DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense Curtis Taylor...
-
Upload
audrey-clarke -
Category
Documents
-
view
213 -
download
0
Transcript of DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense Curtis Taylor...
DNS as a Gatekeeper: Creating Lightweight
Capabilities for Server DefenseCurtis Taylor
Craig Shue
Outline
• Automated Attacking• Costs to Organizations• Some Observations• Our Approach
– Lightweight Capabilities– Fast Flux Defense
• Future Directions
2
Automated Attacking
• Attackers use others in attacks– Compromised machines form botnets
• “Attacks” vary in goal, methodology– Reconnaissance– Footholds– Exfiltration– Exploitation
• But most attacks are automated– Success rates may be low, but they make up
for it in volume3
Example Attacks
• SQL Injection• Harvesting email addresses for spam• Phishing
– The use of deception in electronic communication to obtain unauthorized access
– A symptom of system and network security improvements
4
Organization Costs
• Decreased credibility• Information exposure• Financial consequences
– Billions lost a year– Identity theft
• Business failure– Example: HBGary Federal
5
Some Observations
• Automated clients do not need host names– Mnemonic names for human convenience
• Automated clients can skip DNS queries– Directly scan IP address space– Cache records beyond what is allowed– Share with other machines in a botnet
• Humans likely play by the rules– Their browsers are standards compliant– “Illegal” caching does not really help them
6
Associating Clients and Resolvers is Non-Trivial
7
ORNL DNS
Server
ORNL Web
Server
ISP DNS Resolver
End User
System
ISP Network
DNS Query
DNS Reply
Web Query
What does this motivate?
• Some attackers are clearly skipping DNS, but a few still use it
• Good users are unlikely to skip DNS steps• Can we use this knowledge to protect
servers?– Make DNS a gatekeeper to the network– Failures to use DNS prevents access
• But it still looks successful
– Allow network providers know there is something awry with malicious clients
8
Fast Flux Defense
9
End User
System
ISP DNS Resolver
DNS Server
Real Web
Server
DNS Query
DNS Reply
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Web Query
Fast Flux Defense
10
End User
System
ISP DNS Resolver
DNS Server
Real Web
Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Honey Pot Web Server
Web Query
Future Directions
• We are ready to test– Works with BIND9, Linux’s iptables, and uses
libpcap to intercept DNS requests
• Limited deployment on ORNL’s network
11