Domain Name Systems

ChesterRebeiroIITMadras

Someoftheslidesborrowedfromthebook‘ComputerSecurity:AHandsonApproach’byWenliangDu

DNS Hierarchy

2

.com .gov .edu .in

gov ernet ac res mil

iitmiitkiisciitb

Rootdomain

Topleveldomain

Secondleveldomain

iitm.ac.in.

LookuprecordsformappingfromdomainnamestoIPaddresses

DNS Hierarchy

3

.com .gov .edu .in

gov ernet ac res mil

iitmiitkiisciitb

Rootdomain

Topleveldomain

Secondleveldomain

iitm.ac.in.

LookuprecordsformappingfromdomainnamestoIPaddresses Domain:Isasubtree,sharingitsdomainnamewiththenameofthetopmostnodeinthesubtree

DNS Hierarchy

4

.com .gov .edu .in

gov ernet ac res mil

iitmiitkiisciitb

Rootdomain

Topleveldomain

Secondleveldomain

iitm.ac.in.

LookuprecordsformappingfromdomainnamestoIPaddressesSubDomains:Isadomainthatbranchesoffanother.

Root Domain

5

.com .gov .edu .in

gov ernet ac res mil

iitmiitkiisciitb

13rootdomainsmaintainedbyIANA

Topleveldomain

Secondleveldomain

iitm.ac.in.

Root Domain

6

10inUSA1inNetherlands1inSweden1inJapanWhyonly13rootservers?567mirroredrootservers(9mirrorsinIndia–2015)(3Jrootservers;2Lrootservers;1I,1K,1F,andDrootserver)

https://internetdemocracy.in/wp-content/uploads/2016/03/Dr.-Anja-Kovacs-and-Rajat-Rai-Handa-India-at-the-Internets-Root.pdf

Top Level Domains

7

.com .gov .edu .in

gov ernet ac res co

iitmiitkiisciitb

Topleveldomain

iitm.ac.in.

1547asonJuly2017EachTLDismanagedbydesignatedentitiescalledregistries.(forexample:.com,.netismanagedbyVerisign;.inismanagedbyNationalInternetExchangeofIndia)

https://en.wikipedia.org/wiki/INRegistry

Top Level Domains

8

.com .gov .edu .in

gov ernet ac res co

iitmiitkiisciitb

Topleveldomain

iitm.ac.in.

1547asonJuly2017

https://en.wikipedia.org/wiki/INRegistry

DNS Zone

9

.com

example

usaukfrance

Zone:Isadomain(orsubdomain)thatbranchesisservedbyaNameserver.Azonemaybeanentiredomainwithallitschilddomains,oraportionofadomain.Azonecanbetheentiresubtreestartingatexample.comOrthecompanymaydecidetohaveseveralsubzones,forexampleoneatusa.example.com

newyork chicago

Authoritative Name Servers

10

Startofauthority

2authorities.1primaryandtheothersecondary

EachDNSZonehasatleastoneauthoritativenameserverthatpublishesinformationaboutthatzone.Theyarecalled`authoritative’becausetheyprovideoriginalandanswerstoDNSqueriesasopposedtoobtaininganswersfromotherDNSservers.

DNS Query Process

11

Local DNS Server and Iterative Query Process

TheiterativeprocessstartsfromtheROOTServer.Ifitdoesn’tknowtheIPaddress,itsendsbacktheIPaddressofthenameserversofthenextlevelserver(.NETserver)andthenthelastlevelserver(example.net)whichprovidestheanswer.

DNS Query Process

13

http://www.iitm.ac.in Enteredinweb-browser

LocalSystem:Lookup/etc/hostsfile.Canthe/etc/hostsfileresolve(havetheIPaddress)forwww.iitm.ac.in?

1

DNS Query Process

14

http://www.iitm.ac.in Enteredinweb-browser

LocalDNSServer:LookupthelocalDNSserver(serverpresentintheLAN).HowtoidentifytheIPaddressoftheLocalDNSserver?(/etc/resolv.conf)Thisneedstobeconfiguredor,canbefound,ifthesystemisconfiguredforDHCP,thenthisfileisautomaticallymodified.IfthelocalDNSservercanresolvetheaddress;thenwearedone.Else,theresolverwouldbeactivated.TheresolverwouldneedtoqueryanotherDNSserver,higherupinthehierarchy.

2

DNS Query Process

15

http://www.iitm.ac.in.

ResolverinLocalDNSwillquerytheRootNameServerà(fromresolver)WhatistheIPaddressofwww.iitm.ac.inß(fromrootserver)Idon’tknowtheanswer,youcanaskanyoftheseauthorities.

3

Directlysendthequerytothisserver.

DNS Query Process

16

http://www.iitm.ac.in.

ResolverinLocalDNSwillquerytheTLDà(fromresolver)WhatistheIPaddressofwww.iitm.ac.inß(return)Idon’tknowtheanswer,youcanaskanyoftheseauthorities.

4

DNS Query Process

17

http://www.iitm.ac.in.

ResolverinLocalDNSwillquerythenextlevelNSàWhatistheIPaddressofwww.iitm.ac.inßTheSOAisdns1.iitm.ac.in.

5

DNS Cache

•  ThelocalDNSserverwillcacheallresponsesfromotherDNSservers(toreducequeries)

•  TTLavailablewithallresponses,whichdetermineswhentheentrywouldberemovedfromcache

18TTL

DNS Cache

• Duetocaching•  Mostresolverqueriesdonotneedaquerytotherootserver•  2%ofallqueriestotheroot-serversarelegitimate

•  75%wereduetoincorrectornon-existentcaching•  12.5%tounknownTLDs•  7%wereforlookupstoIPaddresses,asif,theyweredomainnames

19https://en.wikipedia.org/wiki/Root_name_server

Set Up DNS Zones on Local DNS Server Ø  UtilityinLinux:bind9Ø  Createzones:CreatetwozoneentriesintheDNSserverbyaddingthem

to/etc/bind/named.conf.

Forreverselookup(IPàhostname).

Forforwardlookup(HostnameàIP).

Zone File for Forward Lookup /etc/bind/example.net.db (Thefilenameisspecifiedinnamed.conf)

@:Representstheoriginspecifiedinnamed.conf(stringafter“zone”)[example.net]

Zone File for Reverse Lookup

/etc/bind/192.168.0.db:(Thefilenameisspecifiedinnamed.conf)

Testing the setup

NeedtoensurethatResolv.confispointingtotherecentlysetupDNSserver

DNS Queries

24http://www.zytrax.com/books/dns/ch15/

DNS Query Format

25http://www.zytrax.com/books/dns/ch15/

MessageHeaderSentinthequeryandreflectedbackbytheresponse

QR=0query;QR=1response

0:query,1:inversequery;2:status

AuthoritativeAnswer

DNS Question Section

26http://www.zytrax.com/books/dns/ch15/

QuestionSection

DNS Question Section

27http://www.zytrax.com/books/dns/ch15/

AnswerSection

DNS Question Section

28http://www.zytrax.com/books/dns/ch15/

AuthoritySection

ThissectionmentionstheserversthataretheultimateauthorityforansweringDNSqueries.Answers,maybeobtainedfromthecacheofotherDNSservers.Canbeusedtocheckwiththeauthoritativeresponse.

Attacks on Local DNS Servers Cache Poisoning Attacks

29

Usermachine

LocalDNSserver DNShierarchy

1 234

Attacks on Local DNS Servers Cache Poisoning Attacks

30

Usermachine

LocalDNSserver DNShierarchy

1 2

spoofedresponse

spoofedresponse

Attacks on Local DNS Servers Cache Poisoning Attacks

31

Usermachine

LocalDNSserver DNShierarchy

1 2

spoofedresponse

spoofedresponse

Damagelimited;usermachinedoesnotstoretheresult Considerabledamage;DNSstoresthe

responseanditcanaffectallsystemsinthenetworkforalongtime

Cacheispoisoned

Attacks on Local DNS Servers Cache Poisoning Attacks

32

Usermachine

LocalDNSserver DNShierarchy

1 2

spoof

Cacheispoisoned

www.example.net

3

sniff

4

Local DNS Cache Poisoning Attack Goal:ForgeDNSrepliesafterseeingaqueryfromLocalDNSServerTechnique:SniffingandSpoofing

Local DNS Cache Poisoning Attack

Result

Attack

Inspect the Cache

●  Run“sudo rndc dumpdb –cache”andcheckthecontentsof“/var/cache/bind/dump.db”.

●  Cleanthecacheusing“sudo rndc flush”beforedoingtheattack.

Targeting the Authority section

Cantargettheauthoritysection

ns.attacker.net

AnyDNSquerysenttothelocalDNSserverwillbe(ifneeded)directedtotheattacker’sns.attacker.net

Attacks on Local DNS Servers Cache Poisoning Attacks

37

LocalDNSserver DNShierarchy

1 2

spoof

Cacheispoisoned

www.example.net

3

Whatifwecan’tsniffandcanonlyspoof

Cache Poisoning Without Sniffing

38

Twodifficultiesincreatingavalidspoof:1.  NeedtoguessthelocalDNSserver’ssourceport(2^16possibilities)2.  TheresponseshouldhavethesameMessageIDastheDNSqueryinstep(2).

(Bruteforceattack2^32àat1000spoofedqueries/second,itwilltake50daystotryall2^32possibilities

Further Difficulties: the Local DNS server’s cache

39

LocalDNSserver DNShierarchy

1 2

www.example.net

3

cache

5

46

7

Iftherealresponse(3)arrivesanditiscached(4).Thensubsequentquerieswillreadoffthecache(5à6à7)andnoqueryismadefromtheLocalDNS.Thus,tomakeanothertry,theattackershouldwaittillthecacheisflushed.

Flaw in the Protocol ● Whenlookingupsiblingnameslike1.google.com,and2.google.com.

○  Attackerscandothisandsaythey’retheofficialserverforwww.google.com,tellingthelocalDNSserverwhatwww.needstobe,andthelocalDNSwillbelievetheattacker.

40https://duo.com/blog/the-great-dns-vulnerability-of-2008-by-dan-kaminsky

Kaminsky Attack

41

HowtokeeptryingspoofedDNSresponses(2^32times)withoutworryingaboutthecacheeffect?

Kaminsky’sIdea:•  Askadifferentquestioneverytime,socachingtheanswerdoesnotmatter,andthelocalDNSserverwillsendoutanewqueryeachtime.

•  ProvideforgedanswerintheAuthoritysection

Kaminsky Attack

42

The Kaminsky Attack: A Sample Response

Thisrandomnamewillchangefor

eachattackattempt

Thisanswerdoesnotmatter

ThisiswhatwewantthelocalDNSservertocache

TelltheDNSservertousethisoneasthenameserverfortheexample.comdomain

Spoofing Replies: IP and UDP headers

DNSResponseAnswerisauthoritative

Spoofing Replies: DNS Header and Payload

Digital Signatures

46

Protection Against DNS Cache Poisoning Attacks DNSSEC●  DNSSECisasetofextensiontoDNS,aimingtoprovideauthentication

andintegritycheckingonDNSdata.●  WithDNSSEC,allanswersfromDNSSECprotectedzonesaredigitally

signed.●  Bycheckingthedigitalsignatures,aDNSresolverisabletocheckifthe

informationisauthenticornot.●  DNScachepoisoningwillbedefeatedbythismechanismasanyfake

datawillbedetectedbecausetheywillfailthesignaturechecking.

Protection Using DNSSEC

Protection Using TLS/SSL TransportLayerSecurity(TLS/SSL)protocolprovidesasolutionagainstthecachepoisoningattacks.●  AftergettingtheIPaddressforadomainname(www.example.net)

usingDNSprotocol,acomputerwillasktheowner(server)oftheIPaddresstoprovethatitisindeedwww.example.net.

●  Theserverhastopresentapublic-keycertificatesignedbyatrustedentityanddemonstratesthatitknowsthecorrespondingprivatekeyassociatedwithwww.example.net(i.e.,itistheownerofthecertificate).

●  HTTPSisbuiltontopofTLS/SSL.ItdefeatsDNScachepoisoningattacks.

DNSSEC versus TLS/SSL ●  BothDNSSECandTLS/SSLarebasedonthepublickeytechnology,but

theirchainsoftrustaredifferent.●  DNSSECprovideschainoftrustusingDNSzonehierarchy,so

nameserversintheparentzonesvouchforthoseinthechildzones.●  TLS/SSLreliesonPublicKeyInfrastructurewhichcontainsCertificate

Authoritiesvouchingforothercomputers.

Denial of Service Attacks on Root Servers AttacksontheRootandTLDServers:Rootnameservers:Iftheattackerscanbringdowntheserversoftherootzone,theycanbringdowntheentireInternet.However,attackrootserversisdifficult:●  Therootnameserversarehighlydistributed.Thereare13(A,B….M)rootnameservers(server

farm)consistingofalargenumberofredundantcomputerstoprovidereliableservices.●  AsthenameserversfortheTLDsareusuallycachedinthelocalDNSservers,therootservers

neednotbequeriedtillthecacheexpires(48hrs).Attacksontherootserversmustlastlongtoseeasignificanteffect.

Denial of Service Attacks on TLD Servers NameserversfortheTLDsareeasiertoattack.TLDssuchasgov,com,netetchavequiteresilientinfrastructureagainstDOSattacks.ButcertainobscureTLDslikecountry-codeTLDsdonothavesufficientinfrastructure.Duetothis,theattackerscanbringdowntheInternetofatargetedcountry.

Attacks on Nameservers of a Particular Domain Dynnetwork:In2016,multipleDDoSattackswerelaunchedagainstamajorDNSserviceproviderforcompanieslikeCNN,BBC,HBO,PayPaletc.TheattacksarebelievedtohavebeenlaunchedthroughbotnetconsistingofdifferentIoTdeviceslikeIPcameras,babymonitorsetc.ItcausedmajorInternetservicesunavailable.

Mirai Botnet Malware ● NumberofIoTdevicesincreasingatarapidrate●  Thesedevicesarecharacterizedby

○  Lowprofile○  Lessuserinteractions○  Securityoftencompromised(forbetterperformance/smallerprofile)○  Notalwaysup-to-datewithsecuritypatches

● MalwarewithIoTdevicesastargets○  BashlightandMiraiarethemostpopular○  PNScan,targetsx86platforms.

■  Trytodeterminerouterloginbaedonaspecialdictionary■  Connectusingsshconnectionusingpredefinedusercredentials

54

Lowhangingfruitforhackers

Mirai BotNet Malware

55TheMiraiBotnetandtheIoTZombieArmies,2017

280Gbpsmaxflooding50,000uniqueIps164countries

Mirai BotNet Malware

56TheMiraiBotnetandtheIoTZombieArmies,2017

Bots:ELFimages,codedinC,Responsiblefor(1)  Propagationofthemalware(2)  Theactualattack

Bots

TargetsLinuxbasedIoTdevices.MostlybusyboxsystemslikeWebcams,Cameras,etc.

Mirai BotNet Malware

57TheMiraiBotnetandtheIoTZombieArmies,2017

Infiltration

Bots

EverybotgeneratesrandomIPsandtriestoconnecttoPort23(telnet)orport2323(alternatetelnetport)Bruteforcedictionarysearchforvalidusernamesandpasswordsthatwillpermitlogin.Thedictionaryisbuiltof62possibleusername/passwords.Theseinclude,adminaccountcredentials,debuglogins,usernameswithnopasswords,etc.

SomeIPaddressesareblacklisted.Loopback,internalnetworks,multicastnetworks,USpostalservcie,DoD,GE,HP,IANA,

Mirai BotNet Malware

58TheMiraiBotnetandtheIoTZombieArmies,2017

Onasuccessfullogin:•  Trytoestablishashell.Especiallyinterestedinbusyboxshell•  Reportasuccessfullogintothereportserver.

(doesnottrytochangethepasswordinthenewvictim)

Mirai BotNet Malware

59TheMiraiBotnetandtheIoTZombieArmies,2017

Infrastructure

CommandandControl.Managementserver.ImplementedinGo.Atanytime,itcangetalistofactivebotsfromthereportserver.Itcan,also,atanytime,instructtheloadertoloadmalwareintothebot.Loader,dependingonthehardwarearchitectureofthebot,instructsittodownload(usingwgetortftp)andexecuterequiredbinaryimageofthemalware.

Mirai BotNet Malware

60TheMiraiBotnetandtheIoTZombieArmies,2017

Infrastructure

Loader,dependingonthehardwarearchitectureofthebot,instructsittodownload(usingwgetortftp)andexecuterequiredbinaryimageofthemalware.Beforethisisdone,thebotneedstoknowapartitionthatiswriteable.Iftftporwgetclientsarenotavailable,themalwarewillemployechocommandstodynamicallycreatetheexecutable.

18hardwarevariantssupportedincludingARM,MIPS,x86,SPARC

Mirai BotNet Malware

61

Infrastructure

NewlyformedbotestablishesconnectionwithC&C.Periodicheartbeatsbetweenthetwo.Otheractivitiesinthebot:*memoryscrapingtoidentifyothermalwarepresentinthebot.Iffound,killtheprocess.(wantstobetheownthedevice)•  Deletesitselffromthepersistentstorage.WillonlybeavailableinRAM(filelessmalware)•  Monitorsthewatchdogtimertodefendagainstsystemhangsandreboots.•  Oncommand,canstartavarietyoffloods:SYN,ACK,UDP,GRE,DNS,STOMP,ETH.Applicationlayerflooding.25,000SYNpacketspersecond.

Mirai BotNet Malware

62

Infrastructure

AllbotnetsattackthetargetoncommandbyfloodingSYN,ACK,UDP,GREIP,ETH,STOMP,DNS.Applicationlevelflooding.Peak:620GbpsControls:0.5millionIOTdevicesOnraspberryPi3:25000packetspersecond

Other Mirai Variants ● USuniversity(Feb2017)● Windowsbasedstrain● Miraistrainusedforbitcoinmining

63

Detection ●  Patternsofcommunications

○  Hugecommunicationonports23,2323,22forauthorizationpurposes

○  Frequentexchangeoftrafficwithinfrastructure

○  Surgeofegresstrafficthroughoutthecourseoftheattack

64

Mitigation Short-termmitigations●  BlockingTCPportsusedforprobingandbruteforcingthedevice●  FilteringegressandingresspacketsbyTCPrules

Betterdesignstrategies●  Leastprivilegeimplementations●  capabilitybasedsystems● Microkernel/Unikernelbasedapproaches(Linuxistoolargeforembeddedapplications)

65