INCREASED DNS FORGERY RESISTANCE THROUGH 0X20 BIT ENCODING
David Dagon, Manos Antonakakis, Paul Vixie, Tatuya Jinmei, Wenke Lee
Presented by: Syed Nasir Mehdi, PhD Computer Science and Engineering, Biocom Lab, snasirmehdi@hanyang.ac.kr

OUTLINE
• Introduction
• Background
• DNS Nomenclature
• DNS Poisoning
• Basic DNS Poisoning Model
• DNS 0x20 Bit Encoding Queries
• Analysis
• 0x20 Probing
• Related Work
• Future Work
• Conclusion

INTRODUCTION
• Main goal: make DNS queries more resistant to poisoning attacks.
• What it entails: creation of a light-weight DNS forgery-resistance technology.
• How: authority servers preserve the case encoding of DNS queries bit-for-bit; upon return, the recursive server verifies that the same encoding came back before caching the answer.
• Constraints:
  • No radical changes: the DNS infrastructure should remain intact.
  • Protocol stability: the DNS protocol should remain intact.
  • Backward compatible: other technologies that rely on existing DNS standards should remain intact.
• Example: instead of www.example.com, recursive DNS servers would query for wwW.eXamPLe.cOM.

DNS OVERVIEW
• DNS
• Stub resolver (client)
• Resolver (name server)
• Recursive resolver (NS client)
• Authoritative servers (SOA)
• Zone (.net, .org)
• Delegation
• Caching
• RR
• Root (13)
• WHOIS (registrant, nameserver, TTL)

DNS POISONING
• Attackers can iteratively observe cache values over time, or be forced to do lookups.
• Guess the 16-bit ID field.
• Birthday attacks.
• Exploit weak random number generation.
• Bernstein suggests UDP ports + ID.
• Kaminsky class (IN A answer + NS update).
• Number of guesses an attacker can make.
• Port randomization to grow the key space.

DNS POISONING MODEL
• Definition 1: a DNS server is forgery resistant where TTL (caching period) ≫ Δt, and the chance of an attack being successful within Δt time is low.
• Assumption 1: if an attack is not 10% likely to succeed within Tmax, we deem the DNS server forgery resistant.

RTT
• DNSSEC DNS servers, King, and Kaminsky-class attacks advocate the importance of RTT.
• Calculate tA, tB, tC, and then calculate RTT = tC − tB.
• Verify tC − tB ≈ tC − tA.
• If the domain is cached, average response time < 100 ms; if not cached, 400 ms.
• Answer's TTL (caching period).

RTT OBSERVATIONS
• Randomly select 5000 servers, with hosts open recursive.

RTT OBSERVATIONS
• α = number of different DNS IDs (2^16)
• β = number of source ports (conceptually 2^16)
• γ = number of ports excluded (1024, as per kernel resources)
• θ = number of authority servers and recursive IPs; the attacker has to spoof the correct authority source address apart from the query ID and port.
• P_success = 1 / (α · (β − γ) · θ)
• With 3 authority servers, P_success = 1 / (2^16 · (2^16 − 1024) · 3) ≈ 1 / 12.7 billion
• P_success(n) = n / (α · (β − γ) · θ)
• Observations:
  1. Not every recursive DNS server can implement port randomization, since it poses unique engineering challenges (socket selection).
  2. Some DNS servers are more important targets, e.g., ISPs.
• We therefore need additional DNS protection measures.

RTT OBSERVATIONS
• Cached query: Resolver to OR. RTT: SOA to OR. First query: Resolver to SOA.

DNS 0X20 BIT ENCODING QUERIES

ANALYSIS

0X20 PROBING

PROBING..

PROBING

MORE OBSERVATIONS
• 3 weeks non-stop internet scan: 75 million name servers, 7 million queries.
• The 3% who don't support it: under high volumes they return identical queries/s for the same domain (DNS fingerprinting scans); < 0.28% behave this way, being load balancers or hardware accelerators.
• 99.7% support the 0x20 encoding scheme without changing their code base.

RELATED WORK
• TSIG or SIG(0) and TKEY for message integrity
• "Domain Name System (DNS) Cookies"
• IETF draft on DNS forgery resilience discusses many aspects of DNS poisoning
• DoX, a peer-to-peer DNS replacement, motivated by DNS poisoning
• TCP SYN Cookies, proposed by D. J. Bernstein and Eric Schenk in 1996 as a means to stop resource-exhaustion DDoS attacks on TCP stacks: most related, similar to the DNS encoding scheme

CONCLUSION
• Approach adopted:
  1. Require no radical changes to the DNS infrastructure;
  2. Make no major changes to the existing protocol;
  3. Be backwards compatible, so that even just a few DNS servers can elect to adopt it.
• With small exceptions (≈ 0.3%), the world's authority servers appear to already preserve the encoding scheme.
• DNS-0x20 encoding does not provide strong guarantees for transaction integrity; it just raises the bar.
• DNS messages can have an additional 12 bits of state, perhaps a reason for the slow adoption of other comprehensive DNS security schemes.

FUTURE WORK
• There may be key management issues to consider.
• Stateless encoding schemes for domain names using the 0x20 bitset of queries.
• Modifications and implementation for embedded devices.
• Update deployed embedded DNS systems.
• Policy options for DNS-0x20 recursive servers.
• Capacity of the covert channel that DNS 0x20 creates.

ACKNOWLEDGEMENTS
This material was based upon work supported in part by the National Science Foundation under Grant No. 0627477 and the Department of Homeland Security under Contract No. FA8750-08-2-0141. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation and the Department of Homeland Security.
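The encoding-and-verification step from the Introduction and the P_success(n) formula from the RTT Observations slide, as an added example that is not the paper's or any resolver's code. The keyed-HMAC case pattern and the `resolver-secret` key are assumptions; the deck only requires that the recursive server choose the case bits and check that they come back unchanged.

```python
import hashlib
import hmac

# Added example (not the paper's or any resolver's code). Deriving the
# case pattern from an HMAC over (name, query ID, source port) is an
# assumption; it keeps the resolver stateless while staying unpredictable.

def encode_0x20(qname: str, key: bytes, qid: int, port: int) -> str:
    """Return qname with a per-query case pattern applied to its letters.

    Bit i of HMAC-SHA256(key, name|qid|port) selects the case of the i-th
    ASCII letter. Digits, '-' and '.' are unchanged: toggling 0x20 only
    changes case for letters, so only letters carry extra entropy.
    """
    canonical = qname.lower()
    msg = f"{canonical}|{qid}|{port}".encode()
    mask = hmac.new(key, msg, hashlib.sha256).digest()
    out, i = [], 0
    for ch in canonical:
        if "a" <= ch <= "z":
            if (mask[i // 8] >> (i % 8)) & 1:   # 256 mask bits > 253-byte name limit
                ch = chr(ord(ch) ^ 0x20)        # clear bit 0x20 -> upper case
            i += 1
        out.append(ch)
    return "".join(out)

def verify_0x20(sent_qname: str, answer_qname: str) -> bool:
    """Accept an answer only if its question name echoes our case pattern exactly."""
    return hmac.compare_digest(sent_qname.encode(), answer_qname.encode())

def extra_bits(qname: str) -> int:
    """Letters in the name = additional key-space bits beyond ID and port."""
    return sum(1 for c in qname if c.isalpha())

def success_probability(n, alpha=2**16, beta=2**16, gamma=1024, theta=3, bits=0):
    """P_success(n) = n / (alpha * (beta - gamma) * theta), times 2**bits for 0x20."""
    return n / (alpha * (beta - gamma) * theta * 2**bits)

if __name__ == "__main__":
    q = encode_0x20("www.example.com", b"resolver-secret", qid=0x1234, port=40001)
    print(q, verify_0x20(q, q), verify_0x20(q, q.lower()))
    print(success_probability(1), success_probability(1, bits=extra_bits(q)))
```

A forged answer that only guesses ID and port but echoes the name in lower case fails `verify_0x20`, which is why the 13 letters of www.example.com add 13 bits to the attacker's guessing space.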