Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name...

37
Using the Domain Name System for System Break-ins Steven M. Bellovin Presented by: Thomas Repantis [email protected] CS255-Computer Security, Winter 2004 – p.1/37

Transcript of Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name...

Page 1: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Using the Domain Name Systemfor System Break-ins

Steven M. Bellovin

Presented by:

Thomas Repantis

[email protected]

CS255-Computer Security, Winter 2004 – p.1/37

Page 2: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Overview

Using DNS to spoof a host’s name and accessnetwork services that rely on the host name forauthentication.

1. Introduction to the Domain Name System

2. Description of the Attack

3. Proposed Defenses

4. Current Status

CS255-Computer Security, Winter 2004 – p.2/37

Page 3: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Domain Name System (DNS)

A distributed database, used to map hostnames to IP addresses, and vice-versa.

www.cs.ucr.edu138.23.169.15

Paul MockapetrisRFCs 882, 883 (1983)RFCs 1034, 1035 (1987)

CS255-Computer Security, Winter 2004 – p.3/37

Page 4: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

DNS Basics 1/2

Periods in domain names define zones(www.example.com).

Servers contain the authoritatitive data foreach zone.

Secondary authoritative servers poll theprimary servers.

If the data has changed, they initiate zonetransfers.

CS255-Computer Security, Winter 2004 – p.4/37

Page 5: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

DNS Basics 2/2

The resource records returned are cachedlocally for some time.

The authority for a subdomain may bedelegated to a subsidiary server (hierarchicalnamespace).

CS255-Computer Security, Winter 2004 – p.5/37

Page 6: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Zone Example 1/5

CS255-Computer Security, Winter 2004 – p.6/37

Page 7: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Zone Example 2/5

Start Of Authority (SOA):

Specifies the source of the zone information.

CS255-Computer Security, Winter 2004 – p.7/37

Page 8: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Zone Example 3/5

Name Server (NS):

Specifies the authoritative name servers for the domain.

CS255-Computer Security, Winter 2004 – p.8/37

Page 9: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Zone Example 4/5

Address (A): Specifies the address of a host.

CS255-Computer Security, Winter 2004 – p.9/37

Page 10: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Zone Example 5/5

Host Info (HINFO): Specifies host informa-

tion, like computer and operating system.

CS255-Computer Security, Winter 2004 – p.10/37

Page 11: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Forward queries

Forward queries (asking for the IP address,providing a machine name) can be answeredusing the records from the zone.

An item may also contain AdditionalInformation, (e.g. providing NS and Arecords, when asked for the IP of an unknownhost).

CS255-Computer Security, Winter 2004 – p.11/37

Page 12: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Inverse queries

Inverse queries (asking for the machinename, providing an IP address) are answeredusing a separate, parallel tree, keyed by IPaddress.

CS255-Computer Security, Winter 2004 – p.12/37

Page 13: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Attack!

Assumption: Attacker controlling a primaryserver for a DNS zone, including the inversemapping tree, as well as all TCP portnumbers.

Attacker’s goal: To find hosts that trust otherhosts by name.

Common examples:Clusters of time-sharing machines.File servers and their clients.

CS255-Computer Security, Winter 2004 – p.13/37

Page 14: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Starring:

Softy, the victim:

bullseye.softy.org 192.193.194.1

ringer.softy.org 192.193.194.64

groundzero.softy.org 192.193.194.65

Cuckoo, the attacker:

cracker.ritts.org 150.151.152.153

CS255-Computer Security, Winter 2004 – p.14/37

Page 15: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Guest star:

The vulnerability in the address-to-namemapping!

Attacker changes the inverse mapping recordfor 150.151.152.153 from the correctcracker.ritts.org to ringer.softy.org

Attacker attempts rlogin to bullseye.

CS255-Computer Security, Winter 2004 – p.15/37

Page 16: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

.̇..

bullseye, the victim, validates the name of thecalling machine:

It calls gethostbyaddr(), passing150.151.152.153.This generates a DNS inverse queryfor the PTR record for153.152.151.150.in-addr.arpaThis retrieves ringer.softy.org

Call accepted, attack succeeded.

CS255-Computer Security, Winter 2004 – p.16/37

Page 17: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Why?

Because there is no forced linkage between the

two DNS trees owned by Cuckoo, ritts.org and

152.151.150.in-addr.arpa, allowing the latter’s en-

tries to point to softy’s hosts.

CS255-Computer Security, Winter 2004 – p.17/37

Page 18: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

The rest are details...

Finding a target host name.

Finding a user name to impersonate.

Finding a machine trusted by the target host.

CS255-Computer Security, Winter 2004 – p.18/37

Page 19: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

SNMP abuse

Cuckoo finds the target host name from mailmessage or news article.

He examines its TCP connection tables usingSNMP.

CS255-Computer Security, Winter 2004 – p.19/37

Page 20: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

finger abuse

He examines current users using finger.

He concludes: In bullseye, .rhosts file forbingo, authorizing user1 when coming frombullseye.

CS255-Computer Security, Winter 2004 – p.20/37

Page 21: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Done

He modifies the appropriate PTR record.

He creates local login names.

He attacks.

CS255-Computer Security, Winter 2004 – p.21/37

Page 22: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Giving away information

Apart from SNMP and finger...

e-mail,

DNS (SOA records, zone transfers, HINFO records)

SMTP

FTP

rpcinfo

...can also provide information about the victim.

CS255-Computer Security, Winter 2004 – p.22/37

Page 23: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

The Berkeley fix

Validate the inverse mapping tree by looking atthe corresponding node on the forward mappingtree.

If gethostbyaddr() returns bullseye.softy.orgfor 150.151.152.153, then gethostbyname()should return the same IP for the same name.

Otherwise we have an impersonation.

CS255-Computer Security, Winter 2004 – p.23/37

Page 24: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

How the fix is circumvented...

The PTR record to answer gethostbyaddr()’srequest is in Cuckoo’s server.

The A record to answer gethostbyname()’srequest is in Softy’s server.

However the query might be answered by thelocal machine’s name server cache.

That DNS cache can be poisoned by theattacker...

CS255-Computer Security, Winter 2004 – p.24/37

Page 25: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Danger: Poison!

The DNS message with the PTR record maycontain a bogus A record in the AdditionalInformation field (with short TTL).

Or the bogus A record can be included in theNS records of a response to a lookup for ahostname. CS255-Computer Security, Winter 2004 – p.25/37

Page 26: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Therefore...

Caching-only name servers are vulnerable!

Authoritative name servers for a domain willreject updates for their zones.

Hence they cannot be poisoned.

But they are vulnerable for requests outsidetheir zone.

CS255-Computer Security, Winter 2004 – p.26/37

Page 27: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Extra measures

The target can act as a secondary server forthe inverse mapping.

The target can use a local mapping table likeNIS before consulting DNS.

CS255-Computer Security, Winter 2004 – p.27/37

Page 28: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Hardening DNS Servers

Bogus A records could be tracked back, ifDNS server cache entries were tagged withtheir source.

Additional Information could be used only inthe specific context in which it was returned,and then discarded. (At a performance cost.)

CS255-Computer Security, Winter 2004 – p.28/37

Page 29: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Defenses

Use cryptographic instead of name- oraddress-based authentication (e.g.Kerberos).

Apart from Berkeley’s fix:Limit the trusted hosts to those for which the localmachine has authoritative name information.

Have the local name server act as a secondaryserver for important neighboring zones, and thuspossess authoritative forward-mapping data.

Have all machines possess definitive mappinginformation for the hosts within an organization.

CS255-Computer Security, Winter 2004 – p.29/37

Page 30: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Logging and Audtiing

Attempts to impersonate hosts.

Attempts to update authoritative zones.

Attempts to connect to rlogind or rshd.

Compare forward- and inverse-mapping datafor a zone.

CS255-Computer Security, Winter 2004 – p.30/37

Page 31: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Abandon DNS?

Return to static host tables?no (1990) NO! (2004)

Problem lies not in DNS, but in inadequatehost authentication methods.

The information for host-to-address mappingis distributed, hence contamination fromuntrustworthy sources is always possible.

The host table is huge and cannot be updatedstatically in a frequent and timely manner.

CS255-Computer Security, Winter 2004 – p.31/37

Page 32: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Is the attack still relevant?

Paper written in 1990, published in 1995.

2004:Name-based authentication is not thatwidely used anymore (ssh instead of rsh).Firewalls disallow remote connections.Too many BIND fixes since then.Cryptographic authentication of DNS isused in experimental testbeds.

Main idea still relevant, with new misuses.

CS255-Computer Security, Winter 2004 – p.32/37

Page 33: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

DNS Threats in 2004

Threat Analysis Of The Domain NameSystem. D. Atkins. IETF Draft (2003).

Packet InterceptionID Guessing and Query PredictionName GamesBetrayal By Trusted ServerDenial of ServiceAuthenticated Denial of Domain NamesWildcards

CS255-Computer Security, Winter 2004 – p.33/37

Page 34: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

DNSSEC

DNS Security Extensions to provideend-to-end authenticity and integrity.

All answers in DNSSEC are digitally signed.

By checking the signature, a resolver is ableto check if the info is identical (correct andcomplete) to the info on the authoritativeserver.

D. Eastlake. RFC 2535 (1987).

CS255-Computer Security, Winter 2004 – p.34/37

Page 35: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Conclusions

Inserting bogus resource records in a victim’sDNS cache.

Still possible.

Luckily, name-based authentication is not thatwidely used anymore.

However, other misuses like serverredirection are equally grave.

DNSSEC

CS255-Computer Security, Winter 2004 – p.35/37

Page 36: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

References

1. P. Mockapetris. RFC 1034: Domain Concepts and Facilities. IETF, 1987.

2. P. Mockapetris. RFC 1035: Domain Implementation and Specification. IETF, 1987.

3. S. Bellovin. Using the Domain Name System for System Break-ins. USENIX,1995.

4. P. Vixie. DNS and BIND security issues. USENIX, 1995.

5. C. Schuba and E. Spafford. Addressing weaknesses in the domain name systemprotocol. Master’s thesis, 1993.

6. D. Eastlake. RFC 2535: Domain Name System Security Extensions. IETF, 1999.

7. D. Atkins. Internet Draft: Threat Analysis Of The Domain Name System. IETF,2003.

CS255-Computer Security, Winter 2004 – p.36/37

Page 37: Using the Domain Name System for System Break-insravi/265/repantis.pdf · Using the Domain Name System for System Break-ins ... like computer and operating system. CS255-Computer

Thank you!

Questions/comments?

CS255-Computer Security, Winter 2004 – p.37/37