dns the kaminsky blind spoofing attack
play

DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security - PowerPoint PPT Presentation

Sep 25, 2023 •227 likes •768 views

DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1, 2016 16 bits 16 bits DNS Blind Spoofing, cont. SRC=53 DST=53 checksum length Once we randomize the Identification Flags Identification,

  1. DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1, 2016

  2. 16 bits 16 bits DNS Blind Spoofing, cont. SRC=53 DST=53 checksum length Once we randomize the Identification Flags Identification, attacker has a 1/65536 chance of guessing it # Questions # Answer RRs correctly. # Authority RRs # Additional RRs Are we pretty much safe? Questions (variable # of resource records) Answers Attacker can send lots of replies, (variable # of resource records) not just one … Authority (variable # of resource records) Additional information However: once reply from legit (variable # of resource records) server arrives (with correct Unless attacker can send Identification), it’s cached and 1000s of replies before legit no more opportunity to poison it. arrives, we’re likely safe – Victim is innoculated! phew! ?

  3. DNS Blind Spoofing (Kaminsky 2008) • Two key ideas: – Attacker can get around caching of legit replies by generating a series of different name lookups: <img src="http://random1.google.com" …> <img src="http://random2.google.com" …> <img src="http://random3.google.com" …> ... <img src="http://randomN.google.com" …> – Trick victim into looking up a domain you don’t care about, use Additional field to spoof the domain you do

  4. Kaminsky Blind Spoofing For each lookup of randomk .google.com , attacker spoofs a bunch of records like this, each with a different Identifier ;; QUESTION SECTION: ;random7.google.com. IN A ;; ANSWER SECTION: random7.google.com 21600 IN A doesn’t matter ;; AUTHORITY SECTION: google.com. 11088 IN NS mail.google.com ;; ADDITIONAL SECTION: mail.google.com 126738 IN A 6.6.6.6 Once they win the race, not only have they poisoned mail.google.com … but also the cached NS record for google.com ’ s name server - so any future X .google.com lookups go through the attacker ’ s machine

  5. Kaminsky Blind Spoofing For each lookup of randomk .google.com , attacker spoofs a bunch of records like this, each with a different Identifier ;; QUESTION SECTION: ;random7.google.com. IN A ;; ANSWER SECTION: random7.google.com 21600 IN A doesn’t matter ;; AUTHORITY SECTION: google.com. 11088 IN NS mail.google.com ;; ADDITIONAL SECTION: mail.google.com 126738 IN A 6.6.6.6 Once they win the race, not only have they poisoned mail.google.com … but also the cached NS record for google.com ’s name server – so any future X .google.com lookups go through the attacker’s machine

  6. Defending Against Blind Spoofing Central problem: all that tells a 16 bits 16 bits client they should accept a SRC=53 DST=53 response is that it matches the checksum length Identification field. Identification Flags With only 16 bits, it lacks # Questions # Answer RRs sufficient entropy: even if truly # Authority RRs # Additional RRs random, the search space an Questions attacker must brute force is too (variable # of resource records) small. Answers (variable # of resource records) Authority Where can we get more (variable # of resource records) entropy? ( Without requiring a Additional information (variable # of resource records) protocol change.)

  7. Defending Against Blind Spoofing Total entropy : 16 bits For requestor to receive DNS 16 bits 16 bits reply, needs both correct SRC=53 DST=53 Identification and correct ports. checksum length On a request, DST port = 53. Identification Flags SRC port usually also 53 – but # Questions # Answer RRs not fundamental, just convenient. # Authority RRs # Additional RRs Questions (variable # of resource records) Answers (variable # of resource records) Authority (variable # of resource records) Additional information (variable # of resource records)

  8. Defending Against Blind Spoofing Total entropy : ? bits “ Fix ” : client uses random 16 bits 16 bits source port ⇒ attacker doesn’t SRC= 53 DST= rnd know correct dest. port to use in reply checksum length Identification Flags # Questions # Answer RRs # Authority RRs # Additional RRs Questions (variable # of resource records) Answers (variable # of resource records) Authority (variable # of resource records) Additional information (variable # of resource records)

  9. Defending Against Blind Spoofing Total entropy : 32 bits “ Fix ” : client uses random 16 bits 16 bits source port ⇒ attacker doesn’t SRC= 53 DST= rnd know correct dest. port to use in reply checksum length Identification Flags 32 bits of entropy makes it orders of magnitude harder for # Questions # Answer RRs attacker to guess all the # Authority RRs # Additional RRs necessary fields and dupe victim Questions (variable # of resource records) into accepting spoof response. Answers (variable # of resource records) This is what primarily “ secures ” Authority (variable # of resource records) DNS against blind spoofing Additional information today. (variable # of resource records)

  10. Lessons learned • Special risks of caching and distributed systems where information is spread across many machines • Security risks: friend (cache) might be malicious • Communication channel to friend (cache) might be insecure • Friend (cache) might be well-intentioned but misinformed

  11. Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner April 1, 2016

  12. Attacks on Availability • Denial-of-Service (DoS): preventing legitimate users from using a computing service • We do though need to consider our threat model … – What might motivate a DoS attack?

  27. Motivations for DoS • Showing off / entertainment / ego • Competitive advantage – Maybe commercial, maybe just to win • Vendetta / denial-of-money • Extortion • Political statements • Impair defenses • Espionage • Warfare

  28. Attacks on Availability • Deny service via a program flaw ( “ *NULL ” ) – E.g., supply an input that crashes a server – E.g., fool a system into shutting down • Deny service via resource exhaustion ( “ while(1); ” ) – E.g., consume CPU, memory, disk, network • Network-level DoS vs application-level DoS

  29. DoS & Operating Systems • How could you DoS a multi-user Unix system on which you have a login?

  30. DoS & Operating Systems • How could you DoS a multi-user Unix system on which you have a login? – char buf[1024]; int f = open("/tmp/junk"); while (1) write(f, buf, sizeof(buf)); o Gobble up all the disk space! – while (1) fork(); o Create a zillion processes! – Create zillions of files, keep opening, reading, writing, deleting o Thrash the disk – … doubtless many more • Defenses?

  31. DoS & Operating Systems • How could you DoS a multi-user Unix system on which you have a login? – char buf[1024]; int f = open("/tmp/junk"); while (1) write(f, buf, sizeof(buf)); o Gobble up all the disk space! – while (1) fork(); o Create a zillion processes! – Create zillions of files, keep opening, reading, writing, deleting o Thrash the disk – … doubtless many more • Defenses? – Isolate users / impose quotas

  32. Network-level DoS • Can exhaust network resources by – Flooding with lots of packets (brute-force) – DDoS: flood with packets from many sources – Amplification: Abuse patsies who will amplify your traffic for you

  33. DoS & Networks • How could you DoS a target’s Internet access? – Send a zillion packets at them – Internet lacks isolation between traffic of different users! • What resources does attacker need to pull this off? – At least as much sending capacity (“bandwidth”) as the bottleneck link of the target’s Internet connection o Attacker sends maximum-sized packets – Or : overwhelm the rate at which the bottleneck router can process packets o Attacker sends minimum-sized packets! • (in order to maximize the packet arrival rate)

  34. Defending Against Network DoS • Suppose an attacker has access to a beefy system with high-speed Internet access (a “ big pipe ” ). • They pump out packets towards the target at a very high rate. • What might the target do to defend against the onslaught? – Install a network filter to discard any packets that arrive with attacker’s IP address as their source o E.g., drop * 66.31.1.37:* -> *:* o Or it can leverage any other pattern in the flooding traffic that’s not in benign traffic – Attacker’s IP address = means of identifying misbehaving user

  35. Filtering Sounds Pretty Easy … • … but DoS filters can be easily evaded: – Make traffic appear as though it’s from many hosts o Spoof the source address so it can’t be used to filter • Just pick a random 32-bit number of each packet sent o How does a defender filter this? • They don’t! • Best they can hope for is that operators around the world implement anti-spoofing mechanisms (today about 75% do) – Use many hosts to send traffic rather than just one o Distributed Denial-of-Service = DDoS (“dee-doss”) o Requires defender to install complex filters o How many hosts is “enough” for the attacker? • Today they are very cheap to acquire … :-(

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 ,

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 ,

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs 2 System Security Laboratory, KAIST 10th USENIX Workshop on Offensive

469 views • 33 slides
Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

RECHERCHE N O Y L E D S E E U Q I L P P A S E C N E I C S S E D L A N O Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T I T S N I C elestin Matte -

702 views • 20 slides
Defending your DNS in a post-Kaminsky world Paul Wouters &lt;paul@xelerance.com&gt; Vendor and

Defending your DNS in a post-Kaminsky world Paul Wouters &lt;paul@xelerance.com&gt; Vendor and

Defending your DNS in a post-Kaminsky world Paul Wouters &lt;paul@xelerance.com&gt; Vendor and NGO's involved Two phase deployment First release a generic fix for the Kaminsky attack that does not leak information to the bad guys (source

819 views • 81 slides
This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs ys.park@navercorp.com 2 Korea Advanced Institute of Science and Technology

248 views • 11 slides
VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith

VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith

VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith rich@immunityinc.com 1 Agenda VNC and it's underlying protocol RFB Why attack automation is needed Why RFB is hard to automate The VAASeline technique

954 views • 56 slides
disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such DDoS attacks addressing spoofing attempts to eliminate spoofing, not adopted IETF BCPs 38-84, ISOC MANRS scrubbing centers (eg Akamai,

700 views • 19 slides
IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing Denial of Service attack (DoS) Distributed DoS (DoS) Source address validation Link layer security Address resolution protocol (ARP)

1.72k views • 35 slides
SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky

SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky

SAT Based Attacks on SipHash By Santhosh Kantharaju Siddappa Supervised by Prof. Alan Kaminsky Department of Computer Science Rochester Institute of Technology Agenda SipHash Boolean Satisfiability Problem SAT Solver Attack

621 views • 35 slides
DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC

DNS cache poisoning CZ.NIC Ondrej Filip / ondrej.filip@nic.cz Study by Emanuel Petr CZ.NIC labs 8 Mar 2010 ccNSO techday, Nairobi 1 Agenda DNS, DNS resolver Cache Poisoning theory Kaminsky attack Attack theory Attack

503 views • 28 slides
Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark

Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark

Resilience of Deployed TCP to Blind Attacks Matthew Luckie , Robert Beverly, Tiange Wu, Mark Allman, kc claffy IMC 2015, October 28th 2015 1 w w w . cai da. or What is a Blind Attack on TCP? A brute-force attempt by an off-path

335 views • 29 slides
N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind

N. Healing two blind men and a deaf mute Matthew 9:27 34 1. Matthew 9:27 These blind men called to Jesus using the Messianic title Son of David . Matthew implied that these blind men saw more than the Pharisees and other national leaders

639 views • 27 slides
Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and Spoofing Detec:on Usable Authen:ca:on (2FA) Security of Blockchains / Cryptocurrencies Trusted Compu:ng Secure Proximi mity / Distance Measureme

589 views • 30 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day &gt;&gt; exploitation of the device &gt;&gt; the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann, Raphael Hiesgen, Thomas C. Schmidt, Matthias Whlisch t.schmidt@haw-hamburg.de Spoofing Detection in Interdomain Traffic Starting Point: Our

326 views • 8 slides
A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann October 9, 2019 iNET RG, Hamburg University of Applied Sciences Overview IP Spoofing Mitigation in General Detection in Inter-Domain Traffic

778 views • 42 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
than 1ms latency Martin Thompson &amp; Michael Barker QCon SF 2010 Agenda Context Setting

than 1ms latency Martin Thompson &amp; Michael Barker QCon SF 2010 Agenda Context Setting

How to do 100K+ TPS at less than 1ms latency Martin Thompson &amp; Michael Barker QCon SF 2010 Agenda Context Setting Tips for high performance computing (HPC) What is possible on a single thread??? New pattern for

856 views • 21 slides
Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler September 4,

Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler September 4,

Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler September 4, 2018 Blind Signatures in Scriptless Scripts Jonas Nick

374 views • 22 slides
Set 2: State-spaces and Uninformed Search ICS 271 Fall 2016 Kalev Kask 271-fall 2016 You need

Set 2: State-spaces and Uninformed Search ICS 271 Fall 2016 Kalev Kask 271-fall 2016 You need

Set 2: State-spaces and Uninformed Search ICS 271 Fall 2016 Kalev Kask 271-fall 2016 You need to know State-space based problem formulation State space (graph) Search space Nodes vs. states Tree search vs graph search

893 views • 88 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
Publishing while female Are women held to higher standards? Evidence from peer review. Erin

Publishing while female Are women held to higher standards? Evidence from peer review. Erin

Publishing while female Are women held to higher standards? Evidence from peer review. Erin Hengel University of Liverpool Gender and Career Progression Conference 14 May 2018 Background Women are underrepresented in economics (2016):

811 views • 44 slides
Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl,

S C I E N C E P A S S I O N T E C H N O L O G Y Single-Trace Side-Channel Attacks on Masked Lattice-Based Encryption Robert Primas, Peter Pessl, Stefan Mangard IAIK, Graz University of Technology, Austria CHES 2017,

753 views • 58 slides
Practical Object Detection and Segmentation Vincent Chen and Edward Chou Agenda Why would

Practical Object Detection and Segmentation Vincent Chen and Edward Chou Agenda Why would

Practical Object Detection and Segmentation Vincent Chen and Edward Chou Agenda Why would understanding different architectures be useful? Modular Frameworks Describe Modern Frameworks Detection Segmentation

641 views • 38 slides

More recommend