Computer Security CS 426 Lecture 22 Denial of Service Attacks and DNS Security

Upload: robiul-islam-shimul

Post on 06-Apr-2018


TRANSCRIPT

Page 1: 426_Fall07_lect22

8/3/2019 426_Fall07_lect22

http://slidepdf.com/reader/full/426fall07lect22 1/26

Computer Security CS 426 Lecture 22

Denial of Service Attacks and DNS Security

Page 2: 426_Fall07_lect22


CS426 Fall 2007/Lecture 22

• Readings
  o Counter Hack Reloaded, Denial-of-Service Attacks

• DoS Attacks
  o SYN flooding
  o Smurf
  o DDoS

• DNS Security
  o DNS cache poisoning
  o Attack using reverse DNS

Page 3: 426_Fall07_lect22


Categories of Denial-of-service Attacks

Locally
  Stopping services:
    • Process killing
    • Process crashing
    • System reconfiguration
  Exhausting resources:
    • Spawning processes to fill the process table
    • Filling up the whole file system
    • Saturating communication bandwidth

Remotely
  Stopping services:
    • Malformed packets to crash buggy services
  Exhausting resources:
    • Packet floods (Smurf, SYN flood, DDoS, etc.)

Page 4: 426_Fall07_lect22


TCP Handshake

C (client)                                   S (server)
                                             Listening
   ---- SYN_C ---------------------------->
                                             Store data (half-open connection state)
   <--- SYN_S, ACK_C ----------------------
                                             Wait
   ---- ACK_S ---------------------------->
                                             Connected

Page 5: 426_Fall07_lect22


SYN Flooding

C (attacker)                                 S (server)
                                             Listening
   ---- SYN_C (1) ------------------------>  Store data
   ---- SYN_C (2) ------------------------>  Store data
   ---- SYN_C (3) ------------------------>  Store data
   ---- SYN_C (4) ------------------------>  Store data
   ---- SYN_C (5) ------------------------>  Store data
   ...                                       (no final ACK ever arrives; every entry stays half-open)

Page 6: 426_Fall07_lect22


SYN Flooding

• Attacker sends many connection requests
  o Spoofed source addresses, so the SYN-ACKs go nowhere and no ACK ever completes the handshake

• Victim allocates resources for each request
  o Connection requests exist until timeout
  o Fixed bound on half-open connections

• Resources exhausted → legitimate requests rejected

Page 7: 426_Fall07_lect22


Protection against SYN Attacks: SYN cookie

• Client sends SYN
• Server responds to Client with SYN-ACK cookie
  o sqn = f(src addr, src port, dest addr, dest port, secret)
  o Normal TCP response but server does not save state

• Honest client responds with ACK(sqn)
• Server checks response
  o If it matches the SYN-ACK it would have sent, establishes connection
  o In Bernstein's construction the 32-bit sequence number is split: the top 5 bits are "rand", the low bits of a 32-bit time counter t that increases every 64 seconds; the next 3 bits encode the client's MSS; the low 24 bits are a secret function of the addresses, ports and t

Server checks the client response against recent values of t, so stale or replayed cookies are rejected

See http://cr.yp.to/syncookies.html

[Bernstein, Schenk]
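A runnable version of the cookie construction described on this slide. This is an added example, not the lecture's code and not any kernel's implementation: SECRET, the MSS table and the timestamps are constructed for the demonstration, and HMAC-SHA256 truncated to 24 bits stands in for whatever secret function a real stack uses for the low bits.

```python
"""SYN cookie generation and verification in the style of Bernstein's scheme.

Added example. SECRET, MSS_TABLE and all timestamps are constructed; a real server
draws the secret at boot and reads t from its clock."""
import hashlib
import hmac
import time

SECRET = b"example-only secret; a real server would use os.urandom(32)"
MSS_TABLE = (536, 1300, 1440, 1460)   # 3 bits index up to 8 MSS values; four suffice here
MASK32 = 0xFFFFFFFF


def cookie_time(now=None):
    """Time counter t with 64-second resolution (cr.yp.to: t increases every 64 seconds)."""
    now = time.time() if now is None else now
    return int(now) >> 6


def _mac24(src_ip, src_port, dst_ip, dst_port, t):
    """Low 24 bits: keyed hash of the 4-tuple and t. Only a host that can read the
    SYN-ACK sent to src_ip learns it, which is what ties the cookie to a real peer."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now=None):
    """Initial sequence number for the SYN-ACK. No per-connection state is stored."""
    t = cookie_time(now)
    usable = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = usable[-1] if usable else 0          # largest table MSS the client accepts
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t)


def check_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now=None, window=1):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None.

    The client acknowledges ISN + 1, so the cookie is ack_number - 1. The current t
    and the previous `window` values of t (64 s each) are accepted; anything older
    is stale and anything with a wrong MAC is forged."""
    cookie = (ack_number - 1) & MASK32
    t_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    t_now = cookie_time(now)
    for t in range(t_now, t_now - window - 1, -1):
        expected = _mac24(src_ip, src_port, dst_ip, dst_port, t)
        if (t & 0x1F) == t_bits and hmac.compare_digest(
                mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None


def demo():
    """One honest handshake, one stale ACK and one forged ACK; returns the three outcomes."""
    four = ("203.0.113.9", 40001, "198.51.100.80", 443)     # constructed addresses
    isn = make_cookie(*four, client_mss=1460, now=1_000_000)
    honest = check_ack(*four, ack_number=(isn + 1) & MASK32, now=1_000_010)
    stale = check_ack(*four, ack_number=(isn + 1) & MASK32, now=1_000_000 + 3 * 64)
    forged = check_ack(*four, ack_number=((isn ^ 0x1) + 1) & MASK32, now=1_000_010)
    return honest, stale, forged


if __name__ == "__main__":
    print(demo())   # (1460, None, None)
```

The server keeps nothing between the SYN and the ACK: everything it needs to rebuild the connection (the MSS, and the proof that the peer saw the SYN-ACK) is carried in the 32-bit number the client echoes back. The cost is the loss of options that would have been negotiated in the SYN, which is why real stacks only switch to cookies once the half-open queue fills.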

Page 8: 426_Fall07_lect22


Smurf DoS Attack

• Send ping request to broadcast addr (ICMP Echo Req)
• Lots of responses:
  o Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  o Ping reply stream can overload victim

Prevention: reject external packets to broadcast address

Figure (attack flow):
  1. DoS Source → gateway: ICMP Echo Req, Src: DoS Target (spoofed), Dest: broadcast addr
  2. gateway delivers the request to every host on the network
  3. every host → DoS Target: ICMP Echo Reply, Dest: DoS Target
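The gateway rule from this slide as filter logic, run over a few constructed packets. This is an added example, not code from the lecture: the interface names, subnets and packets are made up for the demonstration, and the second rule (egress anti-spoofing, so that the site's own hosts cannot be the spoofing source of a Smurf against someone else) goes beyond the slide, which only states the ingress half.

```python
"""Gateway filter against Smurf amplification.

Added example, not from the lecture. Interface names, subnets and the sample packets
are constructed; verdict() applies the slide's rule (reject external packets addressed
to a broadcast address) plus, as the complementary check, egress anti-spoofing."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: the subnets behind this gateway, each a potential amplifier.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]
EXTERNAL_IF = "ext0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "icmp", "udp", ...
    icmp_type: int = 0     # 8 = Echo Request
    ingress: str = EXTERNAL_IF


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our subnets, or the limited
    broadcast 255.255.255.255."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or any(
        addr == net.broadcast_address for net in INTERNAL_NETS)


def verdict(pkt):
    """("drop", reason) or ("forward", None).

    Rule 1 (the slide's defence): nothing arriving from outside may be delivered to a
    broadcast address, so one spoofed Echo Request cannot fan out into a subnet of replies.
    Rule 2 (complementary, not on the slide): packets leaving us must carry one of our
    own source addresses, so our hosts cannot spoof a victim's address themselves."""
    if pkt.ingress == EXTERNAL_IF and is_directed_broadcast(pkt.dst):
        return "drop", "directed broadcast from external interface"
    if pkt.ingress != EXTERNAL_IF and not any(
            ipaddress.ip_address(pkt.src) in net for net in INTERNAL_NETS):
        return "drop", "spoofed source address on egress"
    return "forward", None


def amplification_factor(net):
    """Replies one Echo Request to net's broadcast address can trigger if every host
    answers: the subnet's usable host count."""
    return net.num_addresses - 2


SAMPLE = [  # constructed packets
    Packet("203.0.113.5", "192.0.2.255", "icmp", 8),             # classic Smurf trigger
    Packet("203.0.113.5", "192.0.2.10", "icmp", 8),              # ordinary ping, forwarded
    Packet("203.0.113.5", "198.51.100.127", "udp"),              # UDP to the /25 broadcast, same fan-out
    Packet("192.0.2.10", "203.0.113.5", "icmp", 8, "lan0"),      # legitimate outbound ping
    Packet("10.9.9.9", "203.0.113.5", "icmp", 8, "lan0"),        # inside host spoofing its source
]


def run():
    """Verdict for each sample packet, in order."""
    return [verdict(p)[0] for p in SAMPLE]
```

The filter keys on the destination being a directed broadcast of a subnet behind the gateway, not on ICMP specifically, because any protocol that elicits a reply fans out the same way. On the end hosts, Linux additionally refuses to answer broadcast pings when net.ipv4.icmp_echo_ignore_broadcasts is 1, which is the default on current distributions; the gateway rule still matters for hosts that do answer.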


Page 10: 426_Fall07_lect22


DDoS

• Example: TFN2K tool
  o UDP floods, SYN floods, ICMP floods, Smurf
  o Cryptographic authentication for commands sent from client (handler) to zombie
  o Use PING reply to communicate
  o Spoof source addresses of all communications → makes tracing difficult

Page 11: 426_Fall07_lect22


Hiding DDoS Attacks

• Reflection
  o Find big sites with lots of resources, send packets with spoofed source address, response goes to victim
    PING => PING response
    SYN => SYN-ACK

• Pulsing zombie floods
  o Each zombie active briefly, then goes dormant
  o Zombies taking turns attacking
  o Making tracing difficult

Page 12: 426_Fall07_lect22


Domain Name System

• Hierarchical Name Space

  root
   ├─ edu
   │   ├─ wisc
   │   ├─ ucb
   │   ├─ stanford
   │   │   ├─ cs
   │   │   │   └─ www   (www.cs.stanford.edu)
   │   │   └─ ee
   │   ├─ cmu
   │   └─ mit
   ├─ net
   ├─ org
   ├─ uk
   ├─ com
   └─ ca

Page 13: 426_Fall07_lect22


DNS Root Name Servers

• Hierarchical service
  o Root name servers for top-level domains
  o Authoritative name servers for subdomains
  o Local name resolvers contact authoritative servers when they do not know a name

Page 14: 426_Fall07_lect22


DNS Lookup Example

Client → Local DNS resolver:                       www.cs.stanford.edu ?
Local DNS resolver → root & edu DNS server:        www.cs.stanford.edu ?
root & edu DNS server → Local DNS resolver:        NS stanford.edu  (referral)
Local DNS resolver → stanford.edu DNS server:      www.cs.stanford.edu ?
stanford.edu DNS server → Local DNS resolver:      NS cs.stanford.edu  (referral)
Local DNS resolver → cs.stanford.edu DNS server:   www.cs.stanford.edu ?
cs.stanford.edu DNS server → Local DNS resolver:   www = IP addr
Local DNS resolver → Client:                       www = IP addr

Page 15: 426_Fall07_lect22


Caching

• DNS responses are cached
  o Quick response for repeated translations
  o Useful for finding servers as well as addresses
    NS records for domains

• Negative results are cached
  o Save time for nonexistent sites, e.g. misspelling

• Cached data periodically times out

Page 16: 426_Fall07_lect22


Lookup using cached DNS server

Client → Local DNS recursive resolver:                       ftp.cs.stanford.edu ?
  (root & edu DNS server and stanford.edu DNS server are not contacted: the NS record for cs.stanford.edu is already cached)
Local DNS recursive resolver → cs.stanford.edu DNS server:   ftp.cs.stanford.edu ?
cs.stanford.edu DNS server → Local DNS recursive resolver:   ftp = IP addr
Local DNS recursive resolver → Client:                       ftp = IP addr

Page 17: 426_Fall07_lect22


DNS Implementation Vulnerabilities

• DNS implementations have had the same kinds of vulnerabilities as other software
  o Reverse query buffer overrun in BIND Releases 4.9 (4.9.7 prior) and Releases 8 (8.1.2 prior)
    → gain root access
    → abort DNS service
  o MS DNS for NT 4.0 (service pack 3 and prior)
    → crashes on CHARGEN stream
    telnet ntbox 19 | telnet ntbox 53

• Moral
  o Better software quality is important
  o Defense in depth!

Page 18: 426_Fall07_lect22


Inherent DNS Vulnerabilities

• Users/hosts typically trust the host-address mapping provided by DNS

• Obvious problems
  o Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
  o Solution – authenticated requests/responses

Page 19: 426_Fall07_lect22


DNS cache poisoning

• DNS resource records (see RFC 1034)
  o An "A" record supplies a host IP address
  o An "NS" record supplies the name server for a domain

• Example: the attacker's name server for evil.org returns
  o www.evil.org NS ns.yahoo.com     // delegate to yahoo
  o ns.yahoo.com A 1.2.3.4           // address for yahoo's server, chosen by the attacker

• Result
  o If a resolver looks up www.evil.org, the evil name server gives the resolver address 1.2.3.4 for ns.yahoo.com, and a resolver that caches whatever it is sent keeps it
  o A later lookup of yahoo through the cache goes to 1.2.3.4
  o The record is outside the answering server's bailiwick (ns.yahoo.com is not under evil.org); resolvers that discard such records are not fooled by this version of the attack
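The lookup, caching and cache-poisoning slides above, worked as one runnable simulation. This is an added example, not the lecture's code and not any real resolver's: the zones, addresses and the in-memory `network` dict are constructed, and `AuthServer.query` stands in for a UDP exchange. The attacker's evil.org server carries exactly the slide's two records (www.evil.org NS ns.yahoo.com, ns.yahoo.com A 1.2.3.4). The `bailiwick_check` flag switches between an old resolver that caches any record it is sent and one that discards records for names outside the zone it was delegated to; the same resolver also shows NS caching and negative caching.

```python
"""Iterative DNS resolver with cache, negative cache and an optional bailiwick check.

Added example, not from the lecture. Zones, addresses and the in-memory network are
constructed; AuthServer.query stands in for a UDP exchange with a real server."""
import time

A, NS = "A", "NS"


def in_zone(name, apex):
    """True if name is at or below zone apex; "" is the root and contains everything."""
    return apex == "" or name == apex or name.endswith("." + apex)


class AuthServer:
    """Authoritative server for one zone. records: {name: [(type, rdata, ttl), ...]}."""

    def __init__(self, apex, records):
        self.apex, self.records = apex, records

    def _rrs(self, name, rtype):
        return [(name, t, r, ttl) for (t, r, ttl) in self.records.get(name, []) if t == rtype]

    def query(self, qname):
        """(answer, authority, additional), each a list of (name, type, rdata, ttl)."""
        if self._rrs(qname, A):
            return self._rrs(qname, A), [], []
        for zone in sorted(self.records, key=len, reverse=True):      # longest match first
            if zone != self.apex and in_zone(qname, zone) and self._rrs(zone, NS):
                glue = [g for (_, _, ns, _) in self._rrs(zone, NS) for g in self._rrs(ns, A)]
                return [], self._rrs(zone, NS), glue                   # referral
        return [], [], []                                              # name does not exist


class Resolver:
    def __init__(self, network, root_ip, bailiwick_check=True):
        self.network, self.root_ip, self.bailiwick_check = network, root_ip, bailiwick_check
        self.cache = {}       # (name, type) -> (rdata, expiry); rdata None = negative entry
        self.queries_sent = 0

    def _cached(self, name, rtype, now):
        hit = self.cache.get((name, rtype))
        return hit if hit and hit[1] > now else None

    def _learn(self, rr, zone, now):
        """Cache a record from a server we reached by a delegation for `zone`."""
        name, rtype, rdata, ttl = rr
        if self.bailiwick_check and not in_zone(name, zone):
            return                 # that server is not authoritative for this name: drop it
        if not self._cached(name, rtype, now):   # first record wins, as in old BIND caches
            self.cache[(name, rtype)] = (rdata, now + ttl)

    def resolve(self, qname, now=None, depth=0):
        now = time.time() if now is None else now
        hit = self._cached(qname, A, now)
        if hit or depth > 8:
            return hit[0] if hit else None
        labels, server_ip, zone = qname.split("."), self.root_ip, ""
        for i in range(len(labels)):      # closest enclosing zone we already know a server for
            z = ".".join(labels[i:])
            ns = self._cached(z, NS, now)
            glue = ns and self._cached(ns[0], A, now)
            if glue:
                server_ip, zone = glue[0], z
                break
        while True:
            self.queries_sent += 1
            answer, authority, additional = self.network[server_ip].query(qname)
            for rr in answer + authority + additional:
                self._learn(rr, zone, now)
            if answer:
                return answer[0][2]
            if not authority:
                self.cache[(qname, A)] = (None, now + 60)           # negative cache
                return None
            zone, ns_name = authority[0][0], authority[0][2]
            glue = self._cached(ns_name, A, now)      # a poisoned entry is used right here
            ip = glue[0] if glue else self.resolve(ns_name, now, depth + 1)
            if ip is None:
                return None
            server_ip = ip


def build_network():
    """root -> org -> evil.org (attacker) and root -> com -> yahoo.com. The evil.org
    server carries the slide's two records; 1.2.3.4 is the attacker's impostor."""
    return {
        "10.0.0.1": AuthServer("", {"org": [(NS, "ns.org", 3600)], "ns.org": [(A, "10.0.0.2", 3600)],
                                   "com": [(NS, "ns.com", 3600)], "ns.com": [(A, "10.0.0.3", 3600)]}),
        "10.0.0.2": AuthServer("org", {"evil.org": [(NS, "ns.evil.org", 3600)],
                                       "ns.evil.org": [(A, "10.0.0.4", 3600)]}),
        "10.0.0.3": AuthServer("com", {"yahoo.com": [(NS, "ns.yahoo.com", 3600)],
                                       "ns.yahoo.com": [(A, "10.0.0.5", 3600)]}),
        "10.0.0.4": AuthServer("evil.org", {"www.evil.org": [(NS, "ns.yahoo.com", 3600)],
                                            "ns.yahoo.com": [(A, "1.2.3.4", 86400)]}),
        "10.0.0.5": AuthServer("yahoo.com", {"www.yahoo.com": [(A, "10.0.0.7", 3600)]}),
        "1.2.3.4": AuthServer("yahoo.com", {"www.evil.org": [(A, "10.0.0.4", 3600)],
                                            "www.yahoo.com": [(A, "1.2.3.4", 3600)]}),
    }


def poison_demo(bailiwick_check):
    """Victim resolver visits www.evil.org once, then asks for www.yahoo.com."""
    r = Resolver(build_network(), "10.0.0.1", bailiwick_check)
    r.resolve("www.evil.org", now=0)
    return r.resolve("www.yahoo.com", now=1)
```

With `bailiwick_check=False` the resolver ends up at 1.2.3.4 for www.yahoo.com: the attacker's glue for ns.yahoo.com entered the cache during the www.evil.org lookup and, under first-record-wins, the genuine glue later handed out by the com server does not displace it. With the check on, the out-of-zone glue is never cached, the resolver looks up ns.yahoo.com on its own through com, and the yahoo answer is the real one. Resolving a nonexistent name twice shows the negative cache (no queries on the second call), and resolving it again after the negative entry expires shows the cached NS record at work (one query, straight to the yahoo.com server).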

Page 20: 426_Fall07_lect22


Pharming

• DNS poisoning attack (less common than phishing)
  o Change IP addresses to redirect URLs to fraudulent sites
  o Potentially more dangerous than phishing attacks
  o No email solicitation is required

• DNS poisoning attacks have occurred:
  o January 2005: the domain name for a large New York ISP, Panix, was hijacked to a site in Australia
  o November 2004: Google and Amazon users were sent to Med Network Inc., an online pharmacy
  o March 2003: a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"

Page 21: 426_Fall07_lect22


Bellovin/Mockapetris Attack

• Trust relationships use symbolic addresses
  o /etc/hosts.equiv contains friend.stanford.edu

• Requests come with numeric source address
  o Use reverse DNS to find symbolic name
  o Decide access based on /etc/hosts.equiv, …

• Attack
  o Spoof reverse DNS to make host trust attacker

Page 22: 426_Fall07_lect22


Reverse DNS

• Given numeric IP address, find symbolic addr
• To find 222.33.44.3,
  o Query 44.33.222.in-addr.arpa (octets reversed under in-addr.arpa; the PTR name for the host itself is 3.44.33.222.in-addr.arpa)
  o Get list of symbolic addresses, e.g.,
    1 server.small.com
    2 boss.small.com
    3 ws1.small.com
    4 ws2.small.com

Page 23: 426_Fall07_lect22


Attack

• Gain control of DNS service for evil.org
• Select target machine in good.net
• Find trust relationships
  o SNMP, finger can help find active sessions, etc.
  o Example: target trusts host1.good.net

• Connect
  o Attempt rlogin from coyote.evil.org
  o Target contacts reverse DNS server with IP addr
  o Use modified reverse DNS to say "addr belongs to host1.good.net"
  o Target allows rlogin

Page 24: 426_Fall07_lect22


Defense against this attack

• Double-check reverse DNS
  o Modify rlogind, rshd to query DNS server
  o See if symbolic addr maps to numeric addr
  o But then must deal with DNS cache poisoning …

• Authenticate entries in DNS tables
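The "double-check reverse DNS" defence, worked against the attack on the previous slides. This is an added example, not the lecture's code and not rlogind's: the PTR and A tables, the hosts.equiv contents and all addresses are constructed, each table standing for the answer the relevant zone's owner would give (the attacker controls the reverse zone for its own address block; good.net controls the forward zone for good.net names).

```python
"""Forward-confirmed reverse DNS for an rlogin-style trust check.

Added example, not from the lecture. PTR, A and HOSTS_EQUIV are constructed and stand
in for real lookups; coyote.evil.org (198.51.100.7) lies in its own reverse zone."""
import ipaddress

HOSTS_EQUIV = {"host1.good.net", "friend.stanford.edu"}

# Reverse zones (PTR). 198.51.100.0/24 is the attacker's block, so the attacker writes
# whatever it likes there; 192.0.2.0/24 belongs to good.net.
PTR = {
    "10.2.0.192.in-addr.arpa": "host1.good.net",
    "7.100.51.198.in-addr.arpa": "host1.good.net",   # coyote.evil.org claiming a trusted name
}

# Forward zones (A), answered by the zone of the *name*, which the attacker does not control.
A = {
    "host1.good.net": {"192.0.2.10"},
    "coyote.evil.org": {"198.51.100.7"},
}


def reverse_lookup(ip):
    """PTR name for ip via ipaddress.reverse_pointer (e.g. 4.3.2.1.in-addr.arpa)."""
    return PTR.get(ipaddress.ip_address(ip).reverse_pointer)


def naive_trusted(ip):
    """The original rlogind logic: trust whatever name the reverse zone hands back."""
    name = reverse_lookup(ip)
    return name is not None and name in HOSTS_EQUIV


def fcrdns_trusted(ip):
    """The double-check: the name must also map forward to the connecting address.

    The A lookup is answered by the name's own zone, so a lie in the reverse zone is
    caught, unless the resolver's cache for that forward name has itself been poisoned
    (the caveat on the slide)."""
    name = reverse_lookup(ip)
    if name is None or name not in HOSTS_EQUIV:
        return False
    return ip in A.get(name, set())


def audit():
    """(naive, double-checked) outcome for a legitimate peer, the attacker, and an
    address with no reverse entry at all."""
    return {ip: (naive_trusted(ip), fcrdns_trusted(ip))
            for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1")}
```

The attacker passes the naive check and fails the forward confirmation, because host1.good.net resolves to 192.0.2.10 and not to the connecting address. The check still rests on DNS answers being honest: an attacker who can poison the target's cached A record for host1.good.net (the previous slides) defeats it, which is why the slide's second bullet, authenticating DNS data, is the real fix.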

Page 25: 426_Fall07_lect22


Summary

• Smurf
  o Drop external packets to brdcst address

• SYN Flooding
  o SYN Cookies

• DNS attacks
  o Double-check reverse DNS
  o Authenticate entries in DNS tables
  o Do not trust addresses except from authoritative NS

Page 26: 426_Fall07_lect22


Coming Attractions …

• November 13:
  o Firewalls and Network Intrusion Detection Systems