DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!

Similar documents
Security of Patched DNS. Bar Ilan University, Department of Computer Science, Network Security Group Technical Report TR12-04

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

A Very Incomplete Diagram of Network Attacks

Security of IPv6 and DNSSEC for penetration testers

DOMAIN NAME SECURITY EXTENSIONS

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

A S B

Towards Forensic Analysis of Attacks with DNSSEC

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

DNS security: poisoning, attacks and mitigation

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

CS5008: Internet Computing

CSE 127: Computer Security. Network Security. Kirill Levchenko

True False questions (25 points + 5 points extra credit)

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Breaking the Myths of Extended Validation SSL Certificates

Securing DNS Infrastructure Using DNSSEC

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

DNSSEC Support in SOHO CPE. OARC Workshop Ottawa 24 th September 2008

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Computer Networks: Domain Name System

Debugging With Netalyzr

How To Secure A Website With A Password Protected Login Process (

DNS-based Sender Authentication Mechanisms: a Critical Review

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

CSCE 465 Computer & Network Security

Blocking DNS Messages is Dangerous

Internet Measurement Research

DNSSEC Applying cryptography to the Domain Name System

DOMAIN NAME SYSTEM (DNS)

DNS at NLnet Labs. Matthijs Mekking

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

Firewalls and Intrusion Detection

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Linux Network Security

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

CS 356 Lecture 16 Denial of Service. Spring 2013

DNSSEC for cyber forensics

Network Security Fundamentals

Attack and Defense Techniques

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

Lecture 6: Network Attacks II. Course Admin

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

SSL and Browsers: The Pillars of Broken Security

Course Content: Session 1. Ethics & Hacking

Computer security Lecture 9

Distributed Denial of Service Attack Tools

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

An Intrusion Detection System for Kaminsky DNS Cache poisoning

The Internet. Reminders. Internet Protocol Routing: Simplified. Part 2: Networks of Networks - Internet Workings

Network Security Workshop

DNS Best Practices. Mike Jager Network Startup Resource Center

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

Use Domain Name System and IP Version 6

The Domain Name System from a security point of view

Current Counter-measures and Responses by the Domain Name System Community

SysSec 7 Network Security. Aurélien Francillon

How To Understand A Network Attack

Announcements. No question session this week

Network Security. Mobin Javed. October 5, 2011

Client Server Registration Protocol

Recommendations for dealing with fragmentation in DNS(SEC)

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Internet-Praktikum I Lab 3: DNS

CMPT 471 Networking II

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

How To Protect Your Network From Attack From A Malicious Packet From A Network (Networking) Or From A Trusted Server (Network) (Netware) (Network) (Ipo) (Port 2) (Dns) (Nnet

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

INFORMATION SECURITY REVIEW

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Introduction to Computer Security

Networking for Caribbean Development

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Overview. Firewall Security. Perimeter Security Devices. Routers

BREAKING HTTPS WITH BGP HIJACKING. Artyom Gavrichenkov R&D Team Lead, Qrator Labs

DNS amplification attacks

How do I get to

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Frequent Denial of Service Attacks

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58

Guidance Regarding Skype and Other P2P VoIP Solutions

Breaking the Security Myths of Extended Validation SSL Certificates

Detecting peer-to-peer botnets

DNS Record Injection Vulnerabilities in Home Routers

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Steelcape Product Overview and Functional Description

Securing IPv6. What Students Will Learn:

Transcription:

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013

About us Bar Ilan University NetSec group Haya Shulman: Fresh Graduate PhD Thesis: DNS Security (and more...) Amir Herzberg: NetSec/Crypto Researcher Attacks: DNS, TCP/IP, DoS,

2013 DNSSEC, IPSEC:15yrs old Yet: < 6% of traffic encrypted, Insecure against MitM attacker WHY??? False hope: attackers are `off-path` Can send spoofed packets but not intercept Reality: MitM attackers are common Open WiFi, route hijacking, mal-devices, DNS poisoning False belief: DNS, TCP immune to off-path attacks Reality: TCP hijacking, DNS poisoning

Outline Attack model: MitM vs. Off-path DNS poisoning: Background Source-port de-randomization attacks Resolver-behind-NAT, proxy-using-upstream 1 st -fragment piggybacking attacks Implications and defenses Patches: to resolvers, name-servers, registrars Deploy DNSSEC correctly [and fix it, too??]

Attacker Model: MitM or Off-Path? Man-in-the-Middle attacker On path Harder but possible: wifi, route hijack, vulnerable router, Or: give wrong address DNS poisoning Prevent with crypto: overhead, complexity, PKI Why bother? Bob, ILU! Alice Bob, I Leave U! Alice Alice Bob

Attacker Model: MitM or Off-Path? Folklore: most attackers are weak, off-path `Security is often against Off-Path Oscar Do not control devices en-route Cannot intercept/modify/block traffic Prevent: with challenge-response (`cookie`) Bob, ILU! Alice Bob, I Leave U! Alice Alice Bob

Attacker Model: MitM or Off-Path? Folklore: most attackers are weak, off-path `Security is often against Off-Path Oscar Do not control devices en-route Cannot intercept/modify/block traffic Prevent: with challenge-response (`cookie`) (Cookie=challenge) Bob, ILU! Alice Bob, I Leave U! Alice Alice Bob

Challenge-Response: What Can Go Wrong? Attacker has MitM capabilities Insufficient entropy: too short or non-uniform TCP [Zalewski01, Watson04] DNS [Klein03, Kaminsky08] Side-channel: reused field (source port) DNS [HS12, HS13], TCP [GH12, GH13, QM(X)12] Cut-&-paste: use real cookie in spoofed packet DNS [HS13] 8/1/2013

Outline Attack model: MitM vs. Off-path DNS poisoning: Background Source-port de-randomization attacks Resolver-behind-NAT, proxy-using-upstream 1 st -fragment piggybacking attacks Implications and defenses Patches: to resolvers, name-servers, registrars Deploy DNSSEC correctly [and fix it, too??]

DNS Poisoning: the Hacker s Knife Circumvent: Blacklists, SOP, CSP, SPF, DKIM Phishing Cookies theft Malware Distribution DoS Block updates

DNS Cache Poisoning 6.6.6.6 Packet with source IP: 156.4.5.6 www.bob.com A 6.6.6.6 www.bob.com A 6.6.6.6 6.6.6.6

DNS Cache Poisoning 6.6.6.6 But, must match: TX-ID (16b in req.), query, www.bob.com source port. www.bob.com Also: request A 6.6.6.6 not sent if in cache A 6.6.6.6 6.6.6.6

Defenses against DNS Poisoning Currently, mostly Challenge-response defenses: Unilateral (in resolver): `challenges using existing request fields echoed in responses TX-ID (16b), Source port (16b), Query [0x20] Cryptographic defenses (DNSSEC): limited use Root and many TLDs signed Many resolvers request signatures, but few validate Why? Myths (rare MitM, weak Oscar)

Outline Attack model: MitM vs. Off-path DNS poisoning: Background Source-port de-randomization attacks Resolver-behind-NAT, proxy-using-upstream 1 st -fragment piggybacking attacks Implications and defenses Patches: to resolvers, name-servers, registrars Deploy DNSSEC correctly [and fix it, too??]

Source Port De-Randomisation Attacks Learn source-port via side channel Attacks on two common configurations: Resolver-behind-NAT [Esorics 12] Attacks for most types of NATs (only one was secure) Upstream resolver (e.g., OpenDNS) [Esorics 13] Learn resolver s IP address, too [often enough for DoS!]

Resolver-behind-NAT: Attack Example: attack on per-dest incrementing (e.g., Linux) Initial port is random; can attacker predict/trap port? Attack phases: Hole-punch the NAT Exploit assigned mapping to guess port Variations apply to different NAT devices Herzberg and Shulman: DNSSEC, the time has come!

Upstream DNS Resolver Upstream DNS resolvers: Popular: Google s public-dns, OpenDNS, many others Recommended by experts, vendors E.g., Akamai: Customer s primary DNS are not directly exposed to end users, so the risk of cache poisoning and DoS attacks is mitigated Proxy resolvers often has lower bandwidth, weaker security We found (CAIDA): 54% incrementing ports, 30% fixed port And both types are vulnerable! Herzberg and Shulman: DNSSEC, the time has come!

Upstream DNS Resolver - Attack Poisoning attack in three phases Phase 1: find proxy s IP address Many requests with fragmented response `kill` with spoofed frag Suffices for DoS attack on proxy! Phase 2: find fixed/current port # By a more complex frag attack, or by `port overloading Phase 3: `regular (`Kaminsky ) poisoning Herzberg and Shulman: DNSSEC, the time has come!

Outline Attack model: MitM vs. Off-path DNS poisoning: Background Source-port de-randomization attacks Resolver-behind-NAT, proxy-using-upstream 1 st -fragment piggybacking attacks Implications and defenses Patches: to resolvers, name-servers, registrars Deploy DNSSEC correctly [and fix it, too??]

1 st -fragment piggybacking attacks Cut n Paste attack: Poison a long, fragmented DNS response Source fragmentation will do [works even for IPv6] All `challenges are in the first fragment! TXID, src port, even query [e.g., 0x20 defense] Replace 2 nd fragment with a fake one! Few details and quick recap on IP fragmentation

IP Fragmentation Nets have a limit on maximal packet size If the packet is larger than the limit: fragmentation Reassemble at the receiver Net 2.2.2 Net 5.5.5 Net 3.3.3 8/1/2013 From: 2.2.2.5 To : 3.3.3.7 Bob, how much I love you MTU=1500 From: 2.2.2.5 To : 3.3.3.7 Bob, how much I... From: 2.2.2.5 To : 3.3.3.7...love you! MTU=1200 Bob, how much I love you

Fragment Reassembly Bob receives fragments of a packet How to reassemble without introducing mistakes Identify fragments of the same packet By sender/receiver addresses and protocol (TCP/UDP) Not enough, add 16 bit, IP-ID Net 2.2.2 Bob, how much I love you!! 34 I ve decided I don t 8/1/2013 need a fridge 35 Net 5.5.5 Bob, how much I I ve 35 35 decided I don t 34 34 love you Need a fridge Net 3.3.3 Bob how Bob, how much much I need love you a fridge

Off-Path Discarding and Modifying We show off-path can discard and modify fragments!! Exploit fragmentation for poisoning! In reality fragmentation is rare (<1%) But, off-path attacker can cause fragmentation!! Two methods: 1. Trigger requests whose responses fragment E.g., DNSSEC protected 2. Attacker registered domain 8/1/2013

Modify Long DNSSEC Responses 8/1/2013

Poisoning DNSKEY Response

Causing Long, Fragmented Responses Often, attacker doesn t need to find a long response Attacker causes a long, fragmented response From a victim NS of a TLD (.ORG,.CO.UK, ) By registering an `appropriate subdomain To cause fragmentation: Register many name servers With long names Example? One-Domain-to-Rule-them-All. ORG Or see paper [CNS2013] or next foil

Outline Attack model: MitM vs. Off-path DNS poisoning: Background Source-port de-randomization attacks Resolver-behind-NAT, proxy-using-upstream 1 st -fragment piggybacking attacks Implications and defenses Patches: to resolvers, name-servers, registrars Deploy DNSSEC correctly [and fix it, too??]

Still patching after all these years All attacks: real, practical, validated (by others too) Resolvers (Smart) pseudo-random port allocation (see paper) Prepend random-length prefix to referral queries Name servers: Append random RR Or send random value of EDNS buffer size from NS But advanced frag attacks may change checksum field see Esorics 13 paper Either: small (non-frag) limit on EDNS (use TCP) Registrars: Limit length of subdomain responses

Or can we just use SSL/TLS? Tempting: forget DNS, just use secure connection! Using secure connection is a good idea, sure But not complete solution: Is web s PKI secure? Hmm Overhead Unrealistic to expect all web to be fixed Phishing Denial-of-service Non-web applications: SMTP, P2P, Even security: e.g.: blacklists, SPF, DKIM

DNSSEC, the time has come! These patches are too much, too complex, and: Maybe there s another vulnerability/attack? And what about MitM attacker? Like, is BGP secure? And who said they ll suffice?? We say: time to properly use DNSSEC But some improvements may be needed, too Abolish (insecure) NSEC3 OPT-OUT Add crypto-agility, esp. critical to adopt ECDSA! More See our paper on this (and/or talk to us )

Questions? Thank you! Herzberg and Shulman: DNSSEC, the time has come!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information