12 tcp-dns
Network Protocols and Vulnerabilities
John Mitchell
CS 155 Spring 2008
Outline
Basic Networking
Network attacks
  Attacking host-to-host datagram protocols: SYN flooding, TCP spoofing, …
  Attacking network infrastructure: routing, Domain Name System
This lecture is about the way things work now and how they are not perfect. Next lecture – some security improvements (still not perfect)

Internet Infrastructure
[Figure: backbone with ISPs attached]
Local and interdomain routing: TCP/IP for routing, connections; BGP for routing announcements
Domain Name System: find IP address from symbolic name (www.cs.stanford.edu)

TCP Protocol Stack
[Figure: two hosts, each with Application, Transport, Network and Link layers; the application protocol, TCP protocol and IP protocol are peer-to-peer across the hosts, while an intermediate node with only IP and Link layers ("Network Access") forwards the data]

Data Formats
[Figure: encapsulation. Application layer: application message (data). Transport layer (TCP, UDP): TCP header + data = segment. Network layer (IP): IP header + TCP segment = packet. Link layer: Link (Ethernet) header + IP packet + Link (Ethernet) trailer = frame]

Internet Protocol
Connectionless, unreliable, best effort
Transfer datagram: header, data
[Figure: IP header fields: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address of Originating Host, Destination Address of Target Host, Options, Padding; followed by IP Data]

IP Routing
Internet routing uses numeric IP address
Typical route uses several hops
[Figure: Meg and Tom at two sites. A packet with Source 121.42.33.12 and Destination 132.14.11.51 passes through the office gateway 121.42.33.1, the ISP, and the remote gateway 132.14.11.1]

IP Protocol Functions (Summary)
Routing: IP host knows location of router (gateway); IP gateway must know route to other networks
Fragmentation and reassembly: if max-packet-size less than the user-data-size
Error reporting: ICMP packet to source if packet is dropped

User Datagram Protocol
IP provides routing: IP address gets datagram to a specific machine
UDP separates traffic by port: destination port number gets UDP datagram to particular application process, e.g., 128.3.23.3, 53
Source port number provides return address
Minimal guarantees: no acknowledgment, no flow control, no message continuation

Transmission Control Protocol
Connection-oriented, preserves order
Sender: break data into packets; attach packet numbers
Receiver: acknowledge receipt; lost packets are resent; reassemble packets in correct order
[Figure: book analogy: mail each numbered page separately, reassemble the book at the receiver]

Internet Control Message Protocol
Provides feedback about network operation: error reporting, reachability testing, congestion control
Example message types: destination unreachable; time-to-live exceeded; parameter problem; redirect to better gateway; echo/echo reply (reachability test); timestamp request/reply (measure transit delay)

Basic Security Problems
Network packets pass by untrusted hosts: eavesdropping, packet sniffing (e.g., “ngrep”)
IP addresses are public: Smurf
TCP connection requires state: SYN flooding attack
TCP state can be easy to guess: TCP spoofing attack

Packet Sniffing
Promiscuous NIC reads all packets
Read all unencrypted data (e.g., “ngrep”); ftp, telnet send passwords in clear!
[Figure: Alice and Bob communicate across the network; Eve reads the packets in transit]
Prevention: encryption, improved routing (another lecture: IPSEC)
Sweet Hall attack installed sniffer on local machine

Smurf DoS Attack
Send ping request to broadcast addr (ICMP Echo Req)
Lots of responses: every host on target network generates a ping reply (ICMP Echo Reply) to victim
Ping reply stream can overload victim
Prevention: reject external packets to broadcast address
[Figure: (1) DoS source sends ICMP Echo Req with Src: DoS target, Dest: broadcast addr, through the gateway; (3) every host on the network sends ICMP Echo Reply with Dest: DoS target]

TCP Handshake
[Figure: C → S: SYN_C (S is listening); S → C: SYN_S, ACK_C+1 (S stores connection data); C → S: ACK_S+1 (C waits, then both are connected)]

SYN Flooding
[Figure: C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5 to the listening S, which stores data for each half-open connection and never receives the final ACK]

SYN Flooding
Attacker sends many connection requests: spoofed source addresses
Victim allocates resources for each request: connection requests exist until timeout; fixed bound on half-open connections
Resources exhausted; requests rejected

Protection against SYN Attacks
Client sends SYN
Server responds to client with SYN-ACK cookie: sqn = f(src addr, src port, dest addr, dest port, rand); normal TCP response but server does not save state
Honest client responds with ACK(sqn)
Server checks response: if matches SYN-ACK, establishes connection
“rand” is top 5 bits of 32-bit time counter; server checks client response against recent values
See http://cr.yp.to/syncookies.html [Bernstein, Schenk]

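The stateless check on this slide, written out as an added Python example (not the lecture's code and not Bernstein's implementation): the server derives its SYN-ACK sequence number from the 4-tuple and a time counter, stores nothing, and later validates the client's ACK by recomputing the value for each recent counter tick whose low 5 bits match. The 64-second tick, the 27-bit keyed hash in the low bits (the real scheme also encodes an MSS index there), the acceptance window of four ticks and the server secret are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed server secret for this example; a real server draws one at boot.
SECRET = b"constructed-example-secret"
TICK_SECONDS = 64      # the 32-bit time counter advances once per 64 s (assumed)
MAX_AGE_TICKS = 4      # "recent values": cookies from the last few ticks are accepted


def _counter(now):
    """32-bit time counter t; only its low 5 bits are stored in the cookie."""
    return int(now // TICK_SECONDS) & 0xFFFFFFFF


def _mac27(src, sport, dst, dport, t):
    """f(src addr, src port, dest addr, dest port, t): keyed hash cut to 27 bits."""
    msg = (ipaddress.ip_address(src).packed + sport.to_bytes(2, "big")
           + ipaddress.ip_address(dst).packed + dport.to_bytes(2, "big")
           + t.to_bytes(4, "big"))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF


def make_cookie(src, sport, dst, dport, now=None):
    """Sequence number the server puts in its SYN-ACK; no per-connection state.
    Top 5 bits = t mod 32, low 27 bits = MAC over the 4-tuple and t."""
    t = _counter(time.time() if now is None else now)
    return ((t & 0x1F) << 27) | _mac27(src, sport, dst, dport, t)


def check_ack(ack, src, sport, dst, dport, now=None):
    """Validate the client's ACK (acknowledgement number = cookie + 1) statelessly.
    The stored 5 bits select which recent t could have produced the cookie; the
    MAC is recomputed for each such t and compared in constant time."""
    cookie = (ack - 1) & 0xFFFFFFFF
    stored = cookie >> 27
    cur = _counter(time.time() if now is None else now)
    for age in range(MAX_AGE_TICKS + 1):
        t = (cur - age) & 0xFFFFFFFF
        if (t & 0x1F) != stored:
            continue
        expected = _mac27(src, sport, dst, dport, t).to_bytes(4, "big")
        if hmac.compare_digest(expected, (cookie & 0x07FFFFFF).to_bytes(4, "big")):
            return True
    return False


if __name__ == "__main__":
    c = make_cookie("203.0.113.7", 40000, "192.0.2.10", 80, now=1000)
    print(hex(c), check_ack((c + 1) & 0xFFFFFFFF, "203.0.113.7", 40000, "192.0.2.10", 80, now=1000))
```

Because only 5 bits of t survive in the cookie, a stale ACK from 32 ticks ago would alias a current tick; bounding the search to MAX_AGE_TICKS keeps that from being accepted. A spoofed SYN therefore costs the server a hash computation and a reply, but no memory.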
TCP Connection Spoofing
Each TCP connection has an associated state: client IP and port number; same for server; sequence numbers for client, server flows
Problem: easy to guess state
  Port numbers are standard
  Sequence numbers often chosen in predictable way

IP Spoofing Attack
A, B trusted connection: send packets with predictable seq numbers
E impersonates B to A
  Opens connection to A to get initial seq number
  SYN-floods B’s queue
  Sends packets to A that resemble B’s transmission
  E cannot receive, but may execute commands on A
[Figure: server A, trusted host B, attacker E]
Attack can be blocked if E is outside firewall.

TCP Sequence Numbers
Need high degree of unpredictability
If attacker knows initial seq # and amount of traffic sent, can estimate likely current values
Send a flood of packets with likely seq numbers
Attacker can inject packets into existing connection
Some implementations are vulnerable

Recent DoS vulnerability [Watson’04]
Suppose attacker can guess seq. number for an existing connection: attacker can send Reset packet to close connection. Results in DoS.
Naively, success prob. is 1/2^32 (32-bit seq. #’s). Most systems allow for a large window of acceptable seq. #’s: much higher success probability.
Attack is most effective against long lived connections, e.g. BGP.

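The acceptance rule behind the "large window" remark, as an added Python example (not from the lecture or from Watson's paper): the in-window check a receiver applies to an incoming RST, with wraparound of the 32-bit space handled, and the per-segment success probability and sweep size that follow from a given window. The window sizes in `window_table` are assumed values for comparison.

```python
SEQ_SPACE = 2 ** 32


def rst_accepted(rst_seq, rcv_nxt, rcv_wnd):
    """Windowed acceptance: a RST is honoured if its sequence number lies anywhere
    in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2^32 so the window may wrap."""
    return (rst_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def success_probability(rcv_wnd):
    """Probability that one blindly chosen sequence number falls in the window.
    With rcv_wnd == 1 this is the naive 1/2^32 figure."""
    return rcv_wnd / SEQ_SPACE


def segments_to_cover(rcv_wnd):
    """Segments needed to step through the whole space one window at a time
    (ceiling division); this is what the window buys compared with 2^32."""
    return -(-SEQ_SPACE // rcv_wnd)


def window_table(windows=(1, 16384, 65536)):
    """Per-window (probability, segments) pairs for the assumed window sizes."""
    return {w: (success_probability(w), segments_to_cover(w)) for w in windows}


if __name__ == "__main__":
    for w, (p, n) in window_table().items():
        print(f"window {w:>6}: P(hit) = {p:.3e}, segments to sweep = {n}")
```

The defensive reading is the one the slide draws: the exposure of a session grows linearly with its receive window and its lifetime, which is why long-lived sessions such as BGP peerings are the ones worth protecting at the network layer.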
Cryptographic network protection
Solutions above the transport layer: examples: SSL and SSH
  Protect against session hijacking and injected data
  Do not protect against denial-of-service attacks caused by spoofed packets
Solutions at network layer: use cryptographically random ISNs [RFC 1948]; more generally: IPsec
  Can protect against session hijacking and injection of data, and against denial-of-service attacks using session resets

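RFC 1948 style ISN selection next to a deliberately predictable generator, as an added Python example (not the lecture's code): the predictable generator steps one global counter by a fixed amount per connection, so an ISN seen on any connection predicts the next one exactly; the RFC 1948 generator adds a per-4-tuple keyed offset to a clock, so the ISN of one connection says nothing about another's. The fixed step, the 4 µs clock resolution, HMAC-SHA256 as the function F and the secret are assumptions of this illustration.

```python
import hashlib
import hmac
import ipaddress


def _pack(local, lport, remote, rport):
    """Fixed-width encoding of the 4-tuple for the keyed hash."""
    return (ipaddress.ip_address(local).packed + lport.to_bytes(2, "big")
            + ipaddress.ip_address(remote).packed + rport.to_bytes(2, "big"))


class PredictableISN:
    """Constructed illustration of the weak case: one global counter advanced by
    a fixed step for every new connection (the step value is an assumption)."""

    def __init__(self, step=64_000):
        self._next = 0
        self.step = step

    def isn(self, local, lport, remote, rport):
        value = self._next
        self._next = (self._next + self.step) & 0xFFFFFFFF
        return value


class Rfc1948ISN:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret):
    M is a clock ticking every 4 microseconds, F a keyed hash. The offset is
    different for every 4-tuple, and unknown without the secret."""

    def __init__(self, secret):
        self.secret = secret

    def isn(self, local, lport, remote, rport, now_us):
        m = (now_us // 4) & 0xFFFFFFFF
        digest = hmac.new(self.secret, _pack(local, lport, remote, rport), hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        return (m + f) & 0xFFFFFFFF


def prediction_error(observed_isn, step, actual_next_isn):
    """Distance, modulo 2^32, between the guess (observed + step) and the real next ISN.
    Zero means the guess was exact."""
    return (actual_next_isn - observed_isn - step) % (1 << 32)


if __name__ == "__main__":
    weak = PredictableISN()
    a = weak.isn("192.0.2.10", 80, "203.0.113.7", 1234)
    b = weak.isn("192.0.2.10", 80, "198.51.100.2", 5555)
    print("predictable generator, guess error:", prediction_error(a, weak.step, b))
    good = Rfc1948ISN(b"constructed-secret")
    x = good.isn("192.0.2.10", 80, "203.0.113.7", 1234, now_us=4_000_000_000)
    z = good.isn("192.0.2.10", 80, "198.51.100.2", 5555, now_us=4_000_000_000)
    print("RFC 1948 generator, guess error:", prediction_error(x, 0, z))
```

Within one 4-tuple the RFC 1948 value still advances monotonically with the clock, which is what keeps old duplicate segments from being accepted after a reconnect; what changes is that the offset between two different connections is no longer something an observer can compute.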
Wireless Threats
Passive eavesdropping/traffic analysis: easy, most wireless NICs have promiscuous mode
Message injection/active eavesdropping: easy, some techniques to gen. any packet with common NIC
Message deletion and interception: possible, interfere packet reception with directional antennas
Masquerading and malicious AP: easy, MAC address forgeable and s/w available (HostAP)
Session hijacking, man-in-the-middle, denial-of-service: cost related evaluation

Evolution of Wireless Security
802.11 (Wired Equivalent Protocol): authentication: open system (SSID) and shared key; authorization: some vendors use MAC address filtering; confidentiality/integrity: RC4 + CRC
WPA: Wi-Fi Protected Access: authentication: 802.1X; confidentiality/integrity: TKIP; reuse legacy hardware, still problematic
IEEE 802.11i (ratified 2004): WPA2: mutual authentication; data confidentiality and integrity: CCMP; key management; availability

What Went Wrong With WEP
No key management: long lived keys. Fix: use 802.1X (standard for user, device authentication)
Crypto issues: RC4 cipher stream; key size: 40 bit keys; initialization vector too small: 24 bit; integrity check value based on CRC-32; authentication messages can be forged

IEEE 802.11i - WPA2
[Figure: key state of Supplicant, Authenticator and Authentication Server (RADIUS) through the stages]
  Start: supplicant and authenticator UnAuth/UnAssoc, 802.1X blocked, no key anywhere
  802.11 Association: supplicant and authenticator Auth/Assoc, 802.1X still blocked, no key
  EAP/802.1X/RADIUS Authentication: supplicant and authentication server hold the MSK; the MSK is passed to the authenticator; supplicant and authenticator derive the PMK; 802.1X still blocked; authentication server holds no key from here on
  4-Way Handshake: supplicant and authenticator hold PTK/GTK; 802.1X unblocked
  Group Key Handshake: supplicant and authenticator hold a new GTK; 802.1X unblocked
  Data Communication: supplicant and authenticator protect traffic with PTK/GTK; 802.1X unblocked

Security issues in development of 802.11i
Attacks and solutions:
Security rollback: supplicant manually chooses security; authenticator restricts pre-RSNA to only insensitive data.
Reflection attack: each participant plays the role of either authenticator or supplicant; if both, use different PMKs.
Attack on Michael countermeasures: cease connections for a specific time instead of re-key and deauthentication; update TSC before MIC and after FCS, ICV are validated.
RSN IE poisoning: authenticate Beacon and Probe Response frame; confirm RSN IE in an earlier stage; relax the condition of RSN IE confirmation.
4-way handshake blocking: adopt random-drop queue, not so effective; authenticate Message 1, packet format modified; re-use supplicant nonce, eliminate memory DoS.

TCP Congestion Control
If packets are lost, assume congestion: reduce transmission rate by half, repeat; if loss stops, increase rate very slowly
Design assumes routers blindly obey this policy
[Figure: a source sending through routers to a destination]

Competition
Amiable Alice yields to boisterous Bob: Alice and Bob both experience packet loss; Alice backs off; Bob disobeys protocol, gets better results
[Figure: Source A and Source B share a congested path to their respective destinations]

Routing Vulnerabilities
Source routing: sender can specify source routing; can direct response through compromised host
Routing Information Protocol (RIP): direct client traffic through compromised host
Exterior gateway protocols: advertise false routes; send traffic through compromised hosts

Source Routing Attacks
Attack: destination host may use reverse of source route provided in TCP open request to return traffic; modify the source address of a packet; route traffic through machine controlled by attacker
Defenses: only accept source route if trusted gateways listed in source routing info; gateway rejects external packets claiming to be local; reject pre-authorized connections if source routing info present

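The gateway-side defenses listed here, together with the Smurf prevention from the earlier slide (reject external packets to the broadcast address), as one added Python example (not the lecture's code): a filter that drops external packets claiming a local source, external packets addressed to the local broadcast address, and source-routed packets listing any untrusted gateway. The site prefix 192.0.2.0/24, the trusted gateway addresses and the packet representation are constructed for the example; the third defense on the slide (refusing pre-authorized connections that carry source-route information) depends on the application's notion of a pre-authorized connection and is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site prefix (TEST-NET-1) and trusted gateways for the example.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
TRUSTED_GATEWAYS = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("198.51.100.1")}


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                 # "ext" (arrived from the Internet) or "int" (from inside)
    source_route: tuple = ()   # gateways listed in a source-route option, if present


def filter_packet(pkt):
    """Return (accept, reason) for a packet arriving at the site gateway."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    external = pkt.iface == "ext"

    # Anti-spoofing: an external packet must not claim a local source address.
    if external and src in LOCAL_NET:
        return False, "external packet with local source address"

    # Smurf prevention: never forward externally sourced traffic to the broadcast address.
    if external and dst == LOCAL_NET.broadcast_address:
        return False, "external packet to broadcast address"

    # Source routing: honour a source route only if every listed gateway is trusted.
    if pkt.source_route:
        hops = {ipaddress.ip_address(h) for h in pkt.source_route}
        if not hops <= TRUSTED_GATEWAYS:
            return False, "source route lists untrusted gateway"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic.
    for pkt in (Packet("192.0.2.55", "192.0.2.10", "ext"),
                Packet("203.0.113.9", "192.0.2.255", "ext"),
                Packet("203.0.113.9", "192.0.2.10", "ext", source_route=("203.0.113.1",)),
                Packet("203.0.113.9", "192.0.2.10", "ext", source_route=("198.51.100.1",)),
                Packet("192.0.2.55", "203.0.113.9", "int")):
        print(pkt, filter_packet(pkt))
```

The interface a packet arrived on is what makes the first two rules possible: the same source address is legitimate from inside and a spoof from outside, so a filter that looks at addresses alone cannot express either rule.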
Routing Table Update Protocols
Interior Gateway Protocols (IGPs): distance vector type: each gateway keeps track of its distance to all destinations; Gateway-to-Gateway: GGP; Routing Information Protocol: RIP
Exterior Gateway Protocol (EGP): used for communication between different autonomous systems

Interdomain Routing
Autonomous System: connected group of one or more Internet Protocol prefixes under a single routing policy (aka domain)
[Figure: autonomous systems such as earthlink.net and Stanford.edu, each running an Interior Gateway Protocol, connected by an Exterior Gateway Protocol]

BGP overview
Iterative path announcement: path announcements grow from destination to source; packets flow in reverse direction
Protocol specification: announcements can be shortest path; nodes allowed to use other policies, e.g., “cold-potato routing” by smaller peer; not obligated to use path you announce

BGP example [D. Wetherall]
[Figure: eight ASes numbered 1–8. 7 announces itself; 2 re-announces "2 7", which its neighbours extend to "3 2 7" and "6 2 7". Likewise 5 announces "5", 6 passes on "6 5", 2 passes on "2 6 5", extended to "3 2 6 5" and "7 2 6 5"]
Transit: 2 provides transit for 7
Algorithm seems to work OK in practice
BGP does not respond well to frequent node outages

Issues
Security problems: potential for disruptive attacks; BGP packets are un-authenticated
Incentive for dishonesty: ISP pays for some routes, others free

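The path-vector propagation of the BGP example and the consequence of unauthenticated announcements on this slide, as one added Python example (not the lecture's code): each AS keeps the shortest AS path it hears, rejects paths already containing its own number, and re-announces its path with itself prepended. Run with the legitimate origin alone it reproduces the "3 2 7" and "7 2 6 5" announcements of the figure; run with a second AS also claiming the prefix, nearby ASes prefer the shorter bogus path, and the optional `authorized_origins` set (a simplified origin check added here, not part of the lecture's protocol description) is what discards it. The topology is constructed: the edges 2-7, 2-3, 2-6 and 6-5 follow the figure, the placement of ASes 1, 4 and 8 is assumed.

```python
from collections import deque

# Constructed topology: AS -> set of neighbouring ASes.
LINKS = {
    1: {3}, 2: {3, 6, 7}, 3: {1, 2, 4}, 4: {3, 8},
    5: {6}, 6: {2, 5}, 7: {2}, 8: {4},
}


def propagate(links, origins, authorized_origins=None):
    """Path-vector propagation for one prefix.

    Every AS in `origins` announces the prefix with path [itself]. A receiving
    AS discards a path that already contains its own number (loop prevention),
    keeps the shortest path it has heard, and re-announces that path with its
    own number prepended. With `authorized_origins` given, an announcement whose
    origin (last element of the path) is not in the set is discarded before use.
    Returns {AS: chosen path}, each path starting at the AS and ending at an origin."""
    best = {}
    queue = deque()
    for origin in origins:
        best[origin] = [origin]
        queue.append((origin, [origin]))
    while queue:
        announcer, path = queue.popleft()
        for nb in sorted(links[announcer]):
            if nb in path:
                continue                      # would form a loop
            if authorized_origins is not None and path[-1] not in authorized_origins:
                continue                      # origin not entitled to the prefix
            candidate = [nb] + path
            if nb not in best or len(candidate) < len(best[nb]):
                best[nb] = candidate
                queue.append((nb, candidate))
    return best


if __name__ == "__main__":
    print("legitimate origin 7:", propagate(LINKS, [7]))
    print("origins 7 and 8, unauthenticated:", propagate(LINKS, [7, 8]))
    print("origins 7 and 8, origin check:", propagate(LINKS, [7, 8], authorized_origins={7}))
```

The breadth-first order hands each AS its shortest path first, which is the "shortest path" policy the overview slide mentions; an AS applying another policy (cold-potato routing, for instance) would replace the `len(candidate) <` comparison with its own preference.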
BGP Route Instability
[Figure: US backbone map with nodes Seattle, San Francisco, Los Angeles, San Diego, Phoenix, Denver, Kansas City, Dallas, Austin, Houston, Chicago, Detroit, St. Louis, Atlanta, Orlando, Washington D.C., Philadelphia, New York, Cambridge]
Good route from San Francisco to Cambridge, MA

BGP Route Instability
[Figure: the same backbone map, with the Denver–Chicago link marked down]
If Denver–Chicago goes down, route cancellation propagates to SF

BGP Route Instability
[Figure: the same backbone map, showing the longer alternative route SF now selects]
SF chooses next best route, which may include Denver–Chicago along a longer path
Route cancellation message through Seattle has not reached SF because this route to SF is longer

Domain Name System
Hierarchical name space
[Figure: tree rooted at root; top-level nodes edu, net, org, uk, com, ca; under edu: wisc, ucb, stanford, cmu, mit; under stanford: cs, ee; under cs: www]

DNS Root Name Servers
Hierarchical service: root name servers for top-level domains; authoritative name servers for subdomains
Local name resolvers contact authoritative servers when they do not know a name

DNS Lookup Example
[Figure: client asks the local DNS resolver for www.cs.stanford.edu; the resolver asks the root & edu DNS server, which refers it to NS stanford.edu; the stanford.edu DNS server refers it to NS cs.stanford.edu; the cs.stanford.edu DNS server answers www = IP addr]

Caching
DNS responses are cached: quick response for repeated translations; useful for finding servers as well as addresses (NS records for domains)
DNS negative queries are cached: save time for nonexistent sites, e.g. misspelling
Cached data periodically times out: lifetime (TTL) of data controlled by owner of data; TTL passed with every record
Some funny stuff allowed by RFC: discuss cache poisoning in a few slides

Lookup using cached DNS server
[Figure: client asks the local DNS recursive resolver for ftp.cs.stanford.edu; the resolver already holds the cs.stanford.edu NS record in its cache, so it skips the root & edu and stanford.edu servers and asks the cs.stanford.edu DNS server directly, which answers ftp = IP addr]

DNS Implementation Vulnerabilities
DNS implementations have had same kinds of vulnerabilities as other software
  Reverse query buffer overrun in BIND, releases 4.9 (4.9.7 prior) and releases 8 (8.1.2 prior): gain root access, abort DNS service
  MS DNS for NT 4.0 (service pack 3 and prior) crashes on chargen stream: telnet ntbox 19 | telnet ntbox 53
Moral: better software quality is important; defense in depth!

Inherent DNS Vulnerabilities
Users/hosts typically trust the host-address mapping provided by DNS; obvious problems
Interception of requests or compromise of DNS servers can result in incorrect or malicious responses
Solution – authenticated requests/responses
Some funny stuff allowed by RFC: name server may delegate name to another NS (this is OK); if name is delegated, may also supply IP addr (this is trouble)

DNS cache poisoning
DNS resource records (see RFC 1034): an “A” record supplies a host IP address; a “NS” record supplies name server for domain
Example:
  www.evil.org NS ns.yahoo.com   ; delegate to yahoo
  ns.yahoo.com A 1.2.3.4         ; address for yahoo
Result: if resolver looks up www.evil.org, then evil name server will give resolver address 1.2.3.4 for yahoo; lookup for yahoo through cache goes to 1.2.3.4

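The resolver-side check that closes this hole, as an added Python example (not the lecture's code): records from a response are cached only if their owner name lies within the zone the resolver was referred to (the answering server's "bailiwick"), so the delegation of www.evil.org to ns.yahoo.com is accepted but the supplied address for ns.yahoo.com is not, and the resolver resolves that name server on its own. The response below is constructed from the slide's two records plus an in-zone name server with glue to show the record that is legitimately kept; the record type and TTL fields are simplified.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str      # "A" or "NS" in this example
    rdata: str
    ttl: int = 300


def _norm(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def accept_records(zone, records):
    """Keep only records the answering server is authoritative for; `zone` is the
    zone the resolver was referred to when it sent the query."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


def unresolved_nameservers(kept):
    """NS targets without a trusted glue A record: the resolver must look these
    up through the normal hierarchy instead of using a supplied address."""
    have_a = {_norm(rr.name) for rr in kept if rr.rtype == "A"}
    return sorted({_norm(rr.rdata) for rr in kept
                   if rr.rtype == "NS" and _norm(rr.rdata) not in have_a})


# Constructed response modelled on the slide, as sent by evil.org's name server.
RESPONSE = [
    RR("www.evil.org", "NS", "ns.yahoo.com"),   # delegation (in bailiwick): acceptable
    RR("ns.yahoo.com", "A", "1.2.3.4"),         # address for a foreign name: out of bailiwick
    RR("www.evil.org", "NS", "ns.evil.org"),    # constructed: a legitimate in-zone NS
    RR("ns.evil.org", "A", "203.0.113.5"),      # constructed glue: in bailiwick, kept
]


if __name__ == "__main__":
    kept, dropped = accept_records("evil.org", RESPONSE)
    print("cached:", kept)
    print("discarded:", dropped)
    print("still to resolve:", unresolved_nameservers(kept))
```

The rule is deliberately about owner names, not record types: an A record for a name inside the zone is exactly what glue is for, while any record for a name outside the zone is the answering server speaking about something it has no authority over.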
Pharming
DNS poisoning attack (less common than phishing): change IP addresses to redirect URLs to fraudulent sites; potentially more dangerous than phishing attacks; no email solicitation is required
DNS poisoning attacks have occurred:
  January 2005, the domain name for a large New York ISP, Panix, was hijacked to a site in Australia.
  In November 2004, Google and Amazon users were sent to Med Network Inc., an online pharmacy
  In March 2003, a group dubbed the "Freedom Cyber Force Militia" hijacked visitors to the Al-Jazeera Web site and presented them with the message "God Bless Our Troops"

DNS Rebinding Attack
[Figure: a browser behind the corporate firewall loads <iframe src="http://www.evil.com">; the ns.evil.com DNS server answers the query "www.evil.com?" with 171.64.7.115, TTL = 0 (the www.evil.com web server); when the page re-resolves www.evil.com, the DNS server answers 192.168.0.100, the corporate web server, and the browser permits the read because it’s the “same origin”]
[DWF’96, R’01]
DNS-SEC cannot stop this attack

DNS Rebinding Defenses
Browser mitigation: DNS pinning: refuse to switch to a new IP; interacts poorly with proxies, VPN, dynamic DNS, …; not consistently implemented in any browser
Server-side defenses: check Host header for unrecognized domains; authenticate users with something other than IP
Firewall defenses: external names can’t resolve to internal addresses; protects browsers inside the organization

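The firewall and server-side defenses on this slide, as an added Python example (not the lecture's code): a resolver-side filter that strips internal addresses from the answer for any name outside the organization, and a Host-header check for the internal web server, which in the rebinding scenario still sees the attacker's name (www.evil.com) in the request. The addresses are the slide's; the internal DNS suffix corp.example and the private, loopback and link-local ranges used to define "internal" are assumptions of this example.

```python
import ipaddress

# Address ranges an external name must never resolve to (assumed definition of "internal").
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed: DNS suffixes that belong to the organization itself.
INTERNAL_SUFFIXES = ("corp.example",)


def _norm(name):
    return name.lower().rstrip(".")


def is_internal_name(name):
    n = _norm(name)
    return any(n == s or n.endswith("." + s) for s in INTERNAL_SUFFIXES)


def filter_answers(name, addresses):
    """Firewall/resolver defense: for a name outside the organization, drop every
    address that lies in an internal range; internal names are passed through."""
    if is_internal_name(name):
        return list(addresses)
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in INTERNAL_NETS)]


def host_header_ok(host_header, allowed_hosts):
    """Server-side defense: accept a request only if its Host header names this
    server. Handles 'host:port' and bracketed IPv6 literals '[addr]:port'."""
    h = host_header.strip()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return False          # malformed literal: reject rather than guess
        host = h[1:end]
    else:
        host = h.split(":", 1)[0]
    return _norm(host) in {_norm(a) for a in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample: the slide's second answer for www.evil.com is the internal address.
    print(filter_answers("www.evil.com", ["171.64.7.115", "192.168.0.100"]))
    print(host_header_ok("www.evil.com", ["intranet.corp.example"]))
```

The two checks protect different parties: the resolver filter protects every browser behind the organization's resolver, while the Host check protects one server even when the request arrives through a resolver the organization does not control.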
Summary (I)
Eavesdropping: encryption, improved routing
Smurf: drop external packets to brdcst address
SYN flooding: SYN cookies
IP spoofing: use less predictable sequence numbers

Summary (II)
Source routing attacks: additional info in packets, tighter control over routing
Interdomain routing: authenticate routing announcements; many other issues
DNS attacks: cache poisoning, pharming, rebinding