dns cache poisoning attack relo loaded
play

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid - PowerPoint PPT Presentation

Aug 15, 2022 •681 likes •934 views

DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan Contents Background DNS Cache Poisoning Part I: Infer

  1. DNS Cache Poisoning Attack Relo loaded: Revolutions wit ith Sid ide Channels Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng†, Youjun Huang†, Haixin Duan† †

  2. Contents • Background • DNS Cache Poisoning • Part I: Infer Ephemeral Port • Part II: Extend Attack Window • Our Attacks • Defenses • Conclusion • Disclosure 2

  3. DNS Cache Poisoning 6.6.6.6 2.2.2.2 5.6.7.8 Trudy (Off-path) Cached Wrong record! www.bank.com IP=6.6.6.6 www.bank.com IP=? Alice’s Browser www.bank.com IP=6.6.6.6 www.bank.com IP=? www.bank.com IP=2.2.2.2 www.bank.com IP=? 5.6.7.8 Resolver bank.com Nameserver (NS) Trudy www.bank.com IP=6.6.6.6 3

  4. DNS Cache Poisoning www.bank.com IP=6.6.6.6 5.6.7.8 Resolver Trudy (Off-path) Src: 5.6.7.8 IP Layer Dst: (resolver) UDP Layer Src Port: 53 Dst Port: ? (16 bit) TxID: ? (16 bit) DNS Layer Question: www.bank.com A ? Answer: www.bank.com A 6.6.6.6, TTL= 99999 Traditional: 2 16 × 2 16 = 2 32 (Impossible in short time) Ephemeral Port=Client Port Our Side Channel: 2 16 + 2 16 ≈ 2 16 Q:12345->53 R:53->12345 Resolver 4 NS

  5. Contents • Background • Part I: Infer Ephemeral Port • Method I: Direct Scan (Refer to the Paper) • Method II: Side-channel-based Scan • Part II: Extend Attack Window • Our Attacks • Defenses • Conclusion • Disclosure 5

  6. Port In Inference: Basics Resolver Attacker APP OS Listen on 53 UDP dport=53 Packet UDP dport=67 ICMP : 67 isn’t open 6

  7. Port In Inference: Ephemeral Ports Resolver Nameserver Attacker DNS Query (Ephemeral Port) 1234->53 UDP dport=1234 UDP dport=1234 ICMP : 1234 isn’t open 7

  8. Port In Inference: IP IP Spoofing 5.6.7.8 5.6.7.8 Resolver Nameserver Attacker UDP dport=1234 UDP dport=5678 ICMP : 5678 isn’t open 8

  9. Port In Inference: Side Channel • ICMP Global Rate Limit: 50 ICMPs / 50 ms • Limit sending rate • Shared by all IPs Off-Path TCP Exploits: Global Rate Limit Considered Dangerous 9 USENIX Security 2016

  10. Port In Inference: How It It Works Resolver Resolver Nameserver Nameserver Attacker Attacker with ONE port open with NO port open Counter=50 Counter=50 Hit 49 closed ports 50 UDP Probes 50 UDP Probes & Hit 50 closed ports 1 open port 50 ICMPs 49 ICMPs Counter=50-49=1 Counter=50-50=0 Verification Verification Spoofed ICMP Reply Normal 10

  11. Port In Inference: Measurement • Open Resolvers: • Well-known Public Resolvers: • 34% Vulnerable • 12 /14 Vulnerable Google 8.8.8.8 Cloudflare 1.1.1.1 OpenDNS 208.67.222.222 Comodo 8.26.56.26 Dyn 216.146.35.35 Quad9 9.9.9.9 AdGuard 176.103.130.130 CleanBrowsing 185.228.168.168 Neustar 156.154.70.1 Yandex 77.88.8.1 Baidu DNS 180.76.76.76 114 DNS 114.114.114.114 Tencent DNS 119.29.29.29 Ali DNS 223.5.5.5 11

  12. Contents • Background • Overview • Part I: Infer Ephemeral Port • Part II: Extend Attack Window • Strategy I: Malicious Name Server (Refer to the Paper) • Strategy II: Response Rate Limiting • Our Attacks • Defenses • Conclusion • Disclosure 12

  13. Ext xtend Attack Window RRL: 18% Deployed Client Resolver Attacker Nameserver Query Query Fake Attack Response Window Attack Flooding Window Queries Response Response 13

  14. Contents • Background • Part I: Infer Ephemeral Port • Part II: Extend Attack Window • Our Attacks • Forwarder Attack (Refer to the Paper) • Resolver Attack • Defenses • Conclusion • Disclosure 14

  15. Production Resolver Attack Unbound Worker Unbound Worker Pacific Ocean 70M queries/day Attacker 2 Name Servers (Ethical Concerns: Controlled by us) Open Resolver 20ms delay, 3ms jitter, 0.2% loss 15

  16. Resolver Attack: Results Setup Result Attack # Back Server # NS Jitter Delay Loss Total Time Success Rate Tsinghua 2 2 3ms 20ms 0.2% 15 mins 5/5 Commercial 4 1 2ms 30ms 0.6% 2.45 mins 1/1 Refer to the paper for more exciting results! 16

  17. Contents • Background • Part I: Infer Ephemeral Port • Part II: Extend Attack Window • Our Attacks • Defenses • Conclusion • Disclosure 17

  18. Defenses • DNSSEC • 0x20 encoding • DNS cookie • Only 5% open resolvers deployed • Disable ICMP port unreachable • Randomize ICMP global rate limit 18

  19. Contents • Background • Part I: Infer Ephemeral Port • Part II: Extend Attack Window • Our Attacks • Defenses • Conclusion • Disclosure 19

  20. Conclusion • Side-channel-based UDP port scan. • Make DNS cache poisoning possible again! • Real-world attacks. 20

  21. Contents • Background • Part I: Infer Ephemeral Port • Part II: Extend Attack Window • Our Attacks • Defenses • Conclusion • Disclosure 21

  22. Disclosure 22

  23. Thank you! Q & A Source code & more interesting projects Keyu Man https://github.com/seclab-ucr/ kman001@ucr.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the

Anatomy of a DNS Cache Poisoning Attack Introduction The purpose of this presentation is to dissect the Domain Name System (DNS) Cache Poisoning Cyber attack. We will cover: - Real-world examples of DNS cache poisoning - A defjnition of

607 views • 58 slides
DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC labs 8 Mar 2010 ccNSO techday, Nairobi 1 Agenda DNS, DNS resolver Cache Poisoning theory Kaminsky attack Attack theory Attack

503 views • 28 slides
A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng,

A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng,

Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices Xiaofeng Zheng , Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan and Zhiyun Qian DNS Forwarder Devices

593 views • 20 slides
Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey

Poisoning Attacks: p-Tampering and Poison Frogs Simons Robustness Reading Group Bolton Bailey July 1, 2019 What is a Poisoning Attack? Data poisoning is an attack on machine learning models wherein the attacker adds (or modifies) examples

1.28k views • 12 slides
Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed

Poisoning Attack Analysis Jeffrey Zhang Universal Multi-Party Poisoning Attacks Saeed Mahloujifar Mohammad Mahmoody Ameer Mohammed, ICML 2019 Multi-party Learning Application: Federated Learning Federated Learning : Train a centralized

589 views • 34 slides
NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse,

NetCAT : Practical Cache Attacks from the Network Michael Kurth , Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, Kaveh Razavi Cache Attack from the Network Client Server Remote Cache Attack SSH 2 Network Cache Attack 3

794 views • 32 slides
Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline Background q What are bandits? q Motivations Data poisoning attacks on stochastic bandits q Offline model q Online model q Simulation results

218 views • 17 slides
DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious

DNS Poisoning Attack Scenarios Vulnerability Analysis Remedies DNS Poisoning: Developments, Attacks and Research Directions Suggestions for the Idle and Curious Researcher David Dagon 1 1 Georgia Institute of Technology Atlanta, Georgia

327 views • 28 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from

Cache-based attack on AES Mikal Fourrier Contribution of this paper Get the secret key from AES in 3s + 3min Very weak assumptions No known plaintext needed No special rights needed, only to be able to spawn and control threads

378 views • 16 slides
RELO GRINDING BODIES www.relogrindingbodies.com Contents : 2 Introduction

RELO GRINDING BODIES www.relogrindingbodies.com Contents : 2 Introduction

RELO GRINDING BODIES www.relogrindingbodies.com Contents : 2 Introduction . ... ....3 What is RELO Grinding Body?

730 views • 23 slides
CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning

CARBON MONOXIDE POISONING The Silent Killer PATHOPHYSIOLOGY OF CARBON MONOXIDE 1. CO poisoning is the most common exposure poisoning in the United States and the rest of the world. 2. It is an odorless, colorless gas that can cause sudden

198 views • 15 slides
Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b.

Poison and Poisoning Azwin bin Md Tumin National Poison Centre Outline a. Definition b. Forefathers of toxicology c. Famous poisoning cases d. Misconception about poisoning e. Basic principles of poisoning f. Factors influencing toxic

843 views • 16 slides
Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel

Meltdown & Spectre Attacks Overview An analogy CPU cache and use it as side channel Meltdown attack Spectre attack Microsoft Interview Question Stealing A Secret Secret: 7 Guard with Memory Eraser Restricted Room CPU

732 views • 30 slides
L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache,

L09: Cache Name: ID: Question: Direct Mapping Cache Hit Rate Consider a 4-block empty Cache, and all blocks initially marked as not valid , Given the main memory word addresses 0 1 2 3 4 3 4 15, calculate Cache hit rate. Cache Index

654 views • 9 slides
by TDSC-IIT Bombay of Jalyukt Shivar Abhiyan in Palghar District 10 Oct 2016 Contents Key

by TDSC-IIT Bombay of Jalyukt Shivar Abhiyan in Palghar District 10 Oct 2016 Contents Key

Third Party Evaluation and Impact Assessment by TDSC-IIT Bombay of Jalyukt Shivar Abhiyan in Palghar District 10 Oct 2016 Contents Key Objectives of JSA Methodology as per GR Assessment process Assessment results (tabulation, Ok

1.18k views • 65 slides
Statistical Neurodynamics of Deep Networks Shun ichi Amari RIKEN Brain Science Institute

Statistical Neurodynamics of Deep Networks Shun ichi Amari RIKEN Brain Science Institute

Statistical Neurodynamics of Deep Networks Shun ichi Amari RIKEN Brain Science Institute Statistical Neurodynamics Rozonoer (1969 Amari (1971; 197 Amari et al (2013) Toyoizumi et al (2015) Poole, , Ganguli (2016) ~ (0, 1) w N ij

461 views • 32 slides
Disclosure: Cook, Inc. Juxtarenal, Pararenal, and Patents Thoracoabdominal Aneurysms

Disclosure: Cook, Inc. Juxtarenal, Pararenal, and Patents Thoracoabdominal Aneurysms

Endovascular Repair of Disclosure: Cook, Inc. Juxtarenal, Pararenal, and Patents Thoracoabdominal Aneurysms Consulting Research Support Tim Chuter, DM UCSF Vascular Surgery And we can all have our favourite way There's more

360 views • 7 slides
Tracking moving objects form image sequences Janno Jgeva Mihkel Pajusalu Tartu, 2011 GENERAL

Tracking moving objects form image sequences Janno Jgeva Mihkel Pajusalu Tartu, 2011 GENERAL

University of Tartu Faculty of Mathematics and Computer Science MTAT.03.260 Pattern Recognition and Image Analysis Tracking moving objects form image sequences Janno Jgeva Mihkel Pajusalu Tartu, 2011 GENERAL EFFECTS OF TIME Static to dynamic

678 views • 44 slides
LBNF/DUNE Far Site Detector Grounding System Requirements This document sets forth the LBNF

LBNF/DUNE Far Site Detector Grounding System Requirements This document sets forth the LBNF

LBNF/DUNE Far Site Detector Grounding System Requirements 1/6/2016 LBNF/DUNE Far Site Detector Grounding System Requirements This document sets forth the LBNF infrastructure requirements necessary for the implementation of an isolated

321 views • 9 slides
Manifest Sharing with Session Types Stephanie Balzer and Frank Pfenning Work in Progress!

Manifest Sharing with Session Types Stephanie Balzer and Frank Pfenning Work in Progress!

Manifest Sharing with Session Types Stephanie Balzer and Frank Pfenning Work in Progress! Department of Computer Science Carnegie Mellon University Theory and Applications of Behavioural Types Dagstuhl Seminar 17051 February 2, 2017 1 / 21

447 views • 21 slides
TAGPMA The Americas Grid Policy Management Authority Drivers Members OS G, Bob Cowles,

TAGPMA The Americas Grid Policy Management Authority Drivers Members OS G, Bob Cowles,

TAGPMA The Americas Grid Policy Management Authority Drivers Members OS G, Bob Cowles, TeraGrid, Tony Dane S kow Rimovski DOEGrids, Tony Texas High Energy Genovese, Mike Grid, Alan S ill Helms S DS C, Bill Link

375 views • 9 slides
Ladministration en silo Aurlien Bordes SSTIC 7 juin 2017 Dessine-moi ton SI

Ladministration en silo Aurlien Bordes SSTIC 7 juin 2017 Dessine-moi ton SI

Ladministration en silo Aurlien Bordes SSTIC 7 juin 2017 Dessine-moi ton SI Postes de travail Donnes Serveurs Produits de VIP scurit Utilisateurs Prestataires 07/06/2017 SSTIC 2017 Aurlien Bordes

572 views • 35 slides

More recommend