a cache poisoning attack targeting dns forwarding devices
play

A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng - PowerPoint PPT Presentation

Jul 14, 2023 •383 likes •593 views

Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan and Zhiyun Qian DNS Forwarder Devices

  1. Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan and Zhiyun Qian

  2. DNS Forwarder ● Devices standing in between stub and recursive resolvers E.g., home routers, open Wi-Fi networks Can have caching abilities Relies on the integrity of upstream resolvers 2

  3. DNS Cache Poisoning Attacks ● Forging attacks targeting recursive resolvers Crafu a DNS answer which matches the query’s metadata Example: Kaminsky Attack (2008) Mitigation: increase randomness of DNS packet RFC 5452: DNS resolver implementations should use randomized ephemeral port numbers and DNS transaction IDs 3

  4. Threat Model: Overview ● Defragmentation attacks targeting DNS forwarders Reliably forces DNS response fragmentation Targets arbitrary victim domain names 4

  5. Threat Model: Overview ● Defragmentation attacks targeting DNS forwarders Reliably forces DNS response fragmentation Targets arbitrary victim domain names 2. Use attacker’s own 1. Attacker & DNS forwarder domain name and locate in the same LAN authoritative server (e.g., in open Wi-Fi networks) 5

  6. Insight on Forwarder Roles ● Defragmentation attacks targeting DNS forwarders Reliably forces DNS response fragmentation Targets arbitrary victim domain names 2. Use attacker’s own 1. Attacker & DNS forwarder Relies on recursive resolvers domain name and locate in the same LAN authoritative server Target of cache poisoning (e.g., in open Wi-Fi networks) Security checks 6 (e.g., DNSSEC)

  7. Attacker’s Oversized DNS Response ● CNAME chain Use dummy CNAME records to enlarge attacker’s DNS response > 1,500 Bytes (Ethernet MTU) Always produce fragments 7

  8. Attacker’s Oversized DNS Response ● CNAME chain Use dummy CNAME records to enlarge attacker’s DNS response Use CNAME to point attacker’s domain to any victim What the What the recursive DNS resolver forwarder sees sees 8

  9. Attacker’s Oversized DNS Response ● CNAME chain Use dummy CNAME records to enlarge attacker’s DNS response Use CNAME to point attacker’s domain to any victim What the What the recursive DNS resolver forwarder sees sees 9

  10. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 10

  11. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS query 11

  12. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS 3. Authoritative query returns oversized response (> Ethernet MTU) 12

  13. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS 3. Authoritative query returns oversized response 4. Defragment (> Ethernet MTU) by forwarder 13

  14. Flow of Defragmentation Attack ● Defragmentation attacks targeting DNS forwarders 1. Crafu spoofed 2nd fragment 2. Issue a DNS 3. Authoritative query returns oversized Lack response 4. Defragment Security (> Ethernet MTU) by forwarder Checks 14

  15. Conditions of Successful Attacks ● DNS caching by record The tampered record can be cached separately ● EDNS(0) support Allows transfer of DNS messages larger than 512 Bytes ● No active truncation of DNS response Ensures that the entire oversized response is transfered ● No response verification DNS forwarders rely on upstream resolvers 15

  16. Vulnerable DNS Software ● Home routers 16 models are tested (by real attacks in controlled environment) 8 models are vulnerable ● DNS sofuware 2 kinds of popular DNS sofuware are vulnerable 16

  17. Vulnerable DNS Software ● Home routers 16 models are tested (by real attacks in controlled environment) 8 models are vulnerable ● DNS sofuware 2 kinds of popular DNS sofuware are vulnerable ● Responsible Disclosure ASUS and D-Link release firmware patches Linksys accepts issue via BugCrowd 17

  18. Measuring Clients Potentially Under Risk ● Collect vantage points Implement measurement code in a network diagnosis tool 20K clients , mostly located in China ● Check the forwarder conditions Ethical considerations: no real attack 40% do not support EDNS(0) yet Estimated vulnerable clients: 6.6% 18

  19. Discussion ● Mitigation for DNS forwarders Perform response verification (e.g., DNSSEC) DNS caching by response (short-term solution) ● Lack clear guidelines of DNS forwarders What role should they play? What features should be supported? 19

  20. ● An attack targeting DNS forwarders ● Affects forwarder implementations extensively ● Call for more attention on DNS forwarder security Any Questions? zxf19@mails.tsinghua.edu.cn

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

Anatomy of a DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the Domain Name System (DNS) Cache Poisoning Cyber attack. We will cover: - Real-world examples of DNS cache poisoning - A defjnition of

607 views • 58 slides
DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan Contents Background DNS Cache Poisoning Part I: Infer

934 views • 23 slides
DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC labs 8 Mar 2010 ccNSO techday, Nairobi 1 Agenda DNS, DNS resolver Cache Poisoning theory Kaminsky attack Attack theory Attack

503 views • 28 slides
Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey July 1, 2019 What is a Poisoning Attack? Data poisoning is an attack on machine learning models wherein the attacker adds (or modifies) examples

1.28k views • 12 slides
Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed Mahloujifar Mohammad Mahmoody Ameer Mohammed, ICML 2019 Multi-party Learning Application: Federated Learning Federated Learning : Train a centralized

589 views • 34 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline Background q What are bandits? q Motivations Data poisoning attacks on stochastic bandits q Offline model q Online model q Simulation results

218 views • 17 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning Attack Scenarios Vulnerability Analysis Remedies DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious Researcher David Dagon 1 1 Georgia Institute of Technology Atlanta, Georgia

327 views • 28 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from AES in 3s + 3min Very weak assumptions No known plaintext needed No special rights needed, only to be able to spawn and control threads

378 views • 16 slides
CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning is the most common exposure poisoning in the United States and the rest of the world. 2. It is an odorless, colorless gas that can cause sudden

198 views • 15 slides
Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b. Forefathers of toxicology c. Famous poisoning cases d. Misconception about poisoning e. Basic principles of poisoning f. Factors influencing toxic

843 views • 16 slides
Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
Chronological order in Internet Incidents event Targeting Enterprise/Government using DDoS

Chronological order in Internet Incidents event Targeting Enterprise/Government using DDoS

Cyber Incident trends in Korea KrCERT/CC Ji-Yong PARK October 21 st , 2015 Chronological order in Internet Incidents event Targeting Enterprise/Government using DDoS attack and APT Internet incident occurs targeting enterprises using APT

195 views • 4 slides
Java: Learning to Program with Robots Chapter 08: Collaborative Classes Chapter Objectives

Java: Learning to Program with Robots Chapter 08: Collaborative Classes Chapter Objectives

Java: Learning to Program with Robots Chapter 08: Collaborative Classes Chapter Objectives After studying this chapter, you should be able to: Write a class that uses references to an object with instance variables, parameter variables,

488 views • 31 slides
US U SE ER R S S M MA AN NU UA AL L Aldo Vecchietti

US U SE ER R S S M MA AN NU UA AL L Aldo Vecchietti

US U SE ER R S S M MA AN NU UA AL L Aldo Vecchietti aldovec@santafe-conicet.gov.ar LogMIP Users Manual 1 INDEX 1. Introduction 2 2. Disjunctive model formulation 2 3 2.1. SMALL EXAMPLE 1 7 2.2. SMALL EXAMPLE 2

648 views • 35 slides
On Banach spaces of vector-valued random variables and their duals motivated by risk measures

On Banach spaces of vector-valued random variables and their duals motivated by risk measures

Introduction The Banach spaces L p ( P, X ) The dual of L p ( P, X ) On Banach spaces of vector-valued random variables and their duals motivated by risk measures Thomas Kalmes - TU Chemnitz joint work with A. Pichler - TU Chemnitz FNRS

757 views • 65 slides
6. Approximation and fitting norm approximation least-norm problems regularized

6. Approximation and fitting norm approximation least-norm problems regularized

Convex Optimization Boyd & Vandenberghe 6. Approximation and fitting norm approximation least-norm problems regularized approximation robust approximation 61 Norm approximation minimize Ax b ( A R m

877 views • 20 slides
Caffe tutorial borrowed slides from: caffe official tutorials Recap Convnet Supervised learning

Caffe tutorial borrowed slides from: caffe official tutorials Recap Convnet Supervised learning

Caffe tutorial borrowed slides from: caffe official tutorials Recap Convnet Supervised learning trained by stochastic gradient descend J ( W, b ) = 1 2 || h ( x ) y || 2 1. feedforward: get the activations for each layer and the cost 2.

682 views • 25 slides
LOGO LOGO HERE HERE Lorem Ipsum is simply dummy text of the printing and typesetting industry

LOGO LOGO HERE HERE Lorem Ipsum is simply dummy text of the printing and typesetting industry

LOGO LOGO HERE HERE Lorem Ipsum is simply dummy text of the printing and typesetting industry HEADING You our r Text Here Here You our r Text Here Here You our r Text Here Here You our r Text Here Here Lorem Ipsum is simply dummy

357 views • 10 slides
Edge Clouds with OpenNebula Vlastimil Holer Lead Cloud Engineer OpenNebula Systems FOSDEM 2020

Edge Clouds with OpenNebula Vlastimil Holer Lead Cloud Engineer OpenNebula Systems FOSDEM 2020

Edge Clouds with OpenNebula Vlastimil Holer Lead Cloud Engineer OpenNebula Systems FOSDEM 2020 ONE edge.io This work has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement ONEedge

539 views • 35 slides
EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 2: DATAFLOW ANALYSIS 1 Christoph Reichenbach In the last lecture. . . Uses of Program Analysis Static vs. Dynamic Program Analysis Soundness, Precision, Termination Abstraction and Simplification

4.44k views • 52 slides

More recommend