
Computer Networks: DNS attacks

CS 1951e - Computer Systems Security: Principles and Practice

18/02/15

Domain Name System

• The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses
• The mapping is many to one
• Example: www.cs.brown.edu and cs.brown.edu map to 128.148.32.110
• DNS provides a distributed database over the internet that stores various resource records, including:
  – Address (A) record: IP address associated with a host name
  – Mail exchange (MX) record: mail server of a domain
  – Name server (NS) record: authoritative server for a domain

Name Servers

• Domain names
  – Two or more labels, separated by dots (e.g., brown.edu)
  – Rightmost label is the top-level domain (TLD)
• ICANN: Internet Corporation for Assigned Names and Numbers
  – Controls the root domain
  – Governing body for all general TLDs (e.g., .com, .org, .net)
  – Country TLDs, controlled by government organizations
• Hierarchy of authoritative name servers
  – IP addresses of subdomains (A records) or
  – References to other name servers (NS records)
  – Root servers point to DNS servers for TLDs, etc.

Name Resolution

• Resolver
  – Program that finds DNS information
  – E.g., utility dig in Linux distributions and nslookup command in Windows
• Resolution methods
  – Recursive: the server queries another server and forwards the final answer (A record) to the client
  – Iterative: the server refers the client to another server (e.g., a root server) via an NS record
  – Option +trace in dig and [no]recurse in nslookup
• Glue record
  – Additional record included in the response to a DNS query to prevent circular references
  – E.g., A record for the name server referred to by an NS record

Recursive Name Resolution

[Figure: recursive name resolution]

Iterative Name Resolution

[Figure: iterative resolution of www.google.com by the resolver dns-int.cs.brown.edu (cs.brown.edu), steps 1 to 3 of query/answer:
  1. (root) f.root-servers.net answers: com NS d.gtld-servers.net
  2. com d.gtld-servers.net answers: google.com NS ns2.google.com
  3. google.com ns2.google.com answers: www.google.com A 74.125.226.116]

DNS Caching

• There would be too much network traffic if a path in the DNS tree were traversed for each query
  – Root zone would be rapidly overloaded
• DNS servers cache records that are results of queries for a specified amount of time
  – Time-to-live field
• Operating systems and browsers also maintain resolvers and DNS caches
  – View in Windows with command ipconfig /displaydns
  – Associated privacy issues

Recursive Name Resolution with Caching

• Each resolver checks first its cache
• New query issued only for a cache miss
• Closest cached name server queried
• Newly acquired records stored in cache

[Figure: recursive resolution of math.brown.edu with caching. The application on cslab1a.cs.brown.edu queries the resolver dns-int.cs.brown.edu (cs.brown.edu); cached record brown.edu NS bru-ns2.brown.edu; the resolver queries bru-ns2.brown.edu (brown.edu); answer math.brown.edu A 128.148.194.49]

Iterative Name Resolution with Caching

• Each resolver checks first its cache
• New query issued only for a cache miss
• Closest cached name server queried
• Newly acquired records stored in cache
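The iterative resolution traced in the figure above, combined with the cache behaviour of the last two slides, as an added example that is not part of the slides: a toy resolver over in-memory authoritative servers that follows NS referrals using their glue A records, caches every record it learns with a TTL, and starts each new lookup at the closest cached name server. The server addresses and the mail.google.com record are constructed.

```python
import time
# Constructed data (added example): server IP -> {owner name: [(type, rdata)]};
# each delegation carries an NS record plus an A "glue" record for its server.
SERVERS = {
    "198.41.0.4": {"com": [("NS", "d.gtld-servers.net")],               # root
                   "d.gtld-servers.net": [("A", "192.31.80.30")]},
    "192.31.80.30": {"google.com": [("NS", "ns2.google.com")],           # com
                     "ns2.google.com": [("A", "216.239.34.10")]},
    "216.239.34.10": {"www.google.com": [("A", "74.125.226.116")],       # google.com
                      "mail.google.com": [("A", "74.125.226.117")]},
}
ROOT, TTL = "198.41.0.4", 300

def suffixes(qname):                           # parent zones, most specific first
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def authoritative_answer(server_ip, qname):
    """Toy server: A record for qname, else referral (NS + glue) for the longest delegation."""
    recs = SERVERS[server_ip]
    a = [r for t, r in recs.get(qname, []) if t == "A"]
    if a:
        return [(qname, "A", a[0])]
    for zone in suffixes(qname):
        ns = [r for t, r in recs.get(zone, []) if t == "NS"]
        if ns:
            glue = [r for t, r in recs.get(ns[0], []) if t == "A"][0]
            return [(zone, "NS", ns[0]), (ns[0], "A", glue)]
    return []                                  # name unknown to this server

class Resolver:
    def __init__(self):
        self.cache, self.queries_sent = {}, 0  # (name, type) -> (rdata, expiry)
    def cached(self, name, rtype):             # honours the TTL: expired entries miss
        hit = self.cache.get((name, rtype))
        return hit[0] if hit and hit[1] > time.time() else None
    def resolve(self, qname):
        addr = self.cached(qname, "A")
        if addr:
            return addr                        # cache hit: no query issued at all
        known = [self.cached(self.cached(z, "NS"), "A") for z in suffixes(qname)]
        server = next((ip for ip in known if ip), ROOT)   # closest cached name server
        while True:                            # iterative: follow referrals
            self.queries_sent += 1
            records = authoritative_answer(server, qname)
            for name, rtype, rdata in records: # cache everything learned, with TTL
                self.cache[(name, rtype)] = (rdata, time.time() + TTL)
            if not records or records[0][1] == "A":
                return records[0][2] if records else None
            server = records[1][2]             # glue gives the next server's address
```

Resolving www.google.com costs three queries (root, com, google.com); resolving it again costs none, and a first lookup of mail.google.com costs one, because the cached google.com NS record and its glue replace the walk from the root.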

DNS Cache Poisoning

• Basic idea
  – Give a DNS server a false address record and get it cached
• DNS query mechanism
  – Queries issued over UDP on port 53
  – 16-bit request identifier in payload to match answers with queries
  – No authentication
• Cache may be poisoned when a name server
  – Disregards identifiers
  – Has predictable identifiers and return ports
  – Accepts unsolicited DNS records
• Early versions of BIND (popular DNS software) vulnerable to cache poisoning

DNS Cache Poisoning Defenses

• Check identifiers
• Query randomization
  – Request identifiers
  – Return ports
  – The probability of guessing a single ID or return port is: 1 / 2^16 = 0.0015%
• Use signed records

Kaminsky's Birthday Attack

• Goal: poison the cache of a victim name server to redirect traffic for an entire target domain
• Assume that the victim name server uses request ID randomization
• Attacker sends n DNS requests to server for nonexistent subdomains of the target domain, e.g., 001.brown.edu, 002.brown.edu, …
• Attacker sends n forged DNS responses with random IDs, each including
  – Correct NS record, e.g., ns.brown.edu
  – Spoofed address glue record pointing to the attacker's name server
• Attack succeeds if the IDs of a request and a forged response match
• Probability that one forged response fails to match any request ID: 1 - n / 2^16
• Probability that all n forged responses fail to match any request ID: (1 - n / 2^16)^n
• 50% attack failure/success probability for n = 213
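The defenses listed above (identifier checks, ID and return-port randomization, rejecting unsolicited records) together with the success probability from the Kaminsky slide, as an added example that is not part of the slides: a resolver-side acceptance check for UDP responses, plus the slide's formula evaluated for ID-only versus ID-plus-port randomization. Names and addresses are constructed; the bailiwick filter is standard resolver practice not named on the slides, and it does not reject the spoofed glue in Kaminsky's attack (ns.brown.edu lies inside brown.edu), which is why the extra port entropy matters.

```python
import secrets
from dataclasses import dataclass

# Added example (not from the slides): acceptance checks a caching resolver applies
# to a UDP response, and the Kaminsky-slide forgery formula for ID-only vs ID+port
# randomization. Names and addresses are constructed.
@dataclass
class Query:
    qname: str      # question asked
    server: str     # address the query was sent to
    txid: int       # random 16-bit request identifier
    port: int       # random ephemeral return port

@dataclass
class Response:
    src: str        # address the datagram came from
    dst_port: int   # port it arrived on
    txid: int
    qname: str
    records: list   # (owner, type, rdata) tuples

def in_bailiwick(owner, zone):
    """Keep only records at or below the zone the queried server is responsible for."""
    return owner == zone or owner.endswith("." + zone)

class Outstanding:
    def __init__(self):
        self.pending = {}   # (txid, port) -> Query awaiting an answer
    def send(self, qname, server):
        q = Query(qname, server, secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512))
        self.pending[(q.txid, q.port)] = q
        return q
    def accept(self, resp, zone):
        """Records safe to cache, or None when the response is unsolicited."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None or q.server != resp.src or q.qname != resp.qname:
            return None     # wrong ID, return port, source or question: drop it
        del self.pending[(resp.txid, resp.dst_port)]   # one answer per query
        return [r for r in resp.records if in_bailiwick(r[0], zone)]

def forgery_success(n, bits=16):
    """P(some forged response matches some open request) = 1 - (1 - n/2^bits)^n."""
    return 1 - (1 - n / 2 ** bits) ** n

def forgeries_for_even_odds(bits=16):
    """Smallest n with at least 50% success: 213 for the 16-bit ID alone."""
    n = 1
    while forgery_success(n, bits) < 0.5:
        n += 1
    return n
```

forgeries_for_even_odds() returns 213 for the 16-bit identifier alone, matching the slide; with a randomized return port added (32 bits of entropy) the same odds need tens of thousands of forged responses.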

 


DNSSEC

Goals
• Authenticity of DNS answer origin
• Integrity of reply
• Authenticity of denial of existence

Implementation
• Signed DNS replies at each step
• Public-key cryptography
• Certificates in the OS

Slow deployment
• Root servers support since 2010

[Figure: signed delegation chain for book.example.com (1.1.1.1) through .com and example.com; public key known to client]

Welcome to Wireless

• Radio waves
  – No need to be physically plugged into the network
  – Remote access
• Applications of wireless technology
  – Mobile phones
  – Wireless data communications
  – Wireless energy transfer
• Coverage
  – Personal Area Network (PAN)
  – Local Area Network (LAN)
  – Metropolitan Area Network (MAN)

Security concerns

• Radio signals leaking outside buildings

• Detection of unauthorized devices

• Intercepting wireless communications

• Man-in-the-middle attacks

Types of Wireless Networks

Infrastructure
– Client machines establish a radio connection to a special network device, called access point
– Access points connected to a wired network, which provides a gateway to the internet
– Most common type of wireless network

Peer-to-peer
– Multiple peer machines connect to each other
– Typically used in ad-hoc networks and internet connection sharing

[Figure: peer-to-peer network of Peers; infrastructure network of Clients connected through an Access Point to a Wired LAN]

IEEE 802.11 family of standards

Set of standards for implementing wireless local area network (WLAN) computer communication over predefined radio frequency ranges.

Defines structure of wireless frames that encapsulate the higher layers of the IP stack.

TCP/IP implementations perform reframing of packets depending on their intended recipient in order to allow greater flexibility in handling both wired and wireless data.

[Figure: Ethernet frames and IEEE 802.11 frames]

SSID spoofing

• Multiple wireless networks can coexist
  – Each network is identified by a 32-character service set ID (SSID)
  – Typical default SSID of access point is manufacturer's name
  – SSIDs often broadcast to enable discovery of the network by prospective clients
• SSIDs are not signed, thus enabling a simple spoofing attack
  – Place a rogue access point in a public location (e.g., cafe, airport)
  – Use the SSID of an ISP
  – Set up a login page similar to the one of the ISP
  – Wait for clients to connect to rogue access point and authenticate
  – Possibly forward session to ISP network
  – Facilitated by automatic connection defaults

Eavesdropping

Data sent over wired networks is unencrypted and available to eavesdroppers who physically tap the wire.

All wireless network traffic can be easily eavesdropped.

• Defenses
  – End-to-end application-level encryption (e.g., SSL, SSH)

MAC Spoofing

• MAC-based authentication typically used to identify approved machines in wireless network
• MAC spoofing attack
  – Sessions kept active after brief disconnects
  – If ISP client does not explicitly end a session, MAC spoofing allows taking over that session

Captive Portal

• Protocol
  – DHCP provides IP address
  – Name server maps everything to authentication server
  – Firewall blocks all other traffic
  – Any URL is redirected to authentication page
  – After authentication, regular network services reinstated
  – Client identified by MAC address
  – Used by wireless ISPs
• Security issues
  – A MAC spoofing and session stealing attack may be performed if client does not actively disconnect
  – A tunneling attack can bypass captive portal if DNS traffic beyond firewall is not blocked before authentication
