View
218
Download
2
Category
Preview:
Citation preview
1
Presented by:
Syed Nasir Mehdi
PhD Computer Science and EngineeringBiocom Lab
snasirmehdi@hanyang.ac.kr
•
INCREASED DNS FORGERY
RESISTANCE THROUGH 0X20
BIT ENCODING
DAVID DAGONMANOS ANTONAKAKIS
PAUL VIXIETATUYA JINMEI
WENKE LEE
2
IntroductionBackgroundDNS NomenclatureDNS PoisoningBasic DNS Poisoning ModelDNS Ox20 Bit Encoding QueriesAnalysisOx20 ProbingRelated Work Future Work Conclusion
OUTLINE
3
Main Goal: To make DNS queries more resistant to poisoning attacks:
What it entails: Creation of DNS light-weight forgery-resistance technology
How : Preservation of case encoding of DNS Queries by Authority
Servers bit-for-bit and upon return the verification of the same and caching by recursive server.
Constraints: No Radical Changes. DNS Infrastructure should remain intact Protocol Stability. DNS Protocol should remain intact Backward Compatible. Other technologies that rely on existing
DNS standards should remain intact
Example: www.example.com, recursive DNS servers would instead query for wwW.eXamPLe.cOM
INTRODUCTION
4
DNSStub Resolver(Client)Resolver(Name Server)Recursive Resolver(NS Client) Authoritative Servers(SOA)Zone(.net, .org)DelegationCaching RRRoot(13)WHOIS(Registrant,nameserverTTL)
DNS OVERVIEW
5
Attackers can iterativelyObserve cache values over t ime OR be forced to do lookups Guess the 16 bit ID-fi eld Birthday Attacks Exploit weak random number generation. Berstein suggests UDP ports+ID Kaminsky class(IN A answer+NSupdate) No of guesses attackercan make. Port randomization togrow the key space.
DNS POISONING
6
Definition 1: DNS server isforgery resistant where TTL(caching period) ≫ △t, and the chance of an attack being successful within △t time is low.Assumption 1. If attack isnot 10% likely to succeed within Tmax, we deem the DNS server is forgery
resistant.
DNS POISONING MODEL
7
DNSSEC DNS servers, KingKaminsky-class advocate theImportance of RTT. Calculate tA,tB, tC andThen calculate RTT= tC-tB.Verify tC-tB ≈ tC −tA If domain cached,Avg response time<100ms If not cached, 400ms. Answer’s TTL(caching period)
RTT
8
RTT OBSERVATIONS
Randomly select 5000 servers, with hosts open recursive.
9
α = Number of Diff erent DNS IDs 2¹6 β = Number of Source Ports (conceptual ly 2¹6) γ = Number of Ports excluded 1024 as per kernel resources θ = Number of authority servers and recursive IPs. attacker has to spoof the correct authority source address apart from
query ID and port. = 1/ α ∗ (β − γ) ∗ θ With 3 authority servers, =1/ 2¹6 ∗ (2¹6 − 1024) ∗ 3≈1 12.7B = n/α ∗ (β − γ) ∗ θ Observations:
1. not every recursive DNS server can implement port randomization, since it poses unique engineering challenges.+ sockets selection
2. Some DNS servers are more important targets e.g ISP We therefore need addit ional DNS protection measures
RTT OBSERVATIONS
successP
successP
(n) successP
10
Cached Query Resolver-OR RTT: SOA-OR First Query: Resolver-SOA
RTT OBSERVATIONS
11
DNS OX20 BIT ENCODING QUERIES
12
ANALYSIS
13
OX20 PROBING
14
PROBING..
15
PROBING
16
3 weeks non stop internet scan 75 mill ion name servers 7 mill ion queries .3% who don’t support Under high volumes they return identicalqueries/s for same Domain DNS fi ngerprinting scans<0.28%, behave this way,load balancers or hardware accelerators 99.7% support 0x20 encoding scheme withoutchanging their code base.
MORE OBSERVATIONS
17
TSIG or SIG(0) and TKEY for message integrityDomain Name System (DNS) Cookies” IETF draft on DNS forgery resilience discusses many
aspects of DNS poisoningDoX, a peer-to-peer DNS replacement, motivated by
DNS poisoningTCP SYN Cookies proposed by DJ Bernstein and Eric
Schenk in 1996 as a means to stop resource exhaustion DDoS attacks on TCP stacks, Most related, similar the DNS encoding scheme
RELATED WORK
18
Approach adopted1. Require no radical changes to the DNS infrastructure;2. Make no major changes to the existing protocol3. Be backwards compatible, so that even just a few DNS servers
can elect to adopt it With small exceptions (≈ 0.3%) the world’s authority servers
appear to already preserve the encoding scheme. DNS-0x20 encoding does not provide strong guarantees for
transaction integrity, it just raises the bar. DNS messages can have an additional 12-bits of state, perhaps a
reason of slow adoption of other comprehensive DNS security schemes.
CONCLUSION
19
There may be key management issues to consider. Stateless encoding schemes for domain names using
ox20 bitset of queries, Modifications and implementation for embedded
devicesUpdate deployed embedded DNS systemsPolicy options for DNS-0x20 recursive servers Capacity of the covert channel that DNS ox20 creates
FUTURE WORK
20
This material was based upon work supported in part by the National Science Foundation under Grant No. 0627477 and the Department of Homeland Security under Contract No. FA8750-08- 2-0141. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation and the Department of Homeland Security.
ACKNOWLEDGEMENTS
Recommended