assessing dns vulnerability
play

Assessing DNS Vulnerability to Record Injection Kyle Schomp , Tom - PowerPoint PPT Presentation

Sep 21, 2023 •646 likes •1.29k views

Assessing DNS Vulnerability to Record Injection Kyle Schomp , Tom Callahan, Michael Rabinovich , Mark Allman Case Western Reserve University International Computer Science Institute Passive and Active Measurement Conference

  1. Assessing DNS Vulnerability to Record Injection Kyle Schomp †, Tom Callahan†, Michael Rabinovich †, Mark Allman†‡ †Case Western Reserve University ‡International Computer Science Institute Passive and Active Measurement Conference 2014 3/11/2014 PAM 2014 1

  2. 3/11/2014 PAM 2014 2

  3. DNS Recording Injection • Subverting the DNS name to address bindings can result in: • Redirection to a malicious webserver • Privacy issues • Denial of service • Phishing attacks • Malware installation 3/11/2014 PAM 2014 3

  4. Our Contribution • Assess vulnerability to extraneous record injection • Bailiwick violations • Examine the incidence rate of intentional response rewriting by resolvers • Negative response rewriting • Search engine hijacking (Paxfire) • Survey use of established mitigations to the Kaminsky vulnerability • Demonstrate a new record injection attack (the Preplay vulnerability) 3/11/2014 PAM 2014 4

  5. Dataset Collection Methodology • Discover open resolvers by sampling randomly from the Internet • Deploy our own authoritative DNS server ( ADNS ) • DNS request probes target our own domain Open Egress Resolver Resolver ADNS for dnsresearch.us Scanner • Test open and egress resolvers for vulnerability to record injection 3/11/2014 PAM 2014 5

  6. Dataset Collection Methodology • Discover open resolvers by sampling randomly from the Internet • Deploy our own authoritative DNS server ( ADNS ) • DNS request probes target our own domain Open Resolver “RDNS”, Recursive Resolver ADNS for dnsresearch.us Scanner • Test open and egress resolvers for vulnerability to record injection 3/11/2014 PAM 2014 5

  7. Dataset Collection Methodology • Discover open resolvers by sampling randomly from the Internet • Deploy our own authoritative DNS server ( ADNS ) • DNS request probes target our own domain “RDNS”, Recursive Resolver ADNS for dnsresearch.us Scanner “FDNS”, Forwarding Resolver • Test open and egress resolvers for vulnerability to record injection 3/11/2014 PAM 2014 5

  8. Dataset Collection Methodology • Discover open resolvers by sampling randomly from the Internet • Deploy our own authoritative DNS server ( ADNS ) • DNS request probes target our own domain “RDNS”, Recursive Resolver ADNS for dnsresearch.us Client “FDNS”, Forwarding Resolver • Test open and egress resolvers for vulnerability to record injection 3/11/2014 PAM 2014 5

  9. Bailiwick Violations • Over 10 years old • Mitigated via the bailiwick rules www.x.com ? • 749 violations found in 1.09M open resolvers tested • Some resolvers still vulnerable to this very old attack! RDNS ADNS for x.com Query www.x.com ? Answer 1.2.3.4 Additional www.hsbc.com A 2.3.4.5 3/11/2014 PAM 2014 6

  10. Negative Response Rewriting anazon.com ? anazon.com ? Client RDNS ADNS for x.com 3/11/2014 PAM 2014 7

  11. Negative Response Rewriting anazon.com ? anazon.com ? does not exist Client RDNS ADNS for x.com 3/11/2014 PAM 2014 7

  12. Negative Response Rewriting anazon.com ? anazon.com ? anazon.com = A does not exist Client RDNS ADNS for x.com 3/11/2014 PAM 2014 7

  13. Negative Response Rewriting anazon.com ? anazon.com ? anazon.com = A does not exist Client RDNS ADNS for x.com • Why? DNS provider profits from advertising at A • Happens to 24% of open resolvers 3/11/2014 PAM 2014 7

  14. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? RDNS ADNS for google.com 3/11/2014 PAM 2014 8

  15. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? www.google.com = G RDNS ADNS for google.com 3/11/2014 PAM 2014 8

  16. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? www.google.com = A www.google.com = G RDNS ADNS for google.com 3/11/2014 PAM 2014 8

  17. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? www.google.com = A www.google.com = G RDNS ADNS for google.com A G 3/11/2014 PAM 2014 8

  18. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? www.google.com = A www.google.com = G RDNS ADNS for google.com search result A G 3/11/2014 PAM 2014 8

  19. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? www.google.com = A www.google.com = G RDNS ADNS for google.com search result A G 3/11/2014 PAM 2014 8

  20. Search Engine Hijacking (Paxfire) www.google.com ? www.google.com ? www.google.com = A www.google.com = G RDNS ADNS for google.com search result A G • Again, the primary reason is to monetize user’s search traffic • While once common, this is no longer a widespread practice 3/11/2014 PAM 2014 8

  21. Off-path Attacks • Craft an acceptable DNS response to squeeze between the real DNS request and response 3/11/2014 PAM 2014 9

  22. Off-path Attacks • Craft an acceptable DNS response to squeeze between the real DNS request and response real request Resolver 3/11/2014 PAM 2014 9

  23. Off-path Attacks • Craft an acceptable DNS response to squeeze between the real DNS request and response real request malicious response Resolver 3/11/2014 PAM 2014 9

  24. Off-path Attacks • Craft an acceptable DNS response to squeeze between the real DNS request and response real request malicious response real response Resolver 3/11/2014 PAM 2014 9

  25. Off-path Attacks • Craft an acceptable DNS response to squeeze between the real DNS request and response • Fields to match: real request • IP addresses: source and destination malicious response • Port numbers: source and destination real response • Query string and transaction ID Resolver 3/11/2014 PAM 2014 9

  26. Kaminsky Vulnerability • In 2008, Dan Kaminsky discovered a new vulnerability • 2 keys to Kaminsky • Transaction ID is the only field the attacker needs to guess • Simple way to attempt multiple guesses • Kaminsky showed that a cache could be poisoned in under 10 minutes! 3/11/2014 PAM 2014 10

  27. Kaminsky Vulnerability (cont.) RDNS ADNS for victim.com Attacker 3/11/2014 PAM 2014 11

  28. Kaminsky Vulnerability (cont.) x1.victim.com ? TID= y RDNS ADNS for victim.com Attacker 3/11/2014 PAM 2014 11

  29. Kaminsky Vulnerability (cont.) x1.victim.com ? TID= y answer TID= y RDNS ADNS for victim.com Attacker 3/11/2014 PAM 2014 11

  30. Kaminsky Vulnerability (cont.) x1.victim.com ? TID= y answer TID= y RDNS ADNS for victim.com Attacker 3/11/2014 PAM 2014 11

  31. Kaminsky Vulnerability (cont.) x1.victim.com ? TID= y answer TID= y RDNS ADNS for victim.com Query x1.victim.com ? Answer doesn’t matter Authority victim.com NS ns1.victim.com Attacker Additional ns1.victim.com A attacker 3/11/2014 PAM 2014 11

  32. Kaminsky Vulnerability (cont.) www.victim.com ? RDNS ADNS for victim.com Attacker 3/11/2014 PAM 2014 11

  33. Kaminsky Vulnerability (cont.) www.victim.com ? RDNS ADNS for victim.com Attacker 3/11/2014 PAM 2014 11

  34. Kaminsky Vulnerability (cont.) • 65K possible transaction IDs • First attempt likely unsuccessful, so repeat with: • x2.victim.com • x3.victim.com • e tc… • Since none of these names will be in the resolver’s cache, can retry immediately • Eventually, the attacker will guess correctly 3/11/2014 PAM 2014 12

  35. Mitigating the Kaminsky Vulnerability • Add entropy to response beyond just a random transaction ID • Randomized ephemeral port • 0x20 encoding • Random capitalization of query string, i.e. X1.VicTIm.Com • ADNS echoes the capitalization back • Attacker must guess capitalization • 1 bit of entropy per letter in query string • DNSSEC and ingress filtering defeat the Kaminsky Attack • Slow progress means mitigation is needed 3/11/2014 PAM 2014 13

  36. Survey of Mitigations to Kaminsky • Send multiple DNS requests through each RDNS • Classify RDNS where 10 or more DNS requests arrive at our ADNS • Nearly all classified resolvers appear to use random transaction IDs • 16% of classified resolvers use static ephemeral ports! • 0x20 encoding rare Observation RDNS • (lower bound) Number Percentage Total Classified 57K 100% Complex Transaction ID Sequence 57K 100% Variable Ephemeral Port 48K 84% 0x20 Encoding 195 0.3% 3/11/2014 PAM 2014 14

  37. Preplay Vulnerability • If RDNS are vulnerable, what about FDNS? • FDNS: • Residential locations • Most likely home wifi routers • Little attention paid to security • We found that FDNS have a vulnerablility that is much easier to exploit than the Kaminsky vulnerability 3/11/2014 PAM 2014 15

  38. Preplay Vulnerability (cont.) www.victim.com = V www.victim.com ? www.victim.com ? FDNS Attacker RDNS 3/11/2014 PAM 2014 16

  39. Preplay Vulnerability (cont.) www.victim.com = V www.victim.com ? www.victim.com ? www.victim.com = A FDNS Attacker RDNS 3/11/2014 PAM 2014 16

  40. Preplay Vulnerability (cont.) www.victim.com = A www.victim.com = V www.victim.com ? www.victim.com ? www.victim.com = A www.victim.com = A FDNS Attacker RDNS 3/11/2014 PAM 2014 16

  41. Preplay Vulnerability (cont.) www.victim.com = A www.victim.com = V www.victim.com ? www.victim.com ? www.victim.com = A www.victim.com = V www.victim.com = A FDNS Attacker RDNS 3/11/2014 PAM 2014 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Alaska ; Building Capacity & Assessing Vulnerability with the emphasis on shellfish health

Alaska ; Building Capacity & Assessing Vulnerability with the emphasis on shellfish health

Monitoring for Ocean Acidification near coastal villages and communities in south-central Alaska ; Building Capacity & Assessing Vulnerability with the emphasis on shellfish health Wiley Evans, Burke Hales, Jacqueline Ramsay, Jeff Hetrick,

484 views • 21 slides
Preventing Elder Investment Fraud: Assessing for Vulnerability to Financial Exploitation Dulce

Preventing Elder Investment Fraud: Assessing for Vulnerability to Financial Exploitation Dulce

Preventing Elder Investment Fraud: Assessing for Vulnerability to Financial Exploitation Dulce M. Cruz, MD, CMD Associate Professor Division of Geriatrics Saint Louis University Robert E. Roush, EdD, MPH Director, Texas Consortium GEC Baylor

954 views • 38 slides
Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty

Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty

Assessing the Vulnerability of Coastal Wetlands to Sea-Level Rise Application of a Model Patty Glick Senior Climate Adaptation Specialist National Wildlife Federation Overview of Sea-Level Rise Subsidence, tectonic Ocean circulation

518 views • 21 slides
Assessing Climate Change Vulnerability and Resilience in a Commercial Property Portfolio 2013

Assessing Climate Change Vulnerability and Resilience in a Commercial Property Portfolio 2013

Assessing Climate Change Vulnerability and Resilience in a Commercial Property Portfolio 2013 Local Government Planners Forum Greg Johnson National Environmental Sustainability Manager Stockland Sustainable Communities Property Portfolio

334 views • 19 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Assessing BYOD with the Smarthpone Pentest Framework Georgia

Assessing BYOD with the Smarthpone Pentest Framework Georgia

Assessing BYOD with the Smarthpone Pentest Framework Georgia Weidman BYOD Is Not New Contractor Laptop Rogue Access Point Gaming Console Tradi>onal Vulnerability Scanning

1.28k views • 95 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide & inform frontline workers & decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
Patient Engagement, Your Revenue Model, and Practice Fragility Assessing and fixing your

Patient Engagement, Your Revenue Model, and Practice Fragility Assessing and fixing your

Patient Engagement, Your Revenue Model, and Practice Fragility Assessing and fixing your practices hidden vulnerability for the COVID Era If you havent already, register at VirtualPractices.org Inoculate your patient and

330 views • 22 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
The impact of future climate change on the water level of Lake Lesser Prespa: assessing the

The impact of future climate change on the water level of Lake Lesser Prespa: assessing the

The impact of future climate change on the water level of Lake Lesser Prespa: assessing the vulnerability of fjsh spawning grounds, and bird nesting- / foraging sites LIFE Prespa Waterbirds ( LIFE15/NAT/GR/000936 ): Sep 2016-Sep 2021

229 views • 20 slides
On Infantry Vulnerability Casualties from Direct Fire Ben Levav CEMA Unclassified Objective

On Infantry Vulnerability Casualties from Direct Fire Ben Levav CEMA Unclassified Objective

Unclassified Unclassified On Infantry Vulnerability Casualties from Direct Fire Ben Levav CEMA Unclassified Objective Formulating a descriptive mathematical model for assessing casualty rates in an Infantry attack 2 Unclassified Scope

578 views • 23 slides
Semantic Representation and Scale-up of Integrated Air Traffic Management Data Rich Keller, Ph.D.

Semantic Representation and Scale-up of Integrated Air Traffic Management Data Rich Keller, Ph.D.

Semantic Representation and Scale-up of Integrated Air Traffic Management Data Rich Keller, Ph.D. * Shubha Ranjan + Mei Wei * Michelle Eshow *Intelligent Systems Division / Aviation Systems Division + Moffett Technologies, Inc. NASA

497 views • 21 slides
A Solution for Densely Annotated Large Scale Object Detection Task Yuan Gao, Hui Shen, Donghong

A Solution for Densely Annotated Large Scale Object Detection Task Yuan Gao, Hui Shen, Donghong

A Solution for Densely Annotated Large Scale Object Detection Task Yuan Gao, Hui Shen, Donghong Zhong, Jian Wang, Zeyu Liu, Ti Bai, Xiang Long and Shilei Wen Ob Object 365 365 Da Datas aset # Box in Box Num Image Image Box Area

287 views • 25 slides
1 20.2 20.2 Structure and Reactivity Structure and Reactivity Fig. 20.2 20.2 20.2

1 20.2 20.2 Structure and Reactivity Structure and Reactivity Fig. 20.2 20.2 20.2

Chapter 20: Carboxylic Acid Derivatives Chapter 20: Carboxylic Acid Derivatives - - NAS NAS Carboxylic acid Acyl (or acid) Acid anhydride chloride Ester Carboxamide All closely related and made from carboxylic acids most are

513 views • 8 slides
AttentionNAS: Spatiotemporal Attention Cell Search for Video Classification Xiaofang Wang, Xuehan

AttentionNAS: Spatiotemporal Attention Cell Search for Video Classification Xiaofang Wang, Xuehan

AttentionNAS: Spatiotemporal Attention Cell Search for Video Classification Xiaofang Wang, Xuehan Xiong, Maxim Neumann, AJ Piergiovanni, Michael S. Ryoo, Anelia Angelova, Kris M. Kitani, Wei Hua Convolutional networks are dominant C3D [ICCV

746 views • 26 slides
Improving Virtually Guided Product Certification with Implicit Finite Element Analysis at Scale

Improving Virtually Guided Product Certification with Implicit Finite Element Analysis at Scale

Improving Virtually Guided Product Certification with Implicit Finite Element Analysis at Scale Seid Koric 1 , Robert F. Lucas 2 , Erman Guleryuz 1 1 National Center for Supercomputing Applications (NCSA) 2 Livermore Software Technology Corporation

180 views • 13 slides
Welcome 1 Agenda 9:15 AM 10:00 AM Getting Started with SBIR/STTR 10:15 AM 11:00 AM

Welcome 1 Agenda 9:15 AM 10:00 AM Getting Started with SBIR/STTR 10:15 AM 11:00 AM

Welcome 1 Agenda 9:15 AM 10:00 AM Getting Started with SBIR/STTR 10:15 AM 11:00 AM Inside the Head of an Evaluator: Common Mistakes 11:15 AM 12 noon Success in Phase I - Moving to Phase II and Beyond 12:15 PM 1:00 PM U.S.

114 views • 7 slides
Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing

Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing

Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing Applications University of Illinois at Urbana-Champaign NCSA/U of I Astronomy Currently in Production BIMA/CARMA millimeter radio array +

285 views • 12 slides
Pacific Wave: Introduction and Update APAN 30, Hanoi, Vietnam What is Pacific Wave? It is a

Pacific Wave: Introduction and Update APAN 30, Hanoi, Vietnam What is Pacific Wave? It is a

Pacific Wave: Introduction and Update APAN 30, Hanoi, Vietnam What is Pacific Wave? It is a state of the art international peering exchange facility designed to serve research and education networks throughout the Pacific Rim and the

889 views • 20 slides

More recommend