PLNOG14: DNS, or what's new in the world of DNS-osaurs - Adam Obszyński
TRANSCRIPT
2 | © 2015 All Rights Reserved.
Agent’a (Agenda)
In previous episodes. Or how things used to be.
Section „Q”. Will there be any new toys, or cookies?
Licence to kill. Modern-day bacteria and viruses.
Her Majesty Popularity. New domains and interesting collisions.
History – a very short one
• 1971 – /etc/hosts & FTP…
• 1983 – DNS introduced (RFC 882/883)
• 1996 – DNS NOTIFY & IXFR (RFC 1995/1996) – the second generation
• 1997 – Dynamic Updates in the DNS (RFC 2136) – the third generation
• 1997 – google.com registered!
• Then the DNSSEC era begins (RFC 2535 in 1999, reworked as RFC 4033–4035 in 2005)…
Cookies
http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html
DNS Cookies
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-00, around since November 2006 (the mechanism was later standardised as RFC 7873 in 2016: EDNS option code 10, BADCOOKIE as extended RCODE 23, and the error-code field dropped from the option)
DNS Cookies
• Provide weak authentication of queries and responses. The weak brother of TSIG.
• No protection against “in-line” attackers: anyone who can see the plain-text queries and responses can read and reuse the cookies.
• Require no setup or configuration, just protocol behaviour.
• Intended to greatly reduce:
  – forged-source-IP traffic amplification DoS attacks,
  – forged-source-IP recursive-server workload DoS attacks,
  – forged-source-IP reply cache poisoning attacks.
DNS COOKIE Option
• A new Option in the OPT RR (EDNS(0)); in draft -00 the OPTION-DATA is two 64-bit cookies plus a 16-bit error code, 18 octets in total

                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        OPTION-CODE TBD        |      OPTION-LENGTH = 18       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Resolver Cookie upper half                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Resolver Cookie lower half                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Server Cookie upper half                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Server Cookie lower half                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Error Code           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Resolver & Server views
Resolver:
Resolver puts a COOKIE in queries with
- a Resolver Cookie that varies with the server
  – truncated HMAC(server-IP-address, resolver secret)
- the cached Server Cookie for that server, if it has one
Resolver ignores all replies that do not carry the correct Resolver Cookie
Resolver caches the new Server Cookie and retries the query if it gets a Bad Cookie error with a correct Resolver Cookie
Server:
Server puts a COOKIE in replies with
- a Server Cookie that varies with the resolver
  – truncated HMAC(resolver-IP-address, server secret)
- the Resolver Cookie, if there was one in the corresponding query
Example
Resolver → Server:   Query:       RC:123, SC:???, E:0      (no Server Cookie cached yet)
Server → Resolver:   ErrReply:    RC:123, SC:789, E:BadC   (resolver now caches SC:789 for this server)
Resolver → Server:   Query:       RC:123, SC:789, E:0
Server → Resolver:   AnsReply:    RC:123, SC:789, E:0      (full answer)
Attacker → Resolver: ForgedReply: RC:???, SC:???, E:0      (dropped: the attacker cannot guess RC:123)
Attacker → Server:   ForgedQuery: RC:XYZ, SC:???, E:0      (source address spoofed as the resolver)
Server → Resolver:   ErrReply:    RC:XYZ, SC:789, E:BadC   (small error reply, not a full answer; the resolver ignores it because RC:XYZ is not its cookie)
Resolver state after the exchange: RC:123 towards this server, cached SC:789.
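The exchange above, modelled as an added example (this is not code from the talk or from any resolver implementation): both sides mint cookies exactly as the slides describe, 8-byte truncated HMACs of the peer address under a local secret, the server answers only when the query carries the Server Cookie it would mint for that source address, and the resolver drops any reply whose Resolver Cookie is not its own. HMAC-SHA256, the numeric BADCOOKIE error value and the addresses are assumptions of the example; the draft left the error and option codes TBD.

```python
"""Model of the DNS Cookie exchange from the slides (draft-eastlake-dnsext-cookies-00).

Resolver Cookie = truncated HMAC(server IP, resolver secret)
Server Cookie   = truncated HMAC(resolver IP, server secret)
HMAC-SHA256 and the BADCOOKIE error value are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COOKIE_LEN = 8          # 64-bit cookies, as in the option layout on the slide
OK, BADCOOKIE = 0, 1    # error-code values (assumed; the draft says TBD)


def truncated_hmac(secret: bytes, peer_ip: str) -> bytes:
    """Cookie = first 8 bytes of HMAC-SHA256(secret, peer IP address)."""
    return hmac.new(secret, peer_ip.encode(), hashlib.sha256).digest()[:COOKIE_LEN]


@dataclass
class CookieOption:
    """The COOKIE option: RC, SC (None == '???' on the slide) and error code."""
    resolver_cookie: bytes
    server_cookie: Optional[bytes]
    error: int = OK


@dataclass
class Resolver:
    ip: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    cached_sc: Dict[str, bytes] = field(default_factory=dict)   # server IP -> SC

    def resolver_cookie_for(self, server_ip: str) -> bytes:
        return truncated_hmac(self.secret, server_ip)

    def build_query(self, server_ip: str) -> CookieOption:
        return CookieOption(self.resolver_cookie_for(server_ip), self.cached_sc.get(server_ip))

    def accept_reply(self, server_ip: str, reply: CookieOption) -> str:
        """'ignored' (forged), 'retry' (learned a new SC) or 'answer'."""
        if not hmac.compare_digest(reply.resolver_cookie, self.resolver_cookie_for(server_ip)):
            return "ignored"            # wrong RC: not a reply to one of our queries
        if reply.error == BADCOOKIE:
            self.cached_sc[server_ip] = reply.server_cookie
            return "retry"
        return "answer"


@dataclass
class Server:
    ip: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def server_cookie_for(self, resolver_ip: str) -> bytes:
        return truncated_hmac(self.secret, resolver_ip)

    def handle_query(self, src_ip: str, query: CookieOption) -> Tuple[str, CookieOption]:
        """Answer only if the query carries the SC we mint for src_ip; otherwise
        send a small BADCOOKIE error (no amplification, no cacheable data)."""
        sc = self.server_cookie_for(src_ip)
        reply = CookieOption(query.resolver_cookie, sc)     # echo RC, attach SC
        if query.server_cookie is None or not hmac.compare_digest(query.server_cookie, sc):
            reply.error = BADCOOKIE
            return "badcookie", reply
        return "answer", reply


def legitimate_exchange(resolver: Resolver, server: Server) -> List[str]:
    """The four messages on the slide: query, BadC error, retried query, answer."""
    trace = []
    for _ in range(2):
        kind, reply = server.handle_query(resolver.ip, resolver.build_query(server.ip))
        trace += [kind, resolver.accept_reply(server.ip, reply)]
    return trace        # ['badcookie', 'retry', 'answer', 'answer']


def forged_reply_is_ignored(resolver: Resolver, server: Server) -> bool:
    """Off-path attacker guessing RC/SC: the resolver drops the reply."""
    forged = CookieOption(b"\x00" * COOKIE_LEN, b"\x00" * COOKIE_LEN)
    return resolver.accept_reply(server.ip, forged) == "ignored"


def spoofed_query_gets_no_answer(resolver: Resolver, server: Server) -> Tuple[str, str]:
    """Attacker spoofs the resolver's address with RC:XYZ: the server emits only a
    BADCOOKIE error towards the real resolver, which ignores it (RC mismatch)."""
    spoofed = CookieOption(b"XYZXYZXY", None)
    kind, reply = server.handle_query(resolver.ip, spoofed)
    return kind, resolver.accept_reply(server.ip, reply)


if __name__ == "__main__":
    r, s = Resolver("192.0.2.10"), Server("198.51.100.53")
    print(legitimate_exchange(r, s))
    print(forged_reply_is_ignored(r, s), spoofed_query_gets_no_answer(r, s))
```

The point the model makes concrete: a spoofed query costs the server one short error reply rather than a full (possibly amplified) answer, and a forged reply has to guess 64 bits of Resolver Cookie to be considered at all. It does nothing for an on-path attacker who can read the cookies off the wire, which is exactly the "weak brother of TSIG" caveat above.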
DNSSEC & DANE::SMIME
https://tools.ietf.org/html/draft-ietf-dane-smime-07
Given that the DNS administrator for a domain name is authorized to give identifying information about the zone, it makes sense to allow that administrator to also make an authoritative binding between email messages purporting to come from the domain name and a certificate that might be used by someone authorized to send mail from those servers. The easiest way to do this is to use the DNS.
The SMIMEA DNS resource record (RR) is used to associate an end entity certificate or public key with the associated email address, thus forming a "SMIMEA certificate association".
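How an SMIMEA record is derived and checked, as an added example (not the draft's text or any mail software's code). The owner-name rule follows the form published later as RFC 8162: SHA2-256 of the local-part, truncated to 28 octets and hex-encoded, under the `_smimecert` label; the draft linked above predates that final form. The usage/selector/matching-type codes mirror TLSA (RFC 6698). The certificate bytes and the mailbox hugh@example.com are constructed.

```python
"""SMIMEA record construction and check (added example, RFC 8162 owner-name rule).
The certificate bytes used below are constructed, not a real certificate.
"""
import hashlib
from dataclasses import dataclass

# Field semantics mirror TLSA (RFC 6698):
#   usage    3 = DANE-EE (trust exactly this end-entity cert/key)
#   selector 0 = full DER certificate, 1 = SubjectPublicKeyInfo only
#   matching 0 = exact data, 1 = SHA2-256, 2 = SHA2-512
MATCHERS = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}


@dataclass(frozen=True)
class SMIMEA:
    usage: int
    selector: int
    matching: int
    cad: bytes          # certificate association data


def smimea_owner_name(email: str) -> str:
    """Mailbox -> fully qualified owner name of its SMIMEA record.
    The local-part is hashed as written; any case-folding policy for mailboxes
    is left to the administrator (assumption of this example)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]   # 28 octets -> 56 hex chars
    return f"{digest.hex()}._smimecert.{domain.strip('.').lower()}."


def smimea_record(selected: bytes, usage: int = 3, selector: int = 0, matching: int = 1) -> SMIMEA:
    """'selected' is the DER certificate (selector 0) or its DER SubjectPublicKeyInfo
    (selector 1); extracting the SPKI needs an ASN.1 parser and is out of scope here."""
    if usage not in range(4) or selector not in (0, 1) or matching not in MATCHERS:
        raise ValueError("bad SMIMEA parameters")
    return SMIMEA(usage, selector, matching, MATCHERS[matching](selected))


def presentation(owner: str, rec: SMIMEA) -> str:
    """Zone-file line: '<hash>._smimecert.example.com. IN SMIMEA 3 0 1 <hex>'."""
    return f"{owner} IN SMIMEA {rec.usage} {rec.selector} {rec.matching} {rec.cad.hex()}"


def matches(rec: SMIMEA, presented: bytes) -> bool:
    """Does the certificate (or SPKI) carried in a signed message match the record?
    Only meaningful once the record itself has been validated with DNSSEC."""
    return MATCHERS[rec.matching](presented) == rec.cad


if __name__ == "__main__":
    fake_cert = b"\x30\x82\x01\x00constructed-not-a-real-certificate"   # constructed sample
    owner = smimea_owner_name("hugh@example.com")
    rec = smimea_record(fake_cert)
    print(presentation(owner, rec))
    print(matches(rec, fake_cert), matches(rec, fake_cert + b"tampered"))
```

Publishing the record is only half of it: without a DNSSEC-validated answer the client has no reason to trust the association, which is why the slides pair DANE with DNSSEC rather than presenting it on its own.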
DNSSEC & DANE::SMIME
Tests:
DANE / TLS:
https://www.had-pilot.com/dane/danelaw.html
SMIME & DANE:
https://dane.sys4.de/smtp/mail.unitybox.de
Evolution of DNS DDoS Attacks
• DNS based DDoS attacks are constantly evolving
Registrar / NIC
• Get registrar account access
• Change NS + add a nice TTL ;-)
Phantom Domain
• “Phantom” domains don’t respond
• Servers keep waiting
Domain Lock-up
• Misbehaving domains lock up DNS resolvers with open connections
• Resource exhaustion
CPE Botnet Based
• Botnets launch attacks on one specific target
• Target domain DDoS’d, resolver resources exhausted
Random Sub-domain / NXD
• Uses randomly generated strings
• Exhausts the limit on outstanding DNS queries
.MYNIC Registrar case
By Hasnul Hasan, ICANN 49
+
Monitor YOUR delegations …. from outside ;-)
Basic NXDOMAIN Attack
• The attacker sends a flood of queries to a DNS server for non-existent domain names.
• The recursive server tries to locate each non-existent name by sending multiple queries towards the authoritative servers, and does not find it.
• In the process, its cache fills up with NXDOMAIN results.
Impact:
• Slower DNS server response time for legitimate requests
• The DNS server also spends valuable resources as it keeps repeating the recursive lookups to get a resolution result.
Random Subdomain Attack (Slow Drip)
• Infected clients create queries by prepending randomly generated subdomain strings to the victim’s domain, e.g. xyz4433.plnog.pl
• Each client may send only a small volume of these queries to the DNS recursive server
• Harder to detect
• Many such infected clients send these requests
Impact
• Responses may never come back for these non-existent subdomains
• The DNS recursive server waits for the responses; its outstanding-query limit is exhausted
• The target domain’s authoritative servers experience a DDoS
How the attack works
Bot/bad clients → queries with random strings prefixed to the victim’s domain (e.g. xyz4433.plnog.pl) → DNS recursive servers (ISP) → flood of queries for non-existent subdomains → victim domain (e.g. plnog.pl)
Result: DDoS on the target victim, and resource exhaustion on the recursive servers
Domain Lock-up Attack
• Attackers set up domains and name servers that establish TCP-based connections with DNS resolvers
• When a DNS resolver requests a response, these domains send “junk” or random packets to keep it engaged
• They are also deliberately slow to respond, keeping the resolvers engaged. This effectively locks up the DNS server’s resources.
Impact
• A DNS resolver that establishes these connections with the misbehaving domains exhausts its resources
Botnet Based Attacks from CPE Devices
• Random Subdomain attacks that use botnets to target all traffic at one site or domain
• The attack involves compromised devices such as CPE switches and routers
  • Supplied by ISPs
  • Supplied by the customer
• These malware-infected CPE devices form a botnet that sends DDoS traffic to, say, xyz123.plnog.pl
Impact
• The victim domain experiences a DDoS
• DNS resolver resources are exhausted
• When CPE devices are compromised, many other bad things can happen, e.g.
  • SSL proxy – theft of login credentials etc.
  • Launch point for attacks against customer PCs and environments, i.e. expanding the compromise
Phantom Domain Attack
• “Phantom” domains are set up as part of the attack
• The DNS resolver tries to resolve multiple domains that are phantom domains
• These phantom domains may not send responses, or they respond slowly
Impact
• The server consumes resources while waiting for responses, eventually leading to degraded performance or failure
• Too many outstanding queries
Newest Attacks – What can you do?
#1 Upstream delays
• For traffic to “slow” servers and zones (NS): any server that has exceeded the responsiveness limit should be sent fewer queries (in BIND 9.10 this is the fetches-per-server / fetches-per-zone quota)
#2 Recursive timeout
• The timeout for recursive name lookups should be lowered to free up DNS resolver resources (BIND: resolver-query-timeout)
• Prevents maxing out the number of outstanding DNS queries
#3 Dynamic limiting of bad clients
• If a client generates too many costly responses (NXDOMAIN, NXRRset, ServFail), drop or limit its traffic
#4 Block or blacklist
• You have to wait for a user call or observe syslog
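Mitigation #3, together with the random-subdomain picture from the earlier slides, as detection logic over resolver logs; this is an added example, not the speaker's or any vendor's code. The log line format, the addresses and the names are constructed. It shows why a per-client limit on costly responses is not enough on its own: twenty bots each send five queries, below any sensible per-client threshold, yet aggregating high-entropy NXDOMAIN labels per zone exposes the slow drip against plnog.pl while still catching the single noisy flooder.

```python
"""Added example: finding NXDOMAIN flooders and random-subdomain ('slow drip')
targets in recursive-resolver logs.
Constructed line format: '<unix-seconds> <client-ip> <qname> <rcode>'.
"""
import math
import random
import string
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set


class Record(NamedTuple):
    ts: float
    client: str
    qname: str
    rcode: str


COSTLY = {"NXDOMAIN", "SERVFAIL", "NODATA"}    # the slide's NXDOMAIN, NXRRset, ServFail


def parse_log(text: str) -> List[Record]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            out.append(Record(float(ts), client, qname.lower().rstrip("."), rcode.upper()))
    return out


def costly_clients(records: List[Record], window: float = 60.0, threshold: int = 20) -> Set[str]:
    """Mitigation #3: clients with >= threshold costly responses inside any
    'window' seconds are candidates for dropping or rate-limiting."""
    times = defaultdict(list)
    for r in records:
        if r.rcode in COSTLY:
            times[r.client].append(r.ts)
    bad = set()
    for client, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):              # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(client)
                break
    return bad


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a label: random strings score
    high, 'www' scores 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def random_subdomain_targets(records: List[Record], min_names: int = 50,
                             min_entropy: float = 2.5) -> Dict[str, int]:
    """Zones under which many distinct, high-entropy leftmost labels got NXDOMAIN.
    Aggregating per zone catches the slow drip that per-client limits miss."""
    labels = defaultdict(set)
    for r in records:
        parts = r.qname.split(".")
        if r.rcode == "NXDOMAIN" and len(parts) >= 3:
            labels[".".join(parts[-2:])].add(parts[0])
    return {zone: len(ls) for zone, ls in labels.items()
            if len(ls) >= min_names
            and sum(label_entropy(l) for l in ls) / len(ls) >= min_entropy}


def build_sample_log(seed: int = 7) -> str:
    """Constructed traffic: one legitimate client, one noisy NXDOMAIN flooder and
    twenty slow-drip bots that each stay below the per-client threshold."""
    rng = random.Random(seed)

    def rand_label() -> str:
        return "".join(rng.choices(string.ascii_lowercase + string.digits, k=12))

    lines = [f"{t:.1f} 192.0.2.10 {n} NOERROR"
             for t, n in zip(range(0, 300, 30), ["www.plnog.pl", "mail.plnog.pl"] * 5)]
    lines.append("15.0 192.0.2.10 wwww.example.org NXDOMAIN")            # a typo, not an attack
    lines += [f"{100 + i * 0.5:.1f} 198.51.100.7 {rand_label()}.example.net NXDOMAIN"
              for i in range(60)]                                        # 60 NXDOMAIN in 30 s
    for bot in range(20):                                                # 20 bots x 5 queries
        lines += [f"{bot * 15 + k * 3:.1f} 203.0.113.{bot + 1} {rand_label()}.plnog.pl NXDOMAIN"
                  for k in range(5)]
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("limit these clients:", sorted(costly_clients(recs)))
    print("zones under random-subdomain attack:", random_subdomain_targets(recs))
```

Per-zone detection is what lets a resolver act on #1 and #2 early: once plnog.pl is flagged, capping outstanding fetches towards its name servers protects both the resolver's query slots and the victim's authoritative servers, without touching the legitimate www/mail lookups from 192.0.2.10.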
Eliminate open resolvers ;-)
https://dnsscan.shadowserver.org/
SPAM/attacks with domains less than 24h old
Henry Stern, Farsight | ICANN50 | London
DNS – Collision with Roaming Leak
Search list or split-brain DNS + new TLD == leak issue
Internal DNS, AD, etc. (e.g. www.firma.example) vs. the new TLDs → !!! collision !!!
New & nice loopback address: 127.0.53.53 (ICANN’s “controlled interruption” answer for names that collide with a new gTLD)
Encourages admins to “look this up”
https://icann.org/namecollision
https://newgtlds.icann.org/newgtlds.csv
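The roaming-leak check as an added example (not ICANN's or the speaker's code): given a search list and the short names users type, it lists the FQDNs a stub resolver would send to public DNS once the laptop is outside the corporate network, flags suffixes whose top label is a newly delegated gTLD, and recognises the 127.0.53.53 controlled-interruption answer. The search list, the short names and the small TLD sample are constructed for the example; the authoritative list is the newgtlds.csv linked above.

```python
"""Added example: auditing a search list / split-brain DNS setup against new gTLDs.
The search list, short names and TLD sample are constructed; the TLDs listed are
real delegations but only a tiny subset of ICANN's newgtlds.csv.
"""
import ipaddress
from typing import Iterable, List, NamedTuple

COLLISION_SIGNAL = ipaddress.ip_address("127.0.53.53")          # ICANN controlled interruption
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}      # RFC 2606: never delegated
SAMPLE_NEW_TLDS = {"cloud", "network", "email", "app", "dev", "site"}   # constructed subset


class Leak(NamedTuple):
    query: str            # name a roaming stub resolver would send to public DNS
    suffix: str           # search-list entry that produced it
    tld: str
    newly_delegated: bool


def tld_of(name: str) -> str:
    return name.strip(".").rsplit(".", 1)[-1].lower()


def colliding_suffixes(search_list: Iterable[str], new_tlds: Iterable[str]) -> List[str]:
    """Search-list suffixes whose top label is now a delegated new gTLD."""
    tlds = {t.strip(".").lower() for t in new_tlds}
    return [s for s in search_list if tld_of(s) in tlds]


def roaming_leaks(short_names: Iterable[str], search_list: Iterable[str],
                  new_tlds: Iterable[str] = SAMPLE_NEW_TLDS) -> List[Leak]:
    """Every FQDN the stub resolver builds from a short name outside the corporate
    network. Reserved TLDs (.example etc.) cannot end up at a real registrant;
    anything else leaks at least to the root and, if delegated, to a stranger."""
    tlds = {t.strip(".").lower() for t in new_tlds}
    leaks = []
    for short in short_names:
        for suffix in search_list:
            tld = tld_of(suffix)
            if tld in RESERVED_TLDS:
                continue
            leaks.append(Leak(f"{short}.{suffix.strip('.')}.", suffix, tld, tld in tlds))
    return leaks


def collision_signalled(answers: Iterable[str]) -> bool:
    """True if a lookup returned 127.0.53.53, ICANN's signal that the name collides
    with a newly delegated gTLD."""
    return any(ipaddress.ip_address(a) == COLLISION_SIGNAL for a in answers)


if __name__ == "__main__":
    search = ["firma.example", "ad.firma.cloud", "corp"]          # constructed search list
    for leak in roaming_leaks(["intranet", "_ldap._tcp.dc._msdcs"], search):
        flag = "NEW gTLD" if leak.newly_delegated else "public root, undelegated"
        print(f"{leak.query:45} via {leak.suffix:16} {flag}")
    print(collision_signalled(["127.0.53.53"]))
```

The AD-style `_ldap._tcp.dc._msdcs` name in the sample is the kind of query that leaves a roaming domain-joined machine constantly; under a suffix like firma.cloud it reaches whoever registers that name, which is the "leak" the slide warns about. The fix is organisational rather than technical: use a registered domain you control for internal namespaces instead of a made-up suffix.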