using the domain name system for system break ins
play

Using the Domain Name System for System Break-ins Steven M. - PowerPoint PPT Presentation

Mar 01, 2023 •253 likes •639 views

Using the Domain Name System for System Break-ins Steven M. Bellovin Presented by: Thomas Repantis trep@cs.ucr.edu CS255-Computer Security, Winter 2004 p.1/37 Overview Using DNS to spoof a hosts name and access network services that

  1. Using the Domain Name System for System Break-ins Steven M. Bellovin Presented by: Thomas Repantis trep@cs.ucr.edu CS255-Computer Security, Winter 2004 – p.1/37

  2. Overview Using DNS to spoof a host’s name and access network services that rely on the host name for authentication. 1. Introduction to the Domain Name System 2. Description of the Attack 3. Proposed Defenses 4. Current Status CS255-Computer Security, Winter 2004 – p.2/37

  3. Domain Name System (DNS) A distributed database, used to map host names to IP addresses, and vice-versa. www.cs.ucr.edu 138.23.169.15 Paul Mockapetris RFCs 882, 883 (1983) RFCs 1034, 1035 (1987) CS255-Computer Security, Winter 2004 – p.3/37

  4. DNS Basics 1/2 Periods in domain names define zones (www.example.com). Servers contain the authoritatitive data for each zone. Secondary authoritative servers poll the primary servers. If the data has changed, they initiate zone transfers. CS255-Computer Security, Winter 2004 – p.4/37

  5. DNS Basics 2/2 The resource records returned are cached locally for some time. The authority for a subdomain may be delegated to a subsidiary server (hierarchical namespace). CS255-Computer Security, Winter 2004 – p.5/37

  6. Zone Example 1/5 CS255-Computer Security, Winter 2004 – p.6/37

  7. Zone Example 2/5 Start Of Authority (SOA): Specifies the source of the zone information. CS255-Computer Security, Winter 2004 – p.7/37

  8. Zone Example 3/5 Name Server (NS): Specifi es the authoritative name servers for the domain. CS255-Computer Security, Winter 2004 – p.8/37

  9. Zone Example 4/5 Address (A): Specifies the address of a host. CS255-Computer Security, Winter 2004 – p.9/37

  10. Zone Example 5/5 Host Info (HINFO): Specifies host informa- tion, like computer and operating system. CS255-Computer Security, Winter 2004 – p.10/37

  11. Forward queries Forward queries (asking for the IP address, providing a machine name) can be answered using the records from the zone. An item may also contain Additional Information, (e.g. providing NS and A records, when asked for the IP of an unknown host). CS255-Computer Security, Winter 2004 – p.11/37

  12. Inverse queries Inverse queries (asking for the machine name, providing an IP address) are answered using a separate, parallel tree, keyed by IP address. CS255-Computer Security, Winter 2004 – p.12/37

  13. Attack! Assumption: Attacker controlling a primary server for a DNS zone, including the inverse mapping tree, as well as all TCP port numbers. Attacker’s goal: To find hosts that trust other hosts by name. Common examples: Clusters of time-sharing machines. File servers and their clients. CS255-Computer Security, Winter 2004 – p.13/37

  14. Starring: Softy, the victim: bullseye.softy.org 192.193.194.1 ringer.softy.org 192.193.194.64 groundzero.softy.org 192.193.194.65 Cuckoo, the attacker: cracker.ritts.org 150.151.152.153 CS255-Computer Security, Winter 2004 – p.14/37

  15. Guest star: The vulnerability in the address-to-name mapping! Attacker changes the inverse mapping record for 150.151.152.153 from the correct cracker.ritts.org to ringer.softy.org Attacker attempts rlogin to bullseye. CS255-Computer Security, Winter 2004 – p.15/37

  16. ... ˙ bullseye, the victim, validates the name of the calling machine: It calls gethostbyaddr(), passing 150.151.152.153. This generates a DNS inverse query for the PTR record for 153.152.151.150.in-addr.arpa This retrieves ringer.softy.org Call accepted, attack succeeded. CS255-Computer Security, Winter 2004 – p.16/37

  17. Why? Because there is no forced linkage between the two DNS trees owned by Cuckoo, ritts.org and 152.151.150.in-addr.arpa, allowing the latter’s en- tries to point to softy’s hosts. CS255-Computer Security, Winter 2004 – p.17/37

  18. The rest are details... Finding a target host name. Finding a user name to impersonate. Finding a machine trusted by the target host. CS255-Computer Security, Winter 2004 – p.18/37

  19. SNMP abuse Cuckoo finds the target host name from mail message or news article. He examines its TCP connection tables using SNMP . CS255-Computer Security, Winter 2004 – p.19/37

  20. finger abuse He examines current users using finger. He concludes: In bullseye, .rhosts file for bingo, authorizing user1 when coming from bullseye. CS255-Computer Security, Winter 2004 – p.20/37

  21. Done He modifies the appropriate PTR record. He creates local login names. He attacks. CS255-Computer Security, Winter 2004 – p.21/37

  22. Giving away information Apart from SNMP and finger... e-mail, DNS (SOA records, zone transfers, HINFO records) SMTP FTP rpcinfo ...can also provide information about the victim. CS255-Computer Security, Winter 2004 – p.22/37

  23. The Berkeley fix Validate the inverse mapping tree by looking at the corresponding node on the forward mapping tree. If gethostbyaddr() returns bullseye.softy.org for 150.151.152.153, then gethostbyname() should return the same IP for the same name. Otherwise we have an impersonation. CS255-Computer Security, Winter 2004 – p.23/37

  24. How the fix is circumvented... The PTR record to answer gethostbyaddr()’s request is in Cuckoo’s server. The A record to answer gethostbyname()’s request is in Softy’s server. However the query might be answered by the local machine’s name server cache. That DNS cache can be poisoned by the attacker... CS255-Computer Security, Winter 2004 – p.24/37

  25. Danger: Poison! The DNS message with the PTR record may contain a bogus A record in the Additional Information field (with short TTL). Or the bogus A record can be included in the NS records of a response to a lookup for a hostname. CS255-Computer Security, Winter 2004 – p.25/37

  26. Therefore... Caching-only name servers are vulnerable! Authoritative name servers for a domain will reject updates for their zones. Hence they cannot be poisoned. But they are vulnerable for requests outside their zone. CS255-Computer Security, Winter 2004 – p.26/37

  27. Extra measures The target can act as a secondary server for the inverse mapping. The target can use a local mapping table like NIS before consulting DNS. CS255-Computer Security, Winter 2004 – p.27/37

  28. Hardening DNS Servers Bogus A records could be tracked back, if DNS server cache entries were tagged with their source. Additional Information could be used only in the specific context in which it was returned, and then discarded. (At a performance cost.) CS255-Computer Security, Winter 2004 – p.28/37

  29. Defenses Use cryptographic instead of name- or address-based authentication (e.g. Kerberos). Apart from Berkeley’s fix: Limit the trusted hosts to those for which the local machine has authoritative name information. Have the local name server act as a secondary server for important neighboring zones, and thus possess authoritative forward-mapping data. Have all machines possess defi nitive mapping information for the hosts within an organization. CS255-Computer Security, Winter 2004 – p.29/37

  30. Logging and Auditing Attempts to impersonate hosts. Attempts to update authoritative zones. Attempts to connect to rlogind or rshd. Compare forward- and inverse-mapping data for a zone. CS255-Computer Security, Winter 2004 – p.30/37

  31. Abandon DNS? Return to static host tables? no (1990) NO! (2004) Problem lies not in DNS, but in inadequate host authentication methods. The information for host-to-address mapping is distributed, hence contamination from untrustworthy sources is always possible. The host table is huge and cannot be updated statically in a frequent and timely manner. CS255-Computer Security, Winter 2004 – p.31/37

  32. Is the attack still relevant? Paper written in 1990, published in 1995. 2004: Name-based authentication is not that widely used anymore (ssh instead of rsh). Firewalls disallow remote connections. Too many BIND fixes since then. Cryptographic authentication of DNS is used in experimental testbeds. Main idea still relevant, with new misuses. CS255-Computer Security, Winter 2004 – p.32/37

  33. DNS Threats in 2004 Threat Analysis Of The Domain Name System. D. Atkins. IETF Draft (2003). Packet Interception ID Guessing and Query Prediction Name Games Betrayal By Trusted Server Denial of Service Authenticated Denial of Domain Names Wildcards CS255-Computer Security, Winter 2004 – p.33/37

  34. DNSSEC DNS Security Extensions to provide end-to-end authenticity and integrity. All answers in DNSSEC are digitally signed. By checking the signature, a resolver is able to check if the info is identical (correct and complete) to the info on the authoritative server. D. Eastlake. RFC 2535 (1987). CS255-Computer Security, Winter 2004 – p.34/37

  35. Conclusions Inserting bogus resource records in a victim’s DNS cache. Still possible. Luckily, name-based authentication is not that widely used anymore. However, other misuses like server redirection are equally grave. DNSSEC CS255-Computer Security, Winter 2004 – p.35/37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The directory system for the Internet v Used by other application layer protocols v via socket programming q Maps a hostname to an IP address v Host

431 views • 19 slides
CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988 Impact of Configuration Errors on DNS Robustness V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang, 2004 Spring 2013 The Story So Far .

481 views • 29 slides
Name service Domain Name System (DNS) Name : identifier Need a system: Name IP

Name service Domain Name System (DNS) Name : identifier Need a system: Name IP

Name service Domain Name System (DNS) Name : identifier Need a system: Name IP address computers, services, remote objects, files, users, When the size of Internet was small, . a host file: two columns. a

375 views • 10 slides
A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System

A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System

A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System Martin Schanzenbach Masters Thesis October 5, 2012 Martin Schanzenbach (TUM) GNU Alternative Domain System 1 Secure, Memorable, Global:

387 views • 19 slides
Chapter 24 Chapter 24 Chapter 24 The Domain Name System The Domain Name System The Domain Name

Chapter 24 Chapter 24 Chapter 24 The Domain Name System The Domain Name System The Domain Name

Chapter 24 Chapter 24 Chapter 24 The Domain Name System The Domain Name System The Domain Name System (DNS) (DNS) (DNS) Raj Jain The Ohio State University Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/

812 views • 35 slides
DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen -

DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen -

DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen - lhansen@ethz.ch Overview Naming and Binding of Network Destinations Terminology Examples Interpretation Development of the Domain Name System

427 views • 30 slides
Naming Domain Name System Guevara Noubir Fundamentals of

Naming Domain Name System Guevara Noubir Fundamentals of

Naming Domain Name System Guevara Noubir Fundamentals of Computer Networks Northeastern University DNS 1 Domain Name System DNS is a fundamental

179 views • 15 slides
Security Mindset The adversary will do anything it can to break your system It will study

Security Mindset The adversary will do anything it can to break your system It will study

Security Mindset The adversary will do anything it can to break your system It will study your system and purposefully do the worst thing it can Might even disregard its own well being Will attack your implementation and your

1.07k views • 76 slides
Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University

Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University

Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University Nijmegen, SIDN 21 March 2016, ICT.Open Agenda 1. Research question 2. Domain Name System 3. Methodology & Results 4. Conclusion 5. Time for asking

525 views • 38 slides
About domain controllers Interaction diagrams Not usually a domain concept Dynamic

About domain controllers Interaction diagrams Not usually a domain concept Dynamic

About domain controllers Interaction diagrams Not usually a domain concept Dynamic views of interacting objects Added to the model during design Starts by system event ( external message ) They tie the system to external

75 views • 5 slides
Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011

Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011

Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011 Overview Final project + presentation Some TCP and UDP experiments Domain Name System (DNS) Hierarchical name space Maps friendly

1.02k views • 40 slides
Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity

Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity

IN3210 Network Security Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity and Authenticity Confidentiality 2 Foundations of DNS 3 Domain Name System Directory services for name

727 views • 51 slides
CompSci 356: Computer Network Architectures Lecture 20: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 20: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 20: Domain Name System (DNS) and Content distribution networks Chapter 9.3.1 Xiaowei Yang xwy@cs.duke.edu Overview Domain Name System Content Distribution Networks Domain Name

777 views • 50 slides
Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling

Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling

Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling Workshop on Graphical Modeling Language Development at ECMFA 2012 Janne Vatjus-Anttila, Jari Kreku, Kari Tiensyrj VTT Technical Research Centre of

320 views • 20 slides
CompSci 356: Computer Network Architectures Lecture 23: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 23: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 23: Domain Name System (DNS) and Content distribution networks Chapter 9.3.1 Xiaowei Yang xwy@cs.duke.edu Overview Domain Name System Content Distribution Networks DNS attacks

610 views • 57 slides
Symmetry breaking Suppose the system had SU(3) symmetry initially. Let perturbation break the

Symmetry breaking Suppose the system had SU(3) symmetry initially. Let perturbation break the

Symmetry breaking Suppose the system had SU(3) symmetry initially. Let perturbation break the symmetry to SU(2). In this case (u,d,s) which describe 3- dimensional irrep of SU(3) will break into Two irreps of SU(2) (2 1) Dynamical

343 views • 11 slides
APPENDIX A D.A. Davidson Presentation Page C-1 Capital Facilities Planning May 31, 2016 J ON

APPENDIX A D.A. Davidson Presentation Page C-1 Capital Facilities Planning May 31, 2016 J ON

APPENDIX A D.A. Davidson Presentation Page C-1 Capital Facilities Planning May 31, 2016 J ON G ORES M ANAGING D IRECTOR (206) 389-4043 JGORES @ DADCO . COM 1 Discussion Topics Election Results Capital Facilities Financing Tax

673 views • 34 slides
2013-2014 Preliminary Results Department of Accountability School Board Work Session October 2,

2013-2014 Preliminary Results Department of Accountability School Board Work Session October 2,

Assessment Update: 2013-2014 Preliminary Results Department of Accountability School Board Work Session October 2, 2014 www.acps.k12.va.us Federal Annual Measurable Objectives (AMO) Replaced Annual Yearly Progress (AYP) Measures

482 views • 9 slides
DOMAIN COMMUNITY REFERENCE GROUP Meeting #16 Wednesday 24 July, Seasons Botanic Gardens 1 WORKS

DOMAIN COMMUNITY REFERENCE GROUP Meeting #16 Wednesday 24 July, Seasons Botanic Gardens 1 WORKS

DOMAIN COMMUNITY REFERENCE GROUP Meeting #16 Wednesday 24 July, Seasons Botanic Gardens 1 WORKS UPDATE 2 ANZAC STATION PROGRAM 2019 3 PROGRESS UPDATE NORTHERN SECTION 4 NORTHERN SECTION JUNE TIME-LAPSE 5 CURRENT AND UPCOMING WORKS

1.22k views • 87 slides
Data Review and Proposed Actions Schuylkill Technology Center PA School Climate Survey Data

Data Review and Proposed Actions Schuylkill Technology Center PA School Climate Survey Data

4.2018 School Climate Leadership Initiative Final Action Plan: Data Review and Proposed Actions Schuylkill Technology Center PA School Climate Survey Data Review: The STC School Climate Leadership Initiative (SCLI) Team conducted the PA School

320 views • 8 slides
Program Transfer Board Presentation Tracy Whitaker, M.A. Financials provided by Chris Kim,

Program Transfer Board Presentation Tracy Whitaker, M.A. Financials provided by Chris Kim,

Program Transfer Board Presentation Tracy Whitaker, M.A. Financials provided by Chris Kim, Ed.D., MBA 02/18/2020 A program transfer is when a school district or consortium plans on running a program like those run by SCOE. The What is a

483 views • 13 slides
2018-2019 Accountability Ratings Rachael Driggers Director of Research, Assessment and

2018-2019 Accountability Ratings Rachael Driggers Director of Research, Assessment and

2018-2019 Accountability Ratings Rachael Driggers Director of Research, Assessment and Accountability 8/20/2019 A-F Rating System House Bill 22, 85 th Texas Legislature The commissioner shall evaluate school district and campus

407 views • 16 slides
Presented By: Michael Lopata CPA, CCPS The Cost of College. Public - $10K to Private - $40K

Presented By: Michael Lopata CPA, CCPS The Cost of College. Public - $10K to Private - $40K

Presented By: Michael Lopata CPA, CCPS The Cost of College. Public - $10K to Private - $40K Undermatching and Overmatching in college enrollment Largest sources of financial aid. $185 Billion. Financial Need=COA EFC

341 views • 17 slides
Google Master Slides Monday, April 20 @ 12pm Why should I even care about Mater Slides? 1. Saves

Google Master Slides Monday, April 20 @ 12pm Why should I even care about Mater Slides? 1. Saves

Google Master Slides Monday, April 20 @ 12pm Why should I even care about Mater Slides? 1. Saves you time 2. Consistency in design 3. Create more visually stimulating presentations 4. Become a slideshow presentation ninja Kimberly Larson

401 views • 18 slides

More recommend