attacks on dns d j bernstein university of illinois at
play

Attacks on DNS D. J. Bernstein University of Illinois at Chicago - PDF document

Apr 15, 2023 •252 likes •813 views

Attacks on DNS D. J. Bernstein University of Illinois at Chicago The Domain Name System cert.org wants to see http://www.lsec.be . Browser at cert.org The web server www.lsec.be has IP address

  1. Attacks on DNS D. J. Bernstein University of Illinois at Chicago

  2. � The Domain Name System cert.org wants to see �� �� http://www.lsec.be . �� �� Browser at cert.org “The web server www.lsec.be has IP address �� �� �� �� 81.246.94.54.” Administrator at lsec.be Now cert.org retrieves web page from IP address 81.246.94.54.

  3. � Same for Internet mail. cert.org has mail �� �� to deliver to someone@lsec.be . �� �� Mail client at cert.org “The mail server for lsec.be has IP address �� �� �� �� 80.92.66.174.” Administrator at lsec.be Now cert.org delivers mail to IP address 80.92.66.174.

  4. � Forging DNS packets cert.org has mail �� �� to deliver to someone@lsec.be . �� �� Mail client at cert.org “The mail server for lsec.be has IP address �� �� �� �� 157.22.245.20.” Attacker anywhere on network Now cert.org delivers mail to IP address 157.22.245.20, actually the attacker’s machine.

  5. “Can attackers do that?”

  6. “Can attackers do that?” — Yes.

  7. “Can attackers do that?” — Yes. “Really?”

  8. “Can attackers do that?” — Yes. “Really?” — Yes.

  9. “Can attackers do that?” — Yes. “Really?” — Yes. “Don’t the clients check who’s sending information?”

  10. “Can attackers do that?” — Yes. “Really?” — Yes. “Don’t the clients check who’s sending information?” — Yes, but the attacker forges the sender address; as easy as forging address on a physically mailed postcard.

  11. Real postcard from administrator: From: lsec.be admin To: cert.org mail client The mail server for lsec.be has IP address 80.92.66.174. Hoping to have informed you sufficiently! Forged postcard from attacker: From: lsec.be admin To: cert.org mail client The mail server for lsec.be has IP address 157.22.245.20. Hoping to have informed you sufficiently!

  12. Real packet from administrator: From: lsec.be admin To: cert.org mail client The mail server for lsec.be has IP address 80.92.66.174. Hoping to have informed you sufficiently! Forged packet from attacker: From: lsec.be admin To: cert.org mail client The mail server for lsec.be has IP address 157.22.245.20. Hoping to have informed you sufficiently!

  13. “Is the client always listening for the address of lsec.be ?”

  14. “Is the client always listening for the address of lsec.be ?” — No. When client wants to know address of lsec.be , it sends a query to the administrator, and listens for the response. Forged lsec.be information is effective if it arrives at this time.

  15. Many ways for attackers to time forgeries properly: 1. Attack repeatedly. One of the forgeries will arrive at the right time. 2. Poke the client to trigger a known lookup. 3. Attack caches a long time in advance.

  16. Many ways for attackers to time forgeries properly: 1. Attack repeatedly. One of the forgeries will arrive at the right time. 2. Poke the client to trigger a known lookup. 3. Attack caches a long time in advance. 4. Easy, succeeds instantly: Sniff the network.

  17. �� �� � � � Browser at cert.org �� �� “The web server www.lsec.be DNS cache has IP address �� �� 81.246.94.54.” �� �� Administrator at lsec.be Browser pulls data from DNS cache at cert.org . Cache pulls data from administrator if it doesn’t already have the data.

  18. A typical blind attack: Attacker sets up a web page supersecuritytools.to , including an inline image from www.lsec.be . Victim asks browser to view supersecuritytools.to . Attacker sees HTTP request, sends web page to browser, waits a moment (for browser to ask cache about www.lsec.be ), and sends the DNS cache forged data for www.lsec.be .

  19. “Doesn’t the attacker have to win a race against the legitimate DNS packets from the administrator at lsec.be? ”

  20. “Doesn’t the attacker have to win a race against the legitimate DNS packets from the administrator at lsec.be? ” — Yes, but many ways for attackers to win race: 1. Deafen the legitimate server. 2. Mute the legitimate server. 3. Poke-jab-jab-jab-jab-jab.

  21. “Doesn’t the attacker have to win a race against the legitimate DNS packets from the administrator at lsec.be? ” — Yes, but many ways for attackers to win race: 1. Deafen the legitimate server. 2. Mute the legitimate server. 3. Poke-jab-jab-jab-jab-jab. 4. Easy, succeeds instantly: Sniff the network.

  22. Typical combined blind attack: Attacker floods lsec.be servers with queries that consume all available CPU time, or floods lsec.be network with packets that consume all available network capacity. Attacker pokes the client to trigger an lsec.be lookup. Attacker immediately sends a series of forged packets to the DNS cache.

  23. “What if attacker loses race?” — Many ways for attacker to continue his attack: 1. He attacks another cache. 2. He attacks another name on the same cache. 3. He attacks the same name on the same cache, sideways. With any of these approaches, number of cached forgeries increases linearly over time.

  24. Sideways attacks were popularized in 2008 by Dan Kaminsky. Attacker pokes the client to trigger a DNS lookup for 8675309.lsec.be . Attacker forges response for 8675309.lsec.be with extra information about www.lsec.be . For various performance reasons, DNS caches are willing to accept the extra information.

  25. Interlude: types of security Confidentiality : The attacker cannot see this information. Integrity : The attacker cannot silently modify this information. User doesn’t see wrong data. Availability : The attacker cannot modify this information. User sees the right data.

  26. Attacker flooding a network is compromising availability. (“Denial of service.”) Attacker successfully forging DNS packets of lsec.be is compromising integrity. Attacker stealing email is compromising confidentiality: attacker sees the email. Also compromising availability: user doesn’t see the email.

  27. Lack of availability often helps compromise integrity: e.g., flooding a server can assist in DNS forgeries. Lack of confidentiality often helps compromise integrity: e.g., sniffing DNS queries makes forgeries trivial. Lack of integrity often helps compromise confidentiality: e.g., forging DNS packets allows redirecting mail. etc.

  28. PGP-encrypting your email can provide confidentiality. Attacker who steals email still won’t understand it. Also integrity. Attacker can’t modify email. But it won’t provide availability. The email silently disappeared! Retroactively checking integrity doesn’t restore availability.

  29. What about cookies? Cache’s DNS query packet contains a 16-bit ID. RFC 1035 (1987): “This identifier is copied [to the] reply and can be used by the requester to match up replies to outstanding queries.” Traditional ID sequence: 1, 2, 3, 4, 5, etc. Cache discards any reply that has the wrong ID. “How does the attacker guess the right ID?”

  30. Attacker sets up a web page supersecuritytools.to , including an inline image from www.lsec.be . Attacker provides DNS data for supersecuritytools.to from his own DNS servers. Victim asks browser to view supersecuritytools.to . Attacker sees cache’s ID for supersecuritytools.to DNS query. Attacker then predicts ID for lsec.be query.

  31. � � � � � � � � � “ ID 47603: SST.to? ” Cache Attacker “ ID 47603: SST.to 157.22.245.20 (and please don’t cache this) ” “ http://SST.to ” Browser Attacker “ ... lsec.be ... ” Cache Attacker “ID 47604: lsec.be 157.22.245.20 ” Cache Attacker “ID 47604: lsec.be 157.22.245.20 ” Cache Attacker “ID 47604: lsec.be 157.22.245.20 ” Cache Attacker “ID 47604: lsec.be 157.22.245.20 ” Cache Attacker “ID 47604: lsec.be 157.22.245.20 ”

  32. More recent idea: “Hey, let’s use random IDs! Then the attacker won’t be able to forge a packet with the right ID!” Can use any good stream cipher to expand a short secret key into a long sequence of “random” numbers. � 10 cycles/byte. AES-CTR: � 3 cycles/byte. Salsa20/12: Output is very hard to predict: attacker has no idea what the next ID will be, even after seeing entire sequence of previous IDs.

  33. Client can randomize 16-bit ID and 16-bit UDP source port. Implemented and advertised in djbdns since 1999, and in PowerDNS since 2006. Same feature added 2008.07 in “emergency” upgrade to BIND, Microsoft DNS, Nominum CNS, most Cisco products, etc. New York Times headline: “WITH SECURITY AT RISK, A PUSH TO PATCH THE WEB”

  34. Bad news: Ignorant developers often whip up breakable ciphers. See, e.g., Klein’s analysis leading to 2007.07.24 “emergency” BIND 9 upgrade: In essence, this is a weak version (since the output is 16 bits, as opposed to the traditional 1 bit) of the well studied cryptosystem known by many names: “bilateral stop/go (LFSR) generator”, “mutually clock controlled (LFSR) generator” and “mutual (or bilateral) step-1/step-2 (LFSR) generator”. ... The Perl script in Appendix C takes around 10-15 milliseconds ... to extract the internal state from 13-15 consecutive transaction IDs.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bit attacks D. J. Bernstein University of Illinois at Chicago From: andr...@ise... Date: 11 Feb

Bit attacks D. J. Bernstein University of Illinois at Chicago From: andr...@ise... Date: 11 Feb

Bit attacks D. J. Bernstein University of Illinois at Chicago From: andr...@ise... Date: 11 Feb 2009 14:48 Subject: Question Running CubeHash8/1 with 64 bit output over 2 different datasets give me the same hash under Visual Studio. Using

394 views • 13 slides
Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discrete-logarithm problem p = 1000003. Define p is prime. Easy to prove: Can we find an integer n 2 f 1 ; 2 ; 3 ; : : : ; p 1 g n mod p =

279 views • 26 slides
Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise:

Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise:

Attacks on DNS Cryptography in DNS D. J. Bernstein University of Illinois at Chicago Exercise: How big is the dig +dnssec -t any se response packet? @a.ns.se How big was the query packet? Some general questions Why doesnt the Internet

1.43k views • 86 slides
Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of

Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of

Better price-performance ratios for generalized birthday attacks D. J. Bernstein University of Illinois at Chicago Motivation A hashing structure proposed by Bellare/Micciancio, 1996: f 1 ; f 2 ; : : : Standardize functions from, e.g.,

297 views • 17 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views • 32 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
NTRU Prime Can we predict future attacks? Daniel J. Bernstein 1996 DobbertinBosselaers

NTRU Prime Can we predict future attacks? Daniel J. Bernstein 1996 DobbertinBosselaers

1 2 NTRU Prime Can we predict future attacks? Daniel J. Bernstein 1996 DobbertinBosselaers Preneel RIPEMD-160: University of Illinois at Chicago & a strengthened version of Technische Universiteit Eindhoven RIPEMD: It is

1.93k views • 149 slides
Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University

Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University

Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University of Illinois at Chicago http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 1996: qmail 0.70. 1997: qmail 1.00.

1.04k views • 69 slides
Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS

Lecture 22 CAs and HTTPS Attacks Stephen Checkoway University of Illinois at Illinois CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Certificates Make use of trusted Certificate Authorities (CA) This public

472 views • 29 slides
The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS9600083 NSF DMS9970409 NSF DMS0140542 Alfred P. Sloan Foundation NSF ITR0716498 T as the time Define n . used by NFS to factor T depends on

433 views • 31 slides
Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at

Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at

Smaller decoding exponents: ball-collision decoding D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Christiane Peters University of Illinois at Chicago Context: speed What is

500 views • 36 slides
Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836)

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836)

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836) NIST (60NANB10D263) Cisco (University Research Program) Interpolation Fix coprime 1 Z 0 . Remainder repn

1.19k views • 70 slides
ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 New EECM web site: http://eecm.cr.yp.to Joint work with: 1 2 3 Tanja Lange 1 Peter Birkner 1 Christiane Peters 2 3 Chen-Mou Cheng 2 3

470 views • 29 slides
Breaking DNSSEC D. J. Bernstein University of Illinois at Chicago Advertisement:

Breaking DNSSEC D. J. Bernstein University of Illinois at Chicago Advertisement:

Breaking DNSSEC D. J. Bernstein University of Illinois at Chicago Advertisement: Special-purpose hardware for attacking cryptographic systems, Lausanne, 2009.09.0910; http://sharcs.org . 1993.11 Galvin: The DNS Security design

1.05k views • 65 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Paul Vixie, 1995, on DNSSEC: This sounds simple but it has deep reaching consequences in both the protocol and the

2.05k views • 180 slides
CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu

CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu

source: computer-networks-webdesign.com CSCI x760 - Computer Networks Spring 2016 Instructor: Prof. Roberto Perdisci perdisci@cs.uga.edu These slides are adapted from the textbook slides by J.F. Kurose and K.W. Ross Chapter 2: Application

955 views • 84 slides
Caching Demystified presented by Aaron Welch and C a c h i n g D e m y s t i f i

Caching Demystified presented by Aaron Welch and C a c h i n g D e m y s t i f i

Caching Demystified presented by Aaron Welch and C a c h i n g D e m y s t i f i e d A a r o n W e l c h C a d r e W e b H o s t i n g What is a cache? A cache is a mechanism that allows you to

607 views • 17 slides
Memory Hierarchy (Performance Optimization) 2 Lab Schedule Activities Assignments Due This

Memory Hierarchy (Performance Optimization) 2 Lab Schedule Activities Assignments Due This

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Memory Hierarchy (Performance Optimization) 2 Lab Schedule Activities Assignments Due This Week Lab 6 Due by Mar 6 th 5:00am Lab 6 Perf

1.02k views • 50 slides
OpenCms Days 2011 Workshop Track: The OpenCms 8 Content Subscription Engine Georg Westenberger,

OpenCms Days 2011 Workshop Track: The OpenCms 8 Content Subscription Engine Georg Westenberger,

OpenCms Days 2011 Workshop Track: The OpenCms 8 Content Subscription Engine Georg Westenberger, Alkacon Software GmbH Agenda Introduction Basic concepts Demonstration Using subscriptions The <cms:usertracking> tag

580 views • 30 slides
Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL 6 Practical Aspects Vincent Simonet, 2015-2016 Universit Pierre et Marie Curie,

1.07k views • 60 slides
Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial

Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial

Website Fingerprinting Attacking Popular Privacy Enhancing Technologies with the Multinomial Nave-Bayes Classifier Dominik Herrmann , Hannes Federrath Rolf Wendolsky University of Regensburg, Germany JonDos GmbH Motivation To Whom It May

901 views • 34 slides
DNS and HTTP Finally, the application layer! We have learned about: Signals being sent on

DNS and HTTP Finally, the application layer! We have learned about: Signals being sent on

DNS and HTTP Finally, the application layer! We have learned about: Signals being sent on wires Frames carried over dumb local networks Packets carried over the entire internet Making communication useably reliable + efficient

708 views • 13 slides
X ways to improve your web application's performance Eduard Tudenhfner adesso AG Why is

X ways to improve your web application's performance Eduard Tudenhfner adesso AG Why is

X ways to improve your web application's performance Eduard Tudenhfner adesso AG Why is performance important? 400 ms delay cause 0.59% drop A page that was 2 seconds slower in searches/user results in a 4.3% drop in revenue/user ( Bing ) (

1.05k views • 45 slides

More recommend