DNSSpoofing_2

download DNSSpoofing_2

of 17

Transcript of DNSSpoofing_2

  • 7/30/2019 DNSSpoofing_2

    1/17

    Domain Name System DNS Cache Poisoning Defences

    DNS Spoofing / Poisoning and Relevant Defences(CSE 4482: Computer Security Management)

    Benjamin Klein & Prakanth Thangeswaran

    York University

    Department of Computer Science and Engineering

    December 7, 2010

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 1 / 14

    mailto:[email protected]:[email protected]://www.yorku.ca/http://www.yorku.ca/http://www.yorku.ca/mailto:[email protected]:[email protected]://find/

  • 7/30/2019 DNSSpoofing_2

    2/17

    Domain Name System DNS Cache Poisoning Defences

    Outline

    1 Domain Name System

    2 DNS Cache Poisoning

    3 Defences

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 2 / 14

    http://find/

  • 7/30/2019 DNSSpoofing_2

    3/17

    Domain Name System DNS Cache Poisoning Defences

    Outline

    1 Domain Name SystemOverviewResolverResource Records

    2 DNS Cache Poisoning

    3 Defences

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 3 / 14

    http://find/

  • 7/30/2019 DNSSpoofing_2

    4/17

    Domain Name System DNS Cache Poisoning Defences

    Domain Name System

    Whenever we communicate using IP, we need IP addresses to address thedestination.

    Do you know the IP of the YorkU webserver?

    Its 130.63.236.137. . .

    easy to remember, isnt it?

    designed by Paul Mockapetris in 1983

    specified in RFC1 1034 and 1035

    translates FQDN2

    into IP addresses

    1Request for Comments2Fully Qualified Domain Name, e.g. www.yorku.ca

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14

    D i N S DNS C h P i i D f

    http://find/

  • 7/30/2019 DNSSpoofing_2

    5/17

    Domain Name System DNS Cache Poisoning Defences

    Domain Name System

    Whenever we communicate using IP, we need IP addresses to address thedestination.

    Do you know the IP of the YorkU webserver?

    Its 130.63.236.137. . .

    easy to remember, isnt it?

    designed by Paul Mockapetris in 1983

    specified in RFC1 1034 and 1035

    translates FQDN2

    into IP addresses

    1Request for Comments

    2Fully Qualified Domain Name, e.g. www.yorku.caDecember 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14

    D i N S t DNS C h P i i D f

    http://find/

  • 7/30/2019 DNSSpoofing_2

    6/17

    Domain Name System DNS Cache Poisoning Defences

    Domain Name System

    Whenever we communicate using IP, we need IP addresses to address thedestination.

    Do you know the IP of the YorkU webserver?

    Its 130.63.236.137. . .

    easy to remember, isnt it?

    designed by Paul Mockapetris in 1983

    specified in RFC1 1034 and 1035

    translates FQDN2

    into IP addresses

    1Request for Comments

    2Fully Qualified Domain Name, e.g. www.yorku.caDecember 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    7/17

    Domain Name System DNS Cache Poisoning Defences

    Domain Name System

    Whenever we communicate using IP, we need IP addresses to address thedestination.

    Do you know the IP of the YorkU webserver?

    Its 130.63.236.137. . .

    easy to remember, isnt it?

    designed by Paul Mockapetris in 1983

    specified in RFC1 1034 and 1035

    translates FQDN

    2

    into IP addresses

    1Request for Comments

    2Fully Qualified Domain Name, e.g. www.yorku.caDecember 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/http://goback/

  • 7/30/2019 DNSSpoofing_2

    8/17

    Domain Name System DNS Cache Poisoning Defences

    DNS Resolver

    ExampleYou type http://www.thestar.com to visit the Toronto Star

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 5 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    9/17

    Domain Name System DNS Cache Poisoning Defences

    DNS Resource Records

    fundamental information unit in DNS

    different types of RR

    A (IPv4 address)MX (mail exchange server)

    NS (hostname of authoritative name server). . .

    Example A-RR

    www.yorku.ca. 3600 IN A 130.63.236.137

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 6 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    10/17

    Domain Name System DNS Cache Poisoning Defences

    Outline

    1 Domain Name System

    2 DNS Cache PoisoningOverview

    Packet InterceptionID Guessing and Query Prediction

    3 Defences

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 7 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    11/17

    y g

    DNS Cache Poisoning

    DNS was not designed with security in mind

    classes of transactions: usage vs administrative transactions

    usage transactions (obviously most present in DNS traffic)

    Query: A asks B for the IP of a particular FQDNResponse: B gives A the requested IP

    DNS Cache Poisoning: An attacker replies to A with a faked IP (to

    divert traffic to another computer) and A stores it in its cache

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 8 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    12/17

    y g

    Packet Interception

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 9 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    13/17

    ID Guessing and Query Prediction

    If we cant intercept traffic, we still can guess!

    UDP Port and Transaction ID are 16-bit fields each

    232 possible values suitable for brute-force

    in most cases, the client UDP port can be predicted from previous

    traffic observations 2

    16

    values

    we also have to guess QNAMEs3 and QTYPEs4

    attack is only successful if the resolvers behaviour is predictable

    3query domain name (e.g. www.yorku.ca)

    4query type (A, MX, NS,. . .

    )December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 10 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    14/17

    Outline

    1 Domain Name System

    2 DNS Cache Poisoning

    3 DefencesDNSSEC

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 11 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    15/17

    DNS Security Extension (DNSSEC)

    introduced 1999 in RFC 2535 (updated by RFC 4033 later)

    provides data integrity and authentication

    all replies in DNSSEC are digitally signed using public-keycryptography

    required no change to the DNS protocol beyond the addition of newresource types

    DNSSEC Resource Records

    RRSIG: stores the signatureDNSKEY: stores the public key that was used

    . . .

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 12 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://find/

  • 7/30/2019 DNSSpoofing_2

    16/17

    References

    RFC 1035: DOMAIN NAMES - IMPLEMENTATION ANDSPECIFICATIONhttp://www.ietf.org/rfc/rfc1035.txt

    RFC 4033: DNS Security Introduction and Requirementshttp://www.ietf.org/rfc/rfc4033.txt

    Kim Davies: 2008 DNS Cache Poisoning Vulnerabilityhttp://www.iana.org/about/presentations/

    davies-cairo-vulnerability-081103.pdf

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 13 / 14

    Domain Name System DNS Cache Poisoning Defences

    http://www.ietf.org/rfc/rfc1035.txthttp://www.ietf.org/rfc/rfc4033.txthttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.ietf.org/rfc/rfc4033.txthttp://www.ietf.org/rfc/rfc1035.txthttp://find/http://goback/

  • 7/30/2019 DNSSpoofing_2

    17/17

    Q & A

    Any questions left?

    Benjamin Klein Prakanth Thangeswaran

    December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 14 / 14

    mailto:[email protected]:[email protected]:[email protected]:[email protected]://find/http://goback/

Do you admire Leonardo da Vinci?

Do you admire Leonardo da Vinci?

Star Wars Trivia!

Star Wars Trivia!

Aesops Fables

Aesops Fables

Star Wars Prequel Trilogy Trivia (Episodes I-III)

Star Wars Prequel Trilogy Trivia (Episodes I-III)

One Flew Over the Cuckoo's Nest

One Flew Over the Cuckoo's Nest

Chapter-01

Chapter-01

I Am a Holocaust Denier and I Am Unafraid

I Am a Holocaust Denier and I Am Unafraid

Who Killed God

Who Killed God

Simple Functions in Haskell

Simple Functions in Haskell

The Dutch Republic In International Trade

The Dutch Republic In International Trade

United States Constitution

United States Constitution

Introduction to Six Sigma

Introduction to Six Sigma

Cakes Recipes

Cakes Recipes

Chapter 23

Chapter 23

Life Is Just A Dream - Or Is It?

Life Is Just A Dream - Or Is It?

Iron Mills Essay

Iron Mills Essay

Explore The Levels of Creation

Explore The Levels of Creation

Physical Modelling Synthesis Overview

Physical Modelling Synthesis Overview

How Computer Monitors Work

How Computer Monitors Work

Chapter 24

Chapter 24