new vulnerabilities
play

New Vulnerabilities and Implications, or: DNS NSSEC SEC, , th - PowerPoint PPT Presentation

Nov 26, 2022 •130 likes •463 views

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNS NSSEC SEC, , th the ti time me ha has come s come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013 About us Bar Ilan University

  1. DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNS NSSEC SEC, , th the ti time me ha has come s come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013

  2. About us Bar Ilan University NetSec group Haya Shulman: Amir Herzberg: Fresh Graduate NetSec/Crypto PhD Thesis: Researcher DNS Security Attacks: DNS, TCP/IP, DoS , … (and more...) Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  3. 2013 … DNSSEC, IPSEC:15yrs old Yet: < 6% of traffic encrypted,…  Insecure against MitM attacker WHY??? False hope : attackers are `off-path` Can send spoofed packets but not intercept Reality: MitM attackers are common Open WiFi, route hijacking , mal-devices, DNS poisoning False belief : DNS, TCP immune to off-path attacks Reality: TCP hijacking, DNS poisoning Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  4. Outline  Attack model: MitM vs. Off-path  DNS poisoning: Background  Source-port de-randomization attacks  Resolver-behind-NAT, proxy-using-upstream  1 st -fragment piggybacking attacks  Implications and defenses  Patches: to resolvers, name-servers, registrars  Deploy DNSSEC – correctly… [and fix it, too??] Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  5. Attacker Model: MitM or Off-Path?  Man-in-the-Middle attacker  On path  Harder but possible: wifi , route hijack, vulnerable router, …  Or: give wrong address – DNS poisoning  Prevent with crypto : overhead, complexity, PKI …  Why bother? Bob, I Leave U! Alice Bob, ILU! Alice Bob Alice Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  6. Attacker Model: MitM or Off-Path?  Folklore: most attackers are weak, off-path  `Security ’ is often against Off-Path Oscar  Do not control devices en-route  Cannot intercept/modify/block traffic  Prevent: with challenge-response (`cookie`) Bob, ILU! Alice Bob, I Leave U! Alice Bob Alice Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  7. Attacker Model: MitM or Off-Path?  Folklore: most attackers are weak, off-path  `Security ’ is often against Off-Path Oscar  Do not control devices en-route  Cannot intercept/modify/block traffic  Prevent: with challenge-response (`cookie`) (Cookie=challenge) Bob, ILU! Alice Bob, I Leave U! Alice Bob Alice Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  8. Challenge-Response: What Can Go Wrong?  Attacker has MitM capabilities  Insufficient entropy : t oo short or non-uniform  TCP [Zalewski01, Watson04]  DNS [Klein03, Kaminsky08]  Side-channel: reused field (source port)  DNS [HS12, HS13], TCP [GH12, GH13, QM(X)12]  Cut-&-paste: use real cookie in spoofed packet  DNS [HS13] 8/1/2013

  9. Outline  Attack model: MitM vs. Off-path  DNS poisoning: Background  Source-port de-randomization attacks  Resolver-behind-NAT, proxy-using-upstream  1 st -fragment piggybacking attacks  Implications and defenses  Patches: to resolvers, name-servers, registrars  Deploy DNSSEC – correctly… [and fix it, too??] Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  10. DNS Poisoning: the Hacker’s Knife Phishing Circumvent: Blacklists, Cookies SOP, CSP, theft SPF, DKIM DoS Malware Distribution Block updates Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  11. DNS Cache Poisoning 6.6.6.6 Packet with source IP: 156.4.5.6 www.bob.com A 6.6.6.6 www.bob.com A 6.6.6.6 6.6.6.6 Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  12. DNS Cache Poisoning 6.6.6.6 • But, must match: TX-ID (16b in req.), query, source port. Also: request not sent if in cache www.bob.com A 6.6.6.6 www.bob.com A 6.6.6.6 6.6.6.6 Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  13. Defenses against DNS Poisoning  Currently , mostly Challenge-response defenses: – Unilateral (in resolver ): `challenges’ using existing request fields echoed in responses – TX-ID (16b), Source port (16b), Query [0x20]  Cryptographic defenses ( DNSSEC ): limited use  Root and many TLDs signed  Many resolvers request signatures, but few validate  Why? Myths (rare MitM, weak Oscar) Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  14. Outline  Attack model: MitM vs. Off-path  DNS poisoning: Background  Source-port de-randomization attacks  Resolver-behind-NAT, proxy-using-upstream  1 st -fragment piggybacking attacks  Implications and defenses  Patches: to resolvers, name-servers, registrars  Deploy DNSSEC – correctly… [and fix it, too??] Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  15. Source Port De-Randomisation Attacks • Learn source-port via side channel • Attacks on two common configurations: • Resolver-behind- NAT [Esorics’ 12] • Attacks for most types of NATs (only one was secure) • Upstream resolver (e.g., OpenDNS ) [Esorics’ 13] • Learn resolver’s IP address, too [often enough for DoS !] Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  16. Resolver-behind-NAT: Attack  Example: attack on per-dest incrementing (e.g., Linux)  Initial port is random; can attacker predict/trap port?  Attack phases:  Hole-punch the NAT  Exploit assigned mapping to guess port  Variations apply to different NAT devices Herzberg and Shulman: DNSSEC, the time has come!

  17. Upstream DNS Resolver  Upstream DNS resolvers:  Popular: Google’s public -DNS, OpenDNS, many others  Recommended by experts, vendors  E.g., Akamai : ‘ Customer’s primary DNS are not directly exposed to end users, so the risk of cache poisoning and DoS attacks is mitigated ’…  Proxy resolvers often has lower bandwidth, weaker security  We found (CAIDA): 54% incrementing ports, 30% fixed port  And… both types are vulnerable! Herzberg and Shulman: DNSSEC, the time has come!

  18. Upstream DNS Resolver - Attack  Poisoning attack in three phases  Phase 1 : find proxy’s IP address  Many requests with fragmented response… `kill` with spoofed frag  Suffices for DoS attack on proxy!  Phase 2: find fixed/current port #  By a more complex frag attack, or by `port overloading’  Phase 3 : `regular’ (` Kaminsky ’) poisoning Herzberg and Shulman: DNSSEC, the time has come!

  19. Outline  Attack model: MitM vs. Off-path  DNS poisoning: Background  Source-port de-randomization attacks  Resolver-behind-NAT, proxy-using-upstream  1 st -fragment piggybacking attacks  Implications and defenses  Patches: to resolvers, name-servers, registrars  Deploy DNSSEC – correctly… [and fix it, too??] Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  20. 1 st -fragment piggybacking attacks • Cut’n’Paste attack: • Poison a long, fragmented DNS response • Source fragmentation will do [works even for IPv6] • All `challenges’ are in the first fragment! • TXID, “ src ” port, even query [e.g., 0x20 defense] • Replace 2 nd fragment with a fake one! • Few details and quick recap on IP fragmentation Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  21. IP Fragmentation Nets have a limit on maximal packet size If the packet is larger than the limit: fragmentation Reassemble at the receiver Net Net Net 3.3.3 2.2.2 5.5.5 From: 2.2.2.5 To : 3.3.3.7 Bob, how From: 2.2.2.5 Bob, how much I ... much I To : 3.3.3.7 love you Bob, how much I From: 2.2.2.5 love you To : 3.3.3.7 ... love you ! MTU=1500 MTU=1200 8/1/2013

  22. Fragment Reassembly Bob receives fragments of a packet How to reassemble without introducing mistakes Identify fragments of the same packet By sender/receiver addresses and protocol (TCP/UDP) Not enough, add 16 bit, IP-ID Net Net Net 3.3.3 2.2.2 5.5.5 34 34 Bob, how love you Bob how Bob, how Bob, how much I much I much I much I love you!! 34 need love you a fridge I’ve 35 35 Need a I’ve decided I don’t decided I fridge… need a fridge 8/1/2013 35 don’t

  23. Off-Path Discarding and Modifying • We show off-path can discard and modify fragments!! • Exploit fragmentation for poisoning! • In reality fragmentation is rare (<1%) • But, off-path attacker can cause fragmentation!! • Two methods: 1. Trigger requests whose responses fragment • E.g., DNSSEC protected 2. Attacker registered domain 8/1/2013

  24. Modify Long DNSSEC Responses 8/1/2013

  25. Poisoning DNSKEY Response

  26. Causing Long, Fragmented Responses • Often, attacker doesn’t need to find a long response • Attacker causes a long, fragmented response • From a victim NS of a TLD (.ORG, .CO.UK, …) • By registering an `appropriate’ subdomain • To cause fragmentation: • Register many name servers • With long names • Example? One-Domain-to-Rule-them-All . ORG • Or see paper [CNS2013 ]… or next foil  Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  28. Outline  Attack model: MitM vs. Off-path  DNS poisoning: Background  Source-port de-randomization attacks  Resolver-behind-NAT, proxy-using-upstream  1 st -fragment piggybacking attacks  Implications and defenses  Patches: to resolvers, name-servers, registrars  Deploy DNSSEC – correctly… [and fix it, too??] Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

Recommend

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities &gt; analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

907 views • 62 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities

SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities Yuan Xiao, Yinqian Zhang, Radu Teodorescu The Ohio State University SPEculative Execution side Channel Hardware (SPEECH) Vulnerabilities Leverage

512 views • 24 slides
The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus

The Beauty and the Beast Vulnerabilities in Red Hats Packages Stephan Neuhaus &lt;Stephan.Neuhaus@disi.unitn.it&gt; Thomas Zimmermann &lt;tzimmer@microsoft.com&gt; Vulnerabilities are important because fixing them costs a lot of money (2005

1.9k views • 73 slides
Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design

Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design

Outstanding Communications Solutions Root Canal A new class of SS7 vulnerabilities Agenda SS7 Vulnerable by design Acknowledged signalling vulnerabilities The root problem Mitigation The signaling band-aid A new class

787 views • 54 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1

Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Dependence in IV-related bytes of RC4 key enhances vulnerabilities in WPA Sourav Sen Gupta 1 Subhamoy Maitra 1 Willi Meier 2 Goutam Paul 1 Santanu Sarkar 3 Indian

749 views • 30 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Intermission: gdb demo Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

401 views • 8 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Logistics announcements Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

521 views • 9 slides
Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of Informatics University of Edinburgh 24th February 2014 Outline Introduction Network and transport-level vulnerabilities Higher-level protocol

1.01k views • 88 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Objectives Objectives 1. Define vulnerabilities prevalent among 1. Define vulnerabilities

Objectives Objectives 1. Define vulnerabilities prevalent among 1. Define vulnerabilities

2/25/2017 What Can Geriatrics Teach Us About the Care of Vulnerable Patients? I have nothing to disclose Anna Chodos MD Assistant Professor Director, ZSFG Geriatrics Consult Clinics These slides heavily adapted from Helen UCSF February 25,

422 views • 11 slides
Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen

Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen

Programming Language Vulnerabilities within the ISO/IEC Standardization Community Stephen Michell International Convenor JTC 1/SC 22 WG 23 Programming Language Vulnerabilities Canadian HoD to ISO/IEC/JTC 1SC 22 Programming Language

557 views • 27 slides
ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through

ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through

ISO/IEC JTC 1/SC 22/WG 23 N0192 ISO/IEC JTC 1/SC 22/WG 23 ISO working group on Guidance for Avoiding Vulnerabilities through language selection and use John Benito, Convener Jim Moore, Secretary June 2009 1 The Problem Any programming

367 views • 26 slides
Cybersecurity Status regarding traditional vulnerabilities Some grand

Cybersecurity Status regarding traditional vulnerabilities Some grand

Topics Cybersecurity Status regarding traditional vulnerabilities Some grand challenges IT and counterterrorism Some legal and regulatory issues Ed Lazowska Security in open vs. closed systems IT &amp; Public

301 views • 7 slides
Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities are there in the software implementing all this smart grid functionality and the underlying protocols? Erik Poll Radboud University Nijmegen Moti

351 views • 33 slides

More recommend