COUNTERMEASURES, RECOMMENDATIONS
GROUP 3
Introduction
The limited message length, combined with the weak validation procedure in UDP, makes
IP-spoofing attacks possible with relative ease.
THE GENERIC DNS MESSAGE FORMAT
SECTION      DESCRIPTION
HEADER       Contains information about the type of message, including fields giving the number of entries in the other sections of the message.
QUESTION     Contains one or more requests for information (queries) sent to the DNS server.
ANSWER       Contains one or more records responding to the query or queries.
AUTHORITY    Contains one or more records indicating the authoritative server for the domain in question.
ADDITIONAL   Records with additional information not essential for responding to the query.
NB: Depending on the type of message, one or more sections may be empty. The HEADER is always
present, as it contains important information about the message contents.
3. Unnecessary recursiveness.
Not all name servers need to be recursive.
Authoritative servers do not need to be recursive.
Recursion is complex and burdens servers.
Additional functionality means more potential vulnerability.
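A parser for the message format tabulated above, added here as an example (it is not code from the original presentation), written with Python's standard struct module: it decodes the header flags and counts, walks the four sections and follows name-compression pointers with a loop guard. The RA flag it exposes is what an operator checks to confirm that an authoritative-only server really has recursion switched off, as the point above recommends. The sample message is constructed, not captured traffic.

```python
import struct
def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier name
            if end is None:
                end = off + 2                      # resume after the 2-byte pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:                          # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                            # root label ends the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_message(msg):
    """Return header fields plus the entries of the four sections."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"id": ident, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
            "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "question": [], "answer": [], "authority": [], "additional": []}
    off = 12                                        # sections follow the 12-byte header
    for _ in range(qd):                             # QUESTION: name, QTYPE, QCLASS
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        info["question"].append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):                      # RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:           # A record: render the IPv4 address
                rdata = ".".join(str(b) for b in rdata)
            info[section].append((name, rtype, ttl, rdata))
    return info

# Constructed sample response: "example.com A", one answer, AA=1, RA=0, answer name compressed to offset 12.
SAMPLE = bytes.fromhex(
    "abcd" "8500" "0001" "0001" "0000" "0000"       # header: ID, flags, four counts
    "076578616d706c6503636f6d00" "0001" "0001"      # question: example.com, A, IN
    "c00c" "0001" "0001" "00000e10" "0004" "c0000201")  # answer: TTL 3600, 192.0.2.1
```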
DNS threats
1. Denial of Service (DoS) attacks are most likely to have widespread effects on the
stability of the Internet.
A DoS attack could be against a single domain name, against the root servers that glue
together the Internet’s DNS, or against any part of the infrastructure in between.
The impact of DoS would vary with the target. For example, without the root servers, the
Internet would effectively cease to function, although not immediately.
The main strategy for repelling a DoS attack is overprovisioning, ensuring that the target
has more resources available than the attacker can consume.
DNS operators who understand the critical nature of the service they provide have
designed the DNS very carefully, hardening systems against attacks, and using large-scale
replication technology to help ensure survival in the face of a DoS attack.
2. Data Corruption: attacks can be used to redirect Internet users to forged information
resources.
When successful, they may result in theft, fraud, misdirection and expose a user to
significant risks, and in general reduce confidence and trust in the Internet.
DNSSEC extends the DNS to help prevent many data corruption attacks.
When fully in place, DNSSEC will significantly reduce the risk of data corruption.
3. Information Exposure is the vaguest of the threats to the DNS.
It can be damaging to some individuals and organizations, and can threaten the trust that
people have placed in the Internet.
Information exposure can be minimized by securing the network paths used for DNS
and by applying access control restrictions.
The DNS itself has also been used as a vector for attack. While threats to the Internet
from the DNS have less impact on its resilience, stability and security, DNS operators
are taking these threats seriously.
Many have put into place policies and procedures intended to minimize this type of
threat.
Attacks on DNS
1. Cache poisoning
Cache poisoning can be achieved by changing or adding a record to a name server’s cache.
An attacker can use this technique to change an A record to an IP address under his control, thus
redirecting traffic to himself.
What makes this technique very effective is the heavy use of forwarders.
Forwarders are name servers that a resolver forwards its incoming requests to. Thus if a record is
poisoned in a forwarder, all resolvers that forward to it will also be poisoned.
2. DNS forgery
DNS forgery is an attack in which the attacker forges a reply to a DNS query.
This is done by beating the reply from the real server back to the client. This scenario is of particular
importance when it comes to wireless networks.
Every DNS query and reply contains a 16-bit ID number. The number in the reply must match the
number in the query.
Without this keeping of state, an attacker could flood a victim with reply packets for a domain the
attacker knows the victim will look up, e.g. google.com.
When the query was made, the victim would accept one of the flooded reply packets instead.
The ID numbers make this harder, as the attacker has to match the ID number of the reply with the
query. In a wireless network, where all traffic is seen by all nodes, DNS forgery is a big issue.
The attacker could then simply intercept all DNS queries on the network, and send back forged
replies to the victims he or she wants to attack.
This won’t work on a wired network though. On a wired network, the attacker will need to calculate or
predict the ID numbers of queries.
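An added example (not code from the original presentation) of the state a resolver keeps to resist forged replies, in Python: each outstanding query is keyed by server address, source port and the 16-bit ID, and a reply is accepted only if it carries the QR bit, matches all three, and echoes the question that was asked. Randomising the source port as well as the ID is the standard hardening for the wired case, where the attacker has to guess rather than observe; the server address 192.0.2.53 used in the test is a constructed value.

```python
import os
import struct

def build_query(name, ident=0):
    """Build a standard query for name, type A, class IN (RD=1, one question)."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def question_bytes(msg):
    """Return the raw QUESTION section (name, QTYPE, QCLASS) of a one-question message.
    The question holds the first name in the message, so it carries no compression pointer."""
    off = 12
    while msg[off] != 0:                      # walk the label lengths to the root label
        off += 1 + msg[off]
    return msg[12:off + 1 + 4]

class PendingQueries:
    """Queries a stub resolver has sent and is still waiting on, keyed by
    server address, our source port and the 16-bit ID the reply must echo."""
    def __init__(self):
        self.pending = {}

    def send(self, server, query):
        """Assign a random ID and source port; return them with the wire query."""
        ident = int.from_bytes(os.urandom(2), "big")
        sport = 1024 + int.from_bytes(os.urandom(2), "big") % (65536 - 1024)
        query = struct.pack("!H", ident) + query[2:]
        self.pending[(server, sport, ident)] = query
        return sport, query

    def accept(self, src, sport, reply):
        """Return the matching query if reply is acceptable, otherwise None."""
        if len(reply) < 12 or reply[4:6] != b"\x00\x01":   # need a header and exactly one question
            return None
        ident, flags = struct.unpack_from("!HH", reply, 0)
        if not flags & 0x8000:                # QR bit must mark it as a response
            return None
        key = (src, sport, ident)
        query = self.pending.get(key)
        if query is None:                     # unknown server, port or ID: drop it
            return None
        if question_bytes(reply) != question_bytes(query):
            return None                       # answers a different question than was asked
        del self.pending[key]                 # first acceptable reply wins; later copies are dropped
        return query
```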
3. Denial of service (DoS)
DoS attacks are attempts to make a given service impossible or very hard to access.
Attacks sometimes use brute force (saturating servers by flooding them with
simultaneous queries) or go for a more understated approach by exhausting a rare
resource on the server.
Attacks made against the DNS root system in February 2007 were mainly DoS
attacks.
4. Distributed denial of service
(DDoS) attacks are an elaborate form of DoS that involve thousands of computers
generally as part of a botnet or robot network:
a network of zombie computers that the attacker commandeers/hijacks from their
unwitting/unaware owners by spreading malware from one machine to another.
5. Reflected attacks
The attacker sends thousands of requests with the victim’s address as the source address. When the
recipients answer, all the replies converge on the apparent sender, whose infrastructure is then affected.
6. Fast flux:
In addition to falsifying their IP address, attackers can hide their identity by using this
technique, which relies on fast-changing location-related information to hide where the attack
is coming from.
Variants exist, such as single flux (constantly changing the address of the web server) and
double flux (constantly changing the address of the web server and the names of the DNS
servers).
Recommendations for the mitigation of attacks
1. Use DNSSEC
DNSSEC is a set of extensions to the DNS that provide authentication and integrity
checking of DNS data.
Authentication ensures that a zone administrator can provide authoritative information for any
particular DNS domain,
while integrity checking ensures that information in the DNS cannot be modified (accidentally or
maliciously) while in transit or in storage.
DNSSEC requires both compliant DNS servers and security-aware DNS resolvers.
DNS servers compliant with DNSSEC must support the additional types of DNS records needed for
DNSSEC.
Security-aware DNS resolvers must be able to detect the new DNSSEC extensions, and must check
DNS data for authentication and data integrity.
DNSSEC was designed to provide a strong cryptographic signature of DNS data that
security-aware (DNSSEC compliant) resolvers can verify to ensure data received over the network
hasn’t been modified since the data was signed.
DNSSEC-signed DNS data can be retrieved from anywhere, regardless of any insecurities in
the networks over which the DNS may travel or intermediate systems in which the data may
reside.
Any modification of the DNS data from what was originally signed at the authoritative source
can be detected, thereby allowing a security-aware DNS resolver to discard corrupt or
unauthorized data.