Security for the internet s domain name system dns
Download
1 / 25

- PowerPoint PPT Presentation


  • 403 Views
  • Updated On :

Security for the Internet’s Domain Name System (DNS) Briefing for BITS 24 June 2005 Introduction Attacks via and against the DNS infrastructure are increasing Attacks are becoming costly and difficult to remedy Consumer confidence in Internet accuracy is decreasing

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about '' - Antony


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Introduction l.jpg
Introduction

  • Attacks via and against the DNS infrastructure are increasing

    • Attacks are becoming costly and difficult to remedy

    • Consumer confidence in Internet accuracy is decreasing

  • The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness

    • It called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols

    • The DNSSEC Deployment Initiative is one of these partnerships


The department of homeland security dnssec deployment initiative l.jpg
The Department of Homeland Security DNSSEC Deployment Initiative

  • DHS Science and Technology (S&T) Directorate sponsors several Internet security initiatives including

    • DNS Security Extensions

    • Secure Protocols for the Routing Infrastructure

    • Protected Repository for the Defense of Infrastructure against Cyber Threats

  • DHS cannot secure the Internet

    • But is taking a leadership role in facilitating public-private partnerships that will result in a more secure Internet


Dnssec initiative activities l.jpg
DNSSEC Initiative Activities Initiative

  • Roadmap published in February 2005

    • http://www.dnssec-deployment.org/roadmap.php

  • Multiple workshops held world-wide

  • DNSSEC testbed developed by

    • http://www-x.antd.nist.gov/dnssec/

  • Formal publicity and awareness plan under development

  • Civilian government (.gov) developing policy and technical guidance for secure DNS operations and beginning deployment activities at all levels.

  • The “.us” and “.mil” zones are also on track for DNSSEC compliance


Background dns attacks l.jpg
Background: DNS Attacks Initiative

  • Financial/large enterprises are seeing a significant increase in online attacks for fraudulent purposes

    • Hijacking (virtual theft of domain names)

    • Phishing (look-alike fraudulent emails and web sites)

    • Pharming (phishing combined with DNS attacks)

  • Other attacks include DNS name mismatches or browser tricks aimed at careless users:

    • Names with international characters that look like Latin equivalents in browser URL windows, for example

      • http://www.paypаl.com

      • http://www.miсrоsоft.com

    • Name mismatch in e-commerce certificates



User easily misses dns name mismatch on the ssl certificate clicks ok l.jpg

www.robecodirect.nl Initiative

www.robecoadvies.nl

User Easily Misses DNS Name Mismatch on the SSL Certificate, Clicks “OK”


Breaking the back of the internet l.jpg
Breaking the Back of the Internet Initiative

  • Forged DNS data breaks most web applications

    • Genuine web sites can appear to be replaced with a false site without ever touching the original site

    • E-mail, b2b, backend applications can be re-routed or mis-delivered

    • Logins can be compromised through man in the middle attacks leading to identity theft

  • DNS attack tools are readily available on the Internet (for example, dsniff, dnshijack, and many more) and they are all FREE!

  • We’ll look at some real attacks in a moment…


Dns software is part of the problem l.jpg
DNS Software is Part of the Problem Initiative

  • There are many bugs in software and other issues underlying each specific attack

  • A protocol/infrastructure approach to DNS security is best:

    • Because it is infrastructural, it detects and addresses attacks independent of software holes

    • New bugs and holes will always arise, but with the right upfront work, the system is catching the attacks (and the bugs) before the damage mounts


Dns tutorial l.jpg

net. Initiative

com.

os.net.

money.net.

zone

kids.net.

corp.money.net.

hi.kids.net.

nt.os.net

bye.kids.net.

unix.os.net

dilbert.corp.money.net.

mac.os.net

market.corp.money.net.

DNS Tutorial

.

domain


Dns name resolution l.jpg
DNS Name Resolution Initiative

Root Server

TLD Server

Zone Server

Other Servers

  • Important “Other” servers include:

  • ISP

  • Enterprise

  • Hotel/travel

  • Public WLAN

"End" user

Local DNS Server


A simple dns attack l.jpg
A Simple DNS Attack Initiative

Easy to observe UDP DNS query sent while working in Airport Lounge’s Wireless LAN

First response wins. Second response is silently dropped on the floor.


Recent attacks barclay wildcard l.jpg
Recent Attacks: Barclay Wildcard Initiative

  • In this attack, a version of pharming, a user is presented with an encoded URL for a destination, which looks correct on common browsers

    • Is that a bug or a feature?

  • Even if users become weaned from reacting to pharming email, this URL might show correctly in dynamic click-ads

  • URL resolves to a redirector site in Russia


Url with encoded redirector l.jpg
URL with Encoded Redirector Initiative

  • http://barclays.co.uk|snc9d8ynusktl2wpqxzn1anes89gi8z.dvdlinKs.at/pgcgc3p/

  • Possible solutions:

    • “Fix” all browsers and people against these attacks (and each new one that gets invented)

    • Make the infrastructure generally robust against all redirection attacks

  • The second option is best


Barclay wildcard l.jpg
Barclay Wildcard Initiative

http://news.netcraft.com/archives/2005/03/07/

phishers_use_wildcard_dns_to_build_convincing_bait_urls.html


Recent attacks isp cache poisoning l.jpg
Recent Attacks: ISP Cache Poisoning Initiative

  • DNS cache poisoning is an old problem but seems to continue unabated

    • Symantec products found to be vulnerable in March 2005

    • Microsoft and BIND cache poisoning attacks in April 2005

    • DNS bots in May 2005

  • Details on a recent large DNS cache poisoning attack at http://isc.sans.org/presentations/dnspoisoning.php


Cache poisoning one method l.jpg
Cache Poisoning – One Method Initiative

  • Attacker floods local DNS server with hundreds of queries for www.cnn.com

  • Attacker then floods DNS server with hundreds of spoofed replies that appear to come from ns.cnn.com (CNN’s authoritative name server)

  • Local DNS server is now “poisoned” with false data


Cache poisoning another method l.jpg
Cache Poisoning – Another Method Initiative

  • Attacker sends a request to your local DNS asking it to resolve www.attacker.net

  • Your local DNS server queries ns.attacker.net for the data

  • ns.attacker.net replies, but also includes false information on www.cnn.com

  • Your DNS server caches the false data on www.cnn.com


Isp cache poisoning impacts l.jpg
ISP Cache Poisoning - Impacts Initiative

  • In March 2005 hundreds of DNS names were poisoned in a large attack, including

    • americanexpress.com, citicards.com, dhl-usa.com, fedex.com, walmart.com, sabre.com, and many more

    • Any of these may have had man-in-the-middle attacks such as stolen passwords or intercepted traffic

  • Lucrative spam, spyware and pay-per-click outcomes appear to be the motive


One defensive solution dnssec l.jpg
One Defensive Solution: DNSSEC Initiative

  • The DNS Security Extensions (DNSSEC) protocol provides a key ingredient in the defense against these attacks

  • Understanding these attacks and the risk-benefits of DNSSEC is critical

    • Taking action is similar to the run-up to Y2K

    • Except that we don’t have a firm deadline like December 31, 1999 to fix it

  • Requires cooperation between and among Internet users and service providers


What does dnssec do l.jpg
What Does DNSSEC Do? Initiative

  • Provides an approach so DNS users can:

    • Validate that data they receive came from the correct originator Source Authenticity

    • Validate that data they receive is the data the originator put into the DNS Data Integrity

  • This approach integrates with existing server infrastructure and user clients

  • Maximized benefit when application software can determine if DNS data was received with authenticity and integrity


Dnssec overview l.jpg
DNSSEC Overview Initiative

  • Each DNS zone signs their data with their private key

    • Signing should be done with zone data preparation

  • User queries are answered with:

    • the requested information

    • DNSSEC data for the requested information

  • Users authenticate responses with trusted key(s)

    • At least one trusted public key is pre-configured

    • Validation done with pre-configured key or keys learned via a sequence of queries to the DNS hierarchy

  • Enables and supports other security technologies


Dnssec risk cost points l.jpg
DNSSEC Risk-Cost Points Initiative

  • Attackers use DNS vectors to make money

    • Both the loss from the attack and the cost to the infrastructure can be significant

    • Cost to attacker is low or nothing, gain is high

  • Security always has costs

    • What is the risk-benefit?

    • Costs will include software, training, performance, and administrative relationships to zone operators


Stages for next steps and discussion l.jpg
Stages for Next Steps and Discussion Initiative

  • Risk (and cost) analysis CRITICAL!

  • Test and engineering

    • Discussions with many communities, including with the relevant Top Level Domain registries

  • Production

    • Including communication with zone providers, registrars, governing agencies, and software vendors

  • Leadership in the private and public sectors


Background information and contributors l.jpg
Background Information and Contributors Initiative

  • For lots of detailed information:

    • www.dnssec-deployment.org

    • www.dnssec.net

  • Authors of materials in this presentation (all from dnssec-deployment working group)

    • Amy Friedlander (Shinkuro)

    • Allison Mankin (Shinkuro)

    • Marcus Sachs (SRI)

    • Ed Lewis (Neustar)

    • Olaf Kolkman (Netlabs.nl)

    • Russ Mundy (Sparta)