Annual FIRST Conference 2013 LT presentation

1. DQB – DNS Query Blocker
Kunio Miyamoto
Twitter: @wakatono
Facebook: www.facebook.com/wakatono
1Copyright by Kunio Miyamoto

2. DQB – DNS Query Blocker
(in fact, fakes DNS response
rather than blocking DNS query)
Kunio Miyamoto
Twitter: @wakatono
Facebook: www.facebook.com/wakatono
2Copyright by Kunio Miyamoto

3. Introduce myself☺
It’s a Joke ☺
Copyright by Kunio Miyamoto 3
A member and session chair of
Kyoto 2012 FIRST TC Committee

4. Phishing makes malicious sites
like a real service sites.
Copyright by Kunio Miyamoto 4
Reference:
http://www.atmarkit.co.jp/fsecurity/special/65phishing/phishing01.html

5. MITB viruses inject malicious
forms to real contents
Copyright by Kunio Miyamoto 5
Reference: http://www.smbc.co.jp/security/popup.html

6. Common Spec:malicious hosts
exist
• Attacker prepares the host to receive data
of victims’ like banking information.
• Most of malicious host has own FQDN
• IP addresses is changed due to their
lifecycle
– Stopping access to malicious hosts that have
fixed IP addresses is easy due to many
technology to take down.
Copyright by Kunio Miyamoto 6

7. Modern Attacks triggered by
Web Access
Copyright by Kunio Miyamoto 7
Which is better, left “Google” or right “Google” ?
Both sites are better(correct) web site ☺

8. How to avoid accessing to
malicious host?
• HTTP/HTTPS Proxy Server access block
by using Blacklist
– Load of Proxy Rises Up!
• Takedown by ISP and Various Service
Provider
– Sometimes Long Term discussion is needed
• Temporarily:
– Stop by using DNS fake response
• I assume this to use edge network(fake response
from nearest DNS Cache Server)
Copyright by Kunio Miyamoto 8

9. How to make DNS fake
response?
Copyright by Kunio Miyamoto 9
1. Capture DNS request
2. Decide whether the response
of captured request must be
faked or not.
3. Get Request ID,
Source IP/PORT,
Destination IP/PORT,
and request content.
4. Make Fake Response Packet
from information of 2
5. Send fake response to clinet
as soon as possible!

10. Concept Diagram
Copyright by Kunio Miyamoto 10

11. Proof of Concept:
Copyright by Kunio Miyamoto 11
About
1ms
1ms from request packet is captured
to response packet (faked) is captured

12. Normal Request/Response
Copyright by Kunio Miyamoto 12
about 10ms from request packet is captured
to response packet (faked) is captured
I defeated the real DNS response speed ☺
DNS Response
Chicken Race!

13. Name Resolution Step
interfared by DQB:
• 1. DNS Request is sent by client
• 2. Fake DNS Response is sent by DQB
• 3. Real DNS Response is sent by DNS
Cache
Copyright by Kunio Miyamoto 13
One Request for Two Response!

14. Now in progress of this research
• I’m developing and evaluating the concept
of DNS Query Blocker
– To use linear search for finding DNS query to
fake response spends 1ms for searching
10000 hosts to be blocked
• Ideas for more(for example):
Counter to fake response related to the
request of domain name generated by
DGA(Domain Generation Algorithm)
Copyright by Kunio Miyamoto 14
What we call “Future Work” ☺

15. LIMITATION!
• Of course, this mechanism is not suitable
for faking DNS response signed by
DNSSEC mechanism.
Copyright by Kunio Miyamoto 15

16. Copyright by Kunio Miyamoto
Thank you!
@wakatono
If possible, any questions are welcome via email
or Twitter. Of course, in banquet or any
networking time ☺
Special thanks to:
My friends (they are illustrator in Japan)
16