DNS POISONING ATTACKS LAB


DNS POISONING IN OUR LIFE: INTERNET CENSORSHIP AND HACKING

INTERNET CENSORSHIP

THE GREAT FIREWALL

HOW IT WORKS

● DNS CACHE POISONING

● IP FILTERING

● URL FILTERING

● PACKET FILTERING

● TCP CONNECTION RESET

HACKING ATTACKS

● REDIRECT THE USER TO A WEBSITE OR SERVER UNDER THE ATTACKER'S CONTROL

● SEND MALICIOUS CONTENT (E.G. WORMS, VIRUSES), PRETENDING IT IS WHAT THE USER ASKED FOR

A SHORT OVERVIEW ON DNS

[Diagram: the client calls the resolver, gethostbyname(www.microsoft.com). The caching DNS server, if it holds no cached answer, queries the authoritative DNS servers on the Internet. The server then answers the client: "www.microsoft.com is 1.2.3.4".]

A SIMPLE ATTACK – SENDING ADDITIONAL RESOURCE RECORDS

[Diagram: two authoritative servers, dns.microsoft.com and dns.hacker.com. The client asks gethostbyname(www.hacker.com). dns.hacker.com replies "www.hacker.com is 1.2.3.4" and adds "www.microsoft.com is 5.5.5.5" as an additional record. The caching server stores both.]

DNS Cache:
www.hacker.com = 1.2.3.4
www.microsoft.com = 5.5.5.5

AN EVEN EASIER ATTACK – JUST LYING

[Diagram: the client asks gethostbyname(www.microsoft.com). The server simply replies "www.microsoft.com is 6.6.6.6", and the answer is accepted as-is.]

THE PROBLEM

• DNS IS NOT A SECURE PROTOCOL

• EVERY HOST ON THE INTERNET CAN CLAIM THAT IT IS AN AUTHORITY FOR RESOLVING QUERIES

• EVEN IF A DNS SERVER IS AUTHORITATIVE FOR DOMAIN A, IT DOES NOT MEAN IT CAN BE TRUSTED TO GIVE TRUE ANSWERS FOR DOMAIN B

• ALL ANSWERS ARE ASSUMED TO BE TRUE
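The two attack slides above and the four bullets of THE PROBLEM describe what a resolver does when it accepts any record from any host. The block below is an added example written for this page (it is not part of the lab's own material) showing the resolver-side acceptance checks that stop both: only a response from the server that was actually queried, with the matching ID and question, is considered, and records whose owner name lies outside the queried server's zone (its "bailiwick") are dropped before they reach the cache. The record and message classes, the zone assigned to each server, and the addresses 203.0.113.x and 198.51.100.x (documentation ranges) are constructed for the example.

```python
"""Resolver-side acceptance checks for DNS responses.
Example code added for this page, not part of the original lab."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.microsoft.com"
    rtype: str   # record type, e.g. "A"
    value: str


@dataclass
class Query:
    qid: int
    qname: str
    qtype: str
    server_ip: str   # the server this query was actually sent to
    zone: str        # the zone that server is authoritative for (assumed known)


@dataclass
class Response:
    qid: int
    qname: str
    qtype: str
    src_ip: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def normalize(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain of it."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def accept_response(query, response, cache):
    """Validate a response against the outstanding query.
    Returns (accepted_records, dropped_records, rejection_reason_or_None);
    only accepted records are written into the cache."""
    if response.src_ip != query.server_ip:
        return [], [], "source address does not match the server queried"
    if response.qid != query.qid:
        return [], [], "query id mismatch"
    if (normalize(response.qname) != normalize(query.qname)
            or response.qtype != query.qtype):
        return [], [], "question section mismatch"
    accepted, dropped = [], []
    for rr in response.answers + response.additional:
        (accepted if in_bailiwick(rr.name, query.zone) else dropped).append(rr)
    for rr in accepted:
        cache[(normalize(rr.name), rr.rtype)] = rr.value
    return accepted, dropped, None


def demo_additional_records():
    """Slide 'A simple attack': dns.hacker.com (constructed address 203.0.113.10)
    answers for www.hacker.com and piggybacks an A record for www.microsoft.com."""
    cache = {}
    q = Query(qid=0x1234, qname="www.hacker.com", qtype="A",
              server_ip="203.0.113.10", zone="hacker.com")
    r = Response(qid=0x1234, qname="www.hacker.com", qtype="A",
                 src_ip="203.0.113.10",
                 answers=[RR("www.hacker.com", "A", "1.2.3.4")],
                 additional=[RR("www.microsoft.com", "A", "5.5.5.5")])
    _, dropped, _ = accept_response(q, r, cache)
    return dropped, cache


def demo_just_lying():
    """Slide 'An even easier attack': a host that was never asked (constructed
    address 203.0.113.66) sends an answer for www.microsoft.com."""
    cache = {}
    q = Query(qid=secrets.randbelow(1 << 16), qname="www.microsoft.com",
              qtype="A", server_ip="198.51.100.53", zone="microsoft.com")
    forged = Response(qid=q.qid, qname="www.microsoft.com", qtype="A",
                      src_ip="203.0.113.66",
                      answers=[RR("www.microsoft.com", "A", "6.6.6.6")])
    return accept_response(q, forged, cache), cache


if __name__ == "__main__":
    print(demo_additional_records())
    print(demo_just_lying())
```

The bailiwick rule is the check real caching resolvers apply to the answer and additional sections; the source-address and question-section comparisons are the minimum a resolver needs before it even looks at the records. Note that the query ID comparison alone gives only 16 bits of protection, which is the subject of the following slides.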

QUERY ID

• EACH DNS QUERY CONTAINS AN ID

• A RESPONSE CONTAINS THE MATCHING QUERY ID

• THE ID IS GENERATED BY A PRNG

• IN MOST PAST IMPLEMENTATIONS THE ID WAS GENERATED BY A WEAK PRNG FUNCTION.

PRNG ATTACK

[Diagram: the client asks gethostbyname(www.microsoft.com). The caching server does not know the answer ("I don't know… I better ask somebody else") and forwards the query, gethostbyname(www.microsoft.com), upstream. Two responses race back: the legitimate "www.microsoft.com is 1.2.3.4" and a forged "www.microsoft.com is 6.6.6.6" carrying a guessed query ID. First answer wins!]

PRNG ATTACK (CONT)

• IN OLDER SYSTEMS IT WAS POSSIBLE TO PREDICT THE NEXT PRNG NUMBER BY OBSERVING ONLY THE LAST NUMBER GENERATED.

• IN NEWER SYSTEMS IT IS POSSIBLE TO PREDICT THE NEXT NUMBER WITH SUCCESS PROBABILITY OF 0.2 BY OBSERVING THE LAST 5000 NUMBERS.

• MUCH BETTER, BUT STILL NOT PERFECT.
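The three slides on the query ID say the ID comes from a PRNG and that weak generators made it predictable. A defender can check this directly on a resolver's own traffic: capture the IDs of outgoing queries (Wireshark, as the lab suggests) and look at how they evolve. The block below is an added example written for this page, not part of the lab, that audits a list of 16-bit transaction IDs (the field is 16 bits wide per the DNS message format) and contrasts a constructed counter-style generator with IDs drawn from the OS CSPRNG; it also computes how much one blind forgery gains from randomising the UDP source port as well, which modern resolvers do in addition to the ID. The `weak` thresholds are heuristics chosen for the example.

```python
"""Audit DNS transaction IDs captured from a resolver for predictability.
Example code added for this page, not part of the original lab."""
from collections import Counter
import math
import secrets

ID_BITS = 16  # the DNS transaction ID is a 16-bit field


def id_report(ids):
    """Simple statistics for judging the quality of a resolver's IDs."""
    if len(ids) < 2:
        raise ValueError("need at least two IDs")
    n = len(ids)
    # How many consecutive steps are explained by a single constant increment?
    # A counter scores ~1.0; a good random source scores about 1/65536.
    deltas = Counter((b - a) % (1 << ID_BITS) for a, b in zip(ids, ids[1:]))
    most_common_delta, count = deltas.most_common(1)[0]
    sequential_fraction = count / (n - 1)
    # Plug-in entropy of the observed values (upper bound log2(n) for n samples).
    counts = Counter(ids)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "samples": n,
        "distinct": len(counts),
        "most_common_delta": most_common_delta,
        "sequential_fraction": sequential_fraction,
        "entropy_bits": entropy,
        # Heuristic flags: a dominant constant step, or heavy repetition.
        "weak": sequential_fraction > 0.5 or len(counts) < n // 2,
    }


def counter_ids(start, n):
    """Constructed sample: an old-style resolver that just increments the ID."""
    return [(start + i) & 0xFFFF for i in range(n)]


def random_ids(n):
    """Constructed sample: IDs from the OS CSPRNG, as a modern resolver uses."""
    return [secrets.randbelow(1 << ID_BITS) for _ in range(n)]


def spoof_success_probability(id_bits=16, port_bits=0):
    """Chance that one blindly forged response matches both the transaction ID
    and the UDP source port the resolver is waiting on, given how many bits of
    each are unpredictable (port_bits=0 models a fixed source port)."""
    return 1.0 / (1 << (id_bits + port_bits))


if __name__ == "__main__":
    print("counter :", id_report(counter_ids(100, 1000)))
    print("random  :", id_report(random_ids(1000)))
    print("ID only :", spoof_success_probability(16, 0))
    print("ID+port :", spoof_success_probability(16, 16))
```

Run against real captures, a `sequential_fraction` near 1.0 or a `most_common_delta` that dominates means the ID is not adding protection; the `spoof_success_probability` figures show why source-port randomisation matters even when the ID generator itself is sound.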

OUR LAB: CENSORSHIP OF A WEBSITE

THE TOOLS AND TECHNIQUES

• DNS POISONING IN THEORY

• WIRESHARK

• SOCKET PROGRAMMING

• C/JAVA/PYTHON

• HOSTS FILE (LOCAL DNS POISONING)

THE CHALLENGE

1. USE WIRESHARK TO ANALYZE HTTP TRAFFIC TO A POPULAR WEBSITE

2. REDIRECT TRAFFIC TO/FROM THAT WEBSITE THROUGH YOUR LOCAL COMPUTER

3. CREATE A PROGRAM TO ROUTE TRAFFIC THROUGH YOUR COMPUTER TO THE WEBSITE IN QUESTION

4. CHANGE THE FORMATTING OF THE HTTP TO ENSURE THE DATA IS ACCESSIBLE

5. CENSOR/CHANGE THE CONTENT AS YOU SEE FIT

[Diagram: the request passes through the local computer to the website; the returned content passes through the censorship step before reaching the browser.]
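Step 2 of the challenge, using the hosts file listed under the tools, is local DNS poisoning: an entry in the hosts file overrides what the resolver would return. The block below is an added example written for this page, not part of the lab, that shows the check a defender runs to detect exactly that: it parses a hosts file (comments, blank lines, several names per line, IPv6) and reports every mapping that sends a name somewhere other than loopback or the 0.0.0.0 blackhole, since those are the entries that redirect real traffic. The hosts file contents are a constructed sample; the system paths used when run directly are the standard `/etc/hosts` and Windows `drivers\etc\hosts` locations.

```python
"""Report hosts-file entries that redirect names to non-local addresses.
Example code added for this page, not part of the original lab."""
import ipaddress
import platform
from pathlib import Path

# Constructed sample: one lab-style redirect plus the usual local entries.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       myproject.test
10.0.0.5        www.example.com  example.com   # lab redirect
0.0.0.0         ads.tracker.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address: malformed line, skip it
        for name in parts[1:]:
            yield ip, name.lower(), lineno


def hosts_overrides(text):
    """Mappings that point a name at something other than loopback or the
    unspecified (0.0.0.0 / ::) address; these redirect real traffic."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({"line": lineno, "name": name, "ip": str(ip)})
    return findings


def default_hosts_path():
    """Location of the system hosts file on the current OS."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


if __name__ == "__main__":
    path = default_hosts_path()
    text = path.read_text() if path.exists() else SAMPLE_HOSTS
    for f in hosts_overrides(text):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}")
```

Run as a script it audits the real hosts file when one exists and falls back to the sample otherwise; the same `hosts_overrides` function can be fed the text of a hosts file collected from any machine during an investigation.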

CONTINUING THE CHALLENGE

• HOW CAN THIS TECHNIQUE BE UTILIZED IN THE REAL WORLD?

• WHAT SYSTEMS ARE IN PLACE TO STOP DNS POISONING IN VARIOUS OPERATING SYSTEMS?

• ARE THERE WAYS TO CONDUCT DNS POISONING WITHOUT ACCESS TO THE HOSTS FILE?