
Page 1: © AT&T Inc Detection of DNS Traffic Anomalies Anestis Karasaridis, PhD,CISSP

© AT&T Inc

Detection of DNS Traffic Anomalies

Anestis Karasaridis, PhD,CISSP

Page 2:

Detection of DNS Traffic Anomalies, 4/25/2006

Overview

DNS - Protocol and Applications

Vulnerabilities and common attacks

Monitoring, Detection, Protection

Page 3:

Protocol Overview

DNS is the "white pages" of the Internet: it maps hostnames/domains to IP addresses (and vice versa)

Facilitates the communication of devices over the Internet

Based on standards (RFCs 1034 and 1035, together STD 13, updated by a number of later RFCs)

A distributed and hierarchical database

Runs over IP at Layer 3 and uses UDP or TCP at Layer 4

Managed by different organizations coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN)

Page 4:

Applications Overview

Network infrastructure service: used by almost all applications where two devices need to be connected remotely: Web, Email, FTP, P2P, Streaming, and many others

Its use has been expanded to create overlay networks (Content Distribution Networks) that are used to distribute load and improve latency.

Emerging applications: VoIP (ENUM protocol), Spam control (SPF protocol), RFID

Page 5:

Example uses of DNS:

The user types the following URL into his/her browser: http://www.ieee.org

The browser process generates a DNS request to a configured local DNS server (usually learned through DHCP) in which it asks for the IP address of the server able to serve the web page. If the local server does not know the answer, it makes the same request to an upstream server. When the IP address is found it is returned to the local server and then to the browser process. The browser then makes the request for the page directly to the IP address that was returned.

A user prepares and sends an email to a recipient at yahoo.com. The mail application sends the email first to a local repository (email relay).

The repository then has to figure out where to send the email to reach yahoo.com. The relay server makes a DNS query to find the Mail Exchange (MX) record for yahoo.com. When it gets the answer from DNS with the IP address of yahoo's mail server, it proceeds to send the email to the recipient's server.

Page 6:

DNS Hierarchy

DNS is organized in domains, which are subdivided into subdomains, and so on. The top domain is the "Root" (.) and the domains directly below it are called Top Level Domains (TLDs), for example com, gov, edu, net, biz, info, us, etc.

Page 7:

Distributed Architecture

Various domains and subdomains contain partial DNS information. If the information is not available locally, the database contains pointers (delegations) to other servers that may hold the requested information.

Different parts of the domain space are managed by different entities. The set of domains/subdomains that is managed by a single entity is called a zone.

Page 8:

Example of domains and zones

The US domain has NJ, DC, MD, MA and VA as its subdomains. Since the information in all these subdomains is usually too much to manage in one place, the DNS information is usually split across the different subdomains. The US zone contains delegation points for the subdomains that it does not manage.

[Figure: the US domain with subdomains nj, va, dc, ma and md, showing the US zone as a subset of the US domain]

Page 9:

Example of Name Resolution using the hierarchical and distributed nature of DNS

Page 10:

Security Vulnerabilities

Page 11:

DNS Protocol Security vulnerabilities

• DNS is an open protocol.

• ASCII protocol with no encryption

• DNS is widely implemented and deployed using BIND, which is open source and has many known security holes

• Uses a very rudimentary authentication mechanism, based only on the source IP (SIP), port and transaction ID, and therefore easily trusts the source of information

• Caching allows authoritative records to be bypassed and unreliable information to be stored in many locations on the Internet

• Heavy reliance on the network makes it vulnerable to network outages

Page 12:

DNS Vulnerabilities due to Poor Planning

• Single point of failure issues:

    • Running registered authoritative DNS servers on a single subnet can cause severe application outages if the gateway/router connecting this subnet goes down

    • Running the DNS servers in a single geographical area

    • Running DNS servers on a single OS

• Poor capacity planning or lack of load balancing

• Poor disaster recovery planning, e.g. during power outages, earthquakes, etc.

• Failure to upgrade or patch the DNS implementation

• Misconfiguration

Page 13:

Common DNS Attacks

(D)DoS

Cache poisoning

Tunneling

Buffer overflows

Zone transfer hijacking

Dynamic update corruption

Unauthorized registry changes

Page 14:

DoS attacks

One or more attackers controlling one or more devices launch an avalanche of messages at one or more DNS servers

If the sources are distributed, such an attack is difficult to control and trace

DNS responses are larger than requests and can be used to magnify attacks using spoofed source IP addresses: the attackers set the source IP address to the address of the target and send multiple DNS requests to a DNS server, which then delivers the larger responses to the target

Page 15:

Wide-scale DoS attack to Root Servers

On Oct 21, 2002 a wide-scale attack was launched against the 13 IP addresses of the Root servers using ICMP echo reply messages

According to Keynote Systems 7 of the 13 Root servers were severely slowed down during the attack.

Page 16:

Examples of anomalies: Large volumes from a single source

[Figure: Number of requests/replies to/from MIS DNS server per address (10/21, 14hr); x-axis: IP addresses, y-axis: number of requests/replies (0 to 3000). One address stands out with an unusually large number of requests.]

Page 17:

Cache poisoning

Alteration of the contents of a DNS cache

A query is sent to a local DNS server, which starts a recursive search. A fake response is sent by the attacker before the valid server responds. The local DNS server returns the fake response to the resolver and caches the forged mapping

Can lead to a denial of service or to redirection to a malicious site (one that collects private information, for example)

Page 18:

DNS spoofing/cache poisoning

[Figure: client resolver, local DNS server and attacker, with the following message sequence]

1. DNS request

2. Spoofed reply

3. True reply

4. ICMP port unreachable

Page 19:

Cache Poisoning- another variation

The attacker directs the local DNS server to a DNS server under the attacker's control, which returns bogus information. The local DNS server does not check the response properly and caches the bogus information.

[Figure: laptop, local DNS server, bad guy's DNS server and bad guy's terminal, with the following sequence]

1. Send a query that needs to be resolved to his DNS server

2. Query is forwarded to bad guy's DNS server

3. Returns real along with spoof info

4. Query www.dod.gov

5. Return spoof address which points to bad guy's server

Page 20:

Detection of brute force cache poisoning attacks

For each DNS flow, identify if the packets in the flow are requests or responses (based on port numbers).

If the packets in the flow record are requests, combine the flow with a thread (a group of objects such as flows with similar characteristics) of request flows that have the same destination IP (DIP) and the same bytes-per-packet ratio (BPR), if the flow arrives within a small time interval (e.g., 1sec) after the last flow in the thread. If the thread exceeds a certain number of flows (e.g., 50), summarize the information in the flow records and provide an alert that repeated requests took place.

Page 21:

Detection of brute force cache poisoning attacks (cont’d)

If the flow record contains response packets, combine the incoming flow with similar flows (same DIP, BPR, DPORT and SIP) if the flow arrives within a small time interval (e.g., 1 sec) of the last flow in the same thread. Check whether the number of such flows exceeds a threshold (e.g., 50). If the threshold is exceeded, examine all the request threads for the same DIP and see whether they have a BPR such that

BPR_{response} > BPR_{request} + BPR_{THR},

where BPR_{THR} is the minimum number of additional bytes (set at 16) required to construct a response for a given request. Also, examine whether the response thread starts within the time limits of the request thread. If all the above conditions are true, summarize the flows and generate an alarm for a cache-poisoning attack. If the number of responses in the thread is larger than the threshold but the thread is not within the time frame of a request thread, or it cannot be matched to a request thread because the BPR condition above is not met, then the algorithm produces an alarm for repeated responses.

Empty and restart request and response threads when a flow arrives much later (e.g., more than 1 sec later) or earlier than the last flow in the thread.

Periodically (e.g., every 500,000 input flows) clean up threads to free up memory.

Page 22:

Cache Poisoning Example

Type  Src IP          Dest IP     Pkts  Bytes  Stime  Etime  Sport  Dport  Prot
2     20.20.20.30     5.10.15.20  1     90     77     77     53     51453  17
1     20.30.10.5      5.10.15.20  1     70     78     78     14414  53     17
2     20.20.20.30     5.10.15.20  1     90     78     78     53     51453  17
1     100.50.25.25    5.10.15.20  1     70     79     79     50235  53     17
1     200.100.50.25   5.10.15.20  1     70     79     79     65164  53     17
1     50.100.150.200  5.10.15.20  1     70     79     79     61480  53     17
1     10.20.30.40     5.10.15.20  1     70     79     79     10105  53     17
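The threading rules of the two preceding pages run over the flow records of this example, as an added illustration (not code from the slides): requests are threaded by DIP and BPR, responses by DIP, BPR, DPORT and SIP, a thread restarts when a flow arrives more than one second after (or earlier than) its last flow, and a response thread over the threshold is labelled suspicious only if a request thread for the same DIP meets the BPR and timing conditions. Assumptions: the threshold is a parameter (lowered from 50 to exercise the seven sample flows), the response thread may start up to one second before the request thread (as in the alert example on the next page), and Stime/Etime are integer seconds.

```python
WINDOW = 1    # max seconds between consecutive flows of one thread (slide: 1 sec)
BPR_THR = 16  # extra bytes a response needs over its request (slide: 16)
def classify(flow):  # request if dport is 53, response if sport is 53, else ignored
    return "request" if flow["dport"] == 53 else "response" if flow["sport"] == 53 else None
def detect(flows, threshold=50):
    """Return (label, dip, number, bpr, start, end) alarms; threshold=50 as on the slide."""
    req, resp, done_req, alarms = {}, {}, [], []
    def finalize(kind, key, t):  # summarize a finished thread; alarm if it is large enough
        dip, bpr = key[0], key[1]
        spans = done_req + [(d, b, r["start"], r["end"]) for (d, b), r in req.items()]
        if kind == "request":
            done_req.append((dip, bpr, t["start"], t["end"]))
        if t["n"] < threshold:
            return
        # Assumption: a response thread may start up to WINDOW seconds before the matching request thread
        matched = any(d == dip and bpr > b + BPR_THR and s - WINDOW <= t["start"] <= e + WINDOW
                      for d, b, s, e in spans)
        label = ("Repeated Requests" if kind == "request" else
                 "Suspicious Responses" if matched else "Repeated Responses")
        alarms.append((label, dip, t["n"], bpr, t["start"], t["end"]))
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        bpr = f["bytes"] // f["pkts"]
        table = req if kind == "request" else resp
        key = (f["dip"], bpr) if kind == "request" else (f["dip"], bpr, f["dport"], f["sip"])
        t = table.get(key)
        if t and not 0 <= f["stime"] - t["end"] <= WINDOW:  # much later or earlier: restart
            finalize(kind, key, t)
            t = None
        if t is None:
            t = table[key] = {"n": 0, "start": f["stime"], "end": f["etime"]}
        t["n"] += 1
        t["end"] = max(t["end"], f["etime"])
    for kind, table in (("request", req), ("response", resp)):  # flush at end of input
        for key, t in table.items():
            finalize(kind, key, t)
    return alarms

# Flow records copied from the slide's example as (sip, dip, pkts, bytes, stime, etime, sport, dport); the protocol column (17 = UDP) is omitted
SAMPLE = [dict(zip("sip dip pkts bytes stime etime sport dport".split(), r)) for r in [
    ("20.20.20.30", "5.10.15.20", 1, 90, 77, 77, 53, 51453),
    ("20.30.10.5", "5.10.15.20", 1, 70, 78, 78, 14414, 53),
    ("20.20.20.30", "5.10.15.20", 1, 90, 78, 78, 53, 51453),
    ("100.50.25.25", "5.10.15.20", 1, 70, 79, 79, 50235, 53),
    ("200.100.50.25", "5.10.15.20", 1, 70, 79, 79, 65164, 53),
    ("50.100.150.200", "5.10.15.20", 1, 70, 79, 79, 61480, 53),
    ("10.20.30.40", "5.10.15.20", 1, 70, 79, 79, 10105, 53)]]
```

With the slide's threshold of 50 the seven flows raise nothing; with threshold=2 the five requests become a "Repeated Requests" alarm and the two 90-byte responses, which exceed 70 + 16 bytes and start within a second of the request thread, become a "Suspicious Responses" alarm.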

Page 23:

Alerting for Cache Poisoning Attacks

Repeated Requests:dip=5.10.15.20,number=307,bpr=70,link=SiteA,sip=var,sport=var,start_time=Wed Oct 22 13:57:58 2005,end_time=Wed Oct 22 14:00:38 2005

Suspicious Responses:dip=5.10.15.20,number=811,bpr=90,link=SiteA,sip=20.20.20.30,dport:51453,start_time=Wed Oct 22 13:57:57 2005,end_time=Wed Oct 22 14:05:00 2005

Repeated Responses:dip=5.10.15.20,number=811,bpr=90,link=SiteA,sip=20.20.20.30,dport:51453,start_time=Wed Oct 22 13:57:57 2005,end_time=Wed Oct 22 14:05:00 2005

Page 24:

Tunneling Anomaly Detection

• DNS is used to tunnel traffic in and out of firewalls and IDSs: viruses, botnet control, streaming audio

• The protocol specification should be taken into account

Page 25:

Tunneling Anomaly detection- Abnormal packet sizes

Requests typically should not exceed 312 bytes (including TCP and IP headers)

UDP responses typically do not exceed 512 bytes

Calculate histograms of request/response packet sizes. Track and detect changes in the frequencies of non-conforming packet sizes

Page 26:

Example of anomalies: Large DNS Requests

[Figure: DNS Request (UDP) size histogram; x-axis: request size (bytes), 0 to 600; y-axis: probability (%), 0 to 12. Sizes beyond the limit are marked "Not complying with the protocol".]

• Large requests appeared, interestingly, among other normal-size requests

• In one case they were sent periodically between a single pair of hosts

Page 27:

Example anomalies: Large DNS responses

[Figure: DNS Response (UDP) size histogram; x-axis: response size (bytes), 0 to 1500; y-axis: probability (%), 0 to 1.8. Sizes beyond the limit are marked "Non complying response sizes".]

Page 28:

Example anomalies: Increase in large request packet size frequencies

[Figure: Ratio of Non-compliant DNS Request Byte Sizes; x-axis: date, 22-Sep to 8-Oct; y-axis: percent of non-compliant request packet sizes, 0 to 4; two series: attga05511 and n54ny01668ra.]

Page 29:

Track and detect packet size anomalies

Build a baseline histogram of packet sizes

Calculate the current histogram

Calculate the difference between the current and baseline histograms. The KL distance (also known as relative entropy) is one example:

E_r = \sum_i p_i \log(p_i / q_i)

where p_i are the current frequencies and q_i are the baseline frequencies

Page 30:

Track and detect packet size anomalies (cont’d)

Baseline should be adaptive to variations in traffic

It should be updated when there are small changes that are benign

It should not include data that generate alarms
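An added example (not the slides' code) of the packet-size method of Pages 25, 29 and 30: bucketed request-size histograms, the KL distance E_r between the current and baseline histograms, the percentage of non-compliant sizes, and a baseline that is blended with benign intervals but left untouched by any interval that alarms. The 16-byte bins, the eps smoothing for bins missing from the baseline, the alarm threshold of 0.5, the blending factor of 0.1 and the sample size lists are assumptions.

```python
import math
from collections import Counter

REQ_MAX, RESP_MAX = 312, 512   # typical size limits from the slides (request / UDP response)

def histogram(sizes, bucket=16):
    """Normalized histogram of packet sizes in `bucket`-byte bins (bin width is an assumption)."""
    counts = Counter(s // bucket for s in sizes)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}

def kl_distance(current, baseline, eps=1e-6):
    """E_r = sum_i p_i log(p_i / q_i) with p = current and q = baseline frequencies.
    Assumption: bins absent from the baseline get q_i = eps, so a size never seen
    before contributes a large but finite term instead of dividing by zero."""
    return sum(p * math.log(p / max(baseline.get(b, 0.0), eps)) for b, p in current.items())

def noncompliant_ratio(sizes, limit):
    """Percent of packets larger than the protocol's typical limit (the metric of Page 28)."""
    return 100.0 * sum(1 for s in sizes if s > limit) / len(sizes) if sizes else 0.0

class SizeMonitor:
    """Adaptive baseline (Page 30): blend in benign intervals, never ones that alarm."""
    def __init__(self, baseline_sizes, threshold=0.5, alpha=0.1):  # threshold/alpha assumed
        self.baseline = histogram(baseline_sizes)
        self.threshold, self.alpha = threshold, alpha

    def observe(self, sizes):
        """Return (KL distance, alarm) for one interval; update the baseline only if benign."""
        cur = histogram(sizes)
        dist = kl_distance(cur, self.baseline)
        if dist > self.threshold:
            return dist, True                       # alarm: leave the baseline untouched
        keys = set(cur) | set(self.baseline)
        self.baseline = {k: (1 - self.alpha) * self.baseline.get(k, 0.0)
                         + self.alpha * cur.get(k, 0.0) for k in keys}
        return dist, False

# Constructed request-size samples (bytes): a baseline, a benign interval with the same
# shape, and an interval carrying ten 400-byte requests (> 312) among normal-size ones.
BASELINE = [48] * 50 + [64] * 30 + [80] * 20
BENIGN = [48] * 50 + [64] * 30 + [80] * 20
ANOMALOUS = [48] * 45 + [64] * 27 + [80] * 18 + [400] * 10
```

The benign interval has distance 0 and is folded into the baseline; the anomalous one lands in a bin the baseline never saw, so its distance (about 1.06) exceeds the threshold, an alarm is raised and the baseline is left as it was.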

Page 31:

Example of detection of tunneling: Sinit virus propagated using port 53 traffic

Sophisticated P2P-type propagation using a custom protocol

[Figure: Cross Entropy vs. Self-Entropy (NY 01668ra circuit); y-axis 0 to 6; series: Self Entropy, Cross Entropy, Diff, Threshold]

Page 32:

Summary

DNS is ubiquitous and expanding to new applications and technologies

Many vulnerabilities exist due to poor design, configuration or software holes

Monitoring revealed wide-scale events before public reports

DNSSEC is an attempt to address some of the security issues