Network Attack via DNS. Course package: IT Security. Module: Introduction to IT Security. 17-02-2012. Jesper Buus Nielsen.

Post on 31-Mar-2015



Internet Protocol Stack

[Figure: protocol stack, top to bottom: DNS (Applications), TCP, IP, Link]

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved. 0-13-239227-5

IP

• Machines have an IP address
• Machines have a number of ports (2^16)
• Can send individual packets to a port on an address

Ex.: Can send a packet to port 4 on address 10.11.8.2

[Figure: a client and a server, each with ports 1 to 4; addresses 212.88.78.122 and 10.11.82.2]

TCP/IP

• Machines have an IP address
• Machines have a number of ports (2^16)
• Can establish connections between two (address, port) pairs

Ex.: Can establish a connection to port 4 on address 10.11.8.2
Typically the client gets a random free local port, here 2

[Figure: a client and a server, each with ports 1 to 4; addresses 212.88.78.122 and 10.11.82.2]


Domain Name System (DNS)

• How to map DNS names like www.cs.au.dk to IP addresses in the Internet?
  – “Back in the days”: HOSTS.TXT file FTP’ed among hosts
• Now a distributed name service
  – Hierarchical name space
  – Each level separated by ‘.’
    • Analogous to ‘/’ separator in file systems
  – One global root
    • Replicated across 13 root servers
    • There have been Denial of Service (DoS) attacks on these root servers, none really successful
    • Because of caching, queries to root servers are relatively rare
• DNS is the true backbone of the Internet

DNS is simple but powerful

• Three major components
  – Domain Name Space and Resource Records
    • Specification for a tree-structured name space and small databases associated with nodes (both internal nodes and leaf nodes)
  – Name Servers
    • Servers which hold the databases associated with some nodes and references to other name servers
  – Resolvers
    • Client programs that extract information from name servers
    • Name servers can be resolvers
      – Will be so in so-called recursive lookup


Resource Records (1/3)

• Each name server holds a set of resource records which for each path specifies, e.g., what is the name server for the path and what is the address of the machine at the path
• The record

    path       type  data
    cs.au.dk.  MX    mx.nfit.au.dk

  means that mx.nfit.au.dk is mail server for the domain cs.au.dk


Resource Records (2/3)

path type data

• Some types of records
  – NS: Name server for the path
  – A: IP address for the path, if any
    • Not all partial paths, like dk, correspond to machines
  – MX: Name of the mail server for path, if any (Mail eXchange)
  – AAAA: IPv6 address


Resource Records (3/3)

• Examples of resource records:

    path           type  data
    dk.            NS    a.nic.dk.
    a.nic.dk.      A     212.88.78.122
    au.dk.         NS    ns.au.dk
    ns.au.dk       A     130.225.9.11
    cs.au.dk       A     130.225.16.1
    cs.au.dk       A     130.225.16.42
    cs.au.dk       MX    mx.nfit.au.dk.
    mx.nfit.au.dk  A     130.225.31.136


Glue

• If a name server holds a record like

    path    type  data
    au.dk.  NS    ns.au.dk

  then it also holds a record like

    path      type  data
    ns.au.dk  A     130.225.9.11

• And it sends it along with the NS record

DiG

Let us ask the NS for “dk.” what the NS for “au.dk.” is?


Implementation of Name Resolution

• Figure 5-15. The principle of iterative name resolution.

Looking up cs.au.dk

• Path name resolved: (none)
  Name server: a.root-servers.net. 198.41.0.4
  Knows: “dk.” NS 212.88.78.122
• Path name resolved: dk
  Name server: a.nic.dk 212.88.78.122
  Knows: “au.dk.” NS 130.225.9.11
• Path name resolved: dk, au
  Name server: ns.au.dk. 130.225.9.11
  Knows: “cs.au.dk.” A 130.225.16.1
  Knows: “cs.au.dk.” NS 130.225.9.11
• Path name resolved: dk, au, cs
  DNS name: cs.au.dk.
  IP: 130.225.16.1

[Figure: name space tree with the nodes dk, com, org, au, aau, cs, science]

Caching

• DNS resolvers are allowed to cache entries
  – This speeds up lookup immensely
• The name server sending the entry can tell how long it is safe to cache it
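The iterative lookup of cs.au.dk from Figure 5-15, combined with the caching rule above, as an added example that is not part of the original slides. The server table is constructed from the figure; the class and function names and the TTL values are assumptions made for the illustration.

```python
# Constructed model of the figure: what each name server (by IP) knows.
SERVERS = {
    "198.41.0.4":    {"dk.": ("NS", "212.88.78.122")},      # a.root-servers.net.
    "212.88.78.122": {"au.dk.": ("NS", "130.225.9.11")},    # a.nic.dk
    "130.225.9.11":  {"cs.au.dk.": ("A", "130.225.16.1")},  # ns.au.dk.
}
ROOT = "198.41.0.4"
TTL = {"NS": 86400, "A": 300}  # assumed lifetimes in seconds, not from the slides

def suffixes(name):
    """cs.au.dk. -> cs.au.dk., au.dk., dk. (most specific first)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

class Resolver:
    def __init__(self):
        self.cache = {}    # (path, type) -> (data, expiry time)
        self.asked = []    # every server contacted, in order

    def cached(self, path, rtype, now):
        data, expiry = self.cache.get((path, rtype), (None, 0))
        return data if expiry > now else None

    def ask(self, server, name, now):
        """Query one server; cache and return its best record for `name`."""
        self.asked.append(server)
        for path in suffixes(name):
            if path in SERVERS[server]:
                rtype, data = SERVERS[server][path]
                self.cache[(path, rtype)] = (data, now + TTL[rtype])
                return rtype, data
        return None

    def resolve(self, name, now=0):
        address = self.cached(name, "A", now)
        if address:
            return address
        # Start at the closest name server still in the cache, else the root.
        hits = (self.cached(p, "NS", now) for p in suffixes(name))
        server = next((ns for ns in hits if ns), ROOT)
        while True:
            reply = self.ask(server, name, now)
            if reply is None:
                return None            # no server knows the name
            rtype, data = reply
            if rtype == "A":
                return data
            server = data              # referral: ask the next server down
```

Once the A record has expired but the NS records have not, the resolver goes straight to 130.225.9.11 and the root is not contacted again. Everything in the cache is believed until its expiry time.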

Cache Poisoning

• There is a very serious attack on the DNS system called cache poisoning
  – [http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html]
• The goal for some naughty hacker is to make a resolver, preferably a resolver for a lot of clients, think that the name server for, e.g. handelsbanken.dk, is at an IP address owned by the hacker

Attacking via DNS

[Figure: message flow of the attack between the parties below]

Parties:

• Provider's name resolver
• Hacker in Kûrruptyztan: 666.666.666.666
• Root name server: 198.41.0.4
• dk. name server: 212.88.78.122
• handelsbanken.dk. name server: 194.68.56.130
• Handelsbanken customer under the provider

Messages, in the order they appear in the figure:

• handelsbanken.dk?
• handelsbanken.dk?
• NS dk = 212.88.78.122
• handelsbanken.?
• NS handelsbanken.dk = 194.68.56.130
• NS handelsbanken.dk = 666.666.666.666 (Cache for long time!)
• handelsbanken.dk?
• NS handelsbanken.dk = 666.666.666.666
• handelsbanken.dk?
• A handelsbanken.dk = 666.666.666.666

DNSSEC

• A secure version of DNS, called DNSSEC, is being deployed
• DNSSEC uses digital signature schemes to authenticate the provided resource records
• Each DNS server has its own key pair
• Public key of the root servers known by all resolvers
• Each DNS server authenticates the public keys of the DNS servers in its sub-domains
• Not yet widely used
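How the chain of keys described above lets a resolver reject the poisoned record from the "Attacking via DNS" figure, as an added example that is not part of the original slides. It follows the slides' simplified model rather than the real DNSSEC record formats: toy textbook RSA over Mersenne primes stands in for the signature scheme, and the keys, the KEY record text and all function names are constructed for the illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Textbook RSA from two primes: (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(msg, n, d):
    return pow(_digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == _digest(msg, n)

# Constructed toy keys from Mersenne primes; far too small for real use.
ROOT = keypair(2**61 - 1, 2**89 - 1)       # root server key pair
DK = keypair(2**89 - 1, 2**107 - 1)        # dk. server key pair
HACKER = keypair(2**107 - 1, 2**127 - 1)   # key pair the attacker made up

def key_record(zone, n):
    return f"{zone} KEY {n}"

def validate(root_n, zone, zone_n, key_sig, record, record_sig):
    """Accept `record` only if root vouches for the zone key that signed it."""
    if not verify(key_record(zone, zone_n), key_sig, root_n):
        return False          # parent never authenticated this key
    return verify(record, record_sig, zone_n)

# Records from the slide: the genuine delegation and the poisoned one.
GOOD = "NS handelsbanken.dk = 194.68.56.130"
FORGED = "NS handelsbanken.dk = 666.666.666.666"
DK_KEY_SIG = sign(key_record("dk.", DK[0]), *ROOT)   # root authenticates dk.

def demo():
    root_n, dk_n = ROOT[0], DK[0]
    return {
        "genuine": validate(root_n, "dk.", dk_n, DK_KEY_SIG, GOOD, sign(GOOD, *DK)),
        # Attacker replays dk.'s signature over a different record.
        "replayed_sig": validate(root_n, "dk.", dk_n, DK_KEY_SIG, FORGED, sign(GOOD, *DK)),
        # Attacker signs with an own key and self-signs that key.
        "own_key": validate(root_n, "dk.", HACKER[0],
                            sign(key_record("dk.", HACKER[0]), *HACKER),
                            FORGED, sign(FORGED, *HACKER)),
    }
```

The resolver needs only the root public key in advance; a record is cached only when every signature from that key down to the record checks out.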
