SlideShare ist ein Scribd-Unternehmen logo

08 tcp-dns

P
pantu_1961

protocols

Technologie
1 von 41
Downloaden Sie, um offline zu lesen
Network Protocols and Vulnerabilities Dan Boneh CS 155 Spring 2010
Outline !   Basic Networking:   How things work now plus some problems !   Some network attacks   Attacking host-to-host datagram protocols   TCP Spoofing, …   Attacking network infrastructure   Routing   Domain Name System
Backbone ISP ISP Internet Infrastructure !   Local and interdomain routing   TCP/IP for routing, connections   BGP for routing announcements !   Domain Name System   Find IP address from symbolic name (www.cs.stanford.edu)
TCP Protocol Stack Application Transport Network Link Application protocol TCP protocol IP protocol Data Link IP Network Access IP protocol Data Link Application Transport Network Link
Data Formats Application Transport (TCP, UDP) Network (IP) Link Layer Application message - data TCP data TCP data TCP data TCP Header dataTCPIP IP Header dataTCPIPETH ETF Link (Ethernet) Header Link (Ethernet) Trailer segment packet frame message
Internet Protocol !  Connectionless   Unreliable   Best effort !  Notes:   src and dest ports not parts of IP hdr IP Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset
IP Routing !  Internet routing uses numeric IP address !  Typical route uses several hops Meg Tom ISP Office gateway 121.42.33.12 132.14.11.51 Source Destination Packet 121.42.33.12 121.42.33.1 132.14.11.51 132.14.11.1
IP Protocol Functions (Summary) !   Routing   IP host knows location of router (gateway)   IP gateway must know route to other networks !   Fragmentation and reassembly   If max-packet-size less than the user-data-size !   Error reporting   ICMP packet to source if packet is dropped !   TTL field: decremented after every hop   Packet dropped f TTL=0. Prevents infinite loops.
Problem: no src IP authentication !   Client is trusted to embed correct source IP   Easy to override using raw sockets   Libnet: a library for formatting raw packets with arbitrary IP headers !   Anyone who owns their machine can send packets with arbitrary source IP   … response will be sent back to forged source IP   Implications: (solutions in DDoS lecture)   Anonymous DoS attacks;   Anonymous infection attacks (e.g. slammer worm)
User Datagram Protocol !  Unreliable transport on top of IP:   No acknowledgment   No congenstion control   No message continuation UDP
Transmission Control Protocol !  Connection-oriented, preserves order   Sender   Break data into packets   Attach packet numbers   Receiver   Acknowledge receipt; lost packets are resent   Reassemble packets in correct order TCP Book Mail each page Reassemble book 19 5 1 1 1
TCP Header Source Port Dest port SEQ Number ACK Number Other stuff U R G P S R A C K P S H S Y N F I N TCP Header
Review: TCP Handshake C S SYN: SYN/ACK: ACK: Listening Store SNC , SNS Wait Established SNC←randC ANC←0 SNS←randS ANS←SNC SN←SNC+1 AN←SNS Received packets with SN too far out of window are dropped
Basic Security Problems 1. Network packets pass by untrusted hosts   Eavesdropping, packet sniffing   Especially easy when attacker controls a machine close to victim 2. TCP state can be easy to guess   Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities   DDoS lecture
1. Packet Sniffing !  Promiscuous NIC reads all packets   Read all unencrypted data (e.g., “wireshark”)   ftp, telnet (and POP, IMAP) send passwords in clear! Alice Bob Eve Network Prevention: Encryption (next lecture: IPSEC) Sweet Hall attack installed sniffer on local machine
2. TCP Connection Spoofing !   Why random initial sequence numbers? (SNC , SNS ) !   Suppose init. sequence numbers are predictable   Attacker can create TCP session on behalf of forged source IP   Breaks IP-based authentication (e.g. SPF, /etc/hosts ) Victim Server SYN/ACK dstIP=victim SN=server SNS ACK srcIP=victim AN=predicted SNS command server thinks command is from victim IP addr attacker TCP SYN srcIP=victim
Example DoS vulnerability [Watson’04] !  Suppose attacker can guess seq. number for an existing connection:   Attacker can send Reset packet to close connection. Results in DoS.   Naively, success prob. is 1/232 (32-bit seq. #’s).   Most systems allow for a large window of acceptable seq. #’s   Much higher success probability. !  Attack is most effective against long lived connections, e.g. BGP
Random initial TCP SNs !   Unpredictable SNs prevent basic packet injection   … but attacker can inject packets after eavesdropping to obtain current SN !   Most TCP stacks now generate random SNs   Random generator should be unpredictable   GPR’06: Linux RNG for generating SNs is predictable   Attacker repeatedly connects to server   Obtains sequence of SNs   Can predict next SN   Attacker can now do TCP spoofing (create TCP session with forged source IP)
Routing Vulnerabilities
Routing Vulnerabilities !  Common attack: advertise false routes   Causes traffic to go though compromised hosts !   ARP (addr resolution protocol): IP addr -> eth addr   Node A can confuse gateway into sending it traffic for B   By proxying traffic, attacker A can easily inject packets into B’s session (e.g. WiFi networks) !   OSPF: used for routing within an AS !   BGP: routing between ASs   Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.   Example: Youtube mishap (see DDoS lecture)
Interdomain Routing connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) OSPF BGP Autonomous System earthlink.net Stanford.edu
BGP overview !  Iterative path announcement   Path announcements grow from destination to source   Packets flow in reverse direction !  Protocol specification   Announcements can be shortest path   Not obligated to use announced path
BGP example [D. Wetherall] !   Transit: 2 provides transit for 7 !   Algorithm seems to work OK in practice   BGP is does not respond well to frequent node outages 3 4 6 5 7 1 8 2 7 7 2 7 2 7 2 7 3 2 7 6 2 7 2 6 52 6 5 2 6 5 3 2 6 5 7 2 6 5 6 5 5 5
Issues !  Security problems   Potential for disruptive attacks   BGP packets are un-authenticated   Attacker can advertise arbitrary routes   Advertisement will propagate everywhere   Used for DoS and spam (detailed example in DDoS lecture) !  Incentive for dishonesty   ISP pays for some routes, others free
Domain Name System
Domain Name System !  Hierarchical Name Space root edunetorg ukcom ca wisc ucb stanford cmu mit cs ee www DNS
DNS Root Name Servers !   Hierarchical service   Root name servers for top-level domains   Authoritative name servers for subdomains   Local name resolvers contact authoritative servers when they do not know a name
DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu NS stanford.eduwww.cs.stanford.edu NS cs.stanford.edu cs.stanford.edu DNS server DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM) )
Caching !   DNS responses are cached   Quick response for repeated translations   Useful for finding servers as well as addresses   NS records for domains !   DNS negative queries are cached   Save time for nonexistent sites, e.g. misspelling !   Cached data periodically times out   Lifetime (TTL) of data controlled by owner of data   TTL passed with every record
DNS Packet !   Query ID:   16 bit random value   Links response to query (from Steve Friedl)
Resolver to NS request
Response to resolver Response contains IP addr of next NS server (called “glue”) Response ignored if unrecognized QueryID
Authoritative response to resolver final answer bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com)
Basic DNS Vulnerabilities !   Users/hosts trust the host-address mapping provided by DNS:   Used as basis for many security policies: Browser same origin policy, URL address bar !   Obvious problems   Interception of requests or compromise of DNS servers can result in incorrect or malicious responses   e.g.: hijack BGP route to spoof DNS   Solution – authenticated requests/responses   Provided by DNSsec … but no one uses DNSsec
DNS cache poisoning (a la Kaminsky’08) !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: a.bank.com a.bank.com QID=x1 attackerattacker wins if ∃j: x1 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP
If at first you don’t succeed … !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: b.bank.com b.bank.com QID=x2 attacker 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x2 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr success after ≈ 256 tries (few minutes)
Defenses !   Increase Query ID size. How? a. Randomize src port, additional 11 bits Now attack takes several hours b. Ask every DNS query twice:   Attacker has to guess QueryID correctly twice (32 bits)   Apparently DNS system cannot handle the load
Pharming !   DNS poisoning attack (less common than phishing)   Change IP addresses to redirect URLs to fraudulent sites   Potentially more dangerous than phishing attacks   No email solicitation is required !   DNS poisoning attacks have occurred:   January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.   In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy   In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
DNS Rebinding Attack Read permitted: it’s the “same origin” Firewall www.evil.com web server ns.evil.com DNS server 171.64.7.115 www.evil.com? corporate web server 171.64.7.115 TTL = 0 <iframe src="http://www.evil.com"> 192.168.0.100 192.168.0.100 [DWF’96, R’01] DNS-SEC cannot stop this attack
DNS Rebinding Defenses !  Browser mitigation: DNS Pinning   Refuse to switch to a new IP   Interacts poorly with proxies, VPN, dynamic DNS, …   Not consistently implemented in any browser !  Server-side defenses   Check Host header for unrecognized domains   Authenticate users with something other than IP !  Firewall defenses   External names can’t resolve to internal addresses   Protects browsers inside the organization
Summary !   Core protocols not designed for security   Eavesdropping, Packet injection, Route stealing, DNS poisoning   Patched over time to prevent basic attacks (e.g. random TCP SN) !   More secure variants exist (next lecture) : IP -> IPsec DNS -> DNSsec BGP -> SBGP

Empfohlen

Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dnsCulverton Blessy
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilitiesn|u - The Open Security Community
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1HamesKellor
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2phanleson
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfsphanleson
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
 

Empfohlen

Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dnsCulverton Blessy
 
Network and DNS Vulnerabilities
Network and DNS VulnerabilitiesNetwork and DNS Vulnerabilities
Network and DNS Vulnerabilitiesn|u - The Open Security Community
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1HamesKellor
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2phanleson
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfsphanleson
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3Nutan Kumar Panda
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackVishal Gurujuwada
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanningleminhvuong
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Best!
Best!Best!
Best!gofortution
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hackingphanleson
 
network security
network securitynetwork security
network securitySrinivasa Rao
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IPSukh Sandhu
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Part 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsPart 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
 
Breaking ssl
Breaking sslBreaking ssl
Breaking sslVinayak Raghuvamshi
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.pptAlmaOraevi
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackVishal Gurujuwada
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanningleminhvuong
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsSachidananda Sahu
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hackingphanleson
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IPSukh Sandhu
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Part 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsPart 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
 

Was ist angesagt? (20)

Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptx
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3
 
Copy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attackCopy of a simple tcp spoofing attack
Copy of a simple tcp spoofing attack
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Best!
Best!Best!
Best!
 
Wireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance toolsWireshark, Tcpdump and Network Performance tools
Wireshark, Tcpdump and Network Performance tools
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
network security
network securitynetwork security
network security
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBase
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Part 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsPart 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocols
 
Breaking ssl
Breaking sslBreaking ssl
Breaking ssl
 

Ähnlich wie 08 tcp-dns

Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network securityRishabh Mehan
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developersWim Godden
 
Vulnerabilities in IP Protocols
Vulnerabilities in IP ProtocolsVulnerabilities in IP Protocols
Vulnerabilities in IP Protocolsbabak danyal
 
Module 5 Sniffers
Module 5 SniffersModule 5 Sniffers
Module 5 Sniffersleminhvuong
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suiteYash Kotak
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC
 
Computer network (2)
Computer network (2)Computer network (2)
Computer network (2)NYversity
 
Lync 2010 deep dive edge
Lync 2010 deep dive edgeLync 2010 deep dive edge
Lync 2010 deep dive edgeHarold Wong
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)NYversity
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 

Ähnlich wie 08 tcp-dns (20)

6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network security
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
Vulnerabilities in IP Protocols
Vulnerabilities in IP ProtocolsVulnerabilities in IP Protocols
Vulnerabilities in IP Protocols
 
Module 5 Sniffers
Module 5 SniffersModule 5 Sniffers
Module 5 Sniffers
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
security problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suitesecurity problems in the tcp/ip protocol suite
security problems in the tcp/ip protocol suite
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
Lec21 22
Lec21 22Lec21 22
Lec21 22
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
Computer network (2)
Computer network (2)Computer network (2)
Computer network (2)
 
Networking 101
Networking 101Networking 101
Networking 101
 
Networking 101
Networking 101Networking 101
Networking 101
 
Networking 101
Networking 101Networking 101
Networking 101
 
Networking 101
Networking 101Networking 101
Networking 101
 
Lync 2010 deep dive edge
Lync 2010 deep dive edgeLync 2010 deep dive edge
Lync 2010 deep dive edge
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 

Kürzlich hochgeladen

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Kürzlich hochgeladen (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

08 tcp-dns

  • 1. Network Protocols and Vulnerabilities Dan Boneh CS 155 Spring 2010
  • 2. Outline !   Basic Networking:   How things work now plus some problems !   Some network attacks   Attacking host-to-host datagram protocols   TCP Spoofing, …   Attacking network infrastructure   Routing   Domain Name System
  • 3. Backbone ISP ISP Internet Infrastructure !   Local and interdomain routing   TCP/IP for routing, connections   BGP for routing announcements !   Domain Name System   Find IP address from symbolic name (www.cs.stanford.edu)
  • 4. TCP Protocol Stack Application Transport Network Link Application protocol TCP protocol IP protocol Data Link IP Network Access IP protocol Data Link Application Transport Network Link
  • 5. Data Formats Application Transport (TCP, UDP) Network (IP) Link Layer Application message - data TCP data TCP data TCP data TCP Header dataTCPIP IP Header dataTCPIPETH ETF Link (Ethernet) Header Link (Ethernet) Trailer segment packet frame message
  • 6. Internet Protocol !  Connectionless   Unreliable   Best effort !  Notes:   src and dest ports not parts of IP hdr IP Version Header Length Type of Service Total Length Identification Flags Time to Live Protocol Header Checksum Source Address of Originating Host Destination Address of Target Host Options Padding IP Data Fragment Offset
  • 7. IP Routing !  Internet routing uses numeric IP address !  Typical route uses several hops Meg Tom ISP Office gateway 121.42.33.12 132.14.11.51 Source Destination Packet 121.42.33.12 121.42.33.1 132.14.11.51 132.14.11.1
  • 8. IP Protocol Functions (Summary) !   Routing   IP host knows location of router (gateway)   IP gateway must know route to other networks !   Fragmentation and reassembly   If max-packet-size less than the user-data-size !   Error reporting   ICMP packet to source if packet is dropped !   TTL field: decremented after every hop   Packet dropped f TTL=0. Prevents infinite loops.
  • 9. Problem: no src IP authentication !   Client is trusted to embed correct source IP   Easy to override using raw sockets   Libnet: a library for formatting raw packets with arbitrary IP headers !   Anyone who owns their machine can send packets with arbitrary source IP   … response will be sent back to forged source IP   Implications: (solutions in DDoS lecture)   Anonymous DoS attacks;   Anonymous infection attacks (e.g. slammer worm)
  • 10. User Datagram Protocol !  Unreliable transport on top of IP:   No acknowledgment   No congenstion control   No message continuation UDP
  • 11. Transmission Control Protocol !  Connection-oriented, preserves order   Sender   Break data into packets   Attach packet numbers   Receiver   Acknowledge receipt; lost packets are resent   Reassemble packets in correct order TCP Book Mail each page Reassemble book 19 5 1 1 1
  • 12. TCP Header Source Port Dest port SEQ Number ACK Number Other stuff U R G P S R A C K P S H S Y N F I N TCP Header
  • 13. Review: TCP Handshake C S SYN: SYN/ACK: ACK: Listening Store SNC , SNS Wait Established SNC←randC ANC←0 SNS←randS ANS←SNC SN←SNC+1 AN←SNS Received packets with SN too far out of window are dropped
  • 14. Basic Security Problems 1. Network packets pass by untrusted hosts   Eavesdropping, packet sniffing   Especially easy when attacker controls a machine close to victim 2. TCP state can be easy to guess   Enables spoofing and session hijacking 3. Denial of Service (DoS) vulnerabilities   DDoS lecture
  • 15. 1. Packet Sniffing !  Promiscuous NIC reads all packets   Read all unencrypted data (e.g., “wireshark”)   ftp, telnet (and POP, IMAP) send passwords in clear! Alice Bob Eve Network Prevention: Encryption (next lecture: IPSEC) Sweet Hall attack installed sniffer on local machine
  • 16. 2. TCP Connection Spoofing !   Why random initial sequence numbers? (SNC , SNS ) !   Suppose init. sequence numbers are predictable   Attacker can create TCP session on behalf of forged source IP   Breaks IP-based authentication (e.g. SPF, /etc/hosts ) Victim Server SYN/ACK dstIP=victim SN=server SNS ACK srcIP=victim AN=predicted SNS command server thinks command is from victim IP addr attacker TCP SYN srcIP=victim
  • 17. Example DoS vulnerability [Watson’04] !  Suppose attacker can guess seq. number for an existing connection:   Attacker can send Reset packet to close connection. Results in DoS.   Naively, success prob. is 1/232 (32-bit seq. #’s).   Most systems allow for a large window of acceptable seq. #’s   Much higher success probability. !  Attack is most effective against long lived connections, e.g. BGP
  • 18. Random initial TCP SNs !   Unpredictable SNs prevent basic packet injection   … but attacker can inject packets after eavesdropping to obtain current SN !   Most TCP stacks now generate random SNs   Random generator should be unpredictable   GPR’06: Linux RNG for generating SNs is predictable   Attacker repeatedly connects to server   Obtains sequence of SNs   Can predict next SN   Attacker can now do TCP spoofing (create TCP session with forged source IP)
  • 20. Routing Vulnerabilities !  Common attack: advertise false routes   Causes traffic to go though compromised hosts !   ARP (addr resolution protocol): IP addr -> eth addr   Node A can confuse gateway into sending it traffic for B   By proxying traffic, attacker A can easily inject packets into B’s session (e.g. WiFi networks) !   OSPF: used for routing within an AS !   BGP: routing between ASs   Attacker can cause entire Internet to send traffic for a victim IP to attacker’s address.   Example: Youtube mishap (see DDoS lecture)
  • 21. Interdomain Routing connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain) OSPF BGP Autonomous System earthlink.net Stanford.edu
  • 22. BGP overview !  Iterative path announcement   Path announcements grow from destination to source   Packets flow in reverse direction !  Protocol specification   Announcements can be shortest path   Not obligated to use announced path
  • 23. BGP example [D. Wetherall] !   Transit: 2 provides transit for 7 !   Algorithm seems to work OK in practice   BGP is does not respond well to frequent node outages 3 4 6 5 7 1 8 2 7 7 2 7 2 7 2 7 3 2 7 6 2 7 2 6 52 6 5 2 6 5 3 2 6 5 7 2 6 5 6 5 5 5
  • 24. Issues !  Security problems   Potential for disruptive attacks   BGP packets are un-authenticated   Attacker can advertise arbitrary routes   Advertisement will propagate everywhere   Used for DoS and spam (detailed example in DDoS lecture) !  Incentive for dishonesty   ISP pays for some routes, others free
  • 26. Domain Name System !  Hierarchical Name Space root edunetorg ukcom ca wisc ucb stanford cmu mit cs ee www DNS
  • 27. DNS Root Name Servers !   Hierarchical service   Root name servers for top-level domains   Authoritative name servers for subdomains   Local name resolvers contact authoritative servers when they do not know a name
  • 28. DNS Lookup Example Client Local DNS resolver root & edu DNS server stanford.edu DNS server www.cs.stanford.edu NS stanford.eduwww.cs.stanford.edu NS cs.stanford.edu cs.stanford.edu DNS server DNS record types (partial list): - NS: name server (points to other server) - A: address record (contains IP address) - MX: address in charge of handling email - TXT: generic text (e.g. used to distribute site public keys (DKIM) )
  • 29. Caching !   DNS responses are cached   Quick response for repeated translations   Useful for finding servers as well as addresses   NS records for domains !   DNS negative queries are cached   Save time for nonexistent sites, e.g. misspelling !   Cached data periodically times out   Lifetime (TTL) of data controlled by owner of data   TTL passed with every record
  • 30. DNS Packet !   Query ID:   16 bit random value   Links response to query (from Steve Friedl)
  • 31. Resolver to NS request
  • 32. Response to resolver Response contains IP addr of next NS server (called “glue”) Response ignored if unrecognized QueryID
  • 33. Authoritative response to resolver final answer bailiwick checking: response is cached if it is within the same domain of query (i.e. a.com cannot set NS for b.com)
  • 34. Basic DNS Vulnerabilities !   Users/hosts trust the host-address mapping provided by DNS:   Used as basis for many security policies: Browser same origin policy, URL address bar !   Obvious problems   Interception of requests or compromise of DNS servers can result in incorrect or malicious responses   e.g.: hijack BGP route to spoof DNS   Solution – authenticated requests/responses   Provided by DNSsec … but no one uses DNSsec
  • 35. DNS cache poisoning (a la Kaminsky’08) !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: a.bank.com a.bank.com QID=x1 attackerattacker wins if ∃j: x1 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP
  • 36. If at first you don’t succeed … !   Victim machine visits attacker’s web site, downloads Javascript user browser local DNS resolver Query: b.bank.com b.bank.com QID=x2 attacker 256 responses: Random QID y1, y2, … NS bank.com=ns.bank.com A ns.bank.com=attackerIP attacker wins if ∃j: x2 = yj response is cached and attacker owns bank.com ns.bank.com IPaddr success after ≈ 256 tries (few minutes)
  • 37. Defenses !   Increase Query ID size. How? a. Randomize src port, additional 11 bits Now attack takes several hours b. Ask every DNS query twice:   Attacker has to guess QueryID correctly twice (32 bits)   Apparently DNS system cannot handle the load
  • 38. Pharming !   DNS poisoning attack (less common than phishing)   Change IP addresses to redirect URLs to fraudulent sites   Potentially more dangerous than phishing attacks   No email solicitation is required !   DNS poisoning attacks have occurred:   January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.   In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy   In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
  • 39. DNS Rebinding Attack Read permitted: it’s the “same origin” Firewall www.evil.com web server ns.evil.com DNS server 171.64.7.115 www.evil.com? corporate web server 171.64.7.115 TTL = 0 <iframe src="http://www.evil.com"> 192.168.0.100 192.168.0.100 [DWF’96, R’01] DNS-SEC cannot stop this attack
  • 40. DNS Rebinding Defenses !  Browser mitigation: DNS Pinning   Refuse to switch to a new IP   Interacts poorly with proxies, VPN, dynamic DNS, …   Not consistently implemented in any browser !  Server-side defenses   Check Host header for unrecognized domains   Authenticate users with something other than IP !  Firewall defenses   External names can’t resolve to internal addresses   Protects browsers inside the organization
  • 41. Summary !   Core protocols not designed for security   Eavesdropping, Packet injection, Route stealing, DNS poisoning   Patched over time to prevent basic attacks (e.g. random TCP SN) !   More secure variants exist (next lecture) : IP -> IPsec DNS -> DNSsec BGP -> SBGP