DNS Poisoning Attacks


Presentation Transcript

Slide 1

DNS Poisoning Attacks
November 2005
John (Jenya) Neystadt
Security Test Lead
Microsoft Israel R&D

Slide 2

A Short Overview on DNS
Internet: Authoritative DNS Servers (dns.hacker.com, dns.microsoft.com)
Caching DNS Server
Resolver: gethostbyname(www.microsoft.com)
Server: www.microsoft.com is 1.2.3.4
Client

Slide 3

A Simple Attack – Sending Additional Resource Records
Server
gethostbyname(www.hacker.com)
www.hacker.com is 1.2.3.4, and www.microsoft.com is 5.5.5.5
DNS Cache: www.hacker.com = 1.2.3.4, www.microsoft.com = 5.5.5.5
Client

Slide 4

An Even Easier Attack – Just Lying
Server
gethostbyname(www.microsoft.com)
www.microsoft.com is 6.6.6.6
Client

Slide 5

The Problem
DNS is not a secure protocol
Every host on the Internet can claim to be authoritative for answering queries
Even if a DNS server is authoritative for domain A, it doesn't mean it can be trusted to give truthful answers for domain B
All answers are assumed to be truthful

Slide 6

Other Protocols in the TCP/IP Protocol Suite
DHCP – non-secure
HTTPS – secure

Slide 7

More Sophisticated Attacks
PRNG Vulnerability
The Birthday Attack
Both attacks rely on the "First answer wins" property

Slide 8

Query ID
Each DNS query contains an ID
A response contains the matching query ID
The ID is generated by a PRNG
In most past implementations the ID was generated by a weak PRNG function.

Slide 9

PRNG Attack
"I don't know… I'd better ask someone else"
First answer wins!
gethostbyname(www.microsoft.com)
www.microsoft.com is 1.2.3.4
gethostbyname(www.microsoft.com)
www.microsoft.com is 6.6.6.6
Server
Client

Slide 10

PRNG Attack (cont)
In older systems it was possible to predict the next PRNG number by observing just the last number generated.
In newer systems it is possible to predict the next number with success probability of 0.2 by observing the last 5000 numbers. Much better, but still not great.

Slide 11

The Birthday Attack
[Diagram: many identical gethostbyname(www.microsoft.com) queries, and many replies "www.microsoft.com 6.6.6.6"]

Slide 12

The Birthday Attack (cont)
Based on the mathematical phenomenon called the Birthday Paradox:
If there are 23 people in the room, the probability that you share a birthday with someone else is at most 23/365.
However, what is the probability that 2 people share the same birthday? It is greater than 0.5!
The problem is that the server generates a recursive query for each of the client's queries
This vulnerability has nothing to do with the quality of the PRNG function.
There are many DNS servers that are still vulnerable to this attack, including Microsoft's implementation.

Slide 13

The Birthday Attack (cont)
The probability of succeeding in the birthday attack while sending 700 queries is close to 1
The probability of succeeding with just sending 700 packets is 0.01
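
The two figures on this slide, and the 23-person figure from the previous one, can be reproduced with a short calculation. This is an added example, not part of the original presentation; it assumes a 16-bit query ID, distinct IDs across the spoofed replies, independent uniformly random IDs on the resolver's outstanding queries, and a hypothetical helper `outstanding_after_coalescing` that models a resolver merging identical pending questions.

```python
ID_SPACE = 2 ** 16  # the DNS query ID field is 16 bits wide


def p_match(spoofed: int, outstanding: int, id_space: int = ID_SPACE) -> float:
    """P(at least one spoofed reply carries the ID of an outstanding query).

    Assumed model: the spoofed replies use distinct IDs, and each
    outstanding query has an independent, uniformly random ID.
    """
    if not 0 <= spoofed <= id_space or outstanding < 0:
        raise ValueError("need 0 <= spoofed <= id_space and outstanding >= 0")
    return 1.0 - (1.0 - spoofed / id_space) ** outstanding


def p_shared_birthday(people: int, days: int = 365) -> float:
    """Birthday paradox: P(at least two of `people` share a birthday)."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= max(days - i, 0) / days
    return 1.0 - p_all_distinct


def outstanding_after_coalescing(pending_names: list) -> int:
    """Hypothetical resolver policy: one upstream query per distinct name."""
    return len({name.lower().rstrip(".") for name in pending_names})


if __name__ == "__main__":
    burst = ["www.microsoft.com"] * 700  # constructed sample: 700 identical queries
    print(f"23 people, any shared birthday:  {p_shared_birthday(23):.3f}")
    print(f"700 replies vs 1 query:          {p_match(700, 1):.4f}")
    print(f"700 replies vs 700 queries:      {p_match(700, len(burst)):.4f}")
    merged = outstanding_after_coalescing(burst)
    print(f"700 replies vs {merged} merged query:   {p_match(700, merged):.4f}")
```

Merging identical pending questions brings the 700-query case back to the single-query odds, whatever the quality of the PRNG.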

Slide 14

What Can Be Done to Mitigate the Attack?
Firewalls:
Truncate packets with additional resource records
How should it deal with the birthday attack?
How should it deal with the PRNG vulnerability attack?
Set up "Split DNS", protect your network's caching DNS server from Man-in-the-Middle attacks
