dns the kaminsky blind spoofing attack
play

DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security - PowerPoint PPT Presentation

Sep 25, 2023 •227 likes •768 views

DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1, 2016 16 bits 16 bits DNS Blind Spoofing, cont. SRC=53 DST=53 checksum length Once we randomize the Identification Flags Identification,

  1. DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1, 2016

  2. 16 bits 16 bits DNS Blind Spoofing, cont. SRC=53 DST=53 checksum length Once we randomize the Identification Flags Identification, attacker has a 1/65536 chance of guessing it # Questions # Answer RRs correctly. # Authority RRs # Additional RRs Are we pretty much safe? Questions (variable # of resource records) Answers Attacker can send lots of replies, (variable # of resource records) not just one … Authority (variable # of resource records) Additional information However: once reply from legit (variable # of resource records) server arrives (with correct Unless attacker can send Identification), it’s cached and 1000s of replies before legit no more opportunity to poison it. arrives, we’re likely safe – Victim is innoculated! phew! ?

  3. DNS Blind Spoofing (Kaminsky 2008) • Two key ideas: – Attacker can get around caching of legit replies by generating a series of different name lookups: <img src="http://random1.google.com" …> <img src="http://random2.google.com" …> <img src="http://random3.google.com" …> ... <img src="http://randomN.google.com" …> – Trick victim into looking up a domain you don’t care about, use Additional field to spoof the domain you do

  4. Kaminsky Blind Spoofing For each lookup of randomk .google.com , attacker spoofs a bunch of records like this, each with a different Identifier ;; QUESTION SECTION: ;random7.google.com. IN A ;; ANSWER SECTION: random7.google.com 21600 IN A doesn’t matter ;; AUTHORITY SECTION: google.com. 11088 IN NS mail.google.com ;; ADDITIONAL SECTION: mail.google.com 126738 IN A 6.6.6.6 Once they win the race, not only have they poisoned mail.google.com … but also the cached NS record for google.com ’ s name server - so any future X .google.com lookups go through the attacker ’ s machine

  5. Kaminsky Blind Spoofing For each lookup of randomk .google.com , attacker spoofs a bunch of records like this, each with a different Identifier ;; QUESTION SECTION: ;random7.google.com. IN A ;; ANSWER SECTION: random7.google.com 21600 IN A doesn’t matter ;; AUTHORITY SECTION: google.com. 11088 IN NS mail.google.com ;; ADDITIONAL SECTION: mail.google.com 126738 IN A 6.6.6.6 Once they win the race, not only have they poisoned mail.google.com … but also the cached NS record for google.com ’s name server – so any future X .google.com lookups go through the attacker’s machine

  6. Defending Against Blind Spoofing Central problem: all that tells a 16 bits 16 bits client they should accept a SRC=53 DST=53 response is that it matches the checksum length Identification field. Identification Flags With only 16 bits, it lacks # Questions # Answer RRs sufficient entropy: even if truly # Authority RRs # Additional RRs random, the search space an Questions attacker must brute force is too (variable # of resource records) small. Answers (variable # of resource records) Authority Where can we get more (variable # of resource records) entropy? ( Without requiring a Additional information (variable # of resource records) protocol change.)

  7. Defending Against Blind Spoofing Total entropy : 16 bits For requestor to receive DNS 16 bits 16 bits reply, needs both correct SRC=53 DST=53 Identification and correct ports. checksum length On a request, DST port = 53. Identification Flags SRC port usually also 53 – but # Questions # Answer RRs not fundamental, just convenient. # Authority RRs # Additional RRs Questions (variable # of resource records) Answers (variable # of resource records) Authority (variable # of resource records) Additional information (variable # of resource records)

  8. Defending Against Blind Spoofing Total entropy : ? bits “ Fix ” : client uses random 16 bits 16 bits source port ⇒ attacker doesn’t SRC= 53 DST= rnd know correct dest. port to use in reply checksum length Identification Flags # Questions # Answer RRs # Authority RRs # Additional RRs Questions (variable # of resource records) Answers (variable # of resource records) Authority (variable # of resource records) Additional information (variable # of resource records)

  9. Defending Against Blind Spoofing Total entropy : 32 bits “ Fix ” : client uses random 16 bits 16 bits source port ⇒ attacker doesn’t SRC= 53 DST= rnd know correct dest. port to use in reply checksum length Identification Flags 32 bits of entropy makes it orders of magnitude harder for # Questions # Answer RRs attacker to guess all the # Authority RRs # Additional RRs necessary fields and dupe victim Questions (variable # of resource records) into accepting spoof response. Answers (variable # of resource records) This is what primarily “ secures ” Authority (variable # of resource records) DNS against blind spoofing Additional information today. (variable # of resource records)

  10. Lessons learned • Special risks of caching and distributed systems where information is spread across many machines • Security risks: friend (cache) might be malicious • Communication channel to friend (cache) might be insecure • Friend (cache) might be well-intentioned but misinformed

  11. Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner April 1, 2016

  12. Attacks on Availability • Denial-of-Service (DoS): preventing legitimate users from using a computing service • We do though need to consider our threat model … – What might motivate a DoS attack?

  27. Motivations for DoS • Showing off / entertainment / ego • Competitive advantage – Maybe commercial, maybe just to win • Vendetta / denial-of-money • Extortion • Political statements • Impair defenses • Espionage • Warfare

  28. Attacks on Availability • Deny service via a program flaw ( “ *NULL ” ) – E.g., supply an input that crashes a server – E.g., fool a system into shutting down • Deny service via resource exhaustion ( “ while(1); ” ) – E.g., consume CPU, memory, disk, network • Network-level DoS vs application-level DoS

  29. DoS & Operating Systems • How could you DoS a multi-user Unix system on which you have a login?

  30. DoS & Operating Systems • How could you DoS a multi-user Unix system on which you have a login? – char buf[1024]; int f = open("/tmp/junk"); while (1) write(f, buf, sizeof(buf)); o Gobble up all the disk space! – while (1) fork(); o Create a zillion processes! – Create zillions of files, keep opening, reading, writing, deleting o Thrash the disk – … doubtless many more • Defenses?

  31. DoS & Operating Systems • How could you DoS a multi-user Unix system on which you have a login? – char buf[1024]; int f = open("/tmp/junk"); while (1) write(f, buf, sizeof(buf)); o Gobble up all the disk space! – while (1) fork(); o Create a zillion processes! – Create zillions of files, keep opening, reading, writing, deleting o Thrash the disk – … doubtless many more • Defenses? – Isolate users / impose quotas

  32. Network-level DoS • Can exhaust network resources by – Flooding with lots of packets (brute-force) – DDoS: flood with packets from many sources – Amplification: Abuse patsies who will amplify your traffic for you

  33. DoS & Networks • How could you DoS a target’s Internet access? – Send a zillion packets at them – Internet lacks isolation between traffic of different users! • What resources does attacker need to pull this off? – At least as much sending capacity (“bandwidth”) as the bottleneck link of the target’s Internet connection o Attacker sends maximum-sized packets – Or : overwhelm the rate at which the bottleneck router can process packets o Attacker sends minimum-sized packets! • (in order to maximize the packet arrival rate)

  34. Defending Against Network DoS • Suppose an attacker has access to a beefy system with high-speed Internet access (a “ big pipe ” ). • They pump out packets towards the target at a very high rate. • What might the target do to defend against the onslaught? – Install a network filter to discard any packets that arrive with attacker’s IP address as their source o E.g., drop * 66.31.1.37:* -> *:* o Or it can leverage any other pattern in the flooding traffic that’s not in benign traffic – Attacker’s IP address = means of identifying misbehaving user

  35. Filtering Sounds Pretty Easy … • … but DoS filters can be easily evaded: – Make traffic appear as though it’s from many hosts o Spoof the source address so it can’t be used to filter • Just pick a random 32-bit number of each packet sent o How does a defender filter this? • They don’t! • Best they can hope for is that operators around the world implement anti-spoofing mechanisms (today about 75% do) – Use many hosts to send traffic rather than just one o Distributed Denial-of-Service = DDoS (“dee-doss”) o Requires defender to install complex filters o How many hosts is “enough” for the attacker? • Today they are very cheap to acquire … :-(

Recommend

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 ,

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 ,

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs 2 System Security Laboratory, KAIST 10th USENIX Workshop on Offensive

469 views • 33 slides
Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

RECHERCHE N O Y L E D S E E U Q I L P P A S E C N E I C S S E D L A N O Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T I T S N I C elestin Matte -

702 views • 20 slides
Defending your DNS in a post-Kaminsky world Paul Wouters &lt;paul@xelerance.com&gt; Vendor and

Defending your DNS in a post-Kaminsky world Paul Wouters &lt;paul@xelerance.com&gt; Vendor and

Defending your DNS in a post-Kaminsky world Paul Wouters &lt;paul@xelerance.com&gt; Vendor and NGO's involved Two phase deployment First release a generic fix for the Kaminsky attack that does not leak information to the bad guys (source

819 views • 81 slides
This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs ys.park@navercorp.com 2 Korea Advanced Institute of Science and Technology

248 views • 11 slides
VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith

VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith

VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith rich@immunityinc.com 1 Agenda VNC and it's underlying protocol RFB Why attack automation is needed Why RFB is hard to automate The VAASeline technique

954 views • 56 slides
disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such DDoS attacks addressing spoofing attempts to eliminate spoofing, not adopted IETF BCPs 38-84, ISOC MANRS scrubbing centers (eg Akamai,

700 views • 19 slides
IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing Denial of Service attack (DoS) Distributed DoS (DoS) Source address validation Link layer security Address resolution protocol (ARP)

1.72k views • 35 slides
SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky

SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky

SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky Department of Computer Science Rochester Institute of Technology Agenda SipHash Boolean Satisfiability Problem SAT Solver Attack

621 views • 35 slides
DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC labs 8 Mar 2010 ccNSO techday, Nairobi 1 Agenda DNS, DNS resolver Cache Poisoning theory Kaminsky attack Attack theory Attack

503 views • 28 slides
Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark

Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark

Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark Allman, kc claffy IMC 2015, October 28th 2015 1 w w w . cai da. or What is a Blind Attack on TCP? A brute-force attempt by an off-path

335 views • 29 slides
N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind men called to Jesus using the Messianic title Son of David . Matthew implied that these blind men saw more than the Pharisees and other national leaders

639 views • 27 slides
Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and Spoofing Detec:on Usable Authen:ca:on (2FA) Security of Blockchains / Cryptocurrencies Trusted Compu:ng Secure Proximi mity / Distance Measureme

589 views • 30 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann, Raphael Hiesgen, Thomas C. Schmidt, Matthias Whlisch t.schmidt@haw-hamburg.de Spoofing Detection in Interdomain Traffic Starting Point: Our

326 views • 8 slides
A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann October 9, 2019 iNET RG, Hamburg University of Applied Sciences Overview IP Spoofing Mitigation in General Detection in Inter-Domain Traffic

778 views • 42 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
CANADIANS WHO ARE BLIND, DEAF-BLIND, AND PARTIALLY- SIGHTED Keith D Gordon Ph.D. Senior

CANADIANS WHO ARE BLIND, DEAF-BLIND, AND PARTIALLY- SIGHTED Keith D Gordon Ph.D. Senior

THE IMPACT OF THE COVID-19 PANDEMIC ON CANADIANS WHO ARE BLIND, DEAF-BLIND, AND PARTIALLY- SIGHTED Keith D Gordon Ph.D. Senior Research Officer Canadian Council of the Blind COVID-19 Impact Survey Objective To determine the impact that

822 views • 36 slides
Blind/Visually Impaired Silvia Ludena Veronica Sarabia Katie Stoddard Huong Vo Blind/Visually

Blind/Visually Impaired Silvia Ludena Veronica Sarabia Katie Stoddard Huong Vo Blind/Visually

Blind/Visually Impaired Silvia Ludena Veronica Sarabia Katie Stoddard Huong Vo Blind/Visually Impaired Any loss of ability to gather information by seeing might be considered a visual impairment Total Blindness - vision Legally blind - is the

1.19k views • 42 slides
Visual disability Low vision 2015 Estimated blind people 2020 Visually impaired 285 M Blind

Visual disability Low vision 2015 Estimated blind people 2020 Visually impaired 285 M Blind

Visual disability Low vision 2015 Estimated blind people 2020 Visually impaired 285 M Blind 54 M Blind 39 M Global data souce: WHO, IBU See the world through the eyes of a visually impaired person Normal vision Cataract Glaucoma

562 views • 28 slides
Xi He xxh2229@rit.edu Committee: Chair: Prof. Alan Kaminsky Reader:

Xi He xxh2229@rit.edu Committee: Chair: Prof. Alan Kaminsky Reader:

Xi He xxh2229@rit.edu Committee: Chair: Prof. Alan Kaminsky Reader: Prof. Hans-Peter Bischof Observer: Prof. Minseok Kwon Introduction SSH Motivation Design Deploy, user manual and

813 views • 26 slides
MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm

MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm

MD5 To Be Considered Harmful (Someday) Dan Kaminsky Basics MD5: Hashing algorithm Fingerprint of data easy to synthesize (push here), hard to fake (grow this) Known since 1997 it was theoretically not so hard to create

573 views • 35 slides
Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15,

Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15,

Blind Beamforming using Randomly Distributed Sensors Kung Yao UCLA DARPA CSP Workshop, Jan. 15, 2001 Outline Introduction to blind beamforming array Different usages of blind beamforming arrays Applications 1. Acoustic source

301 views • 19 slides
Breaking Down The 2nd Criminal Spoofing Trial: Part 2 By Clifford Histed, Vincente Martinez and

Breaking Down The 2nd Criminal Spoofing Trial: Part 2 By Clifford Histed, Vincente Martinez and

Portfolio Media. Inc. | 111 West 19 th Street, 5th Floor | New York, NY 10011 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com Breaking Down The 2nd Criminal Spoofing Trial: Part 2 By Clifford Histed,

284 views • 6 slides

More recommend