1 / 9

DNS Cache Poisoning

DNS Cache Poisoning. History. 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized, easily guessable 2002 – BIND sends multiple recursive queries simultaneously, birthday paradox 2003 – BIND PRNG not very random.

jed
Download Presentation

DNS Cache Poisoning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DNS Cache Poisoning

  2. History • 1993 – DNS protocol allowed attacker to inject false data which was then cached • 1997 – BIND 16-bit transaction ids not randomized, easily guessable • 2002 – BIND sends multiple recursive queries simultaneously, birthday paradox • 2003 – BIND PRNG not very random

  3. Basic DNS • Client queries local nameserver • Local nameserver queries root nameserver for authoritative nameservers for some domain • Local nameserver queries authoritative nameserver • Returns result to client

  4. Problem • DNS request sends transaction Id • DNS will accepts any reply containing transaction and assuming remote IP and TCP/UDP ports match • Transaction Ids are only 16-bits

  5. Birthday Attack • BIND sends multiple queries for the same domain name • Possible to flood BIND with replies using randomly generated transaction Ids • If you guess correctly, then BIND will accept your reply • ~50% with 300 packets, • ~100% with 700 packets

  6. TCP/UDP port • BIND reused same source TCP/UDP port • Made it easy for attacker to “guess” the destination TCP/UDP port for the false reply • Newer versions randomize source ports

  7. Phase Space Analysis • Determine how random PRNG is • BIND 8.4.3 – predict next transaction id with only 3 previous ids • BIND 9 – better, but still predictable (~20% with 5000 spoofed replies)

  8. Why DNS Cache Poisoning? • Redirect traffic • MITM attacks

  9. Defenses • Upgrade to BIND 9.x • Split-split DNS • Internal DNS performs recursive queries for users, and cannot be accessed from outside • External DNS does not do recursive queries • Makes it harder for attacker to guess what transaction Ids your external DNS will use

More Related