426_fall07_lect22
8/3/2019 426_Fall07_lect22
http://slidepdf.com/reader/full/426fall07lect22 1/26
Computer Security CS 426 Lecture 22
Denial of Service Attacks and DNS Security
CS426 Fall 2007/Lecture 22
• Readings
o Counter Hack Reloaded: Denial-of-Service Attacks
• DoS Attacks
o SYN flooding
o Smurf
o DDoS
• DNS Security
o DNS cache poisoning
o Attack using reverse DNS
Categories of Denial-of-service Attacks

            Stopping services                 Exhausting resources
Locally     • Process killing                 • Spawning processes to fill the process table
            • Process crashing                • Filling up the whole file system
            • System reconfiguration          • Saturate comm bandwidth
Remotely    • Malformed packets to crash      • Packet floods (Smurf, SYN flood, DDoS, etc.)
              buggy services
TCP Handshake
(Figure: C sends SYN_C to S, which is listening; S stores data and replies with SYN_S, ACK_C, then waits; C replies with ACK_S and both sides are connected.)
SYN Flooding
(Figure: C sends SYN_C 1, 2, 3, 4, 5, … to the listening S; S stores data for each one.)
SYN Flooding
• Attacker sends many connection requests
o Spoofed source addresses
• Victim allocates resources for each request
o Connection requests exist until timeout
o Fixed bound on half-open connections
• Resources exhausted => requests rejected
Protection against SYN Attacks: SYN cookie
• Client sends SYN
• Server responds to Client with SYN-ACK cookie
o sqn = f(src addr, src port, dest addr, dest port, secret)
o Normal TCP response but server does not save state
• Honest client responds with ACK(sqn)
• Server checks response
o If matches SYN-ACK, establishes connection
“rand” is top 5 bits of 32-bit time counter
Server checks client response against recent values
See http://cr.yp.to/syncookies.html [Bernstein, Schenk]
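The cookie construction described above, as an added example that is not part of the lecture slides or of Bernstein's implementation: a toy SYN-cookie generator and checker in Python. It follows the slide's layout (top 5 bits of the 32-bit sequence number carry the time counter, the remaining bits are a keyed function of the 4-tuple, counter and server secret) and assumes HMAC-SHA256 as the function f and acceptance of the two previous counter values; the real scheme also encodes the client's MSS, which is left out here.

```python
import hashlib
import hmac

# Assumptions for this toy: a random per-boot server key, 5 counter bits as on
# the slide, and acceptance of the current counter value plus the two before it.
SECRET = b"constructed-server-secret"
TIME_BITS = 5
MAC_BITS = 32 - TIME_BITS
WINDOW = 2


def syn_cookie(src_addr, src_port, dst_addr, dst_port, counter, secret=SECRET):
    """Initial sequence number: top 5 bits = counter mod 32,
    low 27 bits = f(4-tuple, counter, secret). Nothing is stored on the
    server; everything is recomputable from the client's ACK."""
    msg = f"{src_addr}:{src_port}>{dst_addr}:{dst_port}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    low = int.from_bytes(mac[:4], "big") & ((1 << MAC_BITS) - 1)
    return ((counter & ((1 << TIME_BITS) - 1)) << MAC_BITS) | low


def check_cookie(src_addr, src_port, dst_addr, dst_port, ack, now, secret=SECRET):
    """Accept the ACK only if ack-1 is a cookie this server could have issued
    for this 4-tuple within the last WINDOW counter ticks ("recent values")."""
    sqn = (ack - 1) & 0xFFFFFFFF
    slot = sqn >> MAC_BITS                     # counter bits carried in the cookie
    for age in range(WINDOW + 1):
        counter = now - age
        if counter < 0:
            break
        if counter & ((1 << TIME_BITS) - 1) != slot:
            continue                           # this tick cannot have produced it
        expected = syn_cookie(src_addr, src_port, dst_addr, dst_port, counter, secret)
        if hmac.compare_digest(expected.to_bytes(4, "big"), sqn.to_bytes(4, "big")):
            return True
    return False
```

A stale cookie whose counter bits happen to repeat 32 ticks later still fails, because the MAC was computed over the original counter value.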
Smurf DoS Attack
• Send ping request to broadcast addr (ICMP Echo Req)
• Lots of responses:
o Every host on target network generates a ping reply (ICMP Echo Reply) to victim
o Ping reply stream can overload victim
Prevention: reject external packets to broadcast address
(Figure: the DoS source sends (1) an ICMP Echo Req with Src: DoS Target, Dest: broadcast addr, through the gateway; every host behind it then sends (3) an ICMP Echo Reply with Dest: DoS Target.)
DDoS:
• Example: TFN2K tool
o UDP floods, SYN floods, ICMP floods, Smurf
o Cryptographic authentication for commands sent from client (handler) to zombie
o Use PING reply to communicate
o Spoof source addresses of all communications => makes tracing difficult
Hiding DDoS Attacks
• Reflection
o Find big sites with lots of resources, send packets with spoofed source address, response to victim
PING => PING response
SYN => SYN-ACK
• Pulsing zombie floods
o each zombie active briefly, then goes dormant
o zombies taking turns attacking
o making tracing difficult
Domain Name System
• Hierarchical Name Space
(Figure: tree rooted at root, with top-level domains edu, net, org, uk, com, ca; under edu: wisc, ucb, stanford, cmu, mit; under stanford: cs, ee; under cs: www.)
DNS Root Name Servers
• Hierarchical service
o Root name servers for top-level domains
o Authoritative name servers for subdomains
o Local name resolvers contact authoritative servers when they do not know a name
DNS Lookup Example
(Figure: the client asks the local DNS resolver for www.cs.stanford.edu; the resolver asks the root & edu DNS server and gets back NS stanford.edu; it asks the stanford.edu DNS server for www.cs.stanford.edu and gets back NS cs.stanford.edu; it asks the cs.stanford.edu DNS server and gets back www=IPaddr, which it returns to the client.)
Caching
• DNS responses are cached
o Quick response for repeated translations
o Useful for finding servers as well as addresses: NS records for domains
• Negative results are cached
o Save time for nonexistent sites, e.g. misspelling
• Cached data periodically times out
Lookup using cached DNS server
(Figure: the client asks the local DNS recursive resolver for ftp.cs.stanford.edu; the resolver already has the NS record for cs.stanford.edu cached, so it skips the root & edu and stanford.edu DNS servers, asks the cs.stanford.edu DNS server directly, and returns ftp=IPaddr to the client.)
DNS Implementation Vulnerabilities
• DNS implementations have had same kinds of vulnerabilities as other software
o Reverse query buffer overrun in BIND Releases 4.9 (4.9.7 prior) and Releases 8 (8.1.2 prior)
=> gain root access, abort DNS service
o MS DNS for NT 4.0 (service pack 3 and prior) crashes on CHARGEN stream
telnet ntbox 19 | telnet ntbox 53
• Moral
o Better software quality is important
o Defense in depth!
Inherent DNS Vulnerabilities
• Users/hosts typically trust the host-address mapping provided by DNS
• Obvious problems
o Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
o Solution – authenticated requests/responses
DNS cache poisoning
• DNS resource records (see RFC 1034)
o An “A” record supplies a host IP address
o A “NS” record supplies name server for domain
• Example
o www.evil.org NS ns.yahoo.com (delegate to yahoo)
o ns.yahoo.com A 1.2.3.4 (address for yahoo)
• Result
o If resolver looks up www.evil.org, then evil name server will give resolver address 1.2.3.4 for yahoo
o Lookup yahoo through cache goes to 1.2.3.4
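The poisoning example above, as an added illustration that is not from the lecture: a toy resolver cache in Python that shows the evil.org reply poisoning the cached address of ns.yahoo.com, and the same reply being rejected by a bailiwick rule (cache only records whose owner name lies under the zone the queried server was asked about), the check real resolvers adopted against exactly this trick. The names and address are the slide's; the RR and Cache classes are constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One DNS resource record: owner name, type ("A" or "NS"), data."""
    name: str
    rtype: str
    rdata: str


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Cache:
    """Toy resolver cache; records are keyed by (owner name, type)."""

    def __init__(self):
        self.records = {}

    def add_response(self, zone, response, enforce_bailiwick=True):
        """Cache the RRs of a reply from the server responsible for `zone`.
        Returns the records rejected as out of bailiwick."""
        rejected = []
        for rr in response:
            if enforce_bailiwick and not in_bailiwick(rr.name, zone):
                rejected.append(rr)   # e.g. an address for a name outside evil.org
                continue
            self.records.setdefault((rr.name.lower(), rr.rtype), []).append(rr.rdata)
        return rejected

    def lookup(self, name, rtype):
        return self.records.get((name.lower(), rtype), [])


# Constructed reply from the evil.org name server, as on the slide: it
# delegates www.evil.org to ns.yahoo.com and adds a bogus address for it.
EVIL_RESPONSE = [
    RR("www.evil.org", "NS", "ns.yahoo.com"),
    RR("ns.yahoo.com", "A", "1.2.3.4"),
]


def cached_yahoo_ns_address(enforce_bailiwick):
    """What the cache believes ns.yahoo.com's address is after the evil reply."""
    cache = Cache()
    cache.add_response("evil.org", EVIL_RESPONSE, enforce_bailiwick)
    return cache.lookup("ns.yahoo.com", "A")
```

Without the rule the cache answers 1.2.3.4 for ns.yahoo.com; with it the NS delegation is kept but the out-of-zone address is dropped, so a later yahoo lookup still goes to the real authoritative server.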
Pharming
• DNS poisoning attack (less common than phishing)
o Change IP addresses to redirect URLs to fraudulent sites
o Potentially more dangerous than phishing attacks
o No email solicitation is required
• DNS poisoning attacks have occurred:
o January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
o In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy
o In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"
Bellovin/Mockapetris Attack
• Trust relationships use symbolic addresses
o /etc/hosts.equiv contains friend.stanford.edu
• Requests come with numeric source address
o Use reverse DNS to find symbolic name
o Decide access based on /etc/hosts.equiv, …
• Attack
o Spoof reverse DNS to make host trust attacker
Reverse DNS
• Given numeric IP address, find symbolic addr
• To find 222.33.44.3,
o Query 44.33.222.in-addr.arpa
o Get list of symbolic addresses, e.g.,
  1 server.small.com
  2 boss.small.com
  3 ws1.small.com
  4 ws2.small.com
Attack
• Gain control of DNS service for evil.org
• Select target machine in good.net
• Find trust relationships
o SNMP, finger can help find active sessions, etc.
o Example: target trusts host1.good.net
• Connect
o Attempt rlogin from coyote.evil.org
o Target contacts reverse DNS server with IP addr
o Use modified reverse DNS to say “addr belongs to host1.good.net”
o Target allows rlogin
Defense against this attack
• Double-check reverse DNS
o Modify rlogind, rshd to query DNS server
o See if symbolic addr maps to numeric addr
o But then must deal with DNS cache poisoning …
• Authenticate entries in DNS tables
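The double-check described above, as an added example that is not from the lecture: a Python emulation of rlogind's trust decision that forward-confirms the reverse lookup before consulting hosts.equiv, run against a constructed in-memory DNS table instead of real resolvers (the addresses 203.0.113.7 and 198.51.100.10 and the record contents are made up). The naive decision the slide's attack relies on is included for comparison.

```python
import ipaddress


def reverse_name(ip):
    """Build the in-addr.arpa name for an IPv4 address (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


# Constructed DNS data. The PTR zone for 203.0.113.0/24 is under the
# attacker's control (evil.org's "modified reverse DNS") and claims the
# trusted name; the A record for host1.good.net comes from good.net itself.
DNS = {
    ("7.113.0.203.in-addr.arpa", "PTR"): ["host1.good.net"],    # attacker's lie
    ("10.100.51.198.in-addr.arpa", "PTR"): ["host1.good.net"],  # the real host
    ("host1.good.net", "A"): ["198.51.100.10"],
}

HOSTS_EQUIV = {"host1.good.net"}   # constructed /etc/hosts.equiv contents


def lookup(name, rtype, dns=DNS):
    return dns.get((name.lower(), rtype), [])


def access_decision(src_ip, hosts_equiv=HOSTS_EQUIV, double_check=True, dns=DNS):
    """Emulate rlogind's decision for a connection from src_ip.
    Returns (allowed, reason). double_check=False is the naive behaviour."""
    names = lookup(reverse_name(src_ip), "PTR", dns)
    if not names:
        return False, "no PTR record"
    name = names[0].lower()
    # Forward-confirm: the claimed name must resolve back to the source address.
    if double_check and src_ip not in lookup(name, "A", dns):
        return False, f"PTR name {name} does not map back to {src_ip}"
    if name in hosts_equiv:
        return True, f"{name} is in hosts.equiv"
    return False, f"{name} not trusted"
```

As the slide notes, this only moves the problem to the forward lookup: if the resolver's cache for good.net can be poisoned, the confirmation is no better than the PTR it checks.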
Summary
• Smurf
o Drop external packets to brdcst address
• SYN Flooding
o SYN Cookies
• DNS attacks
o Double-check reverse DNS
o Authenticate entries in DNS tables
o Do not trust addresses except from authoritative NS
Coming Attractions …
• November 13:
o Firewalls and Network Intrusion Detection Systems