DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! (PowerPoint presentation)



  1. DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! Amir Herzberg and Haya Shulman, Dept. of Computer Science, Bar Ilan University. 8/1/2013

  2. About us
  - Bar Ilan University NetSec group
  - Haya Shulman: fresh graduate; PhD thesis: DNS security (and more...)
  - Amir Herzberg: NetSec/crypto researcher; attacks: DNS, TCP/IP, DoS, …
  Herzberg and Shulman: DNSSEC, the time has come! 8/1/2013

  3. 2013 … DNSSEC, IPsec: 15 years old
  - Yet: < 6% of traffic encrypted, … insecure against a MitM attacker. WHY???
  - False hope: attackers are `off-path`: can send spoofed packets but not intercept
    - Reality: MitM attackers are common: open WiFi, route hijacking, malicious devices, DNS poisoning
  - False belief: DNS, TCP immune to off-path attacks
    - Reality: TCP hijacking, DNS poisoning

  4. Outline
  - Attack model: MitM vs. off-path
  - DNS poisoning: background
  - Source-port de-randomization attacks
    - Resolver-behind-NAT, proxy-using-upstream
  - 1st-fragment piggybacking attacks
  - Implications and defenses
    - Patches: to resolvers, name servers, registrars
    - Deploy DNSSEC, correctly… [and fix it, too??]

  5. Attacker Model: MitM or Off-Path?
  - Man-in-the-Middle attacker
    - On path
    - Harder but possible: WiFi, route hijack, vulnerable router, …
    - Or: give wrong address (DNS poisoning)
  - Prevent with crypto: overhead, complexity, PKI …
  - Why bother?
  [Figure: Alice's message "Bob, ILU!" is altered en route by the MitM to "Bob, I Leave U!" before reaching Bob]

  6. Attacker Model: MitM or Off-Path?
  - Folklore: most attackers are weak, off-path
  - `Security' is often against off-path Oscar
    - Does not control devices en route
    - Cannot intercept/modify/block traffic
  - Prevent: with challenge-response (`cookie`)
  [Figure: Alice sends "Bob, ILU!"; off-path Oscar tries to inject "Bob, I Leave U!" without seeing the exchange]

  7. Attacker Model: MitM or Off-Path? (same as slide 6, with the figure annotated: Cookie = challenge)

  8. Challenge-Response: What Can Go Wrong?
  - Attacker has MitM capabilities
  - Insufficient entropy: too short or non-uniform
    - TCP [Zalewski01, Watson04]
    - DNS [Klein03, Kaminsky08]
  - Side channel: reused field (source port)
    - DNS [HS12, HS13], TCP [GH12, GH13, QM(X)12]
  - Cut-&-paste: use real cookie in spoofed packet
    - DNS [HS13]

  9. Outline (same as slide 4)

  10. DNS Poisoning: the Hacker's Knife
  [Figure: uses of DNS poisoning: phishing; circumventing blacklists, SOP, CSP, SPF, DKIM; cookie theft; DoS; malware distribution; blocking updates]

  11. DNS Cache Poisoning
  [Figure: attacker at 6.6.6.6 sends the resolver a packet with spoofed source IP 156.4.5.6 (the name server) carrying "www.bob.com A 6.6.6.6"; the resolver caches www.bob.com A 6.6.6.6]

  12. DNS Cache Poisoning
  - But, must match: TX-ID (16 bits, from the request), query, source port. Also: a request is not sent if the record is already in cache.
  [Figure: same as slide 11]

  13. Defenses against DNS Poisoning
  - Currently, mostly challenge-response defenses:
    - Unilateral (in resolver): `challenges' using existing request fields echoed in responses
    - TX-ID (16b), source port (16b), query [0x20]
  - Cryptographic defenses (DNSSEC): limited use
    - Root and many TLDs signed
    - Many resolvers request signatures, but few validate
    - Why? Myths (rare MitM, weak Oscar)

  14. Outline (same as slide 4)

  15. Source Port De-Randomisation Attacks
  - Learn source port via side channel
  - Attacks on two common configurations:
    - Resolver-behind-NAT [ESORICS'12]
      - Attacks for most types of NATs (only one was secure)
    - Upstream resolver (e.g., OpenDNS) [ESORICS'13]
      - Learn resolver's IP address, too [often enough for DoS!]

  16. Resolver-behind-NAT: Attack
  - Example: attack on per-destination incrementing port allocation (e.g., Linux)
  - Initial port is random; can the attacker predict/trap the port?
  - Attack phases:
    - Hole-punch the NAT
    - Exploit the assigned mapping to guess the port
  - Variations apply to different NAT devices

  17. Upstream DNS Resolver
  - Upstream DNS resolvers:
    - Popular: Google's Public DNS, OpenDNS, many others
    - Recommended by experts, vendors
    - E.g., Akamai: 'Customer's primary DNS are not directly exposed to end users, so the risk of cache poisoning and DoS attacks is mitigated'…
  - Proxy resolvers often have lower bandwidth, weaker security
  - We found (CAIDA): 54% incrementing ports, 30% fixed port
  - And… both types are vulnerable!

  18. Upstream DNS Resolver: Attack
  - Poisoning attack in three phases
    - Phase 1: find the proxy's IP address
      - Many requests with fragmented response… `kill` with a spoofed fragment
      - Suffices for a DoS attack on the proxy!
    - Phase 2: find the fixed/current port number
      - By a more complex fragmentation attack, or by `port overloading'
    - Phase 3: `regular' (`Kaminsky') poisoning
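The two configurations above (slides 15 to 18) lose exactly the port half of the resolver's challenge, and slide 17's CAIDA figures say most proxies already allocate ports predictably. The following audit script is an added example, not code from the slides or from the authors: given source ports captured from a resolver's outgoing queries (the samples here are constructed), it labels the allocation as fixed, incrementing or random and totals the challenge bits that remain from slides 12 and 13. The step bound of 16 and treating a predictable port as contributing zero bits are assumptions.

```python
# Constructed observations (not from the slides): UDP source ports of eight
# consecutive outgoing queries, as a defender would extract from a capture of
# the resolver, or of a NAT's external side, towards one authoritative server.
OBSERVED = {
    "random":       [53211, 12004, 60877, 4412, 39871, 25530, 61099, 8841],
    "incrementing": [40001, 40002, 40003, 40004, 40005, 40006, 40007, 40008],
    "fixed":        [53] * 8,
}

def classify_ports(ports):
    """Label a port sequence 'fixed', 'incrementing' or 'random'."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "fixed"
    # Per-destination incrementing allocation (the Linux NAT case on slide 16)
    # shows a constant small step between consecutive queries; the modulo
    # handles the wrap at 65535.
    deltas = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1 and deltas.pop() <= 16:   # step bound is an assumption
        return "incrementing"
    return "random"

def challenge_bits(qname, allocation, use_0x20=False):
    """Bits an off-path forger has to match (slides 12 and 13): the 16-bit
    TXID, the source port (16 bits only if random; assumed 0 once it is fixed
    or predictable), and, with 0x20 encoding, one bit per letter of the name."""
    port_bits = 16 if allocation == "random" else 0
    x20_bits = sum(ch.isalpha() for ch in qname) if use_0x20 else 0
    return 16 + port_bits + x20_bits

def audit(observed=OBSERVED, qname="www.bob.com"):
    """Return {label: (allocation, bits without 0x20, bits with 0x20)}."""
    report = {}
    for label, ports in observed.items():
        alloc = classify_ports(ports)
        report[label] = (alloc, challenge_bits(qname, alloc),
                         challenge_bits(qname, alloc, use_0x20=True))
    return report

if __name__ == "__main__":
    for label, (alloc, bits, bits_0x20) in audit().items():
        print(f"{label:13s} -> {alloc:13s} {bits:2d} bits ({bits_0x20} with 0x20)")
```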

  19. Outline (same as slide 4)

  20. 1st-Fragment Piggybacking Attacks
  - Cut'n'paste attack:
    - Poison a long, fragmented DNS response
    - Source fragmentation will do [works even for IPv6]
    - All `challenges' are in the first fragment!
      - TXID, "src" port, even query [e.g., 0x20 defense]
    - Replace the 2nd fragment with a fake one!
  - A few details and a quick recap on IP fragmentation

  21. IP Fragmentation
  - Networks have a limit on maximal packet size
  - If the packet is larger than the limit: fragmentation
  - Reassemble at the receiver
  [Figure: a packet "Bob, how much I love you!" from 2.2.2.5 to 3.3.3.7 crosses networks 2.2.2, 5.5.5 and 3.3.3; at the hop from MTU=1500 to MTU=1200 it is split into fragments ("Bob, how much I ...", "... love you!"), each carrying the same From/To addresses]

  22. Fragment Reassembly
  - Bob receives fragments of a packet
  - How to reassemble without introducing mistakes?
  - Identify fragments of the same packet
    - By sender/receiver addresses and protocol (TCP/UDP)
    - Not enough: add a 16-bit IP-ID
  [Figure: fragments of two packets arrive interleaved; IP-ID 34 reassembles to "Bob, how much I love you!!" and IP-ID 35 to "I've decided I don't need a fridge…", whereas mixing fragments would yield "Bob, how much I need a fridge"]

  23. Off-Path Discarding and Modifying
  - We show off-path can discard and modify fragments!!
  - Exploit fragmentation for poisoning!
  - In reality fragmentation is rare (<1%)
  - But, an off-path attacker can cause fragmentation!!
  - Two methods:
    1. Trigger requests whose responses fragment (e.g., DNSSEC-protected)
    2. Attacker-registered domain
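Slides 20 to 23 rest on one observation: every field the resolver checks sits at a fixed small offset, so once a response is longer than the path MTU those fields all land in the first fragment and later fragments are matched only by addresses, protocol and the 16-bit IP-ID. The following layout calculator is an added example, not code from the slides or the authors; it models IPv4 fragmentation of a UDP/DNS datagram with the header sizes below (the 1700-byte DNSSEC-sized response and the query name www.bob.com are constructed inputs) and reports which fragment carries each challenge field, which is a quick check a defender can run against their own response sizes.

```python
IP_HDR, UDP_HDR, DNS_HDR = 20, 8, 12   # IPv4 header, UDP header, DNS fixed header

def question_len(qname):
    """Wire length of a DNS question: length-prefixed labels, root byte, QTYPE, QCLASS."""
    return sum(1 + len(label) for label in qname.split(".")) + 1 + 4

def fragment_layout(dns_len, qname="www.bob.com", mtu=1500):
    """Fragment an IPv4/UDP datagram carrying a dns_len-byte DNS message at the
    given MTU and report the fragment index that holds each field a resolver
    checks. Offsets are relative to the start of the IP payload (the UDP header);
    later fragments carry only IP headers, so the resolver ties them to the
    first one by addresses, protocol and IP-ID alone (slide 22)."""
    per_frag = (mtu - IP_HDR) // 8 * 8          # fragment data is a multiple of 8 bytes
    total = UDP_HDR + dns_len
    bounds = [(off, min(off + per_frag, total)) for off in range(0, total, per_frag)]

    def frag_of(offset):
        return next(i for i, (lo, hi) in enumerate(bounds) if lo <= offset < hi)

    q_start = UDP_HDR + DNS_HDR
    fields = {
        "udp_src_port": 0,                 # resolver's source port (16-bit challenge)
        "udp_checksum": 6,                 # the only check spanning the whole datagram
        "dns_txid": UDP_HDR,               # 16-bit transaction ID
        "dns_question_start": q_start,     # 0x20-encoded name lives here
        "dns_question_end": q_start + question_len(qname) - 1,
    }
    return {"fragments": len(bounds),
            "field_fragment": {name: frag_of(off) for name, off in fields.items()}}

def challenges_outside_first_fragment(dns_len, qname="www.bob.com", mtu=1500):
    """Names of challenge fields that land beyond fragment 0; an empty list means
    every challenge the resolver verifies sits in the first fragment (slide 20)."""
    layout = fragment_layout(dns_len, qname, mtu)
    return sorted(n for n, f in layout["field_fragment"].items() if f > 0)

if __name__ == "__main__":
    for dns_len, mtu in [(400, 1500), (1700, 1500), (1700, 1200)]:
        layout = fragment_layout(dns_len, mtu=mtu)
        print(f"DNS {dns_len}B, MTU {mtu}: {layout['fragments']} fragment(s), "
              f"fields -> {layout['field_fragment']}, "
              f"challenges beyond 1st: {challenges_outside_first_fragment(dns_len, mtu=mtu)}")
```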

  24. Modify Long DNSSEC Responses [figure slide]

  25. Poisoning DNSKEY Response [figure slide]

  26. Causing Long, Fragmented Responses
  - Often, the attacker doesn't need to find a long response
  - The attacker causes a long, fragmented response
    - From a victim NS of a TLD (.ORG, .CO.UK, …)
    - By registering an `appropriate' subdomain
  - To cause fragmentation:
    - Register many name servers
    - With long names
    - Example? One-Domain-to-Rule-them-All.ORG
  - Or see paper [CNS2013]… or next foil

  27. Outline (same as slide 4)
