A Centralized Monitoring Infrastructure For Improving DNS Security - PowerPoint PPT Presentation

  1. A Centralized Monitoring Infrastructure For Improving DNS Security
     Manos Antonakakis, David Dagon, Luo “Daniel” Xiapu, Roberto Perdisci, Wenke Lee, Justin Bellmor
     Georgia Institute of Technology Information Security Center, Atlanta, Georgia
     RAID, Ottawa, 2010
     Sections: Challenges in DNS poisoning detection; The attack vector; Methodology; Poisoning Detection; Conclusions
     1 / 41

  2. Outline and Credits
     Outline:
     - Challenges in DNS poisoning detection
     - Previous work
     - Describing the attack vector
     - Methodology
     - DNS poisoning detection
     - Summary
     Credits:
     - Robert Edmonds and Paul Royal, for their useful comments
     - Chris Lee and the GT-OIT staff, for the abuse handling
     - SIE@ISC: Paul and Eric, scan point (SJ) and pDNS
     - CIRA: Norm and Matthew, scan point in Canada

  3. Challenges in DNS poisoning detection
     - DNS poisoning is a successful attack vector (thanks Dan!)
     - Detection requires being “on path” with the recursive resolver and/or observing the DNS cache
     - DNS poisoning is hard to observe (sporadic and short)
     - ... or you can do so at the authority: count patterns of ICMP(3,3) and qr/rd ratios
     - So, what do we need?
       - Technology that creates its own path to the RDNS
       - Sophisticated DNS cache inspection techniques

  11. A Monitoring Infrastructure For DNS Security
      - What “Anax” does: requests, records and analyzes DNS records from a large set of open RDNSs around the globe, looking for DNS cache abnormalities
      - Since Anax can detect poisonous RRs in Internet-scale measurements, the system can do the same in a less diverse set of RDNSs, e.g., those in a single organization
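The slide describes the idea only; the following is an added illustration of a cache-abnormality check over answers gathered from many resolvers, not Anax's own classifier. It assumes a constructed set of resolver observations and an authoritative baseline, and flags an answer whose A records lie outside both the authoritative answer and the majority view, or whose TTL exceeds the authoritative TTL (a genuinely cached record cannot outlive what the authority set).

```python
"""Consensus check over cached answers collected from open recursive resolvers.

Added example, not Anax's classifier: every resolver is asked the same name
and its cached answer is compared against the authoritative answer and the
majority answer across resolvers.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    resolver: str        # open recursive resolver that was queried
    qname: str
    rdata: frozenset     # A records returned by that resolver
    ttl: int             # remaining TTL reported by that resolver


# Constructed sample data (documentation-range addresses), one name, five resolvers.
AUTHORITATIVE = {"www.example.test": (frozenset({"192.0.2.10", "192.0.2.11"}), 3600)}

OBSERVATIONS = [
    Observation("198.51.100.1", "www.example.test", frozenset({"192.0.2.10", "192.0.2.11"}), 1200),
    Observation("198.51.100.2", "www.example.test", frozenset({"192.0.2.11"}), 900),      # subset of authority: fine
    Observation("198.51.100.3", "www.example.test", frozenset({"203.0.113.7"}), 86400),   # foreign rdata, TTL too large
    Observation("198.51.100.4", "www.example.test", frozenset({"192.0.2.10", "192.0.2.11"}), 3500),
    Observation("198.51.100.5", "www.example.test", frozenset({"192.0.2.10", "192.0.2.11"}), 3000),
]


def flag_abnormal(observations, authoritative):
    """Return {resolver: [reasons]} for cached answers that look poisoned."""
    by_name = {}
    for o in observations:
        by_name.setdefault(o.qname, []).append(o)
    findings = {}
    for qname, obs in by_name.items():
        auth_rdata, auth_ttl = authoritative[qname]
        # Majority answer across resolvers: the view most caches agree on.
        majority = Counter(o.rdata for o in obs).most_common(1)[0][0]
        for o in obs:
            reasons = []
            if not o.rdata <= auth_rdata and o.rdata != majority:
                reasons.append("rdata outside authoritative and majority answer")
            if o.ttl > auth_ttl:
                reasons.append("TTL exceeds authoritative TTL")
            if reasons:
                findings[o.resolver] = reasons
    return findings


if __name__ == "__main__":
    for resolver, reasons in flag_abnormal(OBSERVATIONS, AUTHORITATIVE).items():
        print(resolver, "->", "; ".join(reasons))
```

Geo-distributed or load-balanced names legitimately return different records per resolver, so a plain consensus check produces false positives; that is the gap the slide's "sophisticated cache inspection techniques" point at.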

  13. Some of the previous work ...
      - DNS Recursive Resolution plane: Dagon et al., “Corrupted DNS Resolution Paths”, NDSS 2007
      - DNS Entropy: Dagon et al., “Increased DNS Forgery Resistance Through 0x20-Bit Encoding”, CCS 2008
      - DNS Software Vulnerabilities: Dagon et al., “Recursive DNS Architectures and Vulnerability Implications”, NDSS 2009
      - Poisoning Prevention: DNSSEC (RFC 4033 and 4034), DNSCurve; Perdisci et al., “WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks”, DSN-DCCS 2009
