A"acks'Against'The'DNS'

Dave'Piscitello'VP'Security'and'ICT'Coordina=on'27'June'2016'dave.piscitello@icann.org'

| 2

Introduction

•  VP'Security'and'ICT'Coordina=on,'ICANN'•  40'year'network'and'security'prac==oner'•  Roles'at'ICANN:'

•  Technology'Advisor'•  Threat'responder'•  Inves=gator'•  Researcher'

| 3

Part'1'

• How'does'the'DNS'work?'•  Overview'and'Examples'of'the'DNS'a"ack'landscape'

| 4

What Is The Domain Name System?

A'distributed'database'primarily'used'to'obtain'

'''the'IP'address,'a'number,'e.g.,'

''192.168.23.1'or'fe80::226:bbff:fe11:5b32'

'that'is'associated'with'a''

'

userYfriendly'name'(www.example.com)''!

'

| 5

The'formal'structure'of'the'DNS'database'is''an'inverted'tree'with'the'root'node'at'the'top'

'''''''''

' 5'

Each'node'has'a'label'

The'root'node'is'designated'using'a'termina=ng'�dot�'

3rdYlevel'node'

2ndYlevel'node' 2ndYlevel'node'

topYlevel'node'

3rdYlevel'node' 3rdYlevel'node'

2ndYlevel'node'

topYlevel'node'

2ndYlevel'node' 2ndYlevel'node'

topYlevel'node'

root'node'

The'DNS'is'a'public'name'space.'It'is'one'of'many!name'spaces'used'on'the'Internet.'

''''''''

'

Structure Of The Distributed DNS Database

| 6

Labels'And'Domain'Names'

Each'node'in'the'DNS'name'space'has'a'label'The'domain'name'of'a'node'is'a'list'of'the'labels'on'the'path'from'the'node'to'the'root'of'the'DNS'

6'

3rdYlevel'node'

2ndYlevel'node' 2ndYlevel'node'

topYlevel'node'

3rdYlevel'node' 3rdYlevel'node'

2ndYlevel'node'

topYlevel'node'

2ndYlevel'node' 2ndYlevel'node'

topYlevel'node'

root'node'

''''''

When'all'labels'are''present,'the'name'is'called'a''

FULLY%QUALIFIED%DOMAIN%NAME%(FQDN)%FQDNs'are'globally'unique'in'the'public'DNS'

'''

The'root'node''

�.”'Top'Level'Domain'

e.g.'COM'

2nd'Level'Domain'e.g.'

EXAMPLE'3rd'Level'Domain'

e.g.'WWW'

| 7

Opera=onal'Elements'Of'The'DNS'

•  Authorita=ve'Name'Servers'host'zone'data'–  The'set'of'“DNS'data”'that'the'registrant'publishes'

•  Recursive'Name'Resolvers'(“resolvers”)'–  Systems'that'find'answers'to'queries'for'DNS'data'

•  Caching'resolvers'–  Recursive'resolvers'that'find'and'store'answers''locally'for'“TTL”'period'of'=me''

•  Client'or'“stub”'resolvers'–  Sogware'in'applica=ons,'mobile'apps'or'opera=ng'systems'that'query'the'DNS'and'process'responses'

7'

| 8

DNS:'Internet’s'Directory'Assistance'

•  Client'“stub”'resolvers''ask'ques=ons'–  Sogware'in'applica=ons,'mobile'apps'or'opera=ng'systems'that'issue'DNS'queries'and'process'responses'

•  Recursive'name'resolvers'find'answers'to'queries'for'DNS'data'

8'

What'is'the'IPv6'address'for'

www.icann.org?'

dns1.icann.org

I’ll'find'that'answer'for'you'

My PC

| 9

The'Domain'Name''System'Is'“Directory'Assistance”'

How'does'a'resolver'find'the'IP'address'of'ICANN.ORG?'•  Resolvers'find'answers'by'asking'ques=ons'itera,vely'

9'

dns1.icann.org

m.root-servers.net Ask'root'name'servers'for''IPv6'address'of'ICANN.ORG'

Ask'a0.org.afiliasYnst.info''for'IPv6'address'of'

ICANN.ORG'

Here�s'a'list'of'ORG'TLD'name'servers.'''Ask'one'of'these.

Here�s'a'list'of'ICANN'name'servers.'''

Ask'one'of'these.

Ask'ns.icann.org'for''for'IPv6'address'of'

ICANN.ORG''

The'IPv6'adddress'of'www.icann.org'2001:500:88:200::7

a0.org.afilias-nst.info

ns.icann.org

| 10

What Is Caching?

•  Resolvers'may'cache'DNS'records'they'receive'from'other'name'servers'as'they'process'client'queries'–  Speeds'up'resolu=on'–  Saves'bandwidth'–  Responses'are'non2authorita9ve'

•  Are'cached'records'valid'forever?'– No.'The'=me'to'live'(TTL)'field'in'DNS'records'bounds'how'long'an'itera=ve'resolver'can'cache'that'par=cular'record'

10'

What'is'the'IPv6'address'of'

www.icann.org'

My local resolver

ICANN’s name server (authoritative)

www.icann.org'AAAA'2001:500:88:200::7'

I’ll'cache'this'response'

My PC

| 11

Summary

1 The DNS is a public, distributed database

2 The DNS allows us to use names rather than numbers to navigate the Internet

3 The operational elements of the DNS span from critical infrastructure to user devices

| 12

Agenda

•  How'does'the'DNS'work?'• A"acking'the'DNS'

| 13

Motives To Attack Or Exploit The DNS

Actors!have!specific!mo,ves!or!

incen,ves!to!a5ack!cri,cal!

cyber!infrastructures,!including!DNS!!

Where'are'cybercrime'and'espionage'in'this'diagram?'

| 14

DNS Attack Landscape Target% Authorita9ve%

Name%Server%Recursive%Resolver%

Stub%Resolver%

Access'bandwidth' ✔' ✔' ✔'Access'network'elements' ✔' ✔' ✔'NS'or'device:'

Hardware' ✔' ✔' ✔'OS'sogware'' ✔' ✔' ✔'Name'server'sogware' ✔' ✔'Cache' ✔' ✔'Applica=on'sogware' ✔'Administra=on' ✔' ✔' ✔'Configura=on' ✔' ✔' ✔'

| 15

Attacks Against Name Servers Or Recursors

•  “Exploit'to'fail”'Denial'of'Service'(DOS)'a"ack'•  “Exploit'to'own”'DOS'a"ack'•  Reflec=on'a"ack'•  Amplifica=on'a"ack'•  Distributed'DOS'a"ack'•  Cache'Poisoning'a"ack'•  Exhaus=on'a"ack'

Let’s!look!at!some!examples!

| 16

“Exploit To Fail” DOS Attack

•  Exploit'a'vulnerability'in'some'element'of'a'name'server'infrastructure'to'cause'interrup=on'of'name'resolu=on'service'

•  Example:'Malicious'DNS'message'injec=on'•  h"p://www.cvedetails.com/cve/CVEY2002Y0400/'

'Malformed'DNS'message,'e.g.,'CVEY2002Y0400'

A"acker' Name'Server'running'BIND'

Name'server'fails'when'it'processes'message'

| 17

“Exploit To Own” DOS Attack

•  Exploit'a'vulnerability'in'some'element'of'a'name'server'infrastructure'to'gain'system'administra=ve'privileges''

•  Example:'Arbitrary/remote'code'execu=on'•  h"p://www.kb.cert.org/vuls/id/844360'

Craged'DNS'Query,'e.g.,'VU#844360'

A"acker'Name'Server'running'BIND'

Message'causes'a'BUFFER!

OVERFLOW'A"acker'can'

execute'arbitrary'code'

| 18

Reflec=on'A"ack'

•  A"acker'spoofs'IP'address'of'targeted'host'

•  A"acker'sends'DNS'messages'to'recursor'

•  Recursor'sends'response'to'targeted'host'

•  Response'delivered'to'targeted'host'

A"acker' Open'Recursor'

DNS'Query'

Spoof'source'IP''of'target:'10.0.0.1'

Targeted'host''IP:'10.0.0.1'

| 19

Reflection And Amplification Attack •  A"acker'spoofs'

IP'address'of'targeted'host'

•  A"acker'sends'DNS'messages'to'recursor'that'elicits'a'LARGE'response'

•  Recursor'sends'LARGE'responses'to'targeted'host'

•  The'LARGE!responses'consume'target’s'resources'faster'

A"acker' Open'Recursor'

DNS'Query'

Spoof'source'IP''of'target:'10.0.0.1'

Targeted'host''IP:'10.0.0.1'

| 20

Distributed Reflection And Amplification Attack

•  Launch'reflec=on'and'amplifica=on'a"ack'from'1000s'of'origins'

•  Reflect'through'open'recursors'

•  Deliver'1000s'of'large'responses'to'target'

A"ackers' Open'Recursor'

All'sources'spoof'source''IP'of'target:'10.0.0.1'

Targeted'host''IP:'10.0.0.1'

DNS'Query'

DNS'Query'

DNS'Query'

| 21

Resource Depletion DOS Attack •  A"acker'sends'

flood'of'DNS'messages'over'TCP'from'spoofed'IP'address'of'target'

•  Name'server'allocates'resources'for'connec=ons'un=l'resources'are'exhausted'

•  Name'resolu=on'is'degraded'or'interrupted'

A"acker'Open'recursor'

TCP'SYN'

TCP'SYN'

Spoof'source'IP''of'target:'10.0.0.1'

Target'Host''IP:'10.0.0.1'

TCP'SYN'

| 22

Basic'Cache'Poisoning'

A"acker''– Launches'a'spam'campaign'where'spam'message'contains'h"p://loseweighqastnow.com'

– A"acker’s'name'server'will'respond'to'a'DNS'query'for'loseweightnow.com'with'malicious'data'about'ebay.com'

– Vulnerable'resolvers'add'malicious'data'to'local'caches'

– The'malicious'data'will'send'vic=ms'to'an'eBay'phishing'site'for'the'life=me'of'the'cached'entry'

22'

What'is'the'IPv4'address'for'loseweighqastnow.com'

My PC

My local resolver

ecrime name server

loseweighqastnow.com'IPv4'address'is'192.168.1.1''

ALSO%www.ebay.com*is*at*192.168.1.2'

I’ll'cache'this'response…'and'

update'www.ebay.com''

| 23

NXDOMAIN Cache Exhaustion

•  A"acker'floods'recursor'with'DNS'queries'for'nonYexistent'domain'names'

•  Recursor'a"empts'to'resolve'queries'and'adds'each'NXDOMAIN'answer'to'cache'

•  Recursor’s'cache'fills'with'useless'answers'•  Processing'of'legi=mate'DNS'queries'is'degraded'

A"acker' Recursor'Cache'fills'with'NXDOMAIN'answers'

DNS'query'for'nonYexistent'domain'DNS'query'for'nonYexistent'domain'DNS'query'for'nonYexistent'domain'

Phantom Domain Attack has similar effects

| 24

Attacks Against Stub Resolvers

•  Query'intercep=on'a"ack'•  DNS'Response'modifica=on''

– Also'called'Name'Error'resolu=on'

•  Configura=on'poisoning'a"ack'•  DNS'hostname'overflow'a"ack'

Let’s!look!at!some!examples'

| 25

Query Interception (DNS Hijacking)

6/27/16' 25'

•  A'man'in'the'middle'(MITM)'or'spoofing'a"ack'forwards'DNS'queries'to'a'name'server'that'returns'forge'responses'–  Can'be'done'using'a'DNS'proxy,'compromised'access'router'or'recursor,'ARP'poisoning,'or'evil'twin'Wifi'access'point'

Bank''Web''Site'Intended%path%for%online%banking%transac9ons%

Redirected%path%%Redire

cted%path%%

Fake'Bank''Web''Site'

Evil'Twin'AP'

A"acker’s'resolver'

Evil'twin'AP'or'compromised'router'

redirects'DNS'queries'to'a"acker’s'name'server'

A"acker’s'name'server'returns'fake'

bank'web'site'address'

| 26

Response Modification

•  Recursive'resolver'is'configured'to'return'IP'address'of'web,'payYperYclick,'or'search'page'when'it'receives'NXDOMAIN'response''

•  Also'used'by'ISPs'and'3rd'par=es'for'mone=zing'purposes'

example.com'Name'Server'

What'is'the'address'of'

ww.example.com?'

ww.example.com'does'not'exist'(NXDOMAIN)'

Address'of'ww.example.com'is'192.168.12.113'

Modified%response%path%%

192.168.12.113'

| 27

Configura=on'Poisoning:'DNSChanger'

A5acker'distributes'DNS'configura=on'altering'malware'via'•  Spam,'driveYby'download…'

DNSChanger!malware''•  Alters'DNS'configura=on'of'infected'PC'

•  Causes'all'requests'to'go'to'a'malicious'name'server'run'by'a"ackers'

•  A"acker'updates'malware'to'redirect'web'traffic'to'a'des=na=on'of'his'choosing' 27'Intended%path%to%local%recursive%resolver%

Your'recursive'resolver'is'

at'192.168.3.13'

DNSChanger'malware'

A"acker’s'resolver'sends'user'to'forged'web'sites'

192.168.3.13'

| 28

DNS Hostname Overflow Attack

•  A"acker'crags'response'message'containing''domain'name'>'255'bytes'

•  Vulnerable'client'queries'a"acker’s'name'server,'fails'to'check'hostname'length'in'response'

•  Buffer'overflow'allows'a'a"acker'to'gain'root'or'execute'arbitrary'commands'

A"acker’s'name'server'

A"acker’s'name'server'responds'with'hostname'>'

255'bytes'

DNS'query'

Client'induced'to'query'a"acker’s'name'server'(e.g.,'

spam,'URL)'

| 29

Domain Registration Hijacking

•  A"acker'compromises'registra=on'account,'e.g.,'–  Succeeds'with'brute'force,'social'engineering,'or'login'a"ack'–  Launches'a'registrar!impersona,on!phishing!a5ack!–  Compromise'gives'a"acker'administra=ve'control'over'

domains'registered'under'this'account''

•  A"acker'modifies/adds'name'server'record'for'domain''–  NS'record'that'is'published'in'TLD'zone''associates'domain’s'

name'server'with'IP'address'of'a"acker’s'host''

•  A"acker'publishes'“a"ack”'zone'data'''–  Resource'records'in'zone'data'support'phishing,'fraud,'or'

defacement'sites,'spam'mail'exchanges,'VoIP'servers…'Note:'An'a"acker'can'also'compromise'a'name'server'directly'

| 30

Summary

1 The'DNS'is'an'open'system'and'open!also!to!abuse!

2 The'DNS'is'a'cri=cal'Internet'database'and'thus'a'target'for'a"ack'

3 Any'element'of'the'DNS'may'be'exploited'to'facilitate'other'a"acks'

| 31

Reading List (Partial) Title% URL%

Top'10'DNS'a"acks' h"p://www.networkworld.com/ar=cle/2886283/security0/topY10YdnsYa"acksYlikelyYtoYinfiltrateYyourYnetwork.html'

Manage'your'domain'porqolio' h"p://securityskep=c.typepad.com/theYsecurityYskep=c/2014/01/avoidYrisksYmanageYyourYdomainYporqolio.html'

Securing'open'DNS'resolvers' h"p://www.gtri.com/securingYopenYdnsYresolversYagainstYdenialYofYserviceYa"acks/'

DNS'Tunneling' h"ps://www.cloudmark.com/releases/docs/whitepapers/dnsYtunnelingYv01.pdf'

DNS'cache'bus=ng' h"p://blog.cloudmark.com/2014/10/07/aYdnsYcacheYbus=ngYtechniqueYforYddosYstyleYa"acksYagainstYauthorita=veYnameYservers/'

DNS'Cache'Poisoning' h"p://www.securityskep=c.com/dnsYcacheYpoisoning.html'

Anatomy'of'a'DDOS'a"ack' h"p://www.securityskep=c.com/anatomyYofYdnsYddosYa"ack.html'

DNS'reflec=on'defense' h"ps://blogs.akamai.com/2013/06/dnsYreflec=onYdefense.html'

Protect'the'world'from'your'network' h"p://securityskep=c.typepad.com/theYsecurityYskep=c/2013/04/protec=ngYtheYworldYfromYyourYnetwork.html'

DNS'Traffic'Monitoring'Series' h"p://www.securityskep=c.com/2014/09/dnsYtrafficYmonitoringYseriesYatYdarkYreading.html'

Protect'your'DNS'servers'against'DDoS'a"acks'

h"p://www.gtcomm.net/blog/protec=ngYyourYdnsYserverYagainstYddosYa"acks/'

Fast'Flux'Botnet'Detec=on'in'Real=me' h"p://www.iis.sinica.edu.tw/~swc/pub/fast_flux_bot_detec=on.html'

DNS'resource'exhaus=on' h"ps://www.cloudmark.com/releases/docs/whitepapers/dnsYresourceYexhaus=onYv01.pdf'

| 32

My Contact Info: dave.piscitello@icann.org @securityskeptic www.securityskeptic.com about.me/davepiscitello

Thank You and Questions

Ques=ons?'

Contact'ICANN:'engagement@icann.org'@icann'icann.org'safe.mn/icannsecurityteam'