Increased DNS Forgery Resistance Through 0x20 Bit Encoding
Download
Report
Transcript Increased DNS Forgery Resistance Through 0x20 Bit Encoding
•
INCREASED DNS
FORGERY RESISTANCE
THROUGH 0X20 BIT
ENCODING
DAVID DAGON
MANOS ANTONAKAKIS
PAUL VIXIE
TATUYA JINMEI
WENKE LEE
P re s e nted by :
Syed Nasir
Mehdi
P h D C o m pute r
Sc i e n c e a n d
E n g inee rin g
B i o c om La b
snasirmehdi@
hanyang.ac.kr
1
OUTLINE
Introduction
Background
DNS Nomenclature
DNS Poisoning
Basic DNS Poisoning Model
DNS Ox20 Bit Encoding Queries
Analysis
Ox20 Probing
Related Work
Future Work
Conclusion
2
INTRODUCTION
Main Goal: To make DNS queries more resistant to poisoning
attacks:
What it entails: Creation of DNS light-weight forgery -resistance
technology
How :
Preservation of case encoding of DNS Queries by Authority Servers bit for-bit and upon return the verification of the same and caching by
recursive server.
Constraints:
No Radical Changes. DNS Infrastructure should remain intact
Protocol Stability. DNS Protocol should remain intact
Backward Compatible. Other technologies that rely on existing DNS standards
should remain intact
Example: www.example.com, recursive DNS servers would
instead query for wwW.eXamPLe.cOM
3
DNS OVERVIEW
DNS
Stub Resolver(Client)
Resolver(Name Server)
Recursive Resolver(NS Client)
Authoritative Servers(SOA)
Zone(.net, .org)
Delegation
Caching
RR
Root(13)
WHOIS(Registrant,nameserver
TTL)
4
DNS POISONING
A t t a c ke r s c a n i te r a t i ve l y
O b s e r ve c a c h e v a l u e s o v e r t i m e
O R b e f o r c e d to d o l o o kup s
G u e s s t h e 16 b i t I D - f i el d
B i r t h d ay A t t ac k s
Exploit weak random number
generation.
B e r s te i n s u g g e s t s U D P p o r t s + I D
Kaminsky class(IN A answer+NS
u p d a te )
N o o f g u e s s e s a t t a c ke r
c a n m a ke .
Po r t r a n d o m i z a t i o n to
g r o w t h e key s p a c e .
5
DNS POISONING MODEL
Definition 1: DNS ser ver is
forger y resistant where TTL
(caching period) ≫ △t, and
the chance of an attack
being successful within △t
time is low.
Assumption 1 . If attack is
not 10% likely to succeed
within Tmax, we deem the
DNS ser ver is forger y
resistant .
6
RTT
DNSSEC DNS ser vers, King
K a m i n s k y - c l a ss a d v o c a te t h e
I m p o r t a nc e o f R T T.
Calculate tA ,tB, tC and
Then calculate RTT= tC-tB.
Verify tC-tB ≈ tC −tA
If domain cached,
Avg response time<100ms
If not cached, 400ms.
Answer’s TTL
(caching period)
7
RTT OBSERVATIONS
Randomly select 5000 ser ver s,
with hosts open recur sive .
8
RTT OBSERVATIONS
α = N u m b e r o f D i f fe r e n t D N S I D s 2 ¹ 6
β = N u m b e r o f S o u rc e Po r t s ( c o n c e p t ua l l y 2 ¹ 6 )
γ = N u m b e r o f Po r t s ex c l ud e d 1 0 24 a s p e r ke r n e l r e s o u rc e s
θ = N u m b e r o f a u t h o r i t y s e r v e r s a n d r e c u r s i ve I P s .
a t t a c ke r h a s to s p o o f t h e c o r r ec t a u t h o r i t y s o u rc e a d d r e s s a p a r t f r o m q u e r y I D a n d
port.
Psuccess = 1 / α ∗ ( β − γ ) ∗ θ
W i t h 3 a u t h o r i t y s e r v e r s , Psuccess = 1 / 2 ¹ 6 ∗ ( 2 ¹ 6 − 1 0 24 ) ∗ 3 ≈ 1 1 2 . 7 B
Psuccess (n) = n / α ∗ ( β − γ ) ∗ θ
O b s e r va t i o n s :
1.
2.
not every recursive DNS server can implement port randomization, since it poses unique
engineering challenges.+ sockets selection
Some DNS servers are more important targets e.g ISP
We t h e r e f o r e n e e d a d d i t i o n al D N S p r o te c t io n m e a s u r e s
9
RTT OBSERVATIONS
C a c h e d Q u e r y Re s o l ve r - O R
R T T: S OA - O R
F i r s t Q u e r y : Re s o l v e r - S OA
10
DNS OX20 BIT ENCODING QUERIES
11
ANALYSIS
12
OX20 PROBING
13
PROBING..
14
PROBING
15
MORE OBSERVATIONS
3 we e k s n o n s to p
i n te rn et s c a n
7 5 m i llion n a m e s e r ver s
7 m i llion q ue ri es
. 3 % w h o do n ’ t s uppo r t
Un de r h i g h vo lumes
t h ey ret urn i de n t ic al
q ue ri es/s fo r s a me
D o m a in
D N S fi n g erpri nt ing s c a n s
< 0 . 2 8 %, be h ave t h i s way,
l o a d ba l a n cer s o r h a rdwa re
a c c e l erator s
9 9 . 7 % s uppo r t 0 x 2 0
e n c o ding s c h e me w i t h o ut
c h a n ging
t h e i r c o de ba s e .
16
RELATED WORK
TSIG or SIG(0) and TKEY for message integrity
Domain Name System (DNS) Cookies”
IETF draft on DNS forgery resilience discusses many aspects
of DNS poisoning
DoX, a peer-to-peer DNS replacement, motivated by DNS
poisoning
TCP SYN Cookies proposed by DJ Bernstein and Eric Schenk in
1996 as a means to stop resource exhaustion DDoS attacks
on TCP stacks, Most related, similar the DNS encoding
scheme
17
CONCLUSION
Approach adopted
1.
2.
3.
Require no radical changes to the DNS infrastructure ;
Make no major changes to the existing protocol
Be backwards compatible, so that even just a few DNS servers can elect
to adopt it
With small exceptions (≈ 0.3%) the world’s authority ser ver s appear to
already preser ve the encoding scheme .
DNS-0x20 encoding does not provide strong guarantees for transaction
integrity, it just raises the bar.
DNS messages can have an additional 1 2 -bits of state, perhaps a reason of
slow adoption of other comprehensi ve DNS security schemes.
18
FUTURE WORK
There may be key management issues to consider.
Stateless encoding schemes for domain names using ox20
bitset of queries,
Modifications and implementation for embedded devices
Update deployed embedded DNS systems
Policy options for DNS-0x20 recursive servers
Capacity of the covert channel that DNS ox20 creates
19
ACKNOWLEDGEMENTS
This material was based upon work supported in part by the
National Science Foundation under Grant No. 0627477 and
the Department of Homeland Security under Contract No.
FA8750-08- 2-0141 . Any opinions, findings, and conclusions or
recommendations expressed in this material are those of the
authors and do not necessarily reflect the views of the
National Science Foundation and the Department of
Homeland Security.
20