By Chris Racki
Outline
Introduction
How DNS works
A typical DNS lookup
Caching for later
Vulnerabilities of DNS
Anatomy of a cache poisoning
Why isn’t the security community panicked
Ok, now they’re panicked!
Mitigation
Conclusion
Introduction
Computers navigate the internet using DNS
Common requests are cached
Caching makes DNS vulnerable
When a DNS cache is poisoned, any domain name can be pointed at any IP address
The fix is in the chaos
How DNS Works
Diagram of the DNS hierarchy: Root Servers (. . .) at the top; Top Level Domain Servers below them (.com .org .net .gov .edu); second-level domains such as google.com and montclair.edu below those.
A Typical DNS Lookup
Diagram of a lookup between the User, the ISP DNS, the Root Server, the .com Server and the google.com Server:
1. User to ISP DNS: what’s the IP for www.google.com?
2. ISP DNS to Root Server: what’s the IP for www.google.com?
3. Server Referral (to the .com Server)
4. ISP DNS to .com Server: what’s the IP for www.google.com?
5. Server Referral (to the google.com Server)
6. ISP DNS to google.com Server: what’s the IP for www.google.com?
7. The IP is XXX.XXX.XXX
8. ISP DNS caches the result
9. ISP DNS to User: The IP is XXX.XXX.XXX
10. User goes to www.google.com
Vulnerabilities
Diagram: the same lookup as before, but with a forged reply in the race.
1. User to ISP DNS: what’s the IP for www.google.com?
2. ISP DNS to Root Server: what’s the IP for www.google.com?
3. Server Referral
4. ISP DNS to .com Server: what’s the IP for www.google.com?
5. Server Referral
6. ISP DNS to google.com Server: what’s the IP for www.google.com?
7. The IP is XXX.XXX.XXX
8. The IP is XXX.XXX.XXX
10. Go to www.google.com
Cached result: the forged answer is what gets cached, so the user is sent to www.BADPLACE.com
Anatomy of a Cache Poisoning
Resolver: What’s the IP for www.google.com? It’s not in my cache, I have to look it up.
Attacker: Now that he’s waiting for a response, it’s my chance!
Resolver: Unsolicited reply… ignore.
Resolver: Forged reply is accepted and cached.
Diagram: the Lookup Request carries Query ID 10021. Forged Lookup Replies arrive with Query ID 10018, 10019, 10020 and 10021; only the forged reply whose Query ID matches the request (10021) is accepted.
Why isn’t the security community panicked?
Attack only works when entry is not in cache
Hard to predict exactly when Time To Live will expire
Limited chances for attack
Ok, now they’re panicked!
In 2008 Dan Kaminsky improved the attack.
Attack is only possible when target is not in cache.
www.google.com is almost always in the cache.
fake01.google.com is never in cache so it always triggers a lookup.
Instead of forging a single page, forge the google.com DNS server.
Now all requests for the google.com domain can be redirected to attacker’s DNS server.
A More Toxic Poison
Diagram among the ISP DNS, the Root Server, the .com Server and the google.com Server:
ISP DNS to Root Server: what’s the IP for fake01.google.com?
Server Referral
ISP DNS to .com Server: what’s the IP for fake01.google.com?
Server Referral
Forged reply: forge the IP of the google.com domain DNS server
Legitimate response is too slow
What’s the fix?
Make the query ID more random
Older DNS software uses sequential query IDs or easily predicted random query IDs
Randomize the port and change it often
Older DNS software always uses one port
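The query ID race from the Anatomy slide and the two fixes above, as an added example that is not part of the slides: a toy model of a resolver's reply check, the old sequential-ID and fixed-port behaviour beside the randomized one, and the odds a blind forger has against each. Port 53 as the old fixed port, the 1024-65535 ephemeral range and the sample address are assumptions.

```python
# Added example (not part of the slides): toy resolver reply check, the old
# predictable-ID / fixed-port behaviour beside the randomized one, and the
# odds a blind forger has against each. Port 53 and the range are assumptions.
import secrets
from dataclasses import dataclass

ID_SPACE = 2 ** 16                    # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = range(1024, 65536)  # assumed randomized source-port range


@dataclass(frozen=True)
class Pending:
    qname: str
    txid: int       # transaction ID the resolver put in its query
    src_port: int   # UDP source port the query left from


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dst_port: int   # port the reply was addressed to
    answer: str


def accepts(pending: Pending, reply: Reply) -> bool:
    """Use a reply only if name, transaction ID and destination port all
    match the outstanding query; anything else is the slide's
    'unsolicited reply... ignore' case."""
    return (reply.qname == pending.qname
            and reply.txid == pending.txid
            and reply.dst_port == pending.src_port)

def pending_old_style(qname: str, last_txid: int) -> Pending:
    """Older software as described on the slide: sequential IDs and a single
    fixed source port, so both values follow from the last one seen."""
    return Pending(qname, (last_txid + 1) % ID_SPACE, 53)

def pending_randomized(qname: str) -> Pending:
    """Mitigated behaviour: random transaction ID and random source port."""
    return Pending(qname, secrets.randbelow(ID_SPACE),
                   secrets.choice(EPHEMERAL_PORTS))

def forgery_success_probability(forged_replies: int, id_space: int,
                                port_space: int) -> float:
    """Chance that at least one of `forged_replies` blind guesses matches one
    outstanding query when ID and port are uniform over the given spaces
    (port_space=1 models a fixed, known port)."""
    p_single = 1.0 / (id_space * port_space)
    return 1.0 - (1.0 - p_single) ** forged_replies
```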
Conclusion
DNS cache poisoning is not new
There are new ways to use it
A successful DNS poisoning could be very damaging
Be alert to new threats
Thank you