Day 2 Dns Cert 4 Scenarios

DESCRIPTION

Presentation by ICANN

DNS Security for CERTs - Attack Scenarios & Demonstrations -

Chris Evans, Delta Risk, LLC

7 March 2010

Attack Overview

• These attacks are demonstrations only

• They are not intended to incite FUD (Fear, Uncertainty, Doubt)

• Rather, they are intended to

– Show you what’s possible!

– Open a discussion for mitigation & response actions!

Architecture

• Your Ubuntu VM, Windows TS, Your Host

• Attack Server (192.168.85.5)

• Target NameServer (182.168.101.10)

• Registry System (192.168.101.50)

• Mail Server (192.168.101.50)

Architecture

• The Target Nameserver

– Bind 9.4

• The Registry System

– A simple PHP application built just for this demonstration – it has security holes in it!

• The Mail Server

– A webmail system for you to view “phishing” emails

– Login: studentX, password: studentx

Scenarios

• Cache Poisoning

– Targets the NameServer

– Effects Visible Through DNS Queries, Phishing Email

• NameServer Redelegation

– Targets the NameServer via the Registry Web System

– Effects Visible Through DNS Queries

• Malicious Use

– Targets Individual VMs or Hosts

– Effects Visible Through Traffic Analysis

Rules of Engagement

• You can use your own systems for these scenarios

• Nothing here is truly malicious – even the bot demonstration – it can all be removed easily

• The phishing email will NOT do anything malicious – it will show you a link…

– The website it directs you to will NOT do anything malicious…

• If you prefer to use the VMs:

– Use your Ubuntu VM for DNS queries & traffic analysis

– Use your Windows TS as the “infected” bot

Let’s Party…

• Any questions on connectivity?

• If you are having trouble getting connected, please pair up with a neighbor for the exercises!
