DNS Attacks - Internet Society - Haythem EL MIR, CISSP, CTO, NACS


DNS Attacks

Haythem EL MIR, CISSP

CTO, NACS

Why worry about DNS?

VeriSign: DoS attack could shut down internet
Denial-of-service attacks are growing faster than bandwidth is being added to the internet, according to VeriSign.

All applications rely on DNS!

Famous DNS Attacks

Distributed denial of service attacks on root nameservers
1. On October 21, 2002 an attack lasting for approximately one hour was targeted at all 13 DNS root name servers.
2. On February 6, 2007 an attack began at 10 AM and lasted twenty-four hours. At least two of the root servers (G-ROOT and L-ROOT) reportedly suffered badly while two others (F-ROOT and M-ROOT) experienced heavy traffic.

Reports of Massive DNS Outages in Germany
Today at around 1:30 p.m. (CEST), DENIC, the manager of the country-code TLD .de, noted that the .de DNS service accidentally sent out “NX”, i.e. “non-existent domain” responses for part of its overall domain inventory, although the relevant domains actually exist. As a result, the pertinent domains could no longer be accessed.

VeriSign details massive denial-of-service attacks
Hackers used botnets and DNS servers to swamp networks with torrents of data (March 2006)

After DNS problem, Chinese root server is shut down
A China-based root DNS server associated with networking problems in Chile and the U.S. has been disconnected from the Internet. (March 2010)

DDoS Attack on DNS Hits Amazon and Others Briefly
Internet users in Northern California were unable to reach properties including Amazon.com and Amazon Web Services for a time Wednesday evening, as their DNS provider was targeted by a distributed denial-of-service attack. The attack came as North American consumers rushed to finish online shopping ahead of the end-of-year holiday season. (October 2010)

DNS attack hijacks Twitter / Twitter hack was DNS redirect
A DNS hijacking attack left Twitter temporarily affected for about an hour early on Friday. The initial attack has left many users scratching their heads while spreading the belief that Twitter's servers themselves were commandeered by hackers in the name of the "Iranian Cyber Army". (December 2009)


Hackers Temporarily Seize Control Of Google Morocco Domain Name (May 2009)
The domain name for Google Morocco's search portal was taken hostage by hackers earlier today, reportedly for several hours before the problem got fixed.


Facebook "DNS Failure" Outage Takes Over Google Search Trends


DNS Protocol Security vulnerabilities

• Open protocol with no encryption: queries and answers travel in the clear and can be read or forged on the wire.
• Widely implemented and deployed using BIND, which has a long history of known security holes.
• Very rudimentary authentication: a reply is accepted if it carries the transaction ID the server expects.
• Caching lets answers bypass the authoritative servers, so unreliable (or forged) information can be stored in many locations across the internet.
• Heavy reliance on the network makes DNS vulnerable to network outages.


DNS Vulnerabilities due to Poor Planning

• Single point of failure issues
• Running registered authoritative DNS servers on a single subnet can cause severe application outages if the gateway/router connecting this subnet goes down
• Running the DNS servers in a single geographical area
• Running DNS servers on a single OS
• Poor capacity planning or lack of load balancing
• Poor disaster recovery planning
• Failure to upgrade or patch the DNS implementation
• Misconfiguration


DNS Resolving

Example: a resolver asks its caching forwarder (recursive) for "www.test.net A".

1. Resolver -> caching forwarder: www.test.net A?
2. Caching forwarder -> root server: www.test.net A?
3. Root server: "go ask net server @ X.gtld-servers.net" (+ glue)
4. Caching forwarder -> gtld server: www.test.net A?
5. gtld server: "go ask test server @ ns.test.net" (+ glue)
6. Caching forwarder -> test server (ns.test.net): www.test.net A?
7. test server: "193.0.0.203"
8. Caching forwarder adds the answer (and the referrals it collected) to its cache
9. Caching forwarder -> resolver: 193.0.0.203
10. The cached entry is kept for the record's TTL; after it expires the lookup is repeated

DNS Vulnerabilities

The data path, as drawn on the slide, runs: zone administrator -> (zone file, dynamic updates) -> master -> slaves -> caching forwarder -> resolver. Each numbered threat lands on one hop of that path:

1. Corrupting data: altered zone data on the way from the zone administrator into the zone file.
2. Unauthorized updates: forged dynamic updates accepted by the master.
3. Impersonating the master: slaves pull zone data from a fake master.
4. Cache pollution by data spoofing: forged answers cached by the caching forwarder.
5. Cache impersonation: forged answers delivered to the resolver in place of the cache's.

Server protection (hardening and access control on the master, slaves and caching forwarder) addresses threats 1 to 3; data protection (authenticity of the zone data and of the answers end to end) addresses threats 4 and 5.

Common DNS Attacks


DoS attacks

• One or more attackers controlling one or more devices launch an avalanche of messages at one or more DNS servers.
• If the sources are distributed, such an attack is difficult to control and trace.
• DNS responses are larger than requests and can be used to magnify attacks using spoofed source IP addresses: the attacker sets the source IP address of many DNS requests to the address of the target, so the DNS server sends its (larger) responses to the target.


D-DoS attack to Root Servers

• On Oct 21, 2002 a wide-scale attack was launched at the 13 IP addresses of the root servers using ICMP echo reply messages.
• According to Keynote Systems, 7 of the 13 root servers were severely slowed down during the attack.


Cache poisoning

• Alteration of the contents of the DNS cache.
• A query is sent to a local DNS server, which starts a recursive search.
• A fake response is sent by the attacker before the valid server responds.
• The local DNS server returns the fake response to the resolver and caches the forged mapping.
• Can lead to a denial of service or to redirection to an evil site (that collects, for example, private information).


DNS spoofing/cache poisoning

Parties: client resolver, local DNS server, attacker.

1. DNS request: the client resolver sends its query to the local DNS server.
2. Spoofed reply: the attacker answers first, using the source address of the local DNS server.
3. True reply: the legitimate answer from the local DNS server arrives afterwards.
4. ICMP port unreachable: the client has already closed its socket, so the late true reply is bounced with an ICMP port unreachable message.


Cache Poisoning - another variation

• The attacker directs the local DNS server to a DNS server he controls, which returns bogus info. The local DNS server does not properly check the response and caches the bogus info.

Parties: bad guy's terminal, bad guy's DNS server, local DNS server, laptop (an ordinary client).

1. From his terminal, the bad guy sends a query for a name that needs to be resolved by his DNS server.
2. The query is forwarded to the bad guy's DNS server.
3. The bad guy's server returns the real answer along with spoofed info, which the local DNS server caches.
4. The laptop later queries www.dod.gov.
5. The local DNS server returns the spoofed address, which points to the bad guy's server.


Attacks on DNS

• DNS ID spoofing / man in the middle
• Machine X needs to know the IP of machine Y.
• X assigns a random identification number (16 bits) to the request it sends to the DNS server and expects this number to be present in the DNS reply.
• An attacker using a sniffer intercepts the DNS request and sends X a reply containing the correct identification number but with an IP of his choice.


• DNS ID spoofing without a sniffer (the Birthday Paradox)
• The identification number has 65536 possible values (16 bits).
• An attacker sends n queries for www.test.com and the victim DNS server sends n queries to ns.test.com.
• The attacker sends n spoofed replies, purporting to come from ns.test.com, to the victim DNS server.
• Because of the Birthday Paradox, the probability that one of the n replies carries a correct identification number rises rapidly even for small n.


Queries   Chances
100       0.0728
200       0.2621
400       0.7048
650       0.9604
750       0.9865
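The chances in the table can be reproduced. The following is an added example, not code from the slides: it computes the classic birthday probability for a 16-bit ID space (the formula the table follows), contrasts it with the naive one-query-at-a-time attack, and shows how much the same attack costs once a random 16-bit source port is added to the guess space. The ID space and the row counts are the only inputs; nothing here is measured.

```python
"""Chance that a blind DNS transaction-ID guess succeeds, with and without the birthday trick.

Added worked example (not from the slides): it reproduces the table above from the
classic birthday formula and contrasts it with the naive one-query-at-a-time attack.
All numbers are computed, not measured; the 16-bit ID space is the only input.
"""

ID_SPACE = 1 << 16          # 16-bit transaction ID: 65536 possible values


def p_naive(n, space=ID_SPACE):
    """One outstanding query, n spoofed replies with distinct guessed IDs: n / space."""
    return min(1.0, n / space)


def p_birthday(n, space=ID_SPACE):
    """Classic birthday bound: probability that n values drawn uniformly from `space`
    contain at least one collision, 1 - prod_{i=0}^{n-1} (1 - i/space).
    This is the formula behind the slide's table (100 -> 0.0728, ..., 750 -> 0.9865)."""
    if n >= space:
        return 1.0
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= 1.0 - i / space
    return 1.0 - p_no_collision


def queries_for(target, space=ID_SPACE):
    """Smallest n for which the birthday attack reaches probability `target`
    (incremental product, so it stays O(n) even for a 32-bit space)."""
    p_no_collision, n = 1.0, 0
    while 1.0 - p_no_collision < target:
        p_no_collision *= 1.0 - n / space
        n += 1
    return n


def table(ns=(100, 200, 400, 650, 750)):
    """Rows of (queries, naive chance, birthday chance): the slide's rows plus a naive column."""
    return [(n, round(p_naive(n), 4), round(p_birthday(n), 4)) for n in ns]


if __name__ == "__main__":
    print(f"{'queries':>8} {'naive':>8} {'birthday':>9}")
    for n, naive, bday in table():
        print(f"{n:>8} {naive:>8.4f} {bday:>9.4f}")
    print("queries for a 50% chance (16-bit ID only):", queries_for(0.5))
    # Source-port randomisation: a random 16-bit port multiplies the space the
    # attacker has to guess, so the same 50% point needs hundreds of times more packets.
    print("same 50% point with ID and port randomised:",
          queries_for(0.5, space=ID_SPACE * ID_SPACE))
```

With only the ID to guess, about 300 outstanding queries give the attacker even odds; with the source port randomised as well, the same odds need on the order of 77,000, which is why port randomisation was the stop-gap fix before DNSSEC.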


• Client flooding:
• The client sends a DNS query.
• The attacker sends thousands of responses made to appear as if they originate from the DNS server.
• The client accepts a response because it lacks the capability to verify the response origin.


• DNS Dynamic Update vulnerabilities:
• Dynamic update offers only a weak form of access control, typically based on the source IP address of the update.
• Protocols such as DHCP use the DNS Dynamic Update protocol to add and delete RRs.
• An attacker spoofing the IP address of a trusted server may launch a DoS attack by deleting RRs, or a malicious redirection by changing the IP of an RR in an update.


Kaminsky Flaw

• Dan Kaminsky DNS Attack
• Vendors notified in April to May (2008)
• Publicly announced in early July (2008)
• Public release of details by Kaminsky (Black Hat USA 2008, 2-7 August)
• Old vulnerabilities
• New ways of using the attacks

Step 1: Information collection (NS discovery).
Step 2: Query for random hostnames (sub-domains) at the target domain.
Step 3: Spoof a response to the target server including an answer for the query, an authority (NS) record for the target domain, and an additional record carrying the attacker's address as glue for that NS.
Step 4: Flood the target with the spoofed response until it hits the jackpot (matching transaction ID).
Step 5: Try again from step 2 using a new sub-domain.

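To make the race concrete, here is an added simulation (not code from the slides or from Kaminsky's own tooling) of a toy caching resolver attacked the three ways described above: the blind transaction-ID race, the "another variation" where an attacker-controlled zone smuggles an extra record into the additional section, and the Kaminsky loop of random sub-domain queries with in-bailiwick NS and glue records. The zone names, addresses, packet counts, port range and resolver internals are all constructed assumptions; the model deliberately ignores timing and keeps only the matching rule (question name, 16-bit ID, destination port) and the cache policy, which is enough to show why port randomisation and the bailiwick check each help.

```python
"""Toy model of cache poisoning against a caching resolver.

Added simulation (not code from the slides): the spoofed-reply race on a 16-bit
transaction ID, the "another variation" where an attacker-controlled zone smuggles a
record into the additional section, and the Kaminsky technique (random sub-domain
queries plus in-bailiwick NS/glue in every forged reply, retried with a fresh name
after each miss), with the two mitigations: source-port randomisation and the
bailiwick check. Zone names, addresses, counts and resolver internals are constructed.
"""
import random
from dataclasses import dataclass, field

QID_SPACE = 1 << 16      # 16-bit transaction ID


@dataclass
class Reply:
    qid: int                  # transaction ID the forger guessed
    dst_port: int             # UDP port the reply is sent to (the resolver's source port)
    qname: str                # question the reply claims to answer
    zone: str                 # zone named in the authority section
    answer: dict = field(default_factory=dict)   # answer section: name -> IP
    glue: dict = field(default_factory=dict)     # additional section: name -> IP


class ToyResolver:
    """Accepts the first reply whose (qname, qid, port) match an outstanding query."""

    def __init__(self, rng, randomize_port=False, bailiwick_check=False):
        self.rng = rng
        self.randomize_port = randomize_port
        self.bailiwick_check = bailiwick_check
        self.cache = {}       # name -> IP
        self.pending = {}     # qname -> (qid, source port)

    def send_query(self, qname):
        qid = self.rng.randrange(QID_SPACE)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[qname] = (qid, port)
        return qid, port

    def receive(self, reply):
        """Return True if the reply was accepted and its records cached."""
        if self.pending.get(reply.qname) != (reply.qid, reply.dst_port):
            return False                       # unsolicited or mismatched: dropped
        del self.pending[reply.qname]          # a real reply arriving later is ignored
        self.cache.update(reply.answer)
        for name, ip in reply.glue.items():
            in_bailiwick = name == reply.zone or name.endswith("." + reply.zone)
            if self.bailiwick_check and not in_bailiwick:
                continue                       # refuse glue for names outside the zone
            self.cache[name] = ip
        return True


def kaminsky_attack(resolver, rng, zone="example.com", victim_ns="ns1.example.com",
                    evil_ip="203.0.113.66", max_rounds=5000, spoofs_per_round=200):
    """Return the round on which the NS glue was poisoned, or None if it never was."""
    for rnd in range(1, max_rounds + 1):
        qname = f"r{rnd}.{zone}"               # never cached, so the resolver must ask upstream
        resolver.send_query(qname)
        for _ in range(spoofs_per_round):      # attacker assumes the classic fixed port 53
            forged = Reply(qid=rng.randrange(QID_SPACE), dst_port=53, qname=qname,
                           zone=zone, glue={victim_ns: evil_ip})   # glue is in bailiwick
            if resolver.receive(forged):
                return rnd
        resolver.pending.pop(qname, None)      # the real NXDOMAIN arrives; window closed
    return None


def poison_via_attacker_zone(resolver, evil_zone="evil.example",
                             target="www.dod.gov", evil_ip="203.0.113.66"):
    """Slide 17 variant: the attacker's own authoritative server answers a lure query
    honestly but appends an unrelated record for the victim name in the additional section."""
    qname = "lure." + evil_zone
    qid, port = resolver.send_query(qname)     # the attacker's server sees the real qid/port
    honest_looking = Reply(qid=qid, dst_port=port, qname=qname, zone=evil_zone,
                           answer={qname: "198.51.100.7"}, glue={target: evil_ip})
    resolver.receive(honest_looking)
    return resolver.cache.get(target)


def run_demo(seed=7):
    """Four scenarios; returns what landed in the cache (constructed data)."""
    out = {}
    r = ToyResolver(random.Random(seed))                         # fixed port 53, trusts glue
    out["fixed_port_round"] = kaminsky_attack(r, random.Random(seed + 1))
    out["fixed_port_glue"] = r.cache.get("ns1.example.com")

    r = ToyResolver(random.Random(seed), randomize_port=True)    # the 2008 mitigation
    out["random_port_round"] = kaminsky_attack(r, random.Random(seed + 1))

    out["no_bailiwick"] = poison_via_attacker_zone(ToyResolver(random.Random(seed)))
    out["bailiwick"] = poison_via_attacker_zone(
        ToyResolver(random.Random(seed), bailiwick_check=True))
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the defaults, run_demo() poisons the fixed-port resolver within a few hundred rounds of 200 forged packets each (about 1 in 328 per round), never poisons the port-randomising one (the per-packet guess space grows from 2^16 to roughly 2^32), and shows the bailiwick check discarding the out-of-zone www.dod.gov glue while still caching the honest answer for the lure name.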


• Information leakage:
• Zone transfers can leak information concerning internal networks.
• Or an attacker can query, one by one, every IP address in a domain's space to learn which addresses are unassigned.
• If a system trusts an entire IP network, rather than specifying every host that it trusts, then that system may be vulnerable to an attack using an unassigned IP address.


• DNS software vulnerabilities:
• US-CERT:
  • VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
  • VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
  • VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers
• Microsoft patches image, DNS flaws: the three flaws in the domain name system (DNS) server and a fourth flaw in the WINS server could allow spoofed network address information to be returned, allowing poisoning and redirection attacks, Microsoft stated in its advisory. All four flaws were rated Important by the firm.


• Compromise of the DNS server:
• The DNS server host has vulnerabilities not related to DNS.
• The attacker gets administrative privileges on the DNS server.
• The attacker modifies the zone information for which the DNS server is authoritative.


• DNS amplification attacks: because the DNS infrastructure is distributed and openly available, it has been used as a vehicle to initiate massive DDoS attacks.
• One such exploit is the popular DNS amplification attack, where botnets or other compromised hosts source traffic into the DNS infrastructure, only to have the distributed DNS infrastructure in turn amplify and reflect that traffic to an unsuspecting victim destination.
• This attack is based on the simple premise that a small request (e.g., 128 bytes) can generate a large response (e.g., 1500 bytes) to an unsuspecting target, the result being a DDoS attack.

According to the Arbor Networks® fifth annual Worldwide Infrastructure Security Report, the largest recorded DDoS attack, of 49 Gbps, was due to a DNS amplification attack targeting « DNS Made Easy » (August 2010).
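The size asymmetry is easiest to see on the wire. Below is an added example, not code from the slides: a minimal RFC 1035 wire-format builder and parser (with name compression and an EDNS0 OPT record advertising a 4096-byte UDP buffer, which is what lets a reflected answer exceed the classic 512-byte limit), used to build an ANY query and a constructed response for a zone with four A records and six fat TXT records. The zone, addresses and TXT contents are constructed; the 40-byte query and roughly 1.4 kB answer give an amplification factor around 35.

```python
"""Minimal DNS wire-format builder/parser to measure request-vs-response size.

Added example, not code from the slides: it encodes a query (with an EDNS0 OPT record
advertising a 4096-byte UDP buffer) and a response in RFC 1035 format with name
compression, then reports the amplification factor. Zone, addresses and TXT contents
are constructed.
"""
import struct

TYPE_A, TYPE_TXT, TYPE_OPT, TYPE_ANY = 1, 16, 41, 255
CLASS_IN = 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer: 11xxxxxx xxxxxxxx
            if not jumped:
                end = off + 2                          # resume after the pointer, not the target
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def opt_record(udp_payload=4096):
    """EDNS0 OPT pseudo-RR: root owner, type 41, class field = advertised UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)


def build_query(qname, qtype=TYPE_ANY, qid=0x1234, edns=True):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD=1, 1 question
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (opt_record() if edns else b"")


def build_response(query, records):
    """Answer `query` with `records` = [(owner, type, ttl, rdata)], compressing owners equal
    to the question name into a 2-byte pointer at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(records), 0, 1)    # QR, RD, RA
    body = query[12:qend + 4]                                               # copy the question
    for owner, rtype, ttl, rdata in records:
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body + opt_record()


def parse_answers(msg):
    """Walk the question and answer sections; return [(owner, type, rdlen)]."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answers.append((owner, rtype, rdlen))
    return answers


def txt_rdata(text):
    data = text.encode("ascii")
    return bytes([len(data)]) + data               # one <character-string>, max 255 bytes


def demo(zone="example.com"):
    """Constructed ANY query/response pair: 4 A records and 6 fat TXT records."""
    query = build_query(zone)
    records = [(zone, TYPE_A, 300, bytes([198, 51, 100, i])) for i in range(1, 5)]
    records += [(zone, TYPE_TXT, 300, txt_rdata("v=spf1 " + "x" * 193)) for _ in range(6)]
    response = build_response(query, records)
    return query, response, len(response) / len(query)


if __name__ == "__main__":
    q, r, factor = demo()
    print(f"query {len(q)} bytes, response {len(r)} bytes, amplification x{factor:.1f}")
    print(parse_answers(r))
```

The 40-byte query is what a reflector receives with a forged source address; the response it emits is what the victim gets, so the ratio is the per-packet bandwidth multiplier before any botnet fan-out. Real abused zones push the answer to the full advertised 4096 bytes (or further with DNSSEC signatures), which is where factors of 50 and beyond come from.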


Tunneling

• DNS is used to tunnel traffic in and out of firewalls and IDSs:
  • viruses
  • botnet control
  • streaming audio
• The protocol specification should be taken into account when looking for tunnels.
• Requests typically should not exceed 312 bytes (including TCP and IP headers).


Other DNS exploits

• DNS cache-miss attacks are becoming popular: attackers walk a dictionary of random words down the DNS server to increase its workload.
• Multi-vector DDoS attacks use SYN floods combined with fragmented UDP, port 80 and port 22 (ssh) traffic, and DNS reflection attacks (25 Gbps and higher!).
• DNS TXT records can also be leveraged by botnet command and control (C&C) servers. These records are used to store botnet commands. Bots query predefined TXT records periodically for instructions. The bots are coded to look up nonsense-sounding domains that have not yet been registered. When the miscreant wants to activate the botnet, he/she registers the domain and sets up a C&C web server to issue commands.
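A detection-side example for the two passages above (tunnelling, and the random-word cache-miss and not-yet-registered-domain lookups). This is added code, not from the slides: it scores each query on name length, longest label, sub-domain entropy and bulk-capable record type, and separately flags clients whose answers are mostly NXDOMAIN. The log lines are constructed in a simplified "client qname qtype rcode" layout, and the thresholds are illustrative starting points rather than vendor defaults.

```python
"""Heuristics for spotting DNS tunnelling and random-sub-domain (cache-miss) floods in
query logs.

Added example, not from the slides. The log lines below are constructed in a simplified
"client qname qtype rcode" format (real BIND/Unbound logs carry more fields); the
thresholds are illustrative starting points, not vendor defaults.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: a normal client, a tunnelling client carrying hex-encoded payload
# in TXT queries, and a client walking random names under one domain (each a cache miss
# answered NXDOMAIN, the pattern of a dictionary walk or unregistered-domain beaconing).
LOG_LINES = [
    "10.0.0.5 www.example.com A NOERROR",
    "10.0.0.5 mail.example.com MX NOERROR",
    "10.0.0.5 cdn.example.net A NOERROR",
    "10.0.0.9 3a7f9c1e5b2d8e4f6a0c7b9d1e3f5a7c.9b1d3f5a7c9e0b2d4f6a8c1e3b5d7f9a.t.badcorp.example TXT NOERROR",
    "10.0.0.9 5c8e2a4f6b0d9e1c3a7f5b9d2e4c6a8f.1e3b5d7f9a0c2e4b6d8f1a3c5e7b9d0f.t.badcorp.example TXT NOERROR",
    "10.0.0.9 d0f2a4c6e8b1d3f5a7c9e0b2d4f6a8c1.7b9d1f3a5c7e9b0d2f4a6c8e1b3d5f7a.t.badcorp.example TXT NOERROR",
] + [f"10.0.0.12 {w}.example.com A NXDOMAIN"
     for w in ("qzxv", "plomk", "wurtz", "bnark", "xiqo", "fhsdl", "mzpw", "kvtr")] + [
    "10.0.0.12 www.example.com A NOERROR",
]


def shannon_entropy(s):
    """Bits per character; hex-encoded payload sits near 4, English words near 3 or below."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_features(qname, qtype):
    """Return the reasons a single query looks like tunnel traffic (empty list = benign)."""
    labels = qname.rstrip(".").split(".")
    subdomain = ".".join(labels[:-2])            # strip the registrable domain (2 labels here)
    reasons = []
    if len(qname) > 60:
        reasons.append(f"long name ({len(qname)} chars)")
    if max(len(l) for l in labels) > 30:
        reasons.append("long label")
    if len(subdomain) >= 20 and shannon_entropy(subdomain) >= 3.5:
        reasons.append(f"high-entropy sub-domain ({shannon_entropy(subdomain):.2f} bits/char)")
    if qtype in ("TXT", "NULL"):
        reasons.append(f"bulk-capable qtype {qtype}")
    return reasons


def analyse(lines, min_reasons=2, nx_ratio=0.5, min_queries=5):
    """Per-client findings: tunnelling (>= min_reasons on a query) and NXDOMAIN floods."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "tunnel": []})
    for line in lines:
        client, qname, qtype, rcode = line.split()
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        reasons = name_features(qname, qtype)
        if len(reasons) >= min_reasons:
            s["tunnel"].append((qname, reasons))
    findings = {}
    for client, s in stats.items():
        out = []
        if s["tunnel"]:
            out.append(f"possible DNS tunnel: {len(s['tunnel'])} suspicious queries")
        if s["queries"] >= min_queries and s["nxdomain"] / s["queries"] >= nx_ratio:
            out.append(f"cache-miss flood: {s['nxdomain']}/{s['queries']} NXDOMAIN")
        findings[client] = out
    return findings


if __name__ == "__main__":
    for client, out in analyse(LOG_LINES).items():
        print(client, out or ["clean"])
```

Entropy alone misfires on CDN and cloud hostnames, which is why a query needs at least two signals before it counts; the NXDOMAIN ratio is kept per client rather than per name because the flood and beaconing patterns show up in the answer codes, not in any single query.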


Conficker

• An army that can be directed at will through its rendezvous points to support a wide range of malicious, criminal or terrorist activities, for as long as the computer remains infected and the bots can remotely communicate with the rendezvous point(s).


Infections (map; source: http://www.confickerworkinggroup.org)


ccTLDs used by Conficker

Could DNS still be used as a rendezvous? Yes, however peer-to-peer and other mechanisms are being used for updates.

Thank you for your
