that finds DNS informa>on E.g., u>lity dig in Linux distribu>ons and nslookup command in Windows Resolu>on methods Recursive: the server queries another server and forwards the final (A record) to client Itera>ve: the server refers to client to another server (e.g., a root server) via an NS record Op>on +trace in dig and [no]recurse in nslookup Glue record Addi>onal record included in the response to a DNS to prevent circular references E.g., A record for name server referred to by NS record 18/02/15 Networks: DNS attacks 5 Recursive Name Resolu>on Local Machine Applica>on google.com Local name server google.com Other name server A A /02/15 Networks: DNS attacks 6 3

4 Itera>ve Name Resolu>on (root) f.root-servers.net com NS d.gtld-servers.net com cs.brown.edu 1 d.gtld-servers.net 2 google.com NS ns2.google.com dns-int.cs.brown.edu 3 google.com A ns2.google.com 18/02/15 Networks: DNS attacks 7 DNS Caching There would be too much network traffic if a path in the DNS tree would be traversed for each Root zone would be rapidly overloaded DNS servers cache records that are results of queries for a specified amount of >me Time- to- live field Opera>ng systems and browsers also maintain resolvers and DNS caches View in Windows with command ipconfig /displaydns Associated privacy issues Addi>onal administrator- defined sta>c cache in hosts file 18/02/15 Networks: DNS attacks 8 4

5 Recursive Name Resolu>on with Caching Each resolver checks first its cache New issued only for a cache miss Closest cashed name server queried Newly acquired records stored in cache brown.edu math.brown.edu cs.brown.edu Applica>on cslab1a.cs.brown.edu cache brown.edu NS bru- ns2.brown.edu math.brown.edu A bru- ns2.brown.edu dns-int.cs.brown.edu 18/02/15 Networks: DNS attacks 9 Itera>ve Name Resolu>on with Caching Each resolver checks first its cache New issued only for a cache miss Closest cashed name server queried Newly acquired records stored in cache com cs.brown.edu 1 d.gtld-servers.net google.com NS ns2.google.com com NS d.gtld- servers.net dns-int.cs.brown.edu A google.com 18/02/15 Networks: DNS attacks 10 ns2.google.com 5

6 DNS Cache Poisoning Basic idea Give a DNS server a false address record and get it cached DNS mechanism Queries issued over UDP on port bit request iden>fier in payload to match s with queries No authen>ca>on Cache may be poisoned when a name server Disregards iden>fiers Has predictable iden>fiers and return ports Accepts unsolicited DNS records Early versions of BIND (popular DNS so[ware) vulnerable to cache poisoning 18/02/15 Networks: DNS attacks 11 DNS Cache Poisoning Defenses Check iden>fiers Query randomiza>on Request iden>fiers Return ports The probability of guessing a single ID or return port is: 1 / 2 16 = % Use signed records DNSSEC 18/02/15 Networks: DNS attacks 12 6

7 Kaminsky s Birthday A2ack Goal: poison the cache of a vic>m name server to redirect traffic for an en>re target domain Assume that the vic>m name server uses request ID randomiza>on A2acker sends n DNS requests to server for nonexistent subdomains of the target domain, e.g., 001.brown.edu, 002.brown.edu, A2acker sends n forged DNS responses with random IDs, each including Correct NS record, e.g., ns.brown.edu Spoofed address glue record poin>ng to the a2acker s name server A2ack succeeds if the IDs of a requests and a forged response match Probability that one forged response fails to match any request ID 1 - n / 2 16 Probability that all n forged responses fail to match any request ID (1 - n / 2 16 ) n 50% a2ack failure/success probability for n = /02/15 Networks: DNS attacks 13 Goals Authen>city of DNS origin Integrity of reply Authen>city of denial of existence Implementa>on Signed DNS replies at each step Public- key cryptography Cer>ficates in the OS Slow deployment Root servers support since 2010 DNSSEC example.com book.example.com public key known to client.com example.com book.example.com 18/02/15 Networks: DNS attacks 14 7

8 Radio waves Welcome to Wireless No need to be physically plugged into the network Remote access Applications of wireless technology Mobile phones Wireless data communications Wireless energy transfer Coverage Personal Area Network (PAN) Local Area Network (LAN) Metropolitan Area Network (MAN) 18/02/15 Networks: DNS attacks 15 Security concerns Radio signals leaking outside buildings Detection of unauthorized devices Intercepting wireless communications Man-in-the-middle attacks Authentication of users Restricting access 18/02/15 Networks: DNS attacks 16 8

9 Types of Wireless Networks Infrastructure Client machines establish a radio connection to a special network device, called access point Access points connected to a wired network, which provides a gateway to the internet Most common type of wireless network Clients Clients Clients Access Point Wired LAN Peer-to-peer Multiple peer machines connect to each other Typically used in ad-hoc networks and internet connection sharing Peer Peer Peer Peer 18/02/15 Networks: DNS attacks 17 IEEE family of standards Set of standards for implementing wireless local area network (WLAN) computer communication over predefined radio frequency ranges. Defines structure of wireless frames that encapsulate the higher layers of the IP stack. TCP/IP implementations perform reframing of packets depending on their intended recipient in order to allow greater flexibility in handling both wired and wireless data. Ethernet frames IEEE frames 18/02/15 Networks: DNS attacks 18 9

10 SSID spoofing Multiple wireless networks can coexist Each network is identified by a 32-character service set ID (SSID) Typical default SSID of access point is manufacturer s name SSIDs often broadcasted to enable discovery of the network by prospective clients SSIDs are not signed, thus enabling a simple spoofing attack Place a rogue access point in a public location (e.g., cafe, airport) Use the SSID of an ISP Set up a login page similar to the one of the ISP Wait for clients to connect to rogue access point and authenticate Possibly forward session to ISP network Facilitated by automatic connection defaults 18/02/15 Networks: DNS attacks 19 Eavesdropping Data sent over wired networks is unencrypted and available to eavesdroppers physically tap the wire. All wireless network traffic can be easily eavesdropped Defenses End-to-end application-level encryption (e.g., SSL, SSH) Link layer encryption (e.g., WEP, WPA) 18/02/15 Networks: DNS attacks 20 10

11 MAC Spoofing MAC-based authentication typically used to identify approved machines in wireless network MAC spoofing attack Sessions kept active after brief disconnects If ISP client does not explicitly end a session, MAC spoofing allows to take over that session 18/02/15 Networks: DNS attacks 21 Protocol DHCP provides IP address Cap>ve Portal Name server maps everything to authentication server Firewall blocks all other traffic Any URL is redirected to authentication page After authentication, regular network services reinstated Client identified by MAC address Used by wireless ISPs Security issues A MAC spoofing and session stealing attack may be performed if client does not actively disconnect A tunneling attack can bypass captive portal if DNS traffic beyond firewall is not blocked before authentication 18/02/15 Networks: DNS attacks 22 11