dns victim or attacker
play

DNS: Victim or Attacker Paul Ebersman - PowerPoint PPT Presentation

DNS: Victim or Attacker Paul Ebersman Paul_Ebersman@cable.comcast.com, @paul_ipv6 ICANN49, 24 Mar 2014, Singapore 1 Attacking your cache 2 Recursion DNS queries are either recursive or nonrecursive 2) Nonrecursive query recursive for


  1. DNS: Victim or Attacker Paul Ebersman Paul_Ebersman@cable.comcast.com, @paul_ipv6 ICANN49, 24 Mar 2014, Singapore 1

  2. Attacking your cache 2

  3. Recursion DNS queries are either recursive or nonrecursive 2) Nonrecursive query recursive for www.google.com/A servername root name 3) Referral to com server name servers 4) Nonrecursive query for www.google.com/A 1) Recursive query for www.google.com/ 6) Nonrecursive query 5) Referral to A for www.google.com/A google.com 8) A records for name servers www.google.com 7) A records for com name www.google.com server google.com name server resolver

  4. Cache Poisoning • What is it? • Inducing a name server to cache bogus records • Made possible by • Flaws in name server implementations • Short DNS message IDs (only 16 bits, or 0-65535) • Made easier on • Open recursive name servers 4

  5. Cache Poisoning Consequences • A hacker can fool your name server into caching bogus records • Your users might connect to the wrong web site and reveal sensitive information • Your users’ emails might go to the wrong destination • Man in the middle attacks, phishing, credentials theft 5

  6. The Kashpureff Attack Eugene Kashpureff ’ s cache poisoning attack used a flaw in BIND ’ s additional data processing Evil resolver : y r e u Q ? A / t e n . c i n r e t l a . x x x Owns Query: nameserver xxx.alternic.net/A? Reply: Recursive xxx.alternic.net/A name server + www.internic.net/A Cache alternic.net name server

  7. DNS Message IDs • Message ID in a reply must match the message ID in the query • The message ID is a “ random, ” 16-bit quantity Query Reply [Msg ID [Msg ID 38789] 38789] ns1 ns2

  8. How Random - Not! Amit Klein of Trusteer found that flaws in most versions of BIND ’ s message ID generator (PRNG) don ’ t use sufficiently random message IDs • If the current message ID is even, the next one is one of only 10 possible values • Also possible, with 13-15 queries, to reproduce the state of the PRNG entirely, and guess all successive message IDs

  9. Birthday Attacks • Brute-force guessing Msg ID is a birthday attack: • 365 (or 366) possible birthdays, 65536 possible message IDs • Chances of two people chosen at random having different birthdays: • Chances of n people (n > 1) chosen at random all having different birthdays: 364 365 ≈ 99.7% ( ) = 364 365 × 363 365 × ... × 366 − n ( ) ( ) p n p ( n ) = 1 − p n 365

  10. Birthday Attacks (continued) People Chances of two or more people having the same Number of reply Chances of birthday messages guessing the right message ID 10 12% 200 ~20% 20 41% 300 ~40% 23 50.7% 500 ~80% 30 70% 600 ~90% 50 97% 100 99.99996%

  11. The Kaminsky Vulnerability How do you get that many guesses at the right message ID? Hacker q00001.paypal.com/A? NXDOMAIN! Recursive name server paypal.com name servers

  12. 
 The Kaminsky Vulnerability (continued) How does a response about q00001.paypal.com poison www.paypal.com ’ s A record? Response: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61718 
 � ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, � ADDITIONAL: 1 � � ;;; QUESTION SECTION: 
 � ;q00001.paypal.com. � IN � A 
 � ;;; AUTHORITY SECTION 
 � q00001.paypal.com. � 86400 � IN � NS � www.paypal.com. 
 � ;;; ADDITIONAL SECTION 
 � www.paypal.com. � � 86400 � IN � A � 10.0.0.1 
 �� �

  13. Initial Kaminsky fixes • To make it more difficult for a hacker to spoof a response, we use a random query port in addition to a random message ID • If we use 8K or 16K source ports, we increase entropy by 13 or 14 bits • This increases the average time it would take to spoof a response substantially • However, this is not a complete solution • Spoofing is harder, but still possible • Evgeniy Polyakov demonstrated that he could successfully spoof a patched BIND name server over high-speed LAN in about 10 hours

  14. Defending your cache 14

  15. Defenses • More randomness in DNS msg IDs, source ports, etc. • Better checks on glue • DNSSEC 15

  16. Overwhelming your authoritative servers 16

  17. Sheer volume and persistence • 10s of thousands of bots • 10s of millions of open resolvers • (see http://openresolverproject.org/) • Gbps of traffic generated • 45% of ISPs experience 1-10 DDoS/month, 47% experience 10-500 DDoS/month 17

  18. High yield results • Small queries, large responses (DNSSEC records) • Using NSEC3 against you 18

  19. Make sure they’re your servers… • Vet your registry/registrar • Think about NS TTLs 19

  20. How to defend your servers 20

  21. Harden your server • Perimeter ACLs • Higher capacity servers • Clusters or load balanced servers • Response Rate limiting (RRL) • http://www.iana.org/about/presentations/20130512- knight-rrl.pdf • https://www.isc.org/blogs/cache-poisoning-gets-a- second-wind-from-rrl-probably-not/ 21

  22. Spread yourself out • Fatter internet pipes (but makes you more dangerous to others) • More authoritative servers (up to a point) • Anycast • High availability 22

  23. Being a good internet citizen 23

  24. It’s not just you being attacked • If you allow spoofed packets out from your network, you are part of the problem… • Use BCP38/RFC3704 Ingress filtering • Implement RFC5358 • http://openresolverproject.org/ 24

  25. Revise DNS Standards? 25

  26. Changing RFCs? • Glaciers start to look speedy • Source Address Validation • TCP vs UDP • DNS Cookies • http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-04 26

  27. DNS use by the bad guys 27

  28. DNS use by bad guys • Command and control • DNS Amplification • Fastflux • single flux • double flux • Storm, Conficker, etc. 28

  29. Protecting your users 29

  30. Dealing with malware • Prevent infections (antivirus) • Block at the perimeter (NGFW, IDS) • Block at the client (DNS) 30

  31. Antivirus • Useful but has issues: Ø Depends on client update cycles Ø Too many mutations Ø Not hard to disable Ø Poor catch rates for new viruses 31

  32. Perimeter defenses • Necessary but not complete: Ø Limited usefulness after client is already infected Ø Detection of infected files only after download starts Ø Usually IP-based reputation lists Ø Limited sources of data 32

  33. RPZ DNS • Uses a reputation feed(s) (ala spam) • Can be IP or DNS based ID • Fast updates via AXFR/IXFR • Protects infected clients, helps ID them • Can isolate infected clients to walled garden 33

  34. There is *not* only one Use all methods you can! 34

  35. Q & A 35

  36. Thank you! 36

Recommend


More recommend