
Assessing DNS Vulnerability to Record Injection
Kyle Schomp, Tom Callahan, Michael Rabinovich, Mark Allman
Case Western Reserve University; International Computer Science Institute
Passive and Active Measurement Conference


1. Assessing DNS Vulnerability to Record Injection
Kyle Schomp†, Tom Callahan†, Michael Rabinovich†, Mark Allman†‡
†Case Western Reserve University, ‡International Computer Science Institute
Passive and Active Measurement Conference 2014
3/11/2014 PAM 2014 1


3. DNS Record Injection
• Subverting the DNS name-to-address bindings can result in:
  • Redirection to a malicious webserver
  • Privacy issues
  • Denial of service
  • Phishing attacks
  • Malware installation

4. Our Contribution
• Assess vulnerability to extraneous record injection
  • Bailiwick violations
• Examine the incidence rate of intentional response rewriting by resolvers
  • Negative response rewriting
  • Search engine hijacking (Paxfire)
• Survey use of established mitigations to the Kaminsky vulnerability
• Demonstrate a new record injection attack (the Preplay vulnerability)

5. Dataset Collection Methodology
• Discover open resolvers by sampling randomly from the Internet
• Deploy our own authoritative DNS server (ADNS)
• DNS request probes target our own domain
• Test open and egress resolvers for vulnerability to record injection
[Diagram, built up over four slides: Scanner → Open Resolver → Egress Resolver → ADNS for dnsresearch.us. The builds name the open resolver "FDNS", Forwarding Resolver, and the egress resolver "RDNS", Recursive Resolver; the final build replaces the Scanner with a Client.]

9. Bailiwick Violations
• Over 10 years old
• Mitigated via the bailiwick rules
• 749 violations found in 1.09M open resolvers tested
• Some resolvers still vulnerable to this very old attack!
[Diagram: RDNS sends "www.x.com ?" to the ADNS for x.com, which replies with
 Query: www.x.com ?
 Answer: 1.2.3.4
 Additional: www.hsbc.com A 2.3.4.5]

10. Negative Response Rewriting
[Diagram, built up over four slides: Client asks RDNS "anazon.com ?"; RDNS asks the ADNS for x.com "anazon.com ?"; the ADNS replies "does not exist"; RDNS returns "anazon.com = A" to the Client instead.]
• Why? DNS provider profits from advertising at A
• Happens to 24% of open resolvers

14. Search Engine Hijacking (Paxfire)
[Diagram, built up over seven slides: RDNS asks the ADNS for google.com "www.google.com ?" and receives "www.google.com = G"; RDNS answers "www.google.com = A" instead; the search is sent to A, and the search result passes between G and A before reaching the user.]
• Again, the primary reason is to monetize users' search traffic
• While once common, this is no longer a widespread practice

21. Off-path Attacks
• Craft an acceptable DNS response to squeeze between the real DNS request and response
[Diagram, built up over four slides, at the Resolver: real request goes out; malicious response arrives first; real response arrives last.]
• Fields to match:
  • IP addresses: source and destination
  • Port numbers: source and destination
  • Query string and transaction ID

26. Kaminsky Vulnerability
• In 2008, Dan Kaminsky discovered a new vulnerability
• 2 keys to Kaminsky:
  • Transaction ID is the only field the attacker needs to guess
  • Simple way to attempt multiple guesses
• Kaminsky showed that a cache could be poisoned in under 10 minutes!

27. Kaminsky Vulnerability (cont.)
[Diagram, built up over seven slides, with Attacker, RDNS and the ADNS for victim.com:
 1. RDNS sends "x1.victim.com ?" with TID = y to the ADNS for victim.com
 2. The ADNS returns its answer with TID = y
 3. The Attacker races that answer with a spoofed response carrying a guessed TID:
    Query: x1.victim.com ?
    Answer: doesn't matter
    Authority: victim.com NS ns1.victim.com
    Additional: ns1.victim.com A attacker
 4. The final builds show a later lookup "www.victim.com ?" at the RDNS, after the injected NS and A records are in its cache.]

34. Kaminsky Vulnerability (cont.)
• 65K possible transaction IDs
• First attempt likely unsuccessful, so repeat with:
  • x2.victim.com
  • x3.victim.com
  • etc.
• Since none of these names will be in the resolver's cache, can retry immediately
• Eventually, the attacker will guess correctly

35. Mitigating the Kaminsky Vulnerability
• Add entropy to response beyond just a random transaction ID
  • Randomized ephemeral port
  • 0x20 encoding
    • Random capitalization of query string, e.g. X1.VicTIm.Com
    • ADNS echoes the capitalization back
    • Attacker must guess capitalization
    • 1 bit of entropy per letter in query string
• DNSSEC and ingress filtering defeat the Kaminsky attack
  • Slow progress means mitigation is needed
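The checks from slides 9, 25 and 35 put together on the resolver side, as an added example (not code from the paper or its authors): a response is accepted only if source address, destination port, transaction ID and the byte-exact 0x20-cased question name all match the outstanding query, and records whose owner lies outside the queried zone are dropped. The `Pending`/`Response` data model, the documentation address 192.0.2.53 and the port range are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Pending:            # one outstanding query this resolver has sent to an ADNS
    server: str           # ADNS address the query went to
    port: int             # randomized ephemeral source port
    tid: int              # random 16-bit transaction ID
    qname: str            # query name exactly as sent, including its 0x20 mixed case

@dataclass
class Response:           # one response arriving at the resolver
    src: str
    dst_port: int
    tid: int
    qname: str            # question name echoed back by the server
    answer: list          # (owner, type, rdata) tuples
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def encode_0x20(name: str) -> str:
    """Randomize the case of each letter; a cooperating ADNS echoes it back unchanged."""
    return "".join(c.upper() if c.isalpha() and secrets.randbits(1) else c.lower() for c in name)

def new_query(server: str, name: str) -> Pending:
    """Use the entropy sources slide 35 lists: random TID, random port, 0x20 encoding."""
    return Pending(server, 1024 + secrets.randbelow(65536 - 1024), secrets.randbits(16), encode_0x20(name))

def in_bailiwick(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)

def validate(p: Pending, r: Response, zone: str):
    """Return the record sections a careful resolver keeps, or None to discard the response."""
    # Off-path check (slide 25): source address, destination port and TID must all match ...
    if (r.src, r.dst_port, r.tid) != (p.server, p.port, p.tid):
        return None
    # ... and the question name must match byte for byte, which is the 0x20 check.
    if r.qname != p.qname:
        return None
    # Bailiwick check (slide 9): drop records whose owner lies outside the zone asked about.
    keep = lambda rrs: [rr for rr in rrs if in_bailiwick(rr[0], zone)]
    return {"answer": keep(r.answer), "authority": keep(r.authority), "additional": keep(r.additional)}

if __name__ == "__main__":  # the slide 9 exchange: a www.x.com answer plus a www.hsbc.com additional record
    p = Pending("192.0.2.53", 40000, 0x1234, "wWw.X.cOm")
    r = Response("192.0.2.53", 40000, 0x1234, "wWw.X.cOm",
                 [("www.x.com", "A", "1.2.3.4")], [], [("www.hsbc.com", "A", "2.3.4.5")])
    print(validate(p, r, "x.com"))  # the out-of-bailiwick additional record is gone
```

Note that the slide 31 payload (Authority victim.com NS ns1.victim.com, Additional ns1.victim.com A) is fully in bailiwick for victim.com, so only the entropy checks, not the bailiwick rule, stop it.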

36. Survey of Mitigations to Kaminsky
• Send multiple DNS requests through each RDNS
• Classify RDNS where 10 or more DNS requests arrive at our ADNS
• Nearly all classified resolvers appear to use random transaction IDs
• 16% of classified resolvers use static ephemeral ports!
• 0x20 encoding rare

Observation (lower bound)          RDNS Number   Percentage
Total Classified                   57K           100%
Complex Transaction ID Sequence    57K           100%
Variable Ephemeral Port            48K           84%
0x20 Encoding                      195           0.3%
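The survey step of slide 36 as an added example (not the authors' measurement code): queries observed at the ADNS are grouped per resolver, a resolver is classified once 10 or more of its queries have arrived, and the three observations in the table are derived from the observed TIDs, source ports and question-name case. The "complex TID sequence" heuristic, the sample addresses and the constructed observations are assumptions of this example, not the paper's rules or data.

```python
import random

MIN_QUERIES = 10  # slide 36: classify an RDNS once 10 or more of its queries reach the ADNS

def complex_tid_sequence(tids):
    """Assumed heuristic (not the paper's rule): complex means neither mostly repeats
    nor a single fixed stride such as a constant TID or a simple counter."""
    if len(set(tids)) < len(tids) // 2:
        return False
    strides = {(b - a) & 0xFFFF for a, b in zip(tids, tids[1:])}
    return len(strides) > 1

def classify(observations):
    """observations: (resolver_ip, src_port, tid, qname) as seen at the ADNS, in arrival order."""
    per_resolver = {}
    for ip, port, tid, qname in observations:
        per_resolver.setdefault(ip, []).append((port, tid, qname))
    classified = {}
    for ip, rows in per_resolver.items():
        if len(rows) < MIN_QUERIES:
            continue  # too few samples to judge this resolver
        ports, tids, names = zip(*rows)
        classified[ip] = {
            "Complex Transaction ID Sequence": complex_tid_sequence(list(tids)),
            "Variable Ephemeral Port": len(set(ports)) > 1,
            # probes are sent all-lowercase, so any uppercase letter was added by the resolver
            "0x20 Encoding": any(n != n.lower() for n in names),
        }
    return classified

def summarize(classified):
    """Rebuild the slide's table: (count, percent of classified resolvers) per observation."""
    total = len(classified)
    table = {"Total Classified": (total, 100.0)}
    for key in ("Complex Transaction ID Sequence", "Variable Ephemeral Port", "0x20 Encoding"):
        n = sum(1 for c in classified.values() if c[key])
        table[key] = (n, round(100.0 * n / total, 1) if total else 0.0)
    return table

def constructed_observations():
    """Constructed sample (documentation addresses), not measured data from the study."""
    rng = random.Random(2014)
    obs = []
    for _ in range(12):  # 192.0.2.1: random TID, random port, 0x20 encoding
        obs.append(("192.0.2.1", rng.randrange(1024, 65536), rng.randrange(65536),
                    "".join(c.upper() if rng.random() < 0.5 else c for c in "probe.dnsresearch.us")))
    for _ in range(12):  # 192.0.2.2: random TID but a static port and no 0x20
        obs.append(("192.0.2.2", 53, rng.randrange(65536), "probe.dnsresearch.us"))
    for i in range(5):   # 192.0.2.3: fewer than MIN_QUERIES, left unclassified
        obs.append(("192.0.2.3", 53, i, "probe.dnsresearch.us"))
    return obs
```

Running `summarize(classify(constructed_observations()))` yields the same four rows as the slide's table, computed over the constructed sample instead of the 57K measured resolvers.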

37. Preplay Vulnerability
• If RDNS are vulnerable, what about FDNS?
• FDNS:
  • Residential locations
  • Most likely home Wi-Fi routers
  • Little attention paid to security
• We found that FDNS have a vulnerability that is much easier to exploit than the Kaminsky vulnerability

38. Preplay Vulnerability (cont.)
[Diagram, built up over four slides, with Attacker, FDNS and RDNS:
 1. The RDNS already holds the legitimate record www.victim.com = V
 2. Attacker → FDNS: www.victim.com ?
 3. FDNS → RDNS: www.victim.com ?
 4. Attacker → FDNS: www.victim.com = A, sent right behind the query without waiting for the real answer
 5. FDNS stores www.victim.com = A and answers the Attacker with www.victim.com = A
 6. RDNS → FDNS: www.victim.com = V arrives afterwards, while the FDNS already holds A]
