Increased DNS Forgery Resistance Through 0x20 Bit Encoding

Report
•
INCREASED DNS
FORGERY RESISTANCE
THROUGH 0X20 BIT
ENCODING
DAVID DAGON
MANOS ANTONAKAKIS
PAUL VIXIE
TATUYA JINMEI
WENKE LEE
P re s e nted by :
Syed Nasir
Mehdi
P h D C o m pute r
Sc i e n c e a n d
E n g inee rin g
B i o c om La b
snasirmehdi@
hanyang.ac.kr
1
OUTLINE











Introduction
Background
DNS Nomenclature
DNS Poisoning
Basic DNS Poisoning Model
DNS Ox20 Bit Encoding Queries
Analysis
Ox20 Probing
Related Work
Future Work
Conclusion
2
INTRODUCTION
 Main Goal: To make DNS queries more resistant to poisoning
attacks:
 What it entails: Creation of DNS light-weight forgery -resistance
technology
 How :
 Preservation of case encoding of DNS Queries by Authority Servers bit for-bit and upon return the verification of the same and caching by
recursive server.
 Constraints:
 No Radical Changes. DNS Infrastructure should remain intact
 Protocol Stability. DNS Protocol should remain intact
 Backward Compatible. Other technologies that rely on existing DNS standards
should remain intact
 Example: www.example.com, recursive DNS servers would
instead query for wwW.eXamPLe.cOM
3
DNS OVERVIEW
 DNS
 Stub Resolver(Client)
 Resolver(Name Server)
 Recursive Resolver(NS Client)
 Authoritative Servers(SOA)
 Zone(.net, .org)
 Delegation
 Caching
 RR
 Root(13)
 WHOIS(Registrant,nameserver
TTL)
4
DNS POISONING
 A t t a c ke r s c a n i te r a t i ve l y
O b s e r ve c a c h e v a l u e s o v e r t i m e
 O R b e f o r c e d to d o l o o kup s
 G u e s s t h e 16 b i t I D - f i el d
 B i r t h d ay A t t ac k s
 Exploit weak random number
generation.
 B e r s te i n s u g g e s t s U D P p o r t s + I D
 Kaminsky class(IN A answer+NS
u p d a te )
 N o o f g u e s s e s a t t a c ke r
c a n m a ke .
 Po r t r a n d o m i z a t i o n to
g r o w t h e key s p a c e .
5
DNS POISONING MODEL
Definition 1: DNS ser ver is
forger y resistant where TTL
(caching period) ≫ △t, and
the chance of an attack
being successful within △t
time is low.
Assumption 1 . If attack is
not 10% likely to succeed
within Tmax, we deem the
DNS ser ver is forger y
resistant .
6
RTT
 DNSSEC DNS ser vers, King
K a m i n s k y - c l a ss a d v o c a te t h e
I m p o r t a nc e o f R T T.
 Calculate tA ,tB, tC and
Then calculate RTT= tC-tB.
Verify tC-tB ≈ tC −tA
 If domain cached,
Avg response time<100ms
 If not cached, 400ms.
 Answer’s TTL
(caching period)
7
RTT OBSERVATIONS
 Randomly select 5000 ser ver s,
with hosts open recur sive .
8
RTT OBSERVATIONS
 α = N u m b e r o f D i f fe r e n t D N S I D s 2 ¹ 6
 β = N u m b e r o f S o u rc e Po r t s ( c o n c e p t ua l l y 2 ¹ 6 )
 γ = N u m b e r o f Po r t s ex c l ud e d 1 0 24 a s p e r ke r n e l r e s o u rc e s
 θ = N u m b e r o f a u t h o r i t y s e r v e r s a n d r e c u r s i ve I P s .
 a t t a c ke r h a s to s p o o f t h e c o r r ec t a u t h o r i t y s o u rc e a d d r e s s a p a r t f r o m q u e r y I D a n d
port.
 Psuccess = 1 / α ∗ ( β − γ ) ∗ θ
 W i t h 3 a u t h o r i t y s e r v e r s , Psuccess = 1 / 2 ¹ 6 ∗ ( 2 ¹ 6 − 1 0 24 ) ∗ 3 ≈ 1 1 2 . 7 B
 Psuccess (n) = n / α ∗ ( β − γ ) ∗ θ
 O b s e r va t i o n s :
1.
2.
not every recursive DNS server can implement port randomization, since it poses unique
engineering challenges.+ sockets selection
Some DNS servers are more important targets e.g ISP
 We t h e r e f o r e n e e d a d d i t i o n al D N S p r o te c t io n m e a s u r e s
9
RTT OBSERVATIONS
 C a c h e d Q u e r y Re s o l ve r - O R
 R T T: S OA - O R
 F i r s t Q u e r y : Re s o l v e r - S OA
10
DNS OX20 BIT ENCODING QUERIES
11
ANALYSIS
12
OX20 PROBING
13
PROBING..
14
PROBING
15
MORE OBSERVATIONS
 3 we e k s n o n s to p
i n te rn et s c a n
 7 5 m i llion n a m e s e r ver s
 7 m i llion q ue ri es
 . 3 % w h o do n ’ t s uppo r t
 Un de r h i g h vo lumes
t h ey ret urn i de n t ic al
q ue ri es/s fo r s a me
D o m a in
 D N S fi n g erpri nt ing s c a n s
< 0 . 2 8 %, be h ave t h i s way,
l o a d ba l a n cer s o r h a rdwa re
a c c e l erator s
 9 9 . 7 % s uppo r t 0 x 2 0
e n c o ding s c h e me w i t h o ut
c h a n ging
t h e i r c o de ba s e .
16
RELATED WORK
 TSIG or SIG(0) and TKEY for message integrity
 Domain Name System (DNS) Cookies”
 IETF draft on DNS forgery resilience discusses many aspects
of DNS poisoning
 DoX, a peer-to-peer DNS replacement, motivated by DNS
poisoning
 TCP SYN Cookies proposed by DJ Bernstein and Eric Schenk in
1996 as a means to stop resource exhaustion DDoS attacks
on TCP stacks, Most related, similar the DNS encoding
scheme
17
CONCLUSION
 Approach adopted
1.
2.
3.
Require no radical changes to the DNS infrastructure ;
Make no major changes to the existing protocol
Be backwards compatible, so that even just a few DNS servers can elect
to adopt it
 With small exceptions (≈ 0.3%) the world’s authority ser ver s appear to
already preser ve the encoding scheme .
 DNS-0x20 encoding does not provide strong guarantees for transaction
integrity, it just raises the bar.
 DNS messages can have an additional 1 2 -bits of state, perhaps a reason of
slow adoption of other comprehensi ve DNS security schemes.
18
FUTURE WORK
 There may be key management issues to consider.
 Stateless encoding schemes for domain names using ox20
bitset of queries,
 Modifications and implementation for embedded devices
 Update deployed embedded DNS systems
 Policy options for DNS-0x20 recursive servers
 Capacity of the covert channel that DNS ox20 creates
19
ACKNOWLEDGEMENTS
 This material was based upon work supported in part by the
National Science Foundation under Grant No. 0627477 and
the Department of Homeland Security under Contract No.
FA8750-08- 2-0141 . Any opinions, findings, and conclusions or
recommendations expressed in this material are those of the
authors and do not necessarily reflect the views of the
National Science Foundation and the Department of
Homeland Security.
20

похожие документы