Computer Networks: DNS attacks. CS 1951e - Computer Systems Security: Principles and Practice.

Lecture slides, 18/02/15 (Networks: DNS attacks)

Domain Name System
- The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses
- The mapping is many to one
  - Example: www.cs.brown.edu and cs.brown.edu map to 128.148.32.110
- DNS provides a distributed database over the internet that stores various resource records, including:
  - Address (A) record: IP address associated with a host name
  - Mail exchange (MX) record: mail server of a domain
  - Name server (NS) record: authoritative server for a domain

Name Servers
- Domain names
  - Two or more labels, separated by dots (e.g., brown.edu)
  - Rightmost label is the top-level domain (TLD)
- ICANN: Internet Corporation for Assigned Names and Numbers
  - Controls the root domain
  - Governing body for all general TLDs (e.g., .com, .org, .net)
- Country TLDs, controlled by government organizations
- Hierarchy of authoritative name servers
  - IP addresses of subdomains (A records) or
  - References to other name servers (NS records)
  - Root servers point to DNS servers for TLDs, etc.

DNS Tree (figure)
- Root
  - com: google.com (A google.com 66.249.91.104), microsoft.com (A microsoft.com 207.46.232.182), ...
  - edu: stanford.edu (A stanford.edu 171.67.216.18), brown.edu (A brown.edu 128.148.128.180), cs.brown.edu (A cs.brown.edu 128.148.32.110), ...
- Leaves of the tree hold the resource records

Name Resolution
- Program that finds DNS information
  - E.g., utility dig in Linux distributions and nslookup command in Windows
- Resolution methods
  - Recursive: the server queries another server and forwards the final answer (A record) to the client
  - Iterative: the server refers the client to another server (e.g., a root server) via an NS record
  - Option +trace in dig and [no]recurse in nslookup
- Glue record
  - Additional record included in the response to a DNS query to prevent circular references
  - E.g., A record for the name server referred to by an NS record

Recursive Name Resolution (figure)
- Application on the local machine asks the local name server for google.com
- Local name server asks another name server for google.com
- Other name server answers A 74.125.226.176; the local name server forwards A 74.125.226.176 to the application

Iterative Name Resolution (figure)
- Resolver dns-int.cs.brown.edu, serving client cs.brown.edu, looks up www.google.com
  1. Asks root server f.root-servers.net; referral: com NS d.gtld-servers.net
  2. Asks d.gtld-servers.net; referral: google.com NS ns2.google.com
  3. Asks ns2.google.com; answer: www.google.com A 74.125.226.116

DNS Caching
- There would be too much network traffic if a path in the DNS tree were traversed for each query
  - Root zone would be rapidly overloaded
- DNS servers cache records that are results of queries for a specified amount of time
  - Time-to-live field
- Operating systems and browsers also maintain resolvers and DNS caches
  - View in Windows with command ipconfig /displaydns
  - Associated privacy issues
- Additional administrator-defined static cache in hosts file

Recursive Name Resolution with Caching
- Each resolver checks its cache first
- New query issued only for a cache miss
- Closest cached name server queried
- Newly acquired records stored in cache
- Figure: application on cslab1a.cs.brown.edu asks dns-int.cs.brown.edu for math.brown.edu; the cache already holds brown.edu NS bru-ns2.brown.edu, so bru-ns2.brown.edu is queried directly and answers math.brown.edu A 128.148.194.49

Iterative Name Resolution with Caching
- Each resolver checks its cache first
- New query issued only for a cache miss
- Closest cached name server queried
- Newly acquired records stored in cache
- Figure: dns-int.cs.brown.edu looks up www.google.com for cs.brown.edu; com NS d.gtld-servers.net is already cached, so (1) d.gtld-servers.net is asked and refers to google.com NS ns2.google.com, then (2) ns2.google.com answers www.google.com A 74.125.226.116
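
The iterative walk with glue records and caching shown in the two figures, as an added example (not code from the lecture): server names and the www.google.com address are taken from the slides, while all name-server IPs and the mail.google.com record are constructed placeholders, and TTL expiry is omitted.

```python
# Added example (not lecture code): toy iterative resolver with glue and caching.
# Constructed zone data: a string value is an A record, a tuple is a
# referral (NS name, glue IP). Name-server IPs and mail.google.com are made up.
ROOT_IP = "192.0.2.1"
ZONES = {
    "192.0.2.1": {"com": ("d.gtld-servers.net", "192.0.2.2")},        # root
    "192.0.2.2": {"google.com": ("ns2.google.com", "192.0.2.3")},    # .com TLD
    "192.0.2.3": {"www.google.com": "74.125.226.116",                # google.com
                  "mail.google.com": "74.125.226.117"},
}

def suffixes(name):
    """'www.google.com' -> ['www.google.com', 'google.com', 'com']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def query(server_ip, qname):
    """One round trip: an A answer, or the closest referral the server knows."""
    data = ZONES[server_ip]
    if isinstance(data.get(qname), str):
        return ("A", qname, data[qname])
    for zone in suffixes(qname):
        if isinstance(data.get(zone), tuple):
            ns_name, glue_ip = data[zone]
            return ("NS", zone, ns_name, glue_ip)   # referral plus glue record
    raise LookupError(qname)

class Resolver:
    def __init__(self):
        self.cache = {}        # ("A", name) -> ip ; ("NS", zone) -> (ns, glue)
        self.queries_sent = 0

    def resolve(self, qname):
        if ("A", qname) in self.cache:            # cache hit: no traffic at all
            return self.cache[("A", qname)]
        server_ip = ROOT_IP
        for zone in suffixes(qname):              # closest cached name server
            if ("NS", zone) in self.cache:
                server_ip = self.cache[("NS", zone)][1]
                break
        while True:
            self.queries_sent += 1
            rr = query(server_ip, qname)
            if rr[0] == "A":
                self.cache[("A", qname)] = rr[2]
                return rr[2]
            _, zone, ns_name, glue_ip = rr
            self.cache[("NS", zone)] = (ns_name, glue_ip)
            server_ip = glue_ip                   # glue: no lookup of ns_name needed
```

The first lookup costs three queries (root, .com, google.com); a second name under google.com costs one, because the cached google.com NS record is the closest name server.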

DNS Cache Poisoning
- Basic idea
  - Give a DNS server a false address record and get it cached
- DNS mechanism
  - Queries issued over UDP on port 53
  - 16-bit request identifier in payload to match responses with queries
  - No authentication
- Cache may be poisoned when a name server
  - Disregards identifiers
  - Has predictable identifiers and return ports
  - Accepts unsolicited DNS records
- Early versions of BIND (popular DNS software) vulnerable to cache poisoning

DNS Cache Poisoning Defenses
- Check identifiers
- Query randomization
  - Request identifiers
  - Return ports
  - The probability of guessing a single ID or return port is 1 / 2^16 = 0.0015%
- Use signed records
  - DNSSEC
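
The checks a resolver applies to a UDP reply before caching anything, as an added example (not code from the lecture): it implements the slide's defenses (request-ID match, randomized return port, rejection of unsolicited replies) and goes one step further with the standard bailiwick rule that drops records outside the queried zone; the message layout and all addresses are constructed for illustration.

```python
# Added example (not lecture code): validating a DNS reply before caching it.
# Query/Response are constructed stand-ins for the wire format.
import secrets
from dataclasses import dataclass, field

@dataclass
class Query:
    qname: str
    qtype: str
    txid: int          # 16-bit request identifier, random per query
    src_port: int      # randomized ephemeral return port
    server_ip: str     # server the query went to; reply must come from it

@dataclass
class Response:
    qname: str
    qtype: str
    txid: int
    dst_port: int
    from_ip: str
    answers: list = field(default_factory=list)      # (name, type, value)
    additional: list = field(default_factory=list)   # e.g. glue records

def new_query(qname, qtype, server_ip):
    """Fresh query with a random ID and a random port in 1024..65535."""
    return Query(qname, qtype, secrets.randbelow(1 << 16),
                 1024 + secrets.randbelow(65536 - 1024), server_ip)

def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)

def accept(query, resp, zone):
    """Return the records safe to cache, or None if the reply is rejected.
    With ID and port both random, a blind guess succeeds 1 in 2^32 times."""
    if resp.from_ip != query.server_ip:      # spoofable, so necessary not sufficient
        return None
    if resp.txid != query.txid or resp.dst_port != query.src_port:
        return None
    if (resp.qname, resp.qtype) != (query.qname, query.qtype):
        return None                          # unsolicited reply
    # Kaminsky-style glue for ns.brown.edu is inside brown.edu's bailiwick,
    # so this filter alone does not stop that attack; port randomization does.
    return [rr for rr in resp.answers + resp.additional
            if in_bailiwick(rr[0], zone)]
```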

Kaminsky's Birthday Attack
- Goal: poison the cache of a victim name server to redirect traffic for an entire target domain
- Assume that the victim name server uses request ID randomization
- Attacker sends n DNS requests to the server for nonexistent subdomains of the target domain, e.g., 001.brown.edu, 002.brown.edu, ...
- Attacker sends n forged DNS responses with random IDs, each including
  - Correct NS record, e.g., ns.brown.edu
  - Spoofed address glue record pointing to the attacker's name server
- Attack succeeds if the IDs of a request and a forged response match
- Probability that one forged response fails to match any request ID: 1 - n / 2^16
- Probability that all n forged responses fail to match any request ID: (1 - n / 2^16)^n
- 50% attack failure/success probability for n = 213

DNSSEC
- Goals
  - Authenticity of DNS origin
  - Integrity of reply
  - Authenticity of denial of existence
- Implementation
  - Signed DNS replies at each step
  - Public-key cryptography
  - Certificates in the OS
- Slow deployment
  - Root servers support since 2010
- Figure: chain of signed replies from the root (public key known to the client) through .com and example.com down to book.example.com at 1.1.1.1
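
The slide's failure model (1 - n / 2^16)^n worked numerically, as an added example (not from the lecture), together with the closed-form estimate behind n = 213; it also extends the same formula, as my own extension, to the 2^32 space a resolver gets by randomizing the return port as well as the request ID.

```python
# Added example (not lecture code): birthday-attack probabilities from the slide.
import math

ID_SPACE = 2 ** 16               # 16-bit request identifier
ID_AND_PORT_SPACE = 2 ** 32      # identifier plus randomized 16-bit return port

def single_guess_probability(space=ID_SPACE):
    """Chance that one forged reply matches one outstanding query (slide: 0.0015%)."""
    return 1.0 / space

def failure_probability(n, space=ID_SPACE):
    """Probability that none of n forged replies matches any of n request IDs."""
    if n <= 0:
        return 1.0
    if n >= space:
        return 0.0
    return (1.0 - n / space) ** n

def success_probability(n, space=ID_SPACE):
    return 1.0 - failure_probability(n, space)

def estimate_requests(target=0.5, space=ID_SPACE):
    """Closed form: for n << space, (1 - n/space)^n ~ exp(-n^2/space),
    so success >= target once n ~ sqrt(-ln(1 - target) * space)."""
    return math.sqrt(-math.log(1.0 - target) * space)

def requests_for_success(target=0.5, space=ID_SPACE):
    """Smallest n with success probability >= target (exact search)."""
    n = 1
    while success_probability(n, space) < target:
        n += 1
    return n
```

With only the 16-bit ID randomized the 50% point is n = 213, as on the slide; adding a random return port pushes it to roughly 54,600 request/response pairs in flight.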

Welcome to Wireless
- Radio waves
  - No need to be physically plugged into the network
  - Remote access
- Applications of wireless technology
  - Mobile phones
  - Wireless data communications
  - Wireless energy transfer
- Coverage
  - Personal Area Network (PAN)
  - Local Area Network (LAN)
  - Metropolitan Area Network (MAN)

Security concerns
- Radio signals leaking outside buildings
- Detection of unauthorized devices
- Intercepting wireless communications
- Man-in-the-middle attacks
- Authentication of users
- Restricting access

Types of Wireless Networks
- Infrastructure
  - Client machines establish a radio connection to a special network device, called an access point
  - Access points are connected to a wired network, which provides a gateway to the internet
  - Most common type of wireless network
  - Figure: clients <-> access point <-> wired LAN
- Peer-to-peer
  - Multiple peer machines connect to each other
  - Typically used in ad-hoc networks and internet connection sharing
  - Figure: peers connected directly to one another

IEEE 802.11 family of standards
- Set of standards for implementing wireless local area network (WLAN) computer communication over predefined radio frequency ranges
- Defines the structure of wireless frames that encapsulate the higher layers of the IP stack
- TCP/IP implementations perform reframing of packets depending on their intended recipient, in order to allow greater flexibility in handling both wired and wireless data
- Figure: Ethernet frames vs. IEEE 802.11 frames

SSID spoofing
- Multiple wireless networks can coexist
- Each network is identified by a 32-character service set ID (SSID)
- Typical default SSID of an access point is the manufacturer's name
- SSIDs are often broadcast to enable discovery of the network by prospective clients
- SSIDs are not signed, thus enabling a simple spoofing attack
  - Place a rogue access point in a public location (e.g., cafe, airport)
  - Use the SSID of an ISP
  - Set up a login page similar to the one of the ISP
  - Wait for clients to connect to the rogue access point and authenticate
  - Possibly forward the session to the ISP network
- Facilitated by automatic connection defaults

Eavesdropping
- Data sent over wired networks is unencrypted and available to eavesdroppers who physically tap the wire
- All wireless network traffic can be easily eavesdropped
- Defenses
  - End-to-end application-level encryption (e.g., SSL, SSH)
  - Link layer encryption (e.g., WEP, WPA)

MAC Spoofing
- MAC-based authentication typically used to identify approved machines in a wireless network
- MAC spoofing attack
  - Sessions kept active after brief disconnects
  - If an ISP client does not explicitly end a session, MAC spoofing allows an attacker to take over that session

Captive Portal
- Protocol
  - DHCP provides IP address
  - Name server maps everything to the authentication server
  - Firewall blocks all other traffic
  - Any URL is redirected to the authentication page
  - After authentication, regular network services are reinstated
  - Client identified by MAC address
- Used by wireless ISPs
- Security issues
  - A MAC spoofing and session stealing attack may be performed if the client does not actively disconnect
  - A tunneling attack can bypass the captive portal if DNS traffic beyond the firewall is not blocked before authentication