Domain Name Systems
Chester Rebeiro, IIT Madras
Some of the slides are borrowed from the book 'Computer Security: A Hands-on Approach' by Wenliang Du
DNS Hierarchy
[Figure: the DNS name tree. Root domain at the top; top-level domains .com, .gov, .edu, .in; second-level domains gov, ernet, ac, res, mil under .in; iitm, iitk, iisc, iitb under ac.in; example of a fully qualified name: iitm.ac.in.]
DNS keeps lookup records for mapping from domain names to IP addresses.
Domain: a subtree of the name tree, sharing its domain name with the name of the topmost node in the subtree.
Subdomain: a domain that branches off another domain.
Root Domain
[Figure: the same name tree, with the root domain highlighted.]
13 root domains maintained by IANA: 10 in USA, 1 in Netherlands, 1 in Sweden, 1 in Japan.
Why only 13 root servers? Each of them is mirrored: 567 mirrored root servers in all (9 mirrors in India as of 2015: 3 J root servers, 2 L root servers, and 1 each of the I, K, F, and D root servers).
https://internetdemocracy.in/wp-content/uploads/2016/03/Dr.-Anja-Kovacs-and-Rajat-Rai-Handa-India-at-the-Internets-Root.pdf
Top Level Domains
[Figure: the same name tree, with the top-level domains highlighted; second-level domains gov, ernet, ac, res, co under .in.]
1547 TLDs as on July 2017.
Each TLD is managed by designated entities called registries (for example: .com and .net are managed by Verisign; .in is managed by the National Internet Exchange of India).
https://en.wikipedia.org/wiki/INRegistry
DNS Zone
[Figure: the example.com subtree under .com, with child domains usa, uk, france, and newyork, chicago under usa.]
Zone: a domain (or subdomain) that is served by a name server. A zone may be an entire domain with all its child domains, or a portion of a domain. A zone can be the entire subtree starting at example.com, or the company may decide to have several subzones, for example one at usa.example.com.
Authoritative Name Servers
[Figure: a zone with its start of authority and two authorities, 1 primary and the other secondary.]
Each DNS zone has at least one authoritative name server that publishes information about that zone. They are called 'authoritative' because they provide original answers to DNS queries, as opposed to obtaining answers from other DNS servers.
DNS Query Process
Local DNS Server and Iterative Query Process
[Figure: the local DNS server iteratively querying the root server, the .NET server and the example.net server.]
The iterative process starts from the ROOT server. If it doesn't know the IP address, it sends back the IP addresses of the name servers of the next level (the .NET server), which in turn refers the resolver to the last level server (example.net), which provides the answer.
DNS Query Process
http://www.iitm.ac.in is entered in the web browser.
1. Local system: look up the /etc/hosts file. Can the /etc/hosts file resolve (have the IP address for) www.iitm.ac.in?
2. Local DNS server: look up the local DNS server (the server present in the LAN). How to identify the IP address of the local DNS server? (/etc/resolv.conf) This needs to be configured, or can be found automatically: if the system is configured for DHCP, then this file is modified automatically. If the local DNS server can resolve the address, then we are done. Else, the resolver is activated. The resolver needs to query another DNS server, higher up in the hierarchy.
3. The resolver in the local DNS server queries the root name server.
   (from resolver) What is the IP address of www.iitm.ac.in?
   (from root server) I don't know the answer; you can ask any of these authorities.
   The resolver then directly sends the query to one of those servers.
4. The resolver in the local DNS server queries the TLD server.
   (from resolver) What is the IP address of www.iitm.ac.in?
   (return) I don't know the answer; you can ask any of these authorities.
5. The resolver in the local DNS server queries the next level NS.
   (from resolver) What is the IP address of www.iitm.ac.in?
   (return) The SOA is dns1.iitm.ac.in.
DNS Cache
• The local DNS server will cache all responses from other DNS servers (to reduce queries).
• A TTL is available with all responses, which determines when the entry would be removed from the cache.
• Due to caching, most resolver queries do not need a query to the root server.
• Only 2% of all queries to the root servers are legitimate:
  • 75% were due to incorrect or non-existent caching
  • 12.5% to unknown TLDs
  • 7% were for lookups of IP addresses, as if they were domain names
https://en.wikipedia.org/wiki/Root_name_server
Set Up DNS Zones on Local DNS Server
• Utility in Linux: bind9
• Create zones: create two zone entries in the DNS server by adding them to /etc/bind/named.conf:
  one for reverse lookup (IP -> hostname), and
  one for forward lookup (hostname -> IP).
Zone File for Forward Lookup
/etc/bind/example.net.db (the file name is specified in named.conf)
@: represents the origin specified in named.conf (the string after "zone") [example.net]
Zone File for Reverse Lookup
/etc/bind/192.168.0.db (the file name is specified in named.conf)
Testing the setup
Need to ensure that resolv.conf is pointing to the recently set up DNS server.
DNS Queries
http://www.zytrax.com/books/dns/ch15/
DNS Query Format
[Figure: layout of the DNS message: header followed by the question, answer and authority sections.]
Message header: sent in the query and reflected back by the response.
QR = 0: query; QR = 1: response.
Opcode: 0: query, 1: inverse query, 2: status.
AA: Authoritative Answer.
DNS Question Section
[Figure: fields of the question section.]
DNS Answer Section
[Figure: fields of the answer section.]
DNS Authority Section
[Figure: fields of the authority section.]
This section mentions the servers that are the ultimate authority for answering DNS queries. Answers may be obtained from the cache of other DNS servers; the authority section can be used to check against the authoritative response.
Attacks on Local DNS Servers: Cache Poisoning Attacks
[Figure: user machine -> local DNS server -> DNS hierarchy; query and response steps 1 to 4.]
[Figure: a spoofed response can be sent either to the user machine or to the local DNS server.]
Spoofed response to the user machine: damage limited; the user machine does not store the result.
Spoofed response to the local DNS server: considerable damage; the DNS server stores the response and it can affect all systems in the network for a long time. The cache is poisoned.
[Figure: the attacker sniffs the local DNS server's query for www.example.net and spoofs the response; the cache is poisoned.]
Local DNS Cache Poisoning Attack
Goal: forge DNS replies after seeing a query from the local DNS server.
Technique: sniffing and spoofing.
Local DNS Cache Poisoning Attack
[Figure: screenshots of the attack and its result.]
Inspect the Cache
● Run "sudo rndc dumpdb -cache" and check the contents of "/var/cache/bind/dump.db".
● Clean the cache using "sudo rndc flush" before doing the attack.
Targeting the Authority Section
The authority section can also be targeted: the spoofed response names ns.attacker.net as the name server. Any DNS query sent to the local DNS server will then (if needed) be directed to the attacker's ns.attacker.net.
[Figure: the same sniff-and-spoof attack, now poisoning the cached name server record for www.example.net.]
What if we can't sniff and can only spoof?
Cache Poisoning Without Sniffing
Two difficulties in creating a valid spoof:
1. Need to guess the local DNS server's source port (2^16 possibilities).
2. The response should have the same message ID as the DNS query in step (2).
Brute force attack: 2^32 combinations in all; at 1000 spoofed responses/second, it will take 50 days to try all 2^32 possibilities.
Further Difficulties: the Local DNS Server's Cache
[Figure: the local DNS server queries the hierarchy (2) for www.example.net; the real response (3) is cached (4); subsequent queries (5, 6, 7) are answered from the cache.]
If the real response (3) arrives and it is cached (4), then subsequent queries will be read off the cache (5 -> 6 -> 7) and no query is made by the local DNS server. Thus, to make another try, the attacker has to wait till the cache entry is flushed.
Flaw in the Protocol
● When looking up sibling names like 1.google.com and 2.google.com.
  ○ Attackers can do this and say they're the official server for www.google.com, telling the local DNS server what www. needs to be, and the local DNS server will believe the attacker.
https://duo.com/blog/the-great-dns-vulnerability-of-2008-by-dan-kaminsky
Kaminsky Attack
How to keep trying spoofed DNS responses (2^32 times) without worrying about the cache effect?
Kaminsky's idea:
• Ask a different question every time, so caching the answer does not matter, and the local DNS server will send out a new query each time.
• Provide the forged answer in the Authority section.
The Kaminsky Attack: A Sample Response
[Figure: an annotated sample response.]
• Question: this random name will change for each attack attempt.
• Answer section: this answer does not matter.
• Authority section: this is what we want the local DNS server to cache. It tells the DNS server to use this one as the name server for the example.com domain.
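As an added example (not code from the lecture or from Du's book), the following Python parses a DNS message into the header fields and the question, answer and authority sections described in the DNS Query Format slides, then applies the bailiwick rule to a constructed response shaped like the sample above: the in-bailiwick NS record for example.com is kept, while the glue record for ns.attacker.net, whose owner name lies outside example.com, is dropped. All names, addresses, TTLs and the message ID are constructed values.

```python
import struct
def encode_name(name):          # wire form of a name: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):        # decode a name at off, following RFC 1035 compression pointers
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:    # pointer: remember where to resume, then jump to the target
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + n].decode("ascii")); off += 1 + n

def parse_message(msg):         # -> header dict, question list, {answer, authority, additional}
    ident, flags, *counts = struct.unpack("!6H", msg[:12])
    hdr = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
           "aa": (flags >> 10) & 1, "rcode": flags & 0xF}
    off, questions = 12, []
    for _ in range(counts[0]):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4])); off += 4
    sections = {}
    for sec, cnt in zip(("answer", "authority", "additional"), counts[1:]):
        sections[sec] = []
        for _ in range(cnt):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            rdata = read_name(msg, off)[0] if rtype == 2 else ".".join(map(str, msg[off:off + rdlen]))
            sections[sec].append((name, rtype, ttl, rdata)); off += rdlen
    return hdr, questions, sections

def bailiwick_filter(sections, zone):
    """Bailiwick rule: keep authority/additional RRs whose owner name is at or under `zone`, drop the rest."""
    kept, dropped = {"authority": [], "additional": []}, []
    for sec in kept:
        for r in sections[sec]:
            (kept[sec] if r[0] == zone or r[0].endswith("." + zone) else dropped).append(r)
    return kept, dropped

def rr(owner, rtype, ttl, rdata):   # owner: encoded name or 2-byte compression pointer
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample shaped like the Kaminsky response: random name, irrelevant answer, forged
# "example.com NS ns.attacker.net" in the authority section, out-of-bailiwick glue in additional.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 1, 1)             # ID; QR=1, AA=1; counts
          + encode_name("xyz123.example.com") + struct.pack("!HH", 1, 1)
          + rr(b"\xc0\x0c", 1, 60, bytes([10, 0, 0, 1]))             # owner = pointer to offset 12
          + rr(b"\xc0\x13", 2, 86400, encode_name("ns.attacker.net"))  # owner = pointer to "example.com"
          + rr(encode_name("ns.attacker.net"), 1, 86400, bytes([10, 0, 0, 2])))
```

The NS record itself passes the bailiwick check, which is why the attack still comes down to matching the message ID and source port (the 2^32 figure above) rather than defeating this filter.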
Spoofing Replies: IP and UDP Headers
[Figure: IP and UDP header fields of the spoofed reply.]
Spoofing Replies: DNS Header and Payload
[Figure: DNS header and payload of the spoofed reply; flags mark it as a DNS response whose answer is authoritative.]
Digital Signatures
Protection Against DNS Cache Poisoning Attacks: DNSSEC
● DNSSEC is a set of extensions to DNS, aiming to provide authentication and integrity checking on DNS data.
● With DNSSEC, all answers from DNSSEC-protected zones are digitally signed.
● By checking the digital signatures, a DNS resolver is able to check whether the information is authentic or not.
● DNS cache poisoning will be defeated by this mechanism, as any fake data will be detected because it will fail the signature check.
Protection Using DNSSEC
Protection Using TLS/SSL
The Transport Layer Security (TLS/SSL) protocol provides a solution against the cache poisoning attacks.
● After getting the IP address for a domain name (www.example.net) using the DNS protocol, a computer will ask the owner (server) of the IP address to prove that it is indeed www.example.net.
● The server has to present a public-key certificate signed by a trusted entity and demonstrate that it knows the corresponding private key associated with www.example.net (i.e., it is the owner of the certificate).
● HTTPS is built on top of TLS/SSL. It defeats DNS cache poisoning attacks.
DNSSEC versus TLS/SSL
● Both DNSSEC and TLS/SSL are based on public key technology, but their chains of trust are different.
● DNSSEC provides a chain of trust using the DNS zone hierarchy, so name servers in the parent zones vouch for those in the child zones.
● TLS/SSL relies on a Public Key Infrastructure which contains Certificate Authorities vouching for other computers.
Denial of Service Attacks on Root Servers
Attacks on the root and TLD servers: if the attackers can bring down the servers of the root zone, they can bring down the entire Internet. However, attacking the root servers is difficult:
● The root name servers are highly distributed. There are 13 (A, B, ..., M) root name servers (server farms) consisting of a large number of redundant computers to provide reliable services.
● As the name servers for the TLDs are usually cached in the local DNS servers, the root servers need not be queried till the cache expires (48 hrs). Attacks on the root servers must last long to see a significant effect.
Denial of Service Attacks on TLD Servers
Name servers for the TLDs are easier to attack. TLDs such as gov, com, net, etc. have quite resilient infrastructure against DoS attacks. But certain obscure TLDs, like some country-code TLDs, do not have sufficient infrastructure. Due to this, the attackers can bring down the Internet of a targeted country.
Attacks on Name Servers of a Particular Domain
Dyn network: in 2016, multiple DDoS attacks were launched against a major DNS service provider for companies like CNN, BBC, HBO, PayPal, etc. The attacks are believed to have been launched through a botnet consisting of different IoT devices like IP cameras, baby monitors, etc. It made major Internet services unavailable.
Mirai Botnet Malware
● Number of IoT devices increasing at a rapid rate
● These devices are characterized by
  ○ Low profile
  ○ Less user interaction
  ○ Security often compromised (for better performance / smaller profile)
  ○ Not always up-to-date with security patches
● Malware with IoT devices as targets
  ○ Bashlite and Mirai are the most popular
  ○ PNScan targets x86 platforms
    ■ Tries to determine the router login based on a special dictionary
    ■ Connects over ssh using predefined user credentials
Low hanging fruit for hackers
Mirai BotNet Malware
(Source: The Mirai Botnet and the IoT Zombie Armies, 2017)
280 Gbps max flooding, 50,000 unique IPs, 164 countries
Bots: ELF images, coded in C, responsible for (1) propagation of the malware and (2) the actual attack.
Targets Linux-based IoT devices, mostly busybox systems like webcams, cameras, etc.
Infiltration
Every bot generates random IPs and tries to connect to port 23 (telnet) or port 2323 (alternate telnet port), then runs a brute force dictionary search for valid usernames and passwords that will permit login. The dictionary is built of 62 possible username/password pairs. These include admin account credentials, debug logins, usernames with no passwords, etc.
Some IP addresses are blacklisted: loopback, internal networks, multicast networks, US Postal Service, DoD, GE, HP, IANA,
On a successful login:
• Try to establish a shell, especially interested in a busybox shell.
• Report the successful login to the report server.
(It does not try to change the password on the new victim.)
Infrastructure
Command and Control: the management server, implemented in Go. At any time, it can get a list of active bots from the report server. It can also, at any time, instruct the loader to load malware into the bot.
Loader: depending on the hardware architecture of the bot, it instructs the bot to download (using wget or tftp) and execute the required binary image of the malware. Before this is done, the bot needs to know a partition that is writeable. If tftp or wget clients are not available, the malware will employ echo commands to dynamically create the executable.
18 hardware variants supported, including ARM, MIPS, x86, SPARC.
The newly formed bot establishes a connection with the C&C, with periodic heartbeats between the two. Other activities in the bot:
• Memory scraping to identify other malware present in the bot. If found, kill the process (it wants to own the device).
• Deletes itself from the persistent storage. Will only be available in RAM (fileless malware).
• Monitors the watchdog timer to defend against system hangs and reboots.
• On command, can start a variety of floods: SYN, ACK, UDP, GRE IP, ETH, STOMP, DNS, and application-layer flooding.
All bots attack the target on command. Peak: 620 Gbps. Controls 0.5 million IoT devices. On a Raspberry Pi 3: 25,000 SYN packets per second.
Other Mirai Variants
● US university (Feb 2017)
● Windows-based strain
● Mirai strain used for bitcoin mining
Detection
● Patterns of communications
  ○ Huge communication on ports 23, 2323, 22 for authorization purposes
  ○ Frequent exchange of traffic with the infrastructure
  ○ Surge of egress traffic throughout the course of the attack
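The three detection patterns above, turned into checks over per-host flow records, as an added example that is not part of the lecture: a host that probes many distinct destinations on ports 23/2323/22, keeps up repeated small exchanges with one outside host, and then shows an egress surge against its learned baseline. The flow records, baseline figures, addresses and the port 4444 are all constructed for the example.

```python
from collections import defaultdict
TELNET_SSH_PORTS = {23, 2323, 22}

FLOWS = [  # constructed (src, dst, dport, bytes_out) records for one observation window
    ("10.0.0.5", "198.51.100.23", 23, 90),      # scanning random hosts on telnet ports
    ("10.0.0.5", "198.51.100.77", 2323, 90),
    ("10.0.0.5", "203.0.113.4", 23, 90),
    ("10.0.0.5", "192.0.2.10", 4444, 48),       # repeated small exchanges with one external host
    ("10.0.0.5", "192.0.2.10", 4444, 48),       # (heartbeat-like; port 4444 is a constructed value)
    ("10.0.0.5", "192.0.2.10", 4444, 48),
    ("10.0.0.5", "192.0.2.200", 80, 60000),     # large egress burst toward one destination
    ("10.0.0.9", "10.0.0.1", 22, 4000),         # one admin ssh session: benign
    ("10.0.0.12", "198.51.100.5", 443, 25000),  # ordinary web traffic: benign
]
# Constructed per-host egress baseline (bytes per window) learned before the incident.
BASELINE = {"10.0.0.5": 2000, "10.0.0.9": 50000, "10.0.0.12": 80000}
def probing_sources(flows, min_targets=3):
    """Hosts opening telnet/ssh connections to >= min_targets distinct destinations."""
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport in TELNET_SSH_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def beaconing_sources(flows, min_repeats=3, max_bytes=100):
    """Hosts with >= min_repeats small flows to the same dst:port (report-server/C&C style exchanges)."""
    counts = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if nbytes <= max_bytes:
            counts[(src, dst, dport)] += 1
    return {src: f"{dst}:{dport}" for (src, dst, dport), n in counts.items() if n >= min_repeats}

def egress_surge(flows, baseline, factor=10):
    """Hosts whose egress in this window exceeds factor x their learned baseline."""
    total = defaultdict(int)
    for src, _, _, nbytes in flows:
        total[src] += nbytes
    return {src: b for src, b in total.items() if b > factor * baseline.get(src, 0)}

def mirai_indicators(flows, baseline):
    """Combine the three patterns; a host matching all three is a strong candidate for isolation."""
    report = defaultdict(list)
    for src, n in probing_sources(flows).items():
        report[src].append(f"probing {n} hosts on telnet/ssh ports")
    for src, peer in beaconing_sources(flows).items():
        report[src].append(f"repeated small exchanges with {peer}")
    for src, b in egress_surge(flows, baseline).items():
        report[src].append(f"egress surge: {b} bytes")
    return dict(report)
```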
Mitigation
Short-term mitigations
● Blocking the TCP ports used for probing and brute forcing the device
● Filtering egress and ingress packets by TCP rules
Better design strategies
● Least privilege implementations
● Capability-based systems
● Microkernel / unikernel based approaches (Linux is too large for embedded applications)