a cache poisoning attack targeting dns forwarding devices
play

A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng - PowerPoint PPT Presentation

Jul 14, 2023 •383 likes •593 views

Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan and Zhiyun Qian DNS Forwarder Devices

  1. Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan and Zhiyun Qian

  2. DNS Forwarder ● Devices standing in between stub and recursive resolvers E.g., home routers, open Wi-Fi networks Can have caching abilities Relies on the integrity of upstream resolvers 2

  3. DNS Cache Poisoning Attacks ● Forging attacks targeting recursive resolvers Crafu a DNS answer which matches the query’s metadata Example: Kaminsky Attack (2008) Mitigation: increase randomness of DNS packet RFC 5452: DNS resolver implementations should use randomized ephemeral port numbers and DNS transaction IDs 3

  4. Threat Model: Overview ● Defragmentation attacks targeting DNS forwarders Reliably forces DNS response fragmentation Targets arbitrary victim domain names 4

  5. Threat Model: Overview ● Defragmentation attacks targeting DNS forwarders Reliably forces DNS response fragmentation Targets arbitrary victim domain names 2. Use attacker’s own 1. Attacker & DNS forwarder domain name and locate in the same LAN authoritative server (e.g., in open Wi-Fi networks) 5

  6. Insight on Forwarder Roles ● Defragmentation attacks targeting DNS forwarders Reliably forces DNS response fragmentation Targets arbitrary victim domain names 2. Use attacker’s own 1. Attacker & DNS forwarder Relies on recursive resolvers domain name and locate in the same LAN authoritative server Target of cache poisoning (e.g., in open Wi-Fi networks) Security checks 6 (e.g., DNSSEC)

  7. Attacker’s Oversized DNS Response ● CNAME chain Use dummy CNAME records to enlarge attacker’s DNS response > 1,500 Bytes (Ethernet MTU) Always produce fragments 7

  8. Attacker’s Oversized DNS Response ● CNAME chain Use dummy CNAME records to enlarge attacker’s DNS response Use CNAME to point attacker’s domain to any victim What the What the recursive DNS resolver forwarder sees sees 8

  9. Attacker’s Oversized DNS Response ● CNAME chain Use dummy CNAME records to enlarge attacker’s DNS response Use CNAME to point attacker’s domain to any victim What the What the recursive DNS resolver forwarder sees sees 9

  10. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 10

  11. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS query 11

  12. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS 3. Authoritative query returns oversized response (> Ethernet MTU) 12

  13. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS 3. Authoritative query returns oversized response 4. Defragment (> Ethernet MTU) by forwarder 13

  14. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS 3. Authoritative query returns oversized Lack response 4. Defragment Security (> Ethernet MTU) by forwarder Checks 14

  15. Conditions of Successful Attacks ● DNS caching by record The tampered record can be cached separately ● EDNS(0) support Allows transfer of DNS messages larger than 512 Bytes ● No active truncation of DNS response Ensures that the entire oversized response is transfered ● No response verification DNS forwarders rely on upstream resolvers 15

  16. Vulnerable DNS Software ● Home routers 16 models are tested (by real attacks in controlled environment) 8 models are vulnerable ● DNS sofuware 2 kinds of popular DNS sofuware are vulnerable 16

  17. Vulnerable DNS Software ● Home routers 16 models are tested (by real attacks in controlled environment) 8 models are vulnerable ● DNS sofuware 2 kinds of popular DNS sofuware are vulnerable ● Responsible Disclosure ASUS and D-Link release firmware patches Linksys accepts issue via BugCrowd 17

  18. Measuring Clients Potentially Under Risk ● Collect vantage points Implement measurement code in a network diagnosis tool 20K clients , mostly located in China ● Check the forwarder conditions Ethical considerations: no real attack 40% do not support EDNS(0) yet Estimated vulnerable clients: 6.6% 18

  19. Discussion ● Mitigation for DNS forwarders Perform response verification (e.g., DNSSEC) DNS caching by response (short-term solution) ● Lack clear guidelines of DNS forwarders What role should they play? What features should be supported? 19

  20. ● An attack targeting DNS forwarders ● Affects forwarder implementations extensively ● Call for more attention on DNS forwarder security Any Questions? zxf19@mails.tsinghua.edu.cn

Recommend

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

Anatomy of a DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the Domain Name System (DNS) Cache Poisoning Cyber attack. We will cover: - Real-world examples of DNS cache poisoning - A defjnition of

607 views • 58 slides
DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan Contents Background DNS Cache Poisoning Part I: Infer

934 views • 23 slides
DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC labs 8 Mar 2010 ccNSO techday, Nairobi 1 Agenda DNS, DNS resolver Cache Poisoning theory Kaminsky attack Attack theory Attack

503 views • 28 slides
Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey July 1, 2019 What is a Poisoning Attack? Data poisoning is an attack on machine learning models wherein the attacker adds (or modifies) examples

1.28k views • 12 slides
Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed Mahloujifar Mohammad Mahmoody Ameer Mohammed, ICML 2019 Multi-party Learning Application: Federated Learning Federated Learning : Train a centralized

589 views • 34 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline Background q What are bandits? q Motivations Data poisoning attacks on stochastic bandits q Offline model q Online model q Simulation results

218 views • 17 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning Attack Scenarios Vulnerability Analysis Remedies DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious Researcher David Dagon 1 1 Georgia Institute of Technology Atlanta, Georgia

327 views • 28 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from AES in 3s + 3min Very weak assumptions No known plaintext needed No special rights needed, only to be able to spawn and control threads

378 views • 16 slides
CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning is the most common exposure poisoning in the United States and the rest of the world. 2. It is an odorless, colorless gas that can cause sudden

198 views • 15 slides
Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b. Forefathers of toxicology c. Famous poisoning cases d. Misconception about poisoning e. Basic principles of poisoning f. Factors influencing toxic

843 views • 16 slides
Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Chronological order in Internet Incidents event Targeting Enterprise/Government using DDoS

Chronological order in Internet Incidents event Targeting Enterprise/Government using DDoS

Cyber Incident trends in Korea KrCERT/CC Ji-Yong PARK October 21 st , 2015 Chronological order in Internet Incidents event Targeting Enterprise/Government using DDoS attack and APT Internet incident occurs targeting enterprises using APT

195 views • 4 slides
Attack vectors on mobile devices Tam Hanna aka @tamhanna About /me Tam HANNA

Attack vectors on mobile devices Tam Hanna aka @tamhanna About /me Tam HANNA

Attack vectors on mobile devices Tam Hanna aka @tamhanna About /me Tam HANNA CEO, Tamoggemon Ltd. Runs web sites about mobile computing Starting thoughts Different user perceptions Mobile phones are always on the

923 views • 74 slides
Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache, and all blocks initially marked as not valid , Given the main memory word addresses 0 1 2 3 4 3 4 15, calculate Cache hit rate. Cache Index

654 views • 9 slides
CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

535 views • 42 slides
Pharmacists Role in Prevention & Management of Poisoning Prof. Rahmat Awang National Poison

Pharmacists Role in Prevention & Management of Poisoning Prof. Rahmat Awang National Poison

Overview of Poisoning Incidence and the Pharmacists Role in Prevention & Management of Poisoning Prof. Rahmat Awang National Poison Centre Universiti Sains Malaysia 1st. National Poisoning Symposium 2016: Pharmacists Role in Poisoning

570 views • 33 slides
A Centralized Monitoring Infrastructure For Improving DNS Security Manos Antonakakis David Dagon

A Centralized Monitoring Infrastructure For Improving DNS Security Manos Antonakakis David Dagon

Challenges in DNS poisoning detection The attack vector Methodology Poisoning Detection Conclusions A Centralized Monitoring Infrastructure For Improving DNS Security Manos Antonakakis David Dagon Luo Daniel Xiapu Roberto Perdisci

691 views • 41 slides
When USB devices attack Manchester Grey Hats PRESENTED BY: Tim Wilkes @mcrgreyhats Disclaimer:

When USB devices attack Manchester Grey Hats PRESENTED BY: Tim Wilkes @mcrgreyhats Disclaimer:

When USB devices attack Manchester Grey Hats PRESENTED BY: Tim Wilkes @mcrgreyhats Disclaimer: Please dont be a dick. I accept no responsibility. Ever. For Anything. 1997 was not a good year... Windows 95 OSR 2.5 came out

606 views • 23 slides
WAMOS 2018 Common Attack Vectors of IoT Devices 09.08.2018 Alexios Karagiozidis Motivation

WAMOS 2018 Common Attack Vectors of IoT Devices 09.08.2018 Alexios Karagiozidis Motivation

WAMOS 2018 Common Attack Vectors of IoT Devices 09.08.2018 Alexios Karagiozidis Motivation Botnetworks and Internet attacks increased rapidly Examples of security issues: Mirai-Bot-Network CVE-2018-10967, bufferoverflow via

848 views • 27 slides

More recommend