network security dns caching and dos
play

Network security (DNS caching and DoS) CS 161: Computer Security - PowerPoint PPT Presentation

Dec 21, 2022 •240 likes •1.14k views

Network security (DNS caching and DoS) CS 161: Computer Security Prof. Raluca Ada Popa March 1, 2018 Slides adapted from David Wagner DNS Overview DNS translates www.google.com to 74.125.25.99 Its a performance-critical

  1. Network security (DNS caching and DoS) CS 161: Computer Security Prof. Raluca Ada Popa March 1, 2018 Slides adapted from David Wagner

  2. DNS Overview • DNS translates www.google.com to 74.125.25.99 • It’s a performance-critical distributed database. • DNS security is critical for the web. • Analogy: If you don’t know the answer to a question, ask a friend for help (who may in turn refer you to a friend of theirs, and so on).

  3. DNS Overview • DNS translates www.google.com to 74.125.25.99 • It’s a performance-critical distributed database. • DNS security is critical for the web. • Analogy: If you don’t know the answer to a question, ask a friend for help (who may in turn refer you to a friend of theirs, and so on). • Security risks: friend might be malicious, communication channel to friend might be insecure, friend might be well-intentioned but misinformed

  4. DNS Lookups via a Resolver root DNS server ( ‘ . ’ ) Host at xyz.poly.edu wants IP address for 2 eecs.mit.edu 3 TLD (top-level domain) DNS 4 server ( ‘ .edu ’ ) local DNS server (resolver) 5 dns.poly.edu Caching heavily 6 7 1 8 used to minimize authoritative DNS server (for ‘ mit.edu ’ ) lookups dns.mit.edu 9 client( requesting host) xyz.poly.edu eecs.mit.edu

  5. Security risk #1: malicious DNS server • Of course, if any of the DNS servers queried are malicious, they can lie to us and fool us about the answer to our DNS query

  6. Security risk #2: on-path attacker • If attacker can eavesdrop on our traffic… we’re hosed. • Why? We’ll see why.

  7. Security risk #3: off-path attacker • If attacker can’t eavesdrop on our traffic, can he inject spoofed DNS responses? • Yes. This case is especially interesting, so we’ll look at it in detail.

  8. DNS Threats • DNS: path-critical for just about everything we do – Maps hostnames Û IP addresses – Design only scales if we can minimize lookup traffic o #1 way to do so: caching o #2 way to do so: return not only answers to queries, but additional info that will likely be needed shortly • What if attacker eavesdrops on our DNS queries? – Then similar to DHCP/TCP, can spoof responses • Consider attackers who can’t eavesdrop - but still aim to manipulate us via how the protocol functions • Directly interacting w/ DNS: dig program on Unix – Allows querying of DNS system – Dumps each field in DNS responses

  9. Use Unix “ dig ” utility to look up IP address dig eecs.mit.edu A ( “ A ” ) for hostname eecs.mit.edu via DNS ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;eecs.mit.edu. IN A ;; ANSWER SECTION: eecs.mit.edu. 21600 IN A 18.62.1.6 ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. mit.edu. 11088 IN NS W20NS.mit.edu. mit.edu. 11088 IN NS STRAWB.mit.edu. ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

  10. dig eecs.mit.edu A ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;eecs.mit.edu. IN A ;; ANSWER SECTION: eecs.mit.edu. 21600 IN A 18.62.1.6 ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. mit.edu. 11088 IN NS W20NS.mit.edu. mit.edu. 11088 IN NS STRAWB.mit.edu. The question we asked the server ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

  11. dig eecs.mit.edu A ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;eecs.mit.edu. IN A A 16-bit transaction identifier that enables ;; ANSWER SECTION: the DNS client ( dig , in this case) to match up eecs.mit.edu. 21600 IN A 18.62.1.6 the reply with its original request ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. mit.edu. 11088 IN NS W20NS.mit.edu. mit.edu. 11088 IN NS STRAWB.mit.edu. ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

  12. dig eecs.mit.edu A ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a ;; global options: +cmd ;; Got answer: “ Answer ” tells us the IP address associated ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 with eecs.mit.edu is 18.62.1.6 and we can ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 cache the result for 21,600 seconds ;; QUESTION SECTION: ;eecs.mit.edu. IN A ;; ANSWER SECTION: eecs.mit.edu. 21600 IN A 18.62.1.6 ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. mit.edu. 11088 IN NS W20NS.mit.edu. mit.edu. 11088 IN NS STRAWB.mit.edu. ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

  13. dig eecs.mit.edu A ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;eecs.mit.edu. IN A ;; ANSWER SECTION: eecs.mit.edu. 21600 IN A 18.62.1.6 ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. In general, a single Resource Record (RR) like mit.edu. 11088 IN NS W20NS.mit.edu. this includes, left-to-right, a DNS name, a time- mit.edu. 11088 IN NS STRAWB.mit.edu. to-live , a family ( IN for our purposes - ignore), a type ( A here), and an associated value ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

  14. dig eecs.mit.edu A ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a “ Authority ” tells us the name servers responsible for ;; global options: +cmd the answer. Each RR (resource record) gives the ;; Got answer: hostname of a different name server ( “ NS ” ) for names ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 in mit.edu. We should cache each record for 11,088 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 seconds. ;; QUESTION SECTION: If the “ Answer ” had been empty, then the resolver’s ;eecs.mit.edu. IN A next step would be to send the original query to one of these name servers. ;; ANSWER SECTION: eecs.mit.edu. 21600 IN A 18.62.1.6 ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. mit.edu. 11088 IN NS W20NS.mit.edu. mit.edu. 11088 IN NS STRAWB.mit.edu. ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

  15. dig eecs.mit.edu A ; ; <<>> DiG 9.6.0-APPLE-P2 <<>> eecs.mit.edu a ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19901 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: “ Additional ” provides extra information to save us from ;eecs.mit.edu. IN A making separate lookups for it, or helps with bootstrapping. ;; ANSWER SECTION: Here, it tells us the IP addresses for the hostnames of the eecs.mit.edu. 21600 IN A 18.62.1.6 name servers. We add these to our cache. ;; AUTHORITY SECTION: mit.edu. 11088 IN NS BITSY.mit.edu. mit.edu. 11088 IN NS W20NS.mit.edu. mit.edu. 11088 IN NS STRAWB.mit.edu. ;; ADDITIONAL SECTION: STRAWB.mit.edu. 126738 IN A 18.71.0.151 BITSY.mit.edu. 166408 IN A 18.72.0.3 W20NS.mit.edu. 126738 IN A 18.70.0.160

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching Previous work has shown that hit rate increases with population size [Duska et al. 97, Breslau et al. 98] However, single proxy caches have practical limits

868 views • 53 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
On the Power of In-Network Caching in the Hadoop Distributed File System ERIC NEWBERRY,

On the Power of In-Network Caching in the Hadoop Distributed File System ERIC NEWBERRY,

On the Power of In-Network Caching in the Hadoop Distributed File System ERIC NEWBERRY, BEICHUAN ZHANG Motivation In-network caching Lots of research has been done about ICN/NDN caching, but mostly using synthetic traffic. How much

867 views • 20 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Tree-Like Network Yu an Su n

Tree-Like Network Yu an Su n

Coded Caching in Tree-Like Network Yu an Su n Introduction Problem Setting Main Results CONTANTS Discussion I n t r o d u c t i o n What is the cache? caching is a necessary and

461 views • 14 slides
Agenda Caching Caching Gitlab Demo Caching Demos Mirroring Caching Limitations Manual

Agenda Caching Caching Gitlab Demo Caching Demos Mirroring Caching Limitations Manual

Agenda Caching Caching Gitlab Demo Caching Demos Mirroring Caching Limitations Manual Mirroring Caching Other Registries Summary 1 / 35 @sudo_bmitch How to Use Mirroring and Caching to Optimize Your Image Registry Brandon Mitchell

837 views • 35 slides
Web Caching based on: Web Caching , Geoff Huston Web Caching and Zipf-like Distributions:

Web Caching based on: Web Caching , Geoff Huston Web Caching and Zipf-like Distributions:

Web Caching based on: Web Caching , Geoff Huston Web Caching and Zipf-like Distributions: Evidence and Implications , L. Breslau, P. Cao, L. Fan, G. Phillips, S. Shenker On the scale and performance of cooperative Web proxy caching ,

640 views • 24 slides
Adaptive Caching Algorithms with Optimality Guarantees for NDN Networks Stratis Ioannidis and

Adaptive Caching Algorithms with Optimality Guarantees for NDN Networks Stratis Ioannidis and

Adaptive Caching Algorithms with Optimality Guarantees for NDN Networks Stratis Ioannidis and Edmund Yeh A Caching Network Nodes in the network store content items (e.g., files, file chunks) 1 Adaptive Caching Networks w. Optimality Guarantees

734 views • 57 slides
Jointly Optimal Routing &amp; Caching for Arbitrary Network Topologies Stratis Ioannidis and

Jointly Optimal Routing &amp; Caching for Arbitrary Network Topologies Stratis Ioannidis and

Jointly Optimal Routing &amp; Caching for Arbitrary Network Topologies Stratis Ioannidis and Edmund Yeh ICN 2017 A Caching Network Webserver User ? User nodes generate requests for content items with certain arrival rates Jointly Optimal

883 views • 74 slides
Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web

Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web

Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web Caching for a Better Web Performance is a major concern in the Web Proxy caching is the most widely used method to improve Web performance

438 views • 22 slides
access control 1 last time (1) network fjlesystem caching open-to-close consistency

access control 1 last time (1) network fjlesystem caching open-to-close consistency

access control 1 last time (1) network fjlesystem caching open-to-close consistency compromise: consistent for typical use check on open write on close callbacks for caching server notifjes interested clients disconnected operation

785 views • 49 slides
Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki university of technology Csar Fernndez Gago Jean-Baptiste Escoyez 1 Index Web caching concepts Web caching issues How does it works?

417 views • 18 slides
NetCache: Balancing Key-Value Stores with Fast In-Network Caching Xin Jin, Xiaozhou Li , Haoyu

NetCache: Balancing Key-Value Stores with Fast In-Network Caching Xin Jin, Xiaozhou Li , Haoyu

NetCache: Balancing Key-Value Stores with Fast In-Network Caching Xin Jin, Xiaozhou Li , Haoyu Zhang, Robert Soul Jeongkeun Lee, Nate Foster, Changhoon Kim, Ion Stoica NetCache is a rack-scale key-value store that leverages in-network data

1.07k views • 31 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Scaling Your Cache &amp; Caching at Scale Alex Miller @puredanger Mission Why does caching

Scaling Your Cache &amp; Caching at Scale Alex Miller @puredanger Mission Why does caching

Scaling Your Cache &amp; Caching at Scale Alex Miller @puredanger Mission Why does caching work? Whats hard about caching? How do we make choices as we design a caching architecture? How do we test a cache for performance?

965 views • 59 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Time-aware API Popularity Prediction via Heterogeneous Features Yao

Time-aware API Popularity Prediction via Heterogeneous Features Yao

ICWS 2015 New York, USA June 27- July 2 2015 Time-aware API Popularity Prediction via Heterogeneous Features Yao Wan 1 , Liang Chen 1 , Jian Wu 1 and Qi Yu 2 1 Zhejiang University,

543 views • 23 slides
Using the Library for your Final Year Project Laura Woods, Computing &amp; Engineering Librarian

Using the Library for your Final Year Project Laura Woods, Computing &amp; Engineering Librarian

Using the Library for your Final Year Project Laura Woods, Computing &amp; Engineering Librarian library@hud.ac.uk Todays lecture is a Choose Your Own Adventure! What would you most like to cover? We can do any two of these: (go to

606 views • 31 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
Building the Kamus Besar Bahasa Indonesia (KBBI) Database and Its Online Application David

Building the Kamus Besar Bahasa Indonesia (KBBI) Database and Its Online Application David

Building the Kamus Besar Bahasa Indonesia (KBBI) Database and Its Online Application David Moeljadi Division of Linguistics and Multilingual Studies, Nanyang Technological University, Singapore The 21st International Symposium on

835 views • 35 slides
Big Data for Data Science Data streams and low latency processing event.cwi.nl/lsde DATA STREAM

Big Data for Data Science Data streams and low latency processing event.cwi.nl/lsde DATA STREAM

Big Data for Data Science Data streams and low latency processing event.cwi.nl/lsde DATA STREAM BASICS event.cwi.nl/lsde2015 event.cwi.nl/lsde What is a data stream? Large data volume, likely structured, arriving at a very high rate

650 views • 64 slides
IT-SDC : Support for Distributed Computing 1 The problem Pick a number of generic

IT-SDC : Support for Distributed Computing 1 The problem Pick a number of generic

Dynamic Federations Storage federations for HTTP and WebDAV Fabrizio Furano (presenter) Adrien Devresse CERN IT-SDC IT-SDC : Support for Distributed Computing 1 The problem Pick a number of generic HTTP/WebDAV storage endpoints,

704 views • 47 slides
2D Face Image Analysis Probabilistic Morphable Models Summer School, June 2017 Sandro Schnborn

2D Face Image Analysis Probabilistic Morphable Models Summer School, June 2017 Sandro Schnborn

&gt; DEPARTMENT OF MATHEMATICS AND COMPUTER SCIENCE PROBABILISTIC MORPHABLE MODELS | JUNE 2017 | BASEL 2D Face Image Analysis Probabilistic Morphable Models Summer School, June 2017 Sandro Schnborn University of Basel &gt; DEPARTMENT OF

1.13k views • 33 slides
Problems Samples &amp; Perspectives on Cyber-Physical Energy Networks ETH D-INFK Seminar @ Oct 31

Problems Samples &amp; Perspectives on Cyber-Physical Energy Networks ETH D-INFK Seminar @ Oct 31

Problems Samples &amp; Perspectives on Cyber-Physical Energy Networks ETH D-INFK Seminar @ Oct 31 2016 Florian D orfler @ETH for Complex Systems Control system control Simple control systems are well understood.

818 views • 63 slides

More recommend