DNS is the root of trust for the web. Without DNS, how could you get to any websites? DNS wasn't designed with any security concerns in mind. Classical DNS uses plaintext messages that a third party can easily read; this leaves the service open to several well-known attacks.
Team: Surya Abhijith Kumar Devaraju (009179300), Bharadwaj Ananthula (009290489), Sarath Kumar Gupta Sunku (009326213), Anirudh Sri Jayendra Janga (008681907)

Outline
- Understanding DNS: how does DNS work?
- Vulnerabilities
- Attacks and defense schemes
- DNSSEC (DNS Security)
- Attack demonstration
- DNSSEC implementation

Domain Name System
- Developed in 1983
- Application layer protocol
- Scalable way to map hostnames to IP addresses
- Uses a hierarchical tree structure beginning at the root
- Below the root are generic top-level domains (edu., com., net., etc.) and country-code top-level domains (uk., cn., etc.)
- Each TLD further subdivides to produce domains such as colostate.edu. and deterlab.net.
- Every Internet application requires some DNS lookup

DNS Queries
Two types:
1. Recursive query: puts the burden of resolution on the contacted name server
2. Iterative query: the contacted server replies with the name of the next authority in the hierarchy ("I don't know this name, but this other server might")
This is how DNS works today.
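The slides describe DNS messages as plaintext with almost no verification. The following added example (not code from the slides or their authors) builds a stub resolver's query and a constructed answer in the RFC 1035 wire format, parses them back, and shows the only checks a classical resolver can make before caching an answer: that the 16-bit transaction ID and the question section echo its own query. The name www.example.com, the ID 0x1234 and the address 192.0.2.1 are constructed sample values.

```python
"""Build and parse classical (plaintext) DNS messages in the RFC 1035 wire format.
Added example; the query/response bytes are constructed, not captured traffic."""
import socket
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, recursion_desired: bool = True) -> bytes:
    """A stub resolver's query: one question of type A, class IN; RD asks for a recursive query."""
    flags = FLAG_RD if recursion_desired else 0
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 300, recursion_available: bool = True) -> bytes:
    """Answer a single-question query with one A record. The answer's owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid, _, qdcount, _, _, _ = HEADER.unpack(query[:12])
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if recursion_available else 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return HEADER.pack(txid, flags, qdcount, 1, 0, 0) + query[12:] + answer


def decode_name(msg: bytes, offset: int, max_hops: int = 16):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream).
    The hop limit stops a malformed message from sending the parser into a pointer loop."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: remember where we left, jump
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and answer section (A records as dotted quads)."""
    txid, flags, qdcount, ancount, _, _ = HEADER.unpack(msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Everything a classical resolver can check before caching: the response bit is set, the
    16-bit ID matches and the question is echoed. Nothing in the payload authenticates the sender."""
    q, r = parse_message(query), parse_message(response)
    return r["qr"] and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    query = build_query(0x1234, "www.example.com")
    response = build_response(query, "192.0.2.1")   # constructed sample answer
    print(parse_message(response))
    print("accepted:", response_matches_query(query, response))
```

Because the ID is the only per-query secret in the payload, whoever can see the query (the eavesdropping case on the next slides) can produce a response this check accepts; the source port is the one other value a resolver can match on, which is why later slides recommend randomizing it.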
The Importance of DNS
- Without DNS, how could you get to any websites?
- DNS is the root of trust for the web
- When a user types www.bankofamerica.com, they expect to be taken to their bank's website
- What if the DNS record is compromised?

DNS Hijacking
- Infecting the OS or browser with a virus/trojan, e.g. many Trojans change entries in /etc/hosts: *.bankofamerica.com -> evilbank.com
- Man-in-the-middle attack
- Response spoofing: eavesdrop on requests and outrace the server's response

DNS Vulnerabilities
- DNS wasn't designed with any security concerns in mind
- Classical DNS uses plaintext messages that a third party can easily read
- It also does very little by way of message verification: the end user has no way of knowing whether a message was altered en route or whether the DNS servers supplying the information are acting maliciously
- This leaves the service open to several well-known vectors of attack: man-in-the-middle (MITM) attack, birthday attack, Kaminsky attack

Man In The Middle Attack
- MITM is common to network services and effective against communications that don't use cryptographic encryption or authentication
- The attacker positions between the client and the server on a network, can intercept messages going in either direction, and can alter or deny them at will, violating either the integrity or the availability of the service
- In the context of DNS, the attacker positions somewhere between the end user and the relevant DNS server and alters the DNS response to supply a different IP address for the requested name, effectively rerouting the user anywhere they want

MITM Attack Defense
- DNSSEC, for preventing the DNS poisoning attack
- Use certificates against MitM on public-key encryption: a trusted Certificate Authority (CA) verifies the certificate, digital signature or key
- DHCP snooping, used against DHCP spoofing: helps in differentiating trusted and non-trusted ports
- Against ARP poisoning: DHCP snooping creates a MAC-to-IP table, monitors ARP packets and checks them against the table

Birthday Attack
- A type of cryptographic attack that exploits the mathematics behind the birthday problem
- An attacker sends a query to the caching server, quickly followed by a response to that same query
- If the response appears valid to the caching server, it accepts it, adds the "poison" data to its cache, and ignores subsequent responses for the same query

Birthday Attack Defense
- Problem: DNS servers cannot restrict the number of simultaneous requests for the same IP; this paves the way for the birthday attack
- Solution: restrict multiple DNS requests for the same resource
- Implement a birthday attack protection mechanism in the firewall: respond to the first DNS query and ignore the others
- Store the first request and set the flag to 1; subsequent requests reset the flag, respond to the first request and discard the rest

Kaminsky Attack
- Transaction IDs prevent attackers from assigning their own IP to any domain, but they are ineffective as a security measure
- An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as "1.foo.com" or "2.foo.com"
- Transaction IDs can only be a number between 0 and 65535, so the attacker can launch multiple requests and eventually spoof a domain by matching the ID through chance
- Once this domain is spoofed, the attacker can flood a name server with spoofed replies to poison its cache for the domain being attacked, "foo.com"; requests for foo.com would then direct a user to a site of the attacker's choosing

Kaminsky Attack Defense
- Randomize the UDP source port used to send the DNS query, so the attacker has to guess that port correctly as well
- Increase the space of possible IDs
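The birthday and Kaminsky slides both turn on how small a 16-bit transaction ID space is, and the two randomization defenses just listed work by enlarging the space a spoofed reply has to hit. The following added example (not from the slides) quantifies that with a simplified model: outstanding queries carry distinct (ID, port) values, every spoofed reply guesses an (ID, port) pair uniformly at random, and a resolver with a fixed source port is modelled as port_space = 1. The ephemeral-port count of 64512 is an assumption.

```python
"""Quantify how the 16-bit ID space and source-port randomization change the odds of a
spoofed reply being accepted. Added example with a constructed model, not measurements."""
import math

ID_SPACE = 1 << 16      # 16-bit transaction ID: 65536 values
PORT_SPACE = 64512      # assumption: resolver picks a random ephemeral port in 1024-65535


def spoof_success_probability(outstanding: int, spoofed: int,
                              id_space: int = ID_SPACE, port_space: int = 1) -> float:
    """P(at least one spoofed reply matches at least one outstanding query for the same name).
    With port_space=1 the ID is the only value a reply has to match (no port randomization)."""
    space = id_space * port_space
    if outstanding >= space:
        return 1.0
    miss_per_reply = (space - outstanding) / space      # each guess misses every outstanding query
    return 1.0 - miss_per_reply ** spoofed


def expected_kaminsky_races(spoofed_per_race: int,
                            id_space: int = ID_SPACE, port_space: int = 1) -> float:
    """Kaminsky variant: each fresh query (1.foo.com, 2.foo.com, ...) is one race answered by
    `spoofed_per_race` guesses. Expected races until one is won is 1/p, i.e. the cost a
    defense imposes grows with the size of the (ID, port) space."""
    p = spoof_success_probability(1, spoofed_per_race, id_space, port_space)
    return math.inf if p == 0.0 else 1.0 / p


def defense_table(n: int = 300) -> dict:
    """One query vs. n simultaneous queries (birthday effect), with and without port
    randomization, always against n spoofed replies."""
    return {
        "single_query_fixed_port": spoof_success_probability(1, n),
        "birthday_fixed_port": spoof_success_probability(n, n),
        "birthday_random_port": spoof_success_probability(n, n, port_space=PORT_SPACE),
        "kaminsky_races_fixed_port": expected_kaminsky_races(n),
        "kaminsky_races_random_port": expected_kaminsky_races(n, port_space=PORT_SPACE),
    }


if __name__ == "__main__":
    for name, value in defense_table().items():
        print(f"{name:28s} {value:.6g}")
```

With 300 outstanding queries for the same name and 300 replies, the birthday effect lifts the fixed-port success probability from under half a percent to roughly three quarters, which is why the defense slide limits simultaneous requests for the same resource; adding a random source port multiplies the space by tens of thousands and pushes the same probability to the 1e-5 range.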
- The "real" fix is to notice a lot of requests and communicate only using TCP, which can't be spoofed
- A further fix would be to have carriers communicate using DNSSEC, a form of DNS which is encrypted

DNSSEC
- DNSSEC is an enhancement to the DNS protocol that integrates cryptographic authentication into DNS messages
- DNSSEC assures data integrity, mitigating man-in-the-middle and cache-poisoning attacks using a "chain of trust"
- DNSSEC works by digitally signing records for DNS lookup using public-key cryptography
- The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party
- Requires DNSSEC to be enabled on authoritative and cache machines

Attack Demonstration
1. Log in to the attacker machine
2. Enable ettercap to redirect traffic to the attacker's machine
3. Verify that traffic now passes through the attacker
4. Edit the etter.dns file to spoof the DNS response for google.com
5. Verify that the client now gets a spoofed response
Attack successful!

Enabling DNSSEC
1. Log in to the authoritative machine
2. Using zonesigner, create signed copies of google.com
3. Open named.conf.options and make the necessary changes
4. In the named.conf.local file, make a change for the signed copy of google.com
5. Restart the bind9 service so the changes take effect
6. Verify DNSSEC is working
7. Copy the public key for signed google.com
8. Repeat the same steps on the cache machine
9. Log in to the client machine and use dig with DNSSEC
10. Obtain authoritative answers; this verifies DNSSEC is working
Conclusion
- DNS is an important protocol; the current Internet fails without DNS
- It is vulnerable and can be easily attacked
- Implementing DNSSEC can help mitigate the vulnerability