thedns scareof 2008 - terena...9 draft-ietf-dnsext-forgery-resilience state of the game in 2008 an...
TRANSCRIPT
![Page 1: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/1.jpg)
Otmar Lendl18. September 2008
The DNS Scare of 2008
What was it all about and how didAustria react?
Otmar Lendl <[email protected]>
![Page 2: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/2.jpg)
2
Content
� The bug� Background on DNS forgeries� What was new
� Austria reacts to VU#800113� Patch statistics
� What are the long-term solutions?� Various ideas
![Page 3: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/3.jpg)
3
The DNS
� Global, distributed Database� Input: Domain name� Output: Resource Record Sets
� A, AAA IP addresses� MX Mail routing� CNAME Aliasing� NS Delegation� PTR, NAPTR, SRV, � RRSIG, DS, NSEC, NSEC3
� Transport: mainly UDP� Lot’s of caching
You all know that
You all know that
You all know that
You all know that alreayalreayalreayalreay …………
![Page 4: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/4.jpg)
4
The players
� Authoritative Nameservers� Recursive Nameservers� Stub Resolvers
stub Recursor
AuthAuth
AuthAuth
AuthAuth
AuthCache
![Page 5: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/5.jpg)
5
DNS Spoofing
Recursor
Auth
Query
Recursor
Auth
Answer
Attacker
Forged Answer
Tim
e
![Page 6: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/6.jpg)
6
Details: DNS Protocol
$ dig cert.at MX
[…]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8861
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;cert.at. IN MX
;; ANSWER SECTION:
cert.at. 7200 IN MX 100 nuwen.cert.at.
;; AUTHORITY SECTION:
cert.at. 6450 IN NS ns1 .cert.at.
cert.at. 6450 IN NS ns5 .univie.ac.at.
;; ADDITIONAL SECTION:
nuwen.cert.at. 7200 IN A 83. 136.33.135
![Page 7: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/7.jpg)
7
Security?
$ dig cert.at MX
[…]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8861
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;cert.at. IN MX
;; ANSWER SECTION:
cert.at. 7200 IN MX 100 nuwen.cert.at.
;; AUTHORITY SECTION:
cert.at. 6450 IN NS ns1 .cert.at.
cert.at. 6450 IN NS ns5 .univie.ac.at.
;; ADDITIONAL SECTION:
nuwen.cert.at. 7200 IN A 83. 136.33.135
This is the safety net
16 bits of entropy might 16 bits of entropy might 16 bits of entropy might 16 bits of entropy might have been enough in have been enough in have been enough in have been enough in 1987, but not in 2008.1987, but not in 2008.1987, but not in 2008.1987, but not in 2008.
![Page 8: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/8.jpg)
8
Bailiwick checks
� Legitimate Servers can play games, too.
� What stops a server from adding?
� “in-bailiwick checks”: only accept what you were asking for. See RFC 2181 for details.
;; ADDITIONAL SECTION:
nuwen.cert.at. 7200 IN A 83. 136.33.135
;; ADDITIONAL SECTION:
nuwen.cert.at. 7200 IN A 83. 136.33.135
xxx. 50000 IN NS ns1 .cert.at.
xxx. 50000 IN NS ns2 .cert.at.
![Page 9: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/9.jpg)
9
draft-ietf-dnsext-forgery-resilience
� State of the game in 2008� An attack needs to match
1. The question section of the reply packet is equivalent to that of a question packet currently waiting for a response
2. The ID field of the reply packet matches that of the question packet
3. The response comes from the same network address the question was sent to
4. The response comes in on the same network address, including port number, as the question was sent from
� Calculations on forgery success probabilities
![Page 10: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/10.jpg)
10
Attacks on the ID
� A good PRNG is needed� Older Bind versions simply incremented� Good entropy isn’t that easy
� Avoid multiple outstanding requests for the same question� n queries * m forgeries give good odds for
the attacker.
![Page 11: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/11.jpg)
11
TTL to the rescue?
� How often can an attack take place?� Forcing a query helps the attacker.� One attack per TTL
� “The calculations above indicate the relative ease with which DNS data can be spoofed. For example, using the formula derived earlier on an RRSet with a 3600 second TTL, an attacker sending 7000 fake response packets/s (a rate of 4.5Mb/s), stands a 10% chance of spoofing a record in the first 24 hours, which rises to 50% after a week.”
![Page 12: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/12.jpg)
12
Summary pre-Kaminsky
� Entropy from ID (16) and server (2) is barely enough.
� Recommendations:� Use Source Port Randomization to get
another 15 bits.� Make sure you don’t mess up the entropy
![Page 13: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/13.jpg)
13
July 8th, 2008: VU#800113
� Dire Warning� Insufficient entropy in ID� Multiple outstanding requests� Fixed source port
� Recommendation� Update� Implement Source Port Randomization� Restrict Recursion� Filter spoofed IP traffic
![Page 14: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/14.jpg)
14
What happened?
� RFC 3833, 2.3 proved to be right� “Perhaps the most interesting class of DNS-
specific threats are the name chaining attacks. These are a subset of a larger class of name-based attacks, sometimes called "cache poisoning" attacks.“
� The TTL wall had been broken.� Idea: don’t attack the Domain itself, go for
random hostnames within the target domain.○ A way to initiate recursion is needed.
![Page 15: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/15.jpg)
15
Example 1
;; QUESTION SECTION:
;345678.example.org. IN A
;; ANSWER SECTION:
345678.example.org. 3600 IN A 192.0.2.1
;; AUTHORITY SECTION:
example.org. 3600 IN NS evil1.example.net .
example.org. 3600 IN NS evil2.example.net .
Source: IETF namedroppers list. (P. Koch, T. Finch)
![Page 16: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/16.jpg)
16
Example 2
;; QUESTION SECTION:
;345678.example.org. IN A
;; ANSWER SECTION:
345678.example.org. A 192.0.2.1
;; AUTHORITY SECTION:
example.org. NS 345678.example.org.
![Page 17: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/17.jpg)
17
Example 3
;; QUESTION SECTION:
;345678.www.example.org. A
;; AUTHORITY SECTION:
www.example.org. NS evil1.example.net.
www.example.org. NS evil2.example.net.
![Page 18: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/18.jpg)
18
Example 4
;; QUESTION SECTION:
;345678.www.example.org. A
;; AUTHORITY SECTION:
www.example.org. NS evil.example.net.
;; ADDITIONAL SECTION:
evil.example.net. A 192.0.2.53
![Page 19: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/19.jpg)
19
Example 5
;; QUESTION SECTION:
;345678.example.org. IN A
;; ANSWER SECTION:
345678.example.org. CNAME www.example.org.
www.example.org. A 192.0.2.80 ; evil
![Page 20: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/20.jpg)
20
Potential Damage
� Man-in-the-middle *everything*� Phishing� Email hijacking
� DoS� Password reset emails� What about SSL?
� CA email-loop � CA whois lookup
![Page 21: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/21.jpg)
21
CERT.at Reaction
� Warnings on all channels� Wait a second …
� the patch changes the query pattern� resolver in Austria query for domains under
.at� we have query-logs of the .at nameservers � important resolvers ask for a lot of domains
We can monitor the patching progressWe can monitor the patching progressWe can monitor the patching progressWe can monitor the patching progress
![Page 22: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/22.jpg)
22
Scoring Resolvers
![Page 23: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/23.jpg)
23
Data set
� Query log of one server in Austria� ~ 10M queries / day (from Austrian IP space)� from ~ 13.000 IP addresses� ~2000 of which sent more than 100 queries� Known domain catchers / registrars excluded� Data starts with July 4th, i.e. before the
announcements
Thanks to Markus Heimhilcher from the .at nameserver management team!
![Page 24: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/24.jpg)
24
Before ..
0
200
400
600
800
1000
1200
1400
0.05 0.15 0.25 0.35 0.45 0.55 0.65 0.75 0.85 0.95
score
coun
t
![Page 25: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/25.jpg)
25
Patching by Server
0%
20%
40%
60%
80%
100%
04.07 .200806.07 .200808.07 .200810.07 .200812.07 .200814.07 .200816.07 .200818.07 .200820.07 .200822.07 .200824.07 .200826.07 .200828.07 .200830.07 .200801.08 .200803.08 .200805.08 .2008
0.95
0.85
0.75
0.65
0.55
0.45
0.35
0.25
0.15
0.05
Announcement
Exploit published
![Page 26: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/26.jpg)
26
Long Term
0%
20%
40%
60%
80%
100%
04 .07 .200811 .07 .2 00818 .07 .200825 .07 .200801 .08 .200808 .08 .200815 .08 .200822 .08 .200829 .08 .200805 .09 .200812 .09 .200819 .09 .2008
0.95
0.85
0.75
0.65
0.55
0.45
0.35
0.25
0.15
0.05
![Page 27: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/27.jpg)
27
By request, not by server:
0%
20%
40%
60%
80%
100%
04.07
.2008
11.07
.2008
18.07
.2008
25.07
.2008
01.08
.2008
08.08
.2008
15.08
.2008
22.08
.2008
29.08
.2008
05.09
.2008
12.09
.2008
19.09
.2008
0.95
0.85
0.75
0.65
0.55
0.45
0.35
0.25
0.15
0.05
![Page 28: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/28.jpg)
28
Absolute numbers
0
2.000.000
4.000.000
6.000.000
8.000.000
10.000.000
12.000.000
04.07 .2008
11.07 .2008
18.07 .2008
25.07 .2008
01.08 .2008
08.08 .2008
15.08 .2008
22.08 .2008
29.08 .2008
05.09 .2008
12.09 .2008
19.09 .2008
0.95
0.85
0.75
0.65
0.55
0.45
0.35
0.25
0.15
0.05
Looks like a number of ISPs reworked their DNS setup over the summer.
![Page 29: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/29.jpg)
29
Whither DNS?
� Source Port Randomization is a stopgap.
� Brings the time to exploit down from “oh sh*t, we’re f***ed” to “not really secure”
� So: what is the outlook? What can be done?
![Page 30: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/30.jpg)
30
Categories
1. Get more entropy2. Changing resolver behavior3. Cooperation from both sides4. Changing the protocol5. Agile defenses
� See namedroppers list archive� draft-wijngaards-dnsext-resolver-side-
mitigation-00
![Page 31: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/31.jpg)
31
More Entropy
� QID� Source port� Source Address
� IPv6!� Destination Address� 0x20
� Case is preserved, but not relevant
![Page 32: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/32.jpg)
32
Resolver behavior
� Repeated Queries� Same server� Different servers
� Use TCP� Time spaced� New rules on how to trust information
� Never cache glue� Be careful when overwriting the cache� i.e. update the RFC 2181 rules
![Page 33: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/33.jpg)
33
Cooperation
� TSIG� SIG(0)� IPsec
� DNSSEC
![Page 34: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/34.jpg)
34
Protocol Changes
� More Entropy� EDNS ECHO
○ draft-hubert-ulevitch-edns-ping-00� Query name hacks
○ Prefixes / Postfixes○ http://www.jhsoft.com/dns-xqid.htm○ http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg015
55.html� QCount > 1� DNS Cookies
○ draft-eastlake-dnsext-cookies� More Crypto
� http://dnscurve.org/
All need protection against down-grade attacks
![Page 35: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/35.jpg)
35
Agile Defense
� Some of the mitigation strategies carry a cost, thus:
1. Try to notice an attack� Many mismatches� Timing
2. React� Refuse to cache� Fallback to TCP� Multiple queries
![Page 36: TheDNS Scareof 2008 - TERENA...9 draft-ietf-dnsext-forgery-resilience State of the game in 2008 An attack needs to match 1. The question section of the reply packet is equivalent to](https://reader034.vdocuments.site/reader034/viewer/2022050209/5f5be397cd879b31642456a7/html5/thumbnails/36.jpg)
36
Summary
� The DNS Scare was justified.� Patching is progressing slowly.� We’re far from a long-term solution
� Low-impact patches?� DNSSEC?
Questions ?