Upload
dorthy-johns
View
221
Download
3
Embed Size (px)
Citation preview
Internet: AuthoritiveDNS Servers
A Short Overview on DNS
Resolver: gethostbyname(www.microsoft.com)
Server: www.microsoft.c
om is 1.2.3.4
Client
CachingDNS Server
dns.microsoft.com
dns.hacker.com
A Simple Attack – Sending Additional Resource Records
gethostbyname(www.hacker.com)
www.hacker.com is 1.2.3.4
And www.microsoft.com is 5.5.5.5
Server
DNS Cache:www.hacker.com = 1.2.3.4www.microsoft.com = 5.5.5.5
Client
An Even Easier Attack – Just Lying
gethostbyname(www.microsoft.com)
www.microsoft.com is 6.6.6.6
Server
Client
The Problem
• DNS is not a secure protocol– Every host on the internet can claim that it is
an authority for resolving queries– Even if a DNS server is authoritative for
domain A, it does not mean it can be trusted to give true answers for domain B
– All answers are assumed to be true
More Sophisticated Attacks
• PRNG Vulnerability
• The Birthday Attack
• Both attacks relay on the “First answer wins” property
Query ID
• Each DNS query contains an ID
• A response contains the matching query ID
• The ID is generated by a PRNG– In most past
implementations the ID was generated by a weak PRNG function.
PRNG Attack
gethostbyname(www.microsoft.com)
Server
www.microsoft.com is 6.6.6.6
I don’t know…I better ask
somebody else
www.micr
osof
t.com
is 1
.2.3
.4
geth
ostb
ynam
e(www.m
icros
oft.c
om)
First answer wins!
Client
PRNG Attack (cont)
• In older systems it was possible to predict the next PRNG number by observing only the last number generated.
• In newer systems it is possible to predict the next number with success probability of 0.2 by observing the last 5000 numbers.– Much better, but still not perfect.
The Birthday Attack
Gethostbyname(www.microsoft.com)Gethostbyname(www.microsoft.com)
Gethostbyname(www.microsoft.com)Gethostbyname(www.microsoft.com)
Gethostbyname(www.microsoft.com)Gethostbyname(www.microsoft.com)
Gethostbyname(www.microsoft.com)Gethostbyname(www.microsoft.com)
Gethostbyname(www.microsoft.com)Gethostbyname(www.microsoft.com)
Gethostbyname(www.microsoft.com)Gethostbyname(www.microsoft.com)
www.microsoft.com 6.6.6.6www.microsoft.com 6.6.6.6
www.microsoft.com 6.6.6.6www.microsoft.com 6.6.6.6
www.microsoft.com 6.6.6.6www.microsoft.com 6.6.6.6
The Birthday Attack (cont)
• Based on the mathematical phenomena called The Birthday Paradox:– If there are 23 people in the room, the probability that you share
the same birthday with another person is at most 23/365. – But, what is the probability that 2 persons share same birthday?
It is greater than 0.5!
• The problem is that the server generates a recursive query for each of the client’s queries
• This vulnerability has nothing to do with the strength of the PRNG function.
• There are many DNS servers that are still vulnerable to this attack, including Microsoft’s implementation.
The Birthday Attack (cont)
• The probability of succeeding in the birthday attack while sending 700 queries is very close to 1
• The probability of succeeding with just sending 700 packets is 0.01
How Can Be done to Mitigate the Attack?
• Firewalls:– Truncate packets with additional resource
records– How should it deal with the birthday attack?– How should it deal with the PRNG
vulnerability attack?
• Deployment– “Split DNS”, protect your network caching
DNS server from Man-in-the-Middle attacks