1 / 24

Security Attacks Using DNS Vulnerabilities

Security Attacks Using DNS Vulnerabilities. Talk by Faisal Ahmad Khan BUITEMS Cyber Security Week December 5-7, 2017. People: many identifiers: SSN, name, passport # Internet hosts, routers: IP address (32 bit) - used for addressing datagrams

catrinan
Télécharger la présentation

Security Attacks Using DNS Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Attacks Using DNS Vulnerabilities Talk by Faisal Ahmad Khan BUITEMS Cyber Security Week December 5-7, 2017

  2. People: many identifiers: SSN, name, passport # Internet hosts, routers: IP address (32 bit) - used for addressing datagrams “name”, e.g., www.yahoo.com - used by humans Q: map between IP addresses and name ? Domain Name System: distributed database implemented in hierarchy of many name servers application-layer protocol host, routers, name servers to communicate to resolvenames (address/name translation) note: core Internet function, implemented as application-layer protocol complexity at network’s “edge” DNS: Domain Name System

  3. DNS is Hierarchical Why not centralize DNS? single point of failure traffic volume distant centralized database Maintenance DNS services Hostname to IP address translation Host aliasing Canonical and alias names Mail server aliasing Load distribution Replicated Web servers: set of IP addresses for one canonical name DNS 06a DNS.ppt

  4. Root DNS Servers org DNS servers edu DNS servers com DNS servers poly.edu DNS servers umass.edu DNS servers pbs.org DNS servers yahoo.com DNS servers amazon.com DNS servers Distributed, Hierarchical Database Client wants IP for www.amazon.com; 1st approx: • Client queries a root server to find “com” DNS server • Client queries com DNS server to get “amazon.com” Authoritative DNS server • Client queries amazon.com DNS server to get IP address for “www.amazon.com” 06a DNS.ppt

  5. contacted by local name server that can not resolve Top_Level name (eats in www.macdonalds.eats) Originally there were 7 Top-Level domains (com, org, edu, mil, gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name, ...) ICANN assigns domain names (www.icann.org) a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 11 locations) k RIPE London (also Amsterdam, Frankfurt) i Autonomica, Stockholm (plus 3 other locations) m WIDE Tokyo e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) 13 root name servers worldwide b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA DNS: Root name servers 06a DNS.ppt

  6. TLD and Authoritative Servers • Top-level domain (TLD) servers: responsible for com, org, net, edu, etc, and all top-level country domains uk, fr, ca, jp. • Network Solutions, Inc. maintains servers for com TLD • Educause maintains servers for edu TLD • Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail). • Can be maintained by organization or service provider • Every “Autonomous System” (AS) must have two (backup). • Local DNS servers: organization’s DNS servers located on various subnets to provide DNS lookups for hosts on the subnet. May not be accessible from outside the subnet. Their IP addresses are part of the host's network configuration (manual or DHCP). PC looks first at “hosts” file. DNS Hack #0, add false info to it.

  7. Local Name Server • Does not strictly belong to hierarchy • Each ISP (residential ISP, company, university) has one. • Also called “default name server” or “resolver” • When a host makes a DNS query, query is sent to its local DNS server • Acts as a proxy, forwards query into hierarchy. • Today a DNS proxy (resolver) is built into most DSL and cable-modem routers DNS Hack #1: Change DNS configured IP to IP of attacker-controlled server (Windows Registry or UNIX /etc/resolv.conf) 06a DNS.ppt

  8. Host at cis.poly.edu wants IP address for gaia.cs.umass.edu Host sends a "recursion-requested" query request to dns.poly.edu. Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. local DNS server dns.poly.edu Example root DNS server 2 3 TLD DNS server 4 5 6 7 1 8 authoritative DNS server dns.cs.umass.edu requesting host cis.poly.edu $ nslookup gaia.cs.umass.edu answer 128.119.245.12 gaia.cs.umass.edu 06a DNS.ppt

  9. local DNS server dns.poly.edu Non-recursive queries root DNS server A3.NSLTD.COM norecurse or "iterated" query: • contacted server replies with name of server to contact • “I don’t know this name, but ask this server” authoritative DNS server NS1.umass.edu 3 4 2 5 1 6 requesting host cis.poly.edu gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu A3.NSLTD.COM $ nslookup -norecurse -v gaia.cs.umass.edu NS1.umass.com answer 128.119.245.12 06a DNS.ppt

  10. “dig” with “+trace” will show the entire recursive lookup. copeland$ dig+trace www.google.com. ; <<>> DiG 9.8.3-P1 <<>> +trace www.google.com. ;; global options: +cmd . 495753 IN NS e.root-servers.net. . 495753 IN NS c.root-servers.net. . 495753 IN NS a.root-servers.net. . . . (11 lines deleted) ;; Received 496 bytes from 128.61.244.254#53(128.61.244.254) in 13 ms . . . com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. . . . (11 lines deleted) ; Received 504 bytes from 192.58.128.30#53(192.58.128.30) in 138 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. ;; Received 168 bytes from 192.55.83.30#53(192.55.83.30) in 56 ms www.google.com. 300 IN A 74.125.196.104 www.google.com. 300 IN A 74.125.196.105 . . . (4 lines deleted) ;; Received 128 bytes from 216.239.36.10#53(216.239.36.10) in 64 ms

  11. once (any) name server learns a mapping, it caches the mapping (Domain’s DNS = IP) cache entries timeout (disappear) after some time (usually 20 minutes) TLD servers typically cached longer in local name servers Thus root name servers not often visited update/notify mechanisms under design by IETF RFC 2136 http://www.ietf.org/html.charters/dnsind-charter.html DNS: caching and updating records DNS Hack #0: Add a “name -> IP” entry in the UNIX /etc/hosts file, or Windows Registry file. 06a DNS.ppt

  12. DNS: distributed db storing resource records (RR) Type=NS name is domain (e.g. foo.com) value is hostname of authoritative name server for this domain RR format: (name, value, type, ttl) DNS records • Type=A (AAAA for IPv6) • name is hostname • value is IP address • Type=CNAME • name is alias name for some “canonical” (the real) name www.ibm.com is really servereast.backup2.ibm.com • value is canonical name • Type=MX • value is name of mailserver associated with name 06a DNS.ppt

  13. DNS protocol :queryand reply messages, both with same message format DNS protocol, messages msg header • identification: 16 bit # for query, reply to query uses same # • flags: • query or reply • recursion desired • recursion available • reply is authoritative 06a DNS.ppt

  14. DNS protocol, messages * Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used

  15. Inserting records into DNS • Example: just created startup “Network Utopia” • Register name networkuptopia.com at a registrar (e.g., Network Solutions) • Need to provide registrar with names and IP addresses of your authoritative name server (primary and secondary) • Registrar inserts two RRs into the .com TLD server: (networkutopia.com, dns1.acme.com, NS) (dns1.acme.com, 212.212.212.1, A) • Put in authoritative server Type A record for www.networkuptopia.com and Type MX record for networkutopia.com into dns1.acme.com (DNS service) DNS Hack #2 Register a domain like “myserver.ru”, have links in email like www.usbank.com.273846.myserver.ru. 06a DNS.ppt

  16. >whois nt.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: NT.COM Registrar: GODADDY.COM, INC. Whois Server: whois.godaddy.com Referral URL: http://registrar.godaddy.com Name Server: NS-GUY2.NORTELNETWORKS.COM Name Server: NS-HAR2.NORTELNETWORKS.COM Status: clientDeleteProhibited Status: clientRenewProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 20-jan-2009 Creation Date: 28-sep-1990 Expiration Date: 27-sep-2010 >>> Last update of whois database: Fri, 20 Feb 2009 13:33:26 UTC <<< 16

  17. local DNS server dns.poly.edu DNS Cache Poisoning root DNS server www.bigbank.com 33.22.11.44 3 TLD DNS server - IP = 87.65.43.21 4 1 Spoofed Request for no.bigbank.com source IP = 12.34.56.78 5 2 Spoofed Response - source IP = 87.65.43.21 Auth. DNS for bigbank.com =66.66.66.66 8 Future requests for all URLs in bigbank.com go to =66.66.66.66 authoritative DNS server dns.bigbank.com requesting host cis.poly.edu IP = 12.34.56.78 www.bigbank.phisher.com 66.66.66.66 17

  18. wireshark Display of DNS Response ID is random nonce used to authenticate Response to Query 18

  19. DNS protocol, spoofed messages <- 32 bits -> * Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used * 16-bit ID is used to match responses to requests. To spoof, • use 1 request and 65,536 responses, or • use 256 requests and 256 responses (Birthday attack). 06a DNS.ppt 19

  20. DNS Cache Poisoning - Anticipated Attack Sends a Request for a URL, and N fake Replies with random IDs Lookup www.cnn.com Time www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 Correct guess of <- ID Nonce Probable no. of hits = N / 65,354 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 UDP Connection closed -> 66.66.66.66 cached www.cnn.com -> 64.236.90.21 (not noticed) www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is64.236.90.21 Local DNS NS-CNN.COM Hacker 20

  21. DNS Cache Poisoning – Bellovin Birthday Attack <- Sending 260 requests for same domain, cnn.com, and N Replies with fake Auth. N.S. IP address. with random IDs Lookup www.cnn.com Time * www.cnn.com is 66.66.66.66 www..cnn.com is 66.66.66.66 <- Correct guess of one ID. Probable no. of hits 260*N/(2^16) =1 if N =252 Prob(hits>0)=0.63 Total packets = 512 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 Local DNS -> caches www.cnn.com = 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 64.236.90.21 * Local DNS sends 260 queries with different IDs. DOS Attack Local DNS NS-CNN.COM Hacker 21 DNS Hack #3: Change DNS IP configured in local cache.

  22. Fast-Flux DNS (Botnet Distributed Phishing) • Botmaster registers his DNS server, with the “ru” TLD (Top Level DNS) as the Authority for “bg4589.ru” • Botnet hosts sent out email to lure victims to a Phishing Web site www.bny.com.bg4589.ru (IP 23.45.67.89 ) • Problem: as soon as BNY Network Security person sees one of the emails, they do a DNS lookup (get 23.45.67.89), a “whois”, and shut the 23.45.67.89 host down. • Solution: vary the IP address returned to one of a thousand botnet Web servers. • Problem: BNY NetSec repeatedly does DNS lookups to get a complete list of botnet hosts. • Solution: After several lookups from the same IP, have many other bots do a Distributed Denial of Service attack (DDoS) for several days against BNY NetSec. DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown. 22

  23. local DNS server dns.poly.edu Fast Flux DNSURL in Phish -> One of Many bots root DNS server • Host at poly.edu wants IP address for www.urhckd.com • Host sends a "recursion-requested" query request to dns.poly.edu. • [Host is doing a non-recursive search] • Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. 2 3 TLD DNS server 4 5 Fast Flux - many IP’s of bot Phishing sites. 6 7 1 8 Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu. authoritative DNS server dns.urhcked.com requesting host joe.poly.edu $ nslookup www.urhckd.com. answer 78.82.245.12 $ nslookup www.urhckd.com. answer 53.119.24.124 06a DNS.ppt 23 Adapted from“Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross

  24. Five DNS Hacks DNS Hack #0 – modify /etc/resolv.conf or Windows’ Registry, to change the IP of the Local DNS Server. DNS Hack #1 – add a line to /etc/hosts or Windows’ Registry. DNS Hack #2 – In URL link, hide the actual domain: e.g., http://www.usbank.com.customer.dhs5134.hk DNS Hack #3 – Fast-Flux DNS: gives different IP every time. DNS Hack #4 – Poison the Local DNS Server’s cache (using a “Birthday” Attack) 24

More Related