Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Similar documents
Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!

DNS security: poisoning, attacks and mitigation

Use Domain Name System and IP Version 6

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

An Intrusion Detection System for Kaminsky DNS Cache poisoning

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Security of IPv6 and DNSSEC for penetration testers

DNS at NLnet Labs. Matthijs Mekking

Securing DNS Infrastructure Using DNSSEC

Using the Domain Name System for System Break-ins

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Domain Name System Security

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

DNSSEC Applying cryptography to the Domain Name System

Developing Network Security Strategies

DNS Security: New Threats, Immediate Responses, Long Term Outlook Infoblox Inc. All Rights Reserved.

DOMAIN NAME SECURITY EXTENSIONS

The Domain Name System from a security point of view

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

DNS amplification attacks

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Application Firewalls

DNS and BIND. David White

Computer Networks: Domain Name System

Chapter 11 Cloud Application Development

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

Chapter 8 Security Pt 2

True False questions (25 points + 5 points extra credit)

Securing an Internet Name Server

JPNIC Public Forum. Paul Vixie. Chairman, Internet Software Consortium. January 21, 2003

Identifying Patterns in DNS Traffic

Security of Patched DNS. Bar Ilan University, Department of Computer Science, Network Security Group Technical Report TR12-04

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Reliable DNS and DHCP for Microsoft Active Directory

Attack and Defense Techniques

Firewalls. Pehr Söderman KTH-CSC

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

Remote DNS Cache Poisoning Attack Lab

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

Firewalls 1 / 43. Firewalls

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

DNS Best Practices. Mike Jager Network Startup Resource Center

Perimeter Firewalls. Brandon Napier Rick Archibald Pete Jamison HAL PC & HLUG 09/22/2007. brought to you by: in association with

Internet Security [1] VU Engin Kirda

F-Root's DNSSEC Signing Plans. Keith Mitchell Internet Systems Consortium DNS-OARC NANOG48, Austin, 24 th Feb 2010

Reverse DNS considerations for IPv6

The story of dnsdist - or - Do we need a DNS Delivery Controller?

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

The story of dnsdist - or - Do we need a DNS Delivery Controller?

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Harness Your Internet Activity!

Network Infrastructure Under Siege

Network Security in Practice

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

FAQ (Frequently Asked Questions)

A Sampling of Internetwork Security Issues Involving IPv6

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Locking down a Hitachi ID Suite server

The Hitchhiker s Guide to DNS Cache Poisoning

Top 5 Essential Log Reports

Firewalls and Intrusion Detection

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Client Server Registration Protocol

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Web-Application Security

Public-Root Name Server Operational Requirements

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

ARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table

Denial of Service Attacks

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

DNS Update API November 15, 2006 Version 2.0.3

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

IPV6 SERVICES DEPLOYMENT

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Internet infrastructure. Prof. dr. ir. André Mariën

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Operating System Security

DNS for Internet Firewalls

CSE 127: Computer Security. Network Security. Kirill Levchenko

Transcription:

Defending your DNS in a post-kaminsky world Paul Wouters <paul@xelerance.com>

Overview History of DNS and the Kaminsky attack Various DNS problems explained Where to address the DNS problem Nameservers, Network, Client and Data Bad ideas and why we won't do them Proposed and implemented ideas The future of DNS(SEC?)

Vendor and NGO's involved

Two phase deployment First release a generic fix for the Kaminsky attack that does not leak information to the bad guys (source port randomization) Then release the bug and patches specifically against the Kaminsky attack

DNS query packet

DNS query example

DNS Answer packet

TXID is not enough anymore Bellowin's (theoretical) attack (1995)

Losing the race

Winning the race

Random source ports Bernstein:Use random src ports as entropy

DJB's hack is still just a hack

NAT and DNS rebinding

NAT and DNS rebinding (2)

Birthday Attack on src ports

Kasphureff's attack (1997) caused Bailywick restrictions

What protects our DNS? Transaction ID (TXID) Time To Live (TTL) Bailywick

The Kaminsky Attack Without source port randomization, this only takes about 65535 packets

DNS related issues: Double Fast Flux Botnets use domains with NS and A records with low (eg 3 minute) TTL's Change NS records via Registrar very quickly too (hours) This makes them next to impossible to shutdown.

DNS related issues: The Wifi hotspot Captive portals using DNS with mini DNS server This is so they can serve fake DNS This can cause client to cache wrong DNS Bad implementations break on EDNS and DNSSEC (hardcoded bits checking) Use transparent IP proxy instead

DNS related issues: Double Fast Flux Botnets use domains with NS and A records with low (eg 3 minute) TTL's Change NS records via Registrar very quickly too (hours) This makes them next to impossible to shutdown.

Where to fix the DNS? Authorative nameservers Recursive nameservers Network firewalls and IDS Applications Protect the data or transport?

DNS is critical infrastructure Backwards compatible (opt-in) Non-invasive or intrusive (drop-in) Non-disruptive (no CPU/Bandwidth hog) No Protocol changes(we have DNSSEC) Preferably no TYPE overloading No magic such as untested crypto Patent / Royalty free

Authorative nameservers Upgrade server to allow DNSSEC Diversify your infrastructure

Network IDS / Firewall It's patch work (pun intended) Does not address the problems Cannot make a decision when an attack is detected. What to do? Blocking is bad (denial of service to yourself) Monitor, log and warn. Do not interfere Be very careful with DNS load balancers

Monitor Unix based DNS

Monitoring using Cisco

Application fixes So many different applications to fix DNS API for applications is poor Easy to fool: DNS Rebinding or Fast Flux But let's not build DNS recursive nameservers in every application (however a good recursive dns server on each host is a good solution)

The inevitable: Fix recursive nameservers Port randomization Sanitize TTL's Use more IP addresses per DNS server Harden against bogus size packets Harden glue Additional queries for infrastructure data 0x20

Birthday Attack protection Do not allow multiple queries for the same question to be outstanding (AKA query chaining) (Unbound and PowerDNS support this)

Rebinding protection Allow to specify IP addresses that may never appear in external domain names This way you can ensure 10.1.1.0/24 would never come in through DNS rebinding. (supported in Unbound and PowerDNS)

The inevitable: Fix recursive nameservers RFC 5452 Measures for Making DNS More Resilient against Forged Answers draft-wijngaards-dnsext-resolver-sidemitigation draft-vixie-dnsext-0x20

Attacks can be detected

Attack response #1 At a spoof detection threshold, ignore all answers for that query Prevents accepting the right forged answer Also prevents accepting the real answer spoofmax=? Small value : easy DOS Large value: might be too late (PowerDNS has spoofmax=20)

Attack response #2 At a spoof detection threshold throw away the entire cache and start from scratch Prevents using an accepted forged answer Small value : easy DOS on the cache Large value: might be too late (Unbound has spoofmax=10m)

Add more NS records? If you already have at least two or three, this does not buy you much Only makes an attack marginally harder Excessive NS records cause other problems (and adds more potentially outdated / vulnerable nameservers)

Chain your caches (esp. the ones behind NAT)

Blacklist IP ranges Do not allow certain IP ranges (used internally) to be part of an answer from a public DNS zone not under our control This prevents DNS rebinding attacks Example: only allow 10.0.0.0/8 in ourdomain.com, nowhere else.

Hardening infrastructure queries Before accepting NS records or A records of nameservers, ask at least two different nameservers. Before accepting glue records or additional data, indepedantly verify these with new queries. (extra work is only needed once, then we use caching minimum impact)

Double Fast Flux protection Draft-bambenek-doubleflux suggests: Replacing the TTL's of NS and A records of NS records with TTL=72 hours. Llimit Registrar changes to once per 72h Recursors and clients should drop NS or A of NS with TTL < 12

The 0x20 defense (Paul Vixie) You don't need Td-CaNAdaTRuSt.cOm when you can get.com Fails completely for the root (. )

The 0x20 defense (Paul Vixie)

The 0x20 defense (Paul Vixie)

The 0x20 defense (Paul Vixie)

DNSSEC in a nutshell Show DNSSEC signed zone

DNSSEC Lookaside Verification

DNSSEC Bonus Offline secure authenticated wireless communication with rendezvous / zeroconf / bluetooth

www.xelerance.com/dnssec/

ccnso survey Nov 2007 If you have not implemented DNSSEC, are you planning to implement it?

ccnso survey Nov 2007 If you have not implemented DNSSEC, when are you planning to implement it?

.gov is signed! well, when I made these slides, it was not, but now you read it, it should be

[ Feb 2 2009 meeting information here ]

[ Feb 3-4 meeting information here]

www.govsecinfo.com

Conclusions (1) Update your nameservers, or place them behind new nameservers. Look into more software then just Bind Unbound, PowerDNS recursor Take a fresh look at your deployment, even when using firewalls and NAT. DNS will go through those. Ditch DNS captive portals and broken DSL routers

Conclusions (2) Prepare for DNSSEC Tell your vendor you require DNSSEC on the endnode that uses a dhcp obtained DNS forwarder.

Questions??

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information