fsec_20120919_dns cyber weapon of mass destruction_bojanzdrnja

Upload: bojanz99

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 FSEC_20120919_DNS Cyber Weapon of Mass Destruction_BojanZdrnja

    Slide 1/17

    DNS
    Cyber Weapon of Mass Destruction

    Bojan Ždrnja, CISSP, GCIA, GCIH
    bojan.zdrnja@infigo.hr

    INFIGO IS http://www.infigo.hr

    Slide 2/17: Agenda

    DNS and its criticality
    DNS as a weapon
    Denial of Service attacks
    Covert data transfer
    How to improve DNS security?

    Slide 3/17

    Slide 4/17: Domain name system (DNS)

    Original specification limited DNS UDP packets to 512 bytes
    If larger, use TCP
    But with TCP we cannot spoof packets
    RFC 2671 Extension Mechanisms for DNS (EDNS0)
    Signalized by an OPT pseudo-RR in the additional data section
    i.e. var: OPT UDPsize (the OPT RR's CLASS field carries the sender's maximum UDP payload size)
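To make the OPT signalling concrete, this added Python example (not from the slides) builds a query with and without an EDNS0 OPT RR and reads the advertised payload size back, which is the value a responder uses to decide how large a UDP reply it may send. The function names are my own.

```python
import struct

# RFC 2671 (EDNS0): the OPT pseudo-RR sits in the additional section. Its NAME is
# the root (one 0x00 byte), TYPE is 41 and the CLASS field carries the sender's
# maximum UDP payload size; without it a responder must stay within 512 bytes.
OPT_TYPE = 41
CLASSIC_UDP_LIMIT = 512


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """Return the UDP payload size advertised by an OPT RR, or None if there is none."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            return rclass                  # for OPT, CLASS is the UDP payload size
        off += 10 + rdlen
    return None


def max_udp_response(msg):
    """Largest UDP reply a responder may send for this query."""
    return edns_udp_size(msg) or CLASSIC_UDP_LIMIT


def build_query(qname, qtype=1, udp_size=None):
    """Construct a minimal DNS query; add an EDNS0 OPT RR when udp_size is given."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)
    if udp_size:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg
```

Logging the advertised size per client is a cheap way for a resolver operator to see how much amplification a given query stream could obtain.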

    Slide 5/17: Denial of Service attacks with DNS

    DNS is a critical part of the Internet (again)
    We cannot live without it
    And the attackers love it
    UDP datagrams
    "The god-king has betrayed a fatal flaw: Hubris."
    "Easy to taunt, easy to trick."
    UDP can be easily spoofed
    Any ISPs doing egress filtering? Thought not.
    Set SourceIP to that of the target
    Set DestinationIP of (a) DNS server
    Set DestinationPort to 53
    Fire a request & forget

    Slide 6/17: Denial of Service attacks with DNS

    This allows us to be almost anonymous
    But provides another goal for an attacker:
    Amplification
    Idea is very simple (Smurf-like attacks)
    Send a (relatively small) DNS query
    Get a (large) DNS reply
    Spoof the sender's IP address

    Slide 7/17: Denial of Service attacks with DNS

    Wait, what about EDNS0?
    Send a small DNS query (80 bytes)
    Get a large DNS reply (8 Mbit of queries generates 120 Mbit of responses)
    What can the attackers use?
    Open resolvers
    Perfect
    Get them to cache a large response (maybe even attacker generated)
    Fire at will
    Any DNS server really
    As long as the response is large enough

    Slide 8/17: Denial of Service attacks with DNS

    Best (or worst, depending on POV) records to use
    Find large TXT records
    Attackers often use TXT, even generate their own
    Abuse DNSSEC
    Good for amplification due to large records for DNSKEY or RRSIG resource records
    Quite often isc.org gets picked
    Is it difficult to find open resolvers?
    Unfortunately not
    Some research says that there are more than 500,000 open resolvers on the Internet

    Slide 9/17: Denial of Service attacks with DNS

    How can we protect ourselves?
    Difficult
    Make sure you have your upstream ISP's contacts handy
    In emergencies block responses with source port 53
    This will block your legitimate DNS responses as well
    What if they use us as a reflector?
    Do not run an open resolver
    See Paul Vixie's Response Rate Limiting patches for BIND 9
    Not in standard BIND releases yet
    Available at http://www.redbarn.org/dns/ratelimits
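The idea behind response rate limiting, as an added Python model that is not the BIND RRL code: identical responses towards one client netblock are capped per second, and excess answers are dropped or sent truncated so a real client falls back to TCP while a spoofed victim gets no amplified traffic. The plain token-bucket accounting, the /24 key and the names are my assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    """Simplified model of response rate limiting (assumption: a plain token bucket,
    not BIND's exact accounting). Identical responses towards one client /24 are
    limited to `rate` per second. Excess responses are dropped, except that every
    `slip`-th one is answered truncated (TC=1) so a genuine client retries over TCP,
    while a spoofed victim receives only a tiny packet instead of the amplified reply.
    """

    def __init__(self, rate=5, slip=2):
        self.rate = float(rate)
        self.slip = slip
        self.buckets = {}                      # key -> (balance, last_seen)
        self.excess = defaultdict(int)         # key -> number of over-limit responses

    @staticmethod
    def key(client_ip, qname, qtype):
        # Key on the client's /24 plus the response identity; in a reflection flood
        # the "client" is the spoofed victim, so the victim's netblock gets protected.
        net = ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one would-be response."""
        k = self.key(client_ip, qname, qtype)
        balance, last = self.buckets.get(k, (self.rate, now))
        balance = min(self.rate, balance + (now - last) * self.rate)   # refill
        if balance >= 1:
            self.buckets[k] = (balance - 1, now)
            return "send"
        self.buckets[k] = (balance, now)
        self.excess[k] += 1
        return "slip" if self.excess[k] % self.slip == 0 else "drop"


def summarize(limiter, events):
    """Feed (time, client_ip, qname, qtype) events through the limiter and count outcomes."""
    counts = {"send": 0, "slip": 0, "drop": 0}
    for now, client_ip, qname, qtype in events:
        counts[limiter.decide(now, client_ip, qname, qtype)] += 1
    return counts


# Constructed sample: 20 identical ANY queries within one second, all carrying the
# (spoofed) source 192.0.2.7, as an authoritative server would see a reflection flood.
FLOOD = [(0.0, "192.0.2.7", "example.net", "ANY")] * 20
```

With the defaults, `summarize(ResponseRateLimiter(), FLOOD)` sends only the first five answers; the rest are dropped or slipped, which is what keeps a server from being a useful reflector.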

    Slide 10/17: DNS for covert traffic

    Tunneling traffic over DNS is an old and well known technique
    Often used to escape from walled gardens
    I.e. hotel or airport networks
    Requires a special DNS client and server
    Simple operation
    Encode sent data in queries
    Encode received data in responses
    Poor man's File Transfer via DNS by Johannes @ Internet Storm Center:
    http://isc.sans.edu/diary.html?storyid=1030

    Slide 11/17: DNS for C&C traffic

    Several botnets use DNS for communication to C&C servers
    DNS is always allowed: perfect
    DNS is rarely monitored: perfect
    Feederbot botnet
    Uses DNS TXT resource records for data transfer
    Reply payload gets RC4 encrypted
    A CRC32 header is added
    The whole package is now Base64 encoded
    This forms the DNS TXT response

    Slide 12/17: DNS for C&C traffic

    The Morto worm uses DNS for C&C traffic too
    Got famous because it is an RDP worm
    Also interesting because it saves encrypted payload in registry
    No files
    Similarly to Feederbot uses TXT resource records for communication
    We can expect more in the future
    Or funny concepts such as using Twitter as C&C

    Slide 13/17: What to do to improve DNS security?

    We should work on implementing DNSSEC
    Keep in mind that it has nothing to do with described attacks
    It just makes sure that you got the right answers
    .hr is still not signed
    Some statistics:
    315 TLDs in the root zone in total today
    99 TLDs are signed
    Make sure you are not running an open resolver
    They really create problems

    Slide 14/17: What to do to improve DNS security?

    For companies: implement proper DNS architecture
    Remember that DNS is a critical part of your infrastructure
    Use a split DNS setup:
    One external DNS server serving only your public DNS zones
    One internal DNS server
    This one never issues requests directly but instead forwards them to the external server for resolution
    Keep your DNS servers up to date

    Slide 15/17: What to do to improve DNS security?

    Implement advanced features that BIND supports:
    DNS Response Policy Zones (RPZ)
    Allow you to trigger policy by query names, addresses in responses or name of authoritative servers
    Response policy can cause several actions
    With DNS RPZ you can "poison" domain names or IP addresses
    Awesome for preventing your client machines from contacting known C&C servers
    Can be used to create walled gardens
    More information at https://kb.isc.org/category/110/0/10/SoftwareProducts/BIND9/Features/DNSRPZ/

    Slide 16/17: What to do to improve DNS security?

    Monitor DNS
    Too often DNS is not monitored at all
    Many, many benefits of monitoring DNS
    Identify internal clients which are resolving known bad names like C&C servers
    These are potentially infected
    Identify spamming machines
    Early warning system for phishing
    Utilize passive DNS features
    See my paper "Passive monitoring of DNS anomalies" at
    http://www.caida.org/publications/papers/2007/dns_anomalies/dns_anomalies.pdf
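The monitoring points from this slide and the covert-traffic slides, as an added Python example that is not part of the talk: it parses constructed BIND-style query log lines, flags internal clients that resolved a known C&C name, and flags tunnel-like queries by the length and entropy of the leftmost label. The log lines, the blocklist and the thresholds are all constructed here.

```python
import math
import re
from collections import Counter

# Constructed BIND 9-style query log lines; not captured from any real network.
LOG_LINES = """\
client 10.1.2.30#41233: query: www.example.com IN A + (10.1.2.1)
client 10.1.2.31#51000: query: badguy.example IN TXT + (10.1.2.1)
client 10.1.2.31#51001: query: badguy.example IN TXT + (10.1.2.1)
client 10.1.2.44#40112: query: mx.example.org IN MX + (10.1.2.1)
client 10.1.2.50#60003: query: 3f9a1c7e2b84d0f6a5c39e1b7d2f4a8c.tunnel.example IN TXT + (10.1.2.1)
client 10.1.2.50#60004: query: 9e0b5d3a7f1c2e6b8a4d0f3c5e7a9b1d.tunnel.example IN TXT + (10.1.2.1)
""".splitlines()

# Constructed list of known C&C names; in practice it comes from threat intel or the same feed an RPZ would use.
KNOWN_BAD = {"badguy.example"}

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse(line):
    """Extract client IP, query name and query type from one log line (None if it does not match)."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(qname, qtype, min_label=30, min_entropy=3.5):
    """Tunnels carry data in the leftmost label: long, close to random, usually TXT/NULL/CNAME."""
    label = qname.split(".")[0]
    return qtype in {"TXT", "NULL", "CNAME"} and len(label) >= min_label and entropy(label) >= min_entropy


def analyze(lines):
    """Return (clients that resolved known-bad names, tunnel-like query count per client)."""
    infected, tunnel_counts = set(), Counter()
    for line in lines:
        q = parse(line)
        if q is None:
            continue
        if q["qname"].lower().rstrip(".") in KNOWN_BAD:
            infected.add(q["ip"])
        if looks_like_tunnel(q["qname"], q["qtype"]):
            tunnel_counts[q["ip"]] += 1
    return infected, tunnel_counts
```

Both signals are cheap to compute from a query log and, combined with an RPZ feed for the blocklist, give the "which internal client is talking to a C&C" answer the slide asks for.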

    Slide 17/17

    Thank you for your attention