Network Attack via DNS. Course package: IT Security. Module: Introduction to IT Security. 17-02-2012. Jesper Buus Nielsen


Network Attack via DNS

Course package: IT Security
Module: Introduction to IT Security

17-02-2012

Jesper Buus Nielsen


Internet Protocol Stack

[Figure: protocol stack with the layers Applications, DNS, TCP, IP and Link]

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5


IP

• Machines have an IP address
• Machines have a number of ports (2^16)
• Can send individual packets to a port on an address

Ex.: Can send a packet to port 4 on address 10.11.8.2

[Figure: a client and a server, each with ports 1 to 4; addresses shown: 212.88.78.122 and 10.11.82.2]


TCP/IP

• Machines have an IP address
• Machines have a number of ports (2^16)
• Can establish connections between two (address, port) pairs

Ex.: Can establish a connection to port 4 on address 10.11.8.2
Typically the client gets a random free local port, here 2

[Figure: a client and a server, each with ports 1 to 4; addresses shown: 212.88.78.122 and 10.11.82.2]


Domain Name System (DNS)

• How to map DNS names like www.cs.au.dk to IP addresses in the Internet?
  – “Back in the days”: HOSTS.TXT file FTP’ed among hosts
• Now a distributed name service
  – Hierarchical name space
  – Each level separated by ‘.’
    • Analogous to the ‘/’ separator in file systems
  – One global root
    • Replicated across 13 root servers
    • There have been Denial of Service (DoS) attacks on these root servers, none really successful
    • Because of caching, queries to root servers are relatively rare
• DNS is the true backbone of the Internet


DNS is simple but powerful

• Three major components
  – Domain Name Space and Resource Records
    • Specification for a tree-structured name space and small databases associated with nodes (both internal nodes and leaf nodes)
  – Name Servers
    • Servers which hold the databases associated with some nodes and references to other name servers
  – Resolvers
    • Client programs that extract information from name servers
    • Name servers can be resolvers
      – Will be so in so-called recursive lookup


Resource Records (1/3)

• Each name server holds a set of resource records which, for each path, specify e.g. what the name server for the path is and what the address of the machine at the path is
• The record

  path        type  data
  cs.au.dk.   MX    mx.nfit.au.dk

  means that mx.nfit.au.dk is the mail server for the domain cs.au.dk


Resource Records (2/3)

path  type  data

• Some types of records
  – NS: Name server for the path
  – A: IP address for the path, if any
    • Not all partial paths, like dk, correspond to machines
  – MX: Name of the mail server for the path, if any (Mail eXchange)
  – AAAA: IPv6 address


Resource Records (3/3)

• Examples of resource records:

  path            type  data
  dk.             NS    a.nic.dk.
  a.nic.dk.       A     212.88.78.122
  au.dk.          NS    ns.au.dk
  ns.au.dk        A     130.225.9.11
  cs.au.dk        A     130.225.16.1
  cs.au.dk        A     130.225.16.42
  cs.au.dk        MX    mx.nfit.au.dk.
  mx.nfit.au.dk   A     130.225.31.136


Glue

• If a name server holds a record like

  path      type  data
  au.dk.    NS    ns.au.dk

  then it also holds a record like

  path      type  data
  ns.au.dk  A     130.225.9.11

• And it sends it along with the NS record


DiG

Let us ask the NS for “dk.” what the NS for “au.dk.” is


Implementation of Name Resolution

• Figure 5-15. The principle of iterative name resolution.


Looking up cs.au.dk

• Path name resolved: (none)
  Name server: a.root-servers.net. (198.41.0.4)
  Knows: “dk.” NS 212.88.78.122
• Path name resolved: dk
  Name server: a.nic.dk (212.88.78.122)
  Knows: “au.dk.” NS 130.225.9.11
• Path name resolved: dk, au
  Name server: ns.au.dk. (130.225.9.11)
  Knows: “cs.au.dk.” A 130.225.16.1
  Knows: “cs.au.dk.” NS 130.225.9.11
• Path name resolved: dk, au, cs
  DNS name: cs.au.dk.
  IP: 130.225.16.1

[Figure: name tree containing the labels dk, com, org, au, aau, cs, science]


Caching

• DNS resolvers are allowed to cache entries
  – This speeds up lookup immensely
• The name server sending the entry can tell how long it is safe to cache it
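
The iterative lookup of cs.au.dk and the caching rule above, as an added Python example (not from the slides): simulated name servers hold the slides' records, and a resolver follows NS referrals via glue and caches every record until its TTL runs out. The TTL values, the `ZONES` layout and the names `suffixes`, `ask` and `Resolver` are assumptions made for this example.

```python
# Constructed data: the slides' resource records, grouped by the server that
# holds them. The TTLs (seconds) are assumptions; the slides give none.
ZONES = {
    "198.41.0.4": [("dk.", "NS", "a.nic.dk.", 3600), ("a.nic.dk.", "A", "212.88.78.122", 3600)],
    "212.88.78.122": [("au.dk.", "NS", "ns.au.dk.", 3600), ("ns.au.dk.", "A", "130.225.9.11", 3600)],
    "130.225.9.11": [("cs.au.dk.", "A", "130.225.16.1", 300)],
}
ROOT = "198.41.0.4"  # a.root-servers.net.

def suffixes(name):  # 'cs.au.dk.' -> ['cs.au.dk.', 'au.dk.', 'dk.']
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def ask(server_ip, name):
    """Simulated name server: the A answer if held, else NS referral plus glue."""
    records = ZONES[server_ip]
    answer = [r for r in records if r[:2] == (name, "A")]
    if answer:
        return answer
    for zone in suffixes(name):
        ns = [r for r in records if r[:2] == (zone, "NS")]
        if ns:
            return ns + [r for r in records if r[:2] == (ns[0][2], "A")]
    return []

class Resolver:
    def __init__(self):
        self.cache = {}  # (path, type) -> (data, expiry time)
        self.sent = []   # (server_ip, name) for every query actually sent

    def cached(self, path, rtype, now):
        data, expiry = self.cache.get((path, rtype), (None, 0))
        return data if now < expiry else None

    def resolve(self, name, now):
        if self.cached(name, "A", now):
            return self.cached(name, "A", now)
        hops = (self.cached(self.cached(z, "NS", now), "A", now) for z in suffixes(name))
        server = next((ip for ip in hops if ip), ROOT)  # closest cached delegation, else root
        while server in ZONES:
            self.sent.append((server, name))
            reply = ask(server, name)
            for path, rtype, data, ttl in reply:  # the sender chose each TTL
                self.cache[(path, rtype)] = (data, now + ttl)
            if not reply or reply[-1][1] != "A":
                return None  # no data, or a referral without glue
            if reply[0][1] == "A":
                return reply[0][2]
            server = reply[-1][2]  # glue: address of the referred name server
        return None
```

The resolver stores every record in a reply, glue included, for as long as the sender's TTL says, and until then it skips the servers above a cached delegation.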


Cache Poisoning

• There is a very serious attack on the DNS system called cache poisoning
  – [http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html]
• The goal for some naughty hacker is to make a resolver, preferably a resolver for a lot of clients, think that the name server for, e.g., handelsbanken.dk is at an IP address owned by the hacker


Attacking via DNS

[Figure: message diagram. Parties shown: the provider's name resolver; a hacker in Kûrruptyztan; the root name server (198.41.0.4); the dk. name server (212.88.78.122); the handelsbanken.dk. name server (194.68.56.130); the address 666.666.666.666; a Handelsbanken customer under the provider.]

Labels on the arrows in the figure:

• handelsbanken.dk?
• handelsbanken.dk?
• NS dk = 212.88.78.122
• handelsbanken.?
• NS handelsbanken.dk = 194.68.56.130
• NS handelsbanken.dk = 666.666.666.666 (Cache for long time!)
• handelsbanken.dk?
• NS handelsbanken.dk = 666.666.666.666
• handelsbanken.dk?
• A handelsbanken.dk = 666.666.666.666


DNSSEC

• A secure version of DNS, called DNSSEC, is being deployed
• DNSSEC uses digital signature schemes to authenticate the provided resource records
• Each DNS server has its own key pair
• Public key of the root servers known by all resolvers
• Each DNS server authenticates the public keys of the DNS servers in its sub-domains
• Not yet widely used