PGIS 205 Intrusion Detection Systems

Intrusion Detection Systems Lecture #5

Internet Attacks
Network Based Intrusion Detection

Outline
• ARP Attacks
• IP Attacks
• ICMP Attacks
• UDP Attacks
• TCP Attacks
• DNS Attacks

12/8/2017

Hitesh Mohapatra Ph.D NIDS

2

Address Resolution Protocol (ARP)
• ARP is the protocol that maps the Internet Protocol (IP) addresses used by the network layer to the Media Access Control (MAC) / physical / Ethernet hardware addresses used by the data link layer
• When a host sends an IP packet on an Ethernet segment, it uses ARP to resolve the next hop's IP address into a MAC address
• An Internet Protocol address (IP address) is a numerical label (32 bits in IPv4) assigned to each device participating in a network that uses IP for communication
• An IP address is usually assigned by the network administrator or Internet Service Provider (ISP), either statically or dynamically (e.g. via DHCP) each time the device connects to a network


Figure: IP Address and MAC Address


Address Resolution Protocol (ARP)
• A MAC address is a 48-bit value, usually written as a hexadecimal string such as 00-0F-B5-45-96-A4
• MAC addresses are normally assigned by the manufacturer of the Network Interface Card (NIC) and stored in its hardware; most operating systems nevertheless let software override the address, which is what makes MAC and ARP spoofing practical
• Address resolution is the process of dynamically finding the MAC address of a computer on the local network
• ARP provides a dynamic mapping between the two address forms: the 32-bit IP address and the 48-bit hardware address


Address Resolution Protocol (ARP)
• Once the destination's MAC address is determined, the IP packet can be encapsulated in an Ethernet frame and transmitted to the destination host
• On a given LAN each IP address is expected to map to exactly one MAC address at a time; nothing in the protocol enforces this, however, so any host can claim any IP address


Address Resolution Protocol (ARP)
• ARP is built on the following message types:
  – ARP Request: the initiating device broadcasts a request on the local subnet asking which host owns a given IP address
  – ARP Reply: the host that owns the requested IP address replies (unicast) with its MAC address; every other host ignores the request
  – RARP Request: a Reverse ARP request asks for the IP address that belongs to a known MAC address
  – RARP Reply: the response supplies the IP address for the requested hardware address
• RARP (RFC 903) is a separate protocol that shares ARP's packet format; it has been superseded by BOOTP and DHCP and is rarely seen today

Working of ARP
• To illustrate how ARP works, consider two nodes, X and Y
• If node X wishes to communicate with Y, node X first broadcasts an ARP request for node Y's hardware address
• The ARP request contains X's IP and hardware addresses, and Y's IP address
• When Y receives the ARP request, it places an entry for X in its ARP cache (which is used to map quickly from IP address to hardware address), then responds directly to X with an ARP reply containing Y's hardware address
• When node X receives Y's ARP reply, it places an entry for Y in its ARP cache
• Once an ARP cache entry exists at X for Y, node X can send packets directly to Y without using ARP

Figure: Illustration of ARP Request and ARP Reply Messages


ARP Caching
• Sending an ARP request/reply for every IP datagram would be inefficient, so hosts maintain a cache (the ARP cache) of current IP-to-MAC address mappings
• The ARP cache is a table of the MAC and IP address pairs for the computers and network devices this host has recently communicated with
• Each device on the network manages its own ARP cache table
• The host consults this table when initiating a conversation with another system
• If the destination's MAC address is not in the cache, the source host uses ARP to determine it

Types of ARP Cache Entries
• There are two ways that entries can be put into the ARP cache:
  – Static ARP cache entries: hardware/IP address pairs added manually to a device's table and kept permanently
  – Dynamic ARP cache entries: hardware/IP address pairs added automatically as a result of successfully completed ARP exchanges; an entry is kept for a limited period and refreshed while it is in use

Figure: ARP Cache Table


Vulnerabilities of ARP
• The major flaw in ARP is its lack of authentication: ARP does not authenticate requests or replies, so both can be forged by any host on the LAN
• ARP is stateless: systems update their cache when an ARP reply arrives, regardless of whether they actually sent a request for it
• The ARP specification (RFC 826) directs a node to update an existing cache entry from any ARP packet it receives, request or reply, and many implementations also accept unsolicited ("gratuitous") replies, so a single forged packet is enough to rewrite a mapping


Exploitation of Vulnerabilities in ARP
• The goal of an ARP attack is to associate the attacker's MAC address with the IP address of a target host, so that traffic meant for the target is delivered to the attacker instead
• The mechanism is a forged ARP request or reply that updates a victim's ARP cache with the bogus entry (ARP cache poisoning)
• The attacker can then choose to:
  – Inspect the packets and forward them to the real destination (interception)
  – Modify the data before forwarding it (man-in-the-middle attack)
  – Launch a denial-of-service attack by causing some or all of the packets on the network to be dropped

ARP Cache Poisoning
• "ARP cache poisoning is the act of introducing a spurious IP-to-Ethernet address mapping in another host's ARP cache by a malicious host on the LAN"
• The result of ARP cache poisoning is that IP traffic intended for one host is diverted to a different host
• When a malicious host claims another host's IP address in an ARP packet it sends out (a broadcast request or an unsolicited reply), the receiving hosts cache the new IP-to-Ethernet mapping, and their caches are poisoned

Figure: Poisoned ARP Cache


Man-In-The-Middle Attacks
• One of the most prevalent network attacks against individuals and large organizations is the "man-in-the-middle attack" (MITM attack)
• A MITM attack is one in which the attacker inserts himself into the communication channel between two endpoints on a network to inject false information, modify information or intercept the data passing between the two parties
• MITM attacks are mainly used to eavesdrop on sensitive and valuable information


Man-In-The-Middle Attacks
• The attacker tries to position himself between the network endpoints and proxy all communication between them
• Once that succeeds, further attacks may include:
  – Sniffing the passing packets
  – Hijacking already authenticated sessions
  – Injecting packets or commands to the server
  – Sending forged responses to the victim client
• The end result is that the attacking host can not only intercept sensitive data but can also inject into and manipulate the data stream to gain further control of its victims


MITM Attack Objectives
• To gain access to the client's messages and modify them before transmitting them on to the server
• Other objectives of a MITM attack can be to:
  – Mislead the communicators at the client or server end, in order to intercept relevant information (e.g. identity, address, password, or any other confidential information) for malicious purposes
  – Manipulate data or transactions


Figure: Man-In-The-Middle Attacks



Internet Protocol (IP)
• The Internet Protocol (IP) is responsible for the transmission of packets between network end points
• IP fragmentation is the process of breaking a single IP datagram into multiple packets of smaller size
• Every link has a largest IP datagram size that it can carry, called the Maximum Transmission Unit (MTU)
• IP supports fragmentation of packets that are too large into smaller packets, as well as reassembly of the smaller packets to reconstitute the original datagram at the destination

Figure: IP Fragmentation and Reassembly


IP Fragmentation and Reassembly
• IP datagrams are encapsulated in data link frames, and datagrams larger than the link's MTU are forced to be split into smaller packets
• Three fields in the IP header implement fragmentation and reassembly: the "Identification", "Flags" and "Fragment Offset" fields


Figure: IP Header


Fields in IP Header for Fragmentation and Reassembly
• Identification (16 bits)
  – The Identification field identifies the fragments of a particular datagram
  – The source system sets this field to a value that must be unique for that source-destination pair and protocol for the lifetime of the datagram on the internet
• Flags (3 bits)
  – Bit 0 is reserved; bit 1 is "Don't Fragment" (DF), which tells routers to discard the datagram rather than fragment it; bit 2 is "More Fragments" (MF), set on every fragment except the last
  – Together with the offset, the MF flag tells the receiver whether the packet is part of a fragmented datagram or not


Figure: Fields in IP Header for Fragmentation and Reassembly


Fields in IP Header for Fragmentation and Reassembly
• Fragment Offset (13 bits)
  – Specifies the fragment's position within the original datagram, measured in 8-byte units
  – Every fragment except the last must therefore carry a multiple of 8 bytes of data
  – The last fragment (MF = 0) tells the receiving station where the datagram ends, so it can reassemble the data once all fragments have arrived
• The receiver reassembles the data from fragments with the same source, destination, protocol and Identification field


IP Attacks
• IP fragment overlap (Teardrop Attack)
  – A teardrop attack is a denial of service (DoS) attack that targets IP fragmentation and reassembly
  – The attack sends two fragments of the same IP datagram whose offsets and lengths indicate that they overlap each other
  – On receipt the fragments overlap in the host's reassembly buffer
  – The host attempts to reconstruct the original datagram and, if its reassembly code does not check for overlap, crashes or hangs, resulting in a DoS
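The three header fields above and the teardrop overlap, as an added example (written for this page, not code from the original lecture): fragments are built with struct using the Identification, Flags and Fragment Offset fields, and a small reassembler refuses any fragment whose byte range overlaps data already queued, which is exactly the check the vulnerable stacks of the teardrop era lacked. The addresses, identifiers and payloads are constructed.

```python
"""IPv4 fragment builder and an overlap-checking reassembler (teardrop defence).
Added example, not from the original slides; addresses and payloads are constructed.
"""
import struct

MF = 0x1   # "More Fragments" bit of the 3-bit Flags field


def build_fragment(ident, offset_bytes, more, payload,
                   src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x01"):
    """20-byte IPv4 header + payload.  The offset is stored in 8-byte units."""
    assert offset_bytes % 8 == 0, "fragment offsets must be multiples of 8"
    flags_frag = (more << 13) | (offset_bytes // 8)        # flags occupy bits 15..13
    total = 20 + len(payload)
    # ver/IHL, TOS, total length, Identification, Flags+Offset, TTL, proto (UDP), checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_frag, 64, 17, 0, src, dst)
    return hdr + payload


def parse_fragment(pkt):
    ver_ihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    return {"key": (src, dst, proto, ident),          # reassembly queue identifier
            "offset": (ff & 0x1FFF) * 8,
            "more": bool((ff >> 13) & MF),
            "data": pkt[ihl:total]}


class Reassembler:
    """Collects fragments per (src, dst, proto, id) and rejects overlaps."""

    def __init__(self):
        self.queues = {}   # key -> {"chunks": {offset: bytes}, "end": int or None}

    def feed(self, pkt):
        """Returns ('partial' | 'done' | 'overlap', payload-or-None)."""
        f = parse_fragment(pkt)
        q = self.queues.setdefault(f["key"], {"chunks": {}, "end": None})
        start, stop = f["offset"], f["offset"] + len(f["data"])
        # Teardrop check: the new byte range must not intersect a stored one.
        # A stack that trusts the offsets without this check copies past its buffer.
        for off, data in q["chunks"].items():
            if start < off + len(data) and off < stop:
                del self.queues[f["key"]]
                return "overlap", None
        q["chunks"][start] = f["data"]
        if not f["more"]:
            q["end"] = stop                       # the last fragment fixes the total length
        if q["end"] is not None:
            covered = sum(len(d) for d in q["chunks"].values())
            furthest = max(off + len(d) for off, d in q["chunks"].items())
            if covered == q["end"] == furthest:   # contiguous and complete
                payload = b"".join(d for _, d in sorted(q["chunks"].items()))
                del self.queues[f["key"]]
                return "done", payload
        return "partial", None


def normal_case():
    """A 24-byte datagram split into a 16-byte and an 8-byte fragment."""
    r = Reassembler()
    msg = b"A" * 16 + b"B" * 8
    r.feed(build_fragment(0x1234, 0, 1, msg[:16]))
    return r.feed(build_fragment(0x1234, 16, 0, msg[16:]))


def teardrop_case():
    """Second fragment claims offset 8 while the first already covers 0..24."""
    r = Reassembler()
    r.feed(build_fragment(0x4242, 0, 1, b"A" * 24))
    return r.feed(build_fragment(0x4242, 8, 0, b"B" * 16))


if __name__ == "__main__":
    print(normal_case())
    print(teardrop_case())
```

Fragments may arrive in any order, so completeness is decided from the total length announced by the MF = 0 fragment rather than from arrival order; a sensor doing the same bookkeeping would also want a per-queue timeout, since an attacker can fill reassembly memory with datagrams that never complete.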

Figure: IP Attacks – Teardrop Attack


IP Attacks
• IP Spoofing
  – In a spoofing attack, the intruder sends packets whose source address claims they come from a trusted system
  – Any host can send packets pretending to be from any IP address, because nothing in IP verifies the source field
  – The attacker is fooling (spoofing) the remote computer into believing that the packets come from a legitimate member of the network
  – In the classic form of the attack, the goal is to open a connection that the target trusts on the basis of source address alone, gain privileged access and create a backdoor entry path into the target system
  – Replies go to the spoofed address, not to the attacker, so unless the attacker is on the path he must work "blind" (which is why the TCP sequence prediction attack covered later matters)

IP Attacks
• IP Spoofing – DoS
  – Denial of Service (DoS) attacks aim to prevent clients from accessing a service
  – IP spoofing can be used to mount DoS attacks
  – The attacker spoofs a large number of requests from many different IP addresses to fill the service's queue
  – With the service queue full, legitimate users cannot use the service


Figure: IP Spoofing – DoS Attack. The attacker sends a flood of service requests with fake source IPs across the Internet to the server; the server queue fills and the legitimate users' requests get dropped.


Internet Control Message Protocol (ICMP)
• The Internet Control Message Protocol (ICMP) is one of the core Internet protocols; it reports network error conditions such as a requested service not being available or a host or router being unreachable
• ICMP is heavily used by routers, as well as clients and servers (network endpoints), to determine network errors and availability and to gather performance statistics through various types of ICMP packets
• There is no authentication of received ICMP messages, and many stacks perform few validation checks on them, which leads to a variety of attacks
• ICMP attacks can result in a DoS, allow the attacker to intercept packets, or redirect network traffic towards hosts on a path of his choice

ICMP Message Format
• Each ICMP message starts with three fields (4 bytes in total) that define its purpose and provide a checksum
• They are the TYPE, CODE and CHECKSUM fields
  – TYPE (1 byte) identifies the type of ICMP message
  – CODE (1 byte) provides further information about the associated TYPE
  – CHECKSUM (2 bytes) provides a method for checking the integrity of the message


ICMP Sweep
• One of the most common techniques for discovering which hosts are alive in the target's environment is to perform an ICMP sweep of the entire target network range
• An ICMP sweep involves sending ICMP Echo Request packets to every address in the target range and inferring from the Echo Replies which hosts are alive and connected to the target's network for further probing
• An attacker can then direct a more focused attack toward live hosts only
• This can be implemented with a simple loop around the ping command or with automated scanning tools

Types of ICMP Attacks
• ICMP Packet Magnification / ICMP Smurf
• Ping of Death
• ICMP PING Flood Attack
• ICMP Redirect Attack


ICMP Packet Magnification / ICMP Smurf Attack
• The Smurf attack is a DoS attack in which large numbers of ICMP Echo Request packets are sent to the broadcast address of an intermediary network
• The Echo Requests carry the victim's IP address as their spoofed source address
• Every system on the intermediary network answers with an ICMP Echo Reply to the victim, consuming the victim's available bandwidth and denying service to legitimate traffic
• The three parties involved in this type of DoS attack are:
  – Hacker (instigator of the attack)
  – Intermediary network used to amplify the attack (amplifier)
  – Victim (target of the attack)

ICMP Packet Magnification / ICMP Smurf Attack
• The attack usually works in the following simple steps:
  – The hacker identifies a victim IP address
  – The hacker identifies an intermediary site that will amplify the attack (one whose router forwards directed broadcasts)
  – The hacker sends a large amount of ICMP traffic (ICMP Echo Request packets) to the broadcast address of the intermediary site
  – These packets have their source IP address spoofed to point at the victim
  – Every live host on the LAN picks up a copy of the ICMP Echo Request and sends an ICMP Echo Reply back to what it thinks is the source
  – If many hosts are alive on the LAN, the amplification factor can be considerable

Figure: ICMP Smurf Attack


Ping of Death
• An attacker sends an ICMP Echo Request whose reassembled size exceeds the maximum IP packet size of 65,535 bytes
• Because no link can carry such a packet, it is sent as fragments whose offsets and lengths add up to more than 65,535 bytes
• When the target reassembles the fragments, the oversized result overflows the reassembly buffer, and the OS crashes or reboots
• Ping of Death attacks were dangerous because the attacker's identity could easily be spoofed and the attacker needed to know nothing about the target except its IP address; modern stacks check the reassembled length and are not affected


ICMP PING Flood Attack
• A ping flood is a simple denial-of-service attack in which the attacker overwhelms the victim with ICMP Echo Request (ping) packets so that it cannot respond to legitimate traffic
• It is most effective with the flood option of ping, which sends packets as fast as possible without waiting for replies
• ping requires the user to be privileged (super user) to specify the flood option
• Super users can send hundreds or more packets per second using the -f option of ping
• The attacker expects the victim to respond with ICMP Echo Reply packets, so both the victim's incoming and outgoing bandwidth are consumed

ICMP Redirect Attack
• ICMP Redirect messages are used by routers/gateways to tell a host about a better first hop for a destination, or to move a source host to a different gateway that is closer to the destination
• ICMP Redirects therefore affect the way a host routes packets to destinations
• They are legitimately used by a router to tell a host that it is using a non-optimal route to a particular destination
• The router that received the misdirected packet sends the host an ICMP Redirect telling it what the correct next hop should be, and the host updates its routing accordingly


ICMP Redirect Attack
• Through ICMP Redirects, a host learns which networks can be reached from the local network and which router to use for each of them
• The security problem comes from the fact that an attacker on the LAN can forge ICMP Redirect packets to redirect traffic to himself
• The attack alters the host's routing table and can subvert the security of the host by diverting traffic along a path the network manager never intended

ICMP Redirect Attack
• ICMP Redirects may also be employed for DoS attacks: a host is redirected to a route where it loses connectivity, or is sent an ICMP Network Unreachable message telling it that it can no longer access a particular network
• ICMP Redirects may also be used to set up man-in-the-middle attacks or to amplify Smurf or Fraggle attacks
• Because of these risks, the usual recommendation is to ignore ICMP Redirects: disable acceptance of redirects on hosts, and disable sending them on routers' public interfaces
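The checks a host is supposed to apply before acting on a Redirect, as an added example (written for this page, not from the original lecture): a type 5 message is built with struct, its checksum verified, and the RFC 1122 section 3.2.2.2 rules applied: the quoted packet must be one this host sent, the Redirect must come from the gateway currently used for that destination, and the new gateway must be on the directly attached network. The routing-table lookup is a stand-in lambda, and all addresses are constructed.

```python
"""Host-side validation of ICMP Redirect messages.
Added example, not from the original slides.  Builds a Redirect (type 5)
with struct and applies the acceptance rules of RFC 1122 section 3.2.2.2;
the route lookup and all addresses are constructed stand-ins.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5


def icmp_checksum(data):
    """RFC 1071 one's-complement sum; a valid message folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(new_gateway, quoted_packet, code=1):
    """type 5, code 1 = redirect for host; the body quotes the offending
    IP header plus 8 bytes of its payload, as RFC 792 requires."""
    msg = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                      ipaddress.ip_address(new_gateway).packed) + quoted_packet
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def quoted_ip_packet(src, dst):
    """Minimal 20-byte IPv4 header (UDP, checksum left 0) + 8 payload bytes."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + b"\x00" * 8


def accept_redirect(icmp, sender, my_ip, netmask, current_gateway_for):
    """Decide whether to honour a Redirect.  current_gateway_for(dst) is the
    host's route lookup.  Returns (accepted, reason)."""
    if icmp_checksum(icmp) != 0:
        return False, "bad checksum"
    typ, _, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        return False, "not a redirect"
    quoted_src = str(ipaddress.ip_address(icmp[8 + 12:8 + 16]))
    dst = str(ipaddress.ip_address(icmp[8 + 16:8 + 20]))
    new_gw = ipaddress.ip_address(gw)
    if quoted_src != my_ip:
        return False, "quoted packet was not sent by this host"
    if sender != current_gateway_for(dst):      # must come from the first hop in use
        return False, f"sender {sender} is not the current gateway for {dst}"
    local_net = ipaddress.ip_network(f"{my_ip}/{netmask}", strict=False)
    if new_gw not in local_net:                  # new gateway must be directly reachable
        return False, f"new gateway {new_gw} is not on the local network"
    return True, f"route {dst} via {new_gw}"


def scenario():
    """Host 10.0.0.5/24 uses 10.0.0.1 as default gateway; attacker is 10.0.0.9."""
    my_ip, mask = "10.0.0.5", "255.255.255.0"
    gateway_for = lambda dst: "10.0.0.1"           # stand-in for the routing table
    quoted = quoted_ip_packet(my_ip, "198.51.100.7")
    legit = build_redirect("10.0.0.2", quoted)     # sent by the real gateway
    forged = build_redirect("10.0.0.9", quoted)    # sent by the attacker itself
    return (accept_redirect(legit, "10.0.0.1", my_ip, mask, gateway_for),
            accept_redirect(forged, "10.0.0.9", my_ip, mask, gateway_for))


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The sender check defeats the naive forgery, but an attacker on the LAN can just as easily put the real gateway's address in the IP source field, and then every rule passes. That is why the slide's advice to ignore Redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects = 0) is the robust fix; the validation above only raises the bar.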

Figure: Man-in-the-Middle Attacks by ICMP Redirect (two slides)



User Datagram Protocol (UDP)
• The User Datagram Protocol (UDP) is a transport protocol for carrying data across an Internet Protocol (IP) based network
• UDP does not perform a handshake as TCP does, does not retransmit lost data, and does not even check whether the transmitted data was received, so it is referred to as an unreliable, connectionless protocol
• Skipping the handshake keeps the focus on pure transmission, so UDP has lower overhead and is faster than TCP
• It is used by applications that tolerate loss or need low latency (DNS, streaming media, games) and for broadcast and multicast messages over a network


UDP Datagram Format
• Source Port Number (16 bits): assigned by the local computer when it transmits data to a remote machine
• Destination Port Number (16 bits): identifies the receiver's port
• Length (16 bits): the length in bytes of the entire datagram, header and data
• Checksum (16 bits): error-checking of the header and data together with an IP pseudo-header; in IPv4 it is optional, and a value of zero means "no checksum"


UDP Fraggle Attack
• Similar to the ICMP Smurf attack
• A UDP Fraggle attack is a DoS attack in which the attacker sends a large amount of UDP traffic to the echo service (port 7) at IP broadcast addresses, all of it with a spoofed source address (the chargen service on port 19 is abused the same way)
• Fraggle uses UDP echo datagrams in the same way that Smurf uses ICMP Echo packets
• All hosts running the service reply (amplification)
• Because the source IP was spoofed, the replies overwhelm the victim, creating a DoS for legitimate traffic

UDP Flood Attack
• A UDP flood attack is a DoS attack using UDP
• The attacker sends UDP packets to random ports on the victim system, usually from spoofed source addresses
• For each UDP packet it receives, the victim will:
  – Check for an application listening on that port
  – Determine that no application listens on that port
  – Reply with an ICMP "Destination Unreachable" (Port Unreachable) packet to the forged source address
• Ultimately the host spends so much capacity receiving packets and generating replies that it becomes unreachable (DoS) for other clients


UDP Ping Pong
• The ping-pong attack takes advantage of UDP services that respond to every datagram they receive (echo, chargen and the like)
• The attacker spoofs a single packet from one such service addressed to another, and the two services start bouncing traffic back and forth at each other (the "ping-pong" effect)
• This consumes machine resources and network bandwidth indefinitely, from a single packet
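The victim's side of the UDP flood and ping-pong attacks above, as an added example (written for this page, not from the original lecture): a small model of a host that answers datagrams to closed ports with ICMP Port Unreachable, but rate-limits those replies with a token bucket so a spoofed flood cannot turn it into a packet generator, and refuses to answer a datagram whose source and destination ports are both self-replying services. The token bucket stands in for a kernel's ICMP rate limit (Linux exposes it as net.ipv4.icmp_ratelimit); the traffic, ports and timings are constructed.

```python
"""UDP flood handling with rate-limited ICMP Port Unreachable, plus the
ping-pong rule.  Added example, not from the original slides: the token
bucket stands in for a kernel's ICMP rate limit, and the traffic, ports
and timings are constructed.
"""
import random

REFLECTING_PORTS = {7, 13, 17, 19}   # echo, daytime, qotd, chargen: answer every datagram


class TokenBucket:
    """At most `rate` events per second, with a burst of `rate`."""

    def __init__(self, rate):
        self.rate, self.tokens, self.last = rate, float(rate), 0.0

    def allow(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class UdpHost:
    """Models the victim's decision for each incoming datagram."""

    def __init__(self, listening_ports, icmp_rate):
        self.listening = set(listening_ports)
        self.icmp = TokenBucket(icmp_rate)
        self.stats = {"delivered": 0, "unreachable": 0, "suppressed": 0, "pingpong": 0}

    def receive(self, now, sport, dport):
        if sport in REFLECTING_PORTS and dport in REFLECTING_PORTS:
            self.stats["pingpong"] += 1   # answering would start an endless exchange
            return "pingpong"
        if dport in self.listening:
            self.stats["delivered"] += 1
            return "delivered"
        if self.icmp.allow(now):          # ICMP Port Unreachable goes to the (spoofed) source
            self.stats["unreachable"] += 1
            return "unreachable"
        self.stats["suppressed"] += 1     # over the limit: drop silently instead
        return "suppressed"


def flood_simulation(packets=5000, seconds=1.0, icmp_rate=100, seed=1):
    """5000 spoofed-source datagrams to random closed ports within one second,
    followed by one attacker datagram from port 7 to port 19 (ping-pong trigger)."""
    rng = random.Random(seed)
    host = UdpHost(listening_ports={53, 123}, icmp_rate=icmp_rate)
    for i in range(packets):
        host.receive(seconds * i / packets, rng.randint(1024, 65535), rng.randint(20000, 65535))
    host.receive(seconds, 7, 19)
    return host.stats


if __name__ == "__main__":
    print(flood_simulation())
```

With a limit of 100 replies per second the host answers roughly 200 of the 5,000 probes (the initial burst plus one second of refill) and silently drops the rest, so the flood costs it receive bandwidth only. The unreachable replies themselves are also what a sensor watches: a single host emitting hundreds of Port Unreachables per second is a reliable flood indicator.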


Transmission Control Protocol (TCP)
• TCP is a connection-oriented protocol used together with the Internet Protocol (IP) to send data as a reliable byte stream between computers over the Internet
• TCP divides a message into segments, numbers them, and reassembles them into the complete message at the other end; IP carries each segment as a packet and routes it through the Internet


Figure: TCP Header


TCP Attacks
• TCP SYN Flooding
• TCP Session Hijacking
• TCP RST Attacks
• TCP Port Scanning
• TCP Sequence Prediction Attack


TCP SYN Flooding (SYN Flood Attack)
• A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic


TCP Three-Way Handshake
• When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which runs like this:
  – The client requests a connection by sending a SYN message to the server
  – The server acknowledges this request by sending a SYN-ACK back to the client
  – The client responds with an ACK, and the connection is established
• This is called the TCP three-way handshake
• Once the connection is established, the session remains open until one of the machines sends a RST (reset) or FIN (finish)

Figure: Normal Connection Between a User and a Server

TCP SYN Flooding
• An attacker sends many SYN packets to open multiple connections without ever sending the final ACK to complete the handshake
• Those SYN packets usually use spoofed source IP addresses, so the SYN-ACKs go unanswered
• The victim has to keep each half-open connection in memory for a certain time, until no new connections can be accepted, resulting in a DoS for legitimate traffic
• If enough of these malicious packets arrive, the victim quickly runs out of memory or backlog slots
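The half-open state that a SYN flood exhausts, tracked from the outside the way a passive sensor or stateful firewall does, as an added example (written for this page, not from the original lecture): the detector records each client SYN against the server socket, removes the entry when the third handshake step or a RST arrives, expires entries the server would have timed out, and alerts when the number still pending exceeds a threshold. Segments are constructed (time, src, sport, dst, dport, flags) tuples and the threshold is illustrative.

```python
"""Half-open connection tracking to detect a SYN flood.
Added example, not from the original slides.  Segments are constructed
(time, src, sport, dst, dport, flags) tuples; thresholds are illustrative.
"""
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class SynFloodDetector:
    """Keeps, per server socket, the client connections that sent a SYN but
    never completed the handshake, and alerts when too many are pending."""

    def __init__(self, threshold=100, timeout=30.0):
        self.threshold, self.timeout = threshold, timeout
        self.half_open = defaultdict(dict)   # (server, port) -> {(client, port): t_syn}

    def segment(self, t, src, sport, dst, dport, flags):
        """Feed one segment; return an alert string or None."""
        if flags & SYN and not flags & ACK:          # step 1: client SYN
            self.half_open[(dst, dport)][(src, sport)] = t
        elif flags & ACK and not flags & SYN:        # step 3: handshake completed
            self.half_open[(dst, dport)].pop((src, sport), None)
        elif flags & RST:                            # either side gave up
            self.half_open[(dst, dport)].pop((src, sport), None)
            self.half_open[(src, sport)].pop((dst, dport), None)
        table = self.half_open[(dst, dport)]
        # expire what the server itself would have timed out by now
        for key in [k for k, t0 in table.items() if t - t0 > self.timeout]:
            del table[key]
        if len(table) > self.threshold:
            return f"SYN flood suspected on {dst}:{dport}: {len(table)} half-open connections"
        return None


def replay(segments, **kwargs):
    det = SynFloodDetector(**kwargs)
    alerts = []
    for seg in segments:
        alert = det.segment(*seg)
        if alert:
            alerts.append(alert)
    return alerts


def normal_handshakes(n=50):
    """n clients each completing the three-way handshake with 203.0.113.10:80."""
    segs = []
    for i in range(n):
        client, port = f"192.0.2.{i % 250 + 1}", 40000 + i
        segs += [(i, client, port, "203.0.113.10", 80, SYN),
                 (i + 0.01, "203.0.113.10", 80, client, port, SYN | ACK),
                 (i + 0.02, client, port, "203.0.113.10", 80, ACK)]
    return segs


def flood(n=500):
    """n SYNs from spoofed sources in half a second; the SYN-ACKs go to hosts
    that never asked, so no ACK ever arrives."""
    return [(i * 0.001, f"198.51.100.{i % 250 + 1}", 1024 + i, "203.0.113.10", 80, SYN)
            for i in range(n)]


if __name__ == "__main__":
    print(replay(normal_handshakes(), threshold=20))
    print(replay(flood(), threshold=100)[:1])
```

Fifty ordinary clients never leave more than one entry pending, while the spoofed flood crosses the threshold on its 101st SYN and stays there until the entries age out. A server defends itself with the same observation inverted: SYN cookies encode the connection state in the ISN it sends back, so nothing needs to be stored until the ACK proves the client is real.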

Figure: SYN Flood Attack. The attacker sends several SYN packets to the server but never sends the "ACK" back; the connections stay half-open and consume server resources. A legitimate user tries to connect, but the server refuses to open a connection, resulting in a DoS.

TCP Session Hijacking
• Session hijack attacks are defined as taking over an active TCP/IP communication session without anyone's permission or knowledge
• An active session between a client and a server is diverted by an intruder who pretends to be the "legitimate" client
• The intruder communicates with the server and keeps the legitimate client inactive
• When implemented successfully, the attacker assumes the identity of the compromised user, enjoying the same access to resources as that user

Types of Session Hijacking
• There are three types of session hijacking attacks:
  – Active Session Hijack Attack
  – Passive Session Hijack Attack
  – Hybrid Session Hijack Attack


Active Session Hijack Attack
• The attacker takes over the client's position in the communication exchange between the client and the server by knocking the client offline


Passive Session Hijack Attack
• Passive attacks keep the client online and give the attacker the ability to monitor network traffic and potentially discover valuable data or passwords


Hybrid Session Hijack Attack
• This attack is a combination of the active and passive attacks: the attacker listens to network traffic until something of interest is found
• The attacker can then switch to active mode by removing the client computer from the session (taking it offline) and assuming its identity


TCP Session Hijacking
• A classic method of session hijacking uses IP spoofing: the attacker sends source-routed IP packets to insert commands into an active communication between two nodes on a network while disguising himself as one of the authenticated users (source routing makes the replies come back to the attacker; most networks now drop source-routed packets, so the attacker instead has to sniff or predict sequence numbers)
• This type of attack is possible because authentication is done only at the start of a TCP session


TCP RST Attacks
• The TCP reset attack is also known as "forged TCP resets" or "spoofed TCP reset packets"
• A TCP connection is a stream of packets, each containing a TCP header
• Each header contains a bit known as the "reset" (RST) flag, used to abort a connection in response to an error
• In most packets this bit is 0 and has no effect; if it is set to 1, it tells the receiving computer to kill the TCP connection immediately


TCP RST Attacks
• An attacker who can monitor the TCP packets on a connection can send a "forged" packet containing a TCP reset to one or both endpoints
• Every field in the TCP header must carry a convincing forged value, so that the packet looks as if it came from the genuine peer rather than the intruder: matching addresses and ports, and a sequence number the receiver will accept
• Properly formatted forged TCP resets are a very effective way to close any active TCP connection; an off-path attacker who cannot see the sequence numbers has to guess them, and modern stacks (RFC 5961) only honour a RST whose sequence number exactly matches the next expected one

TCP Port Scanning
• A port scan is an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability (a method of discovering exploitable communication channels)
• By port scanning, the attacker finds which ports are available (i.e. being listened on by a service)
• A port scan consists of sending a message to each port, one at a time

TCP Port Scanning
• The kind of response received indicates whether the port is in use and can therefore be probed further for weaknesses
• The result of a scan on a port is usually generalized into one of three categories:
  – Open or Accepted: the host sent a reply indicating that a service is listening on the port
  – Closed, Denied or Not Listening: the host sent a reply indicating that connections to the port are denied
  – Filtered, Dropped or Blocked: there was no reply from the host

Port Scanning Techniques
• TCP SYN scan:
  – Send a SYN packet (as if initiating a connection) and wait for a response
  – A SYN-ACK indicates that the port is listening; a RST indicates a non-listening port
  – If a SYN-ACK is received, the scanner immediately sends a RST to tear the half-open connection down, so the connection is never completed and is often not logged by the application
• TCP connect() scan:
  – The connect() system call is used to open a full connection to every interesting port on the target machine
  – If the port is listening, connect() succeeds; otherwise it fails (the port is closed or filtered)
  – One strong advantage of this technique is that the user does not need any special privileges; the disadvantage is that the completed connection is visible to the service and its logs

Port Scanning Techniques
• FIN scan:
  – A FIN ("finish") is a TCP segment used to indicate that the sender will no longer use the session to send data
  – FIN, NULL and Xmas probes are called "stealth" scans because they send a single segment to a TCP port without any normal TCP handshake
  – An attacker uses a TCP FIN scan to determine which ports are closed on the target machine
  – If a RST is received, the port is considered closed; no response means the port is open or filtered
  – This only works against stacks that follow RFC 793; Windows and some other systems answer every such probe with a RST, so all ports appear closed


Port Scanning Techniques
• Xmas Tree scan:
  – The Xmas tree scan sends a TCP segment to a remote device with the URG, PUSH and FIN flags set
  – It is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte, much like the lights on a Christmas tree
  – Responses are interpreted as for the FIN scan: a RST means closed, no response means open or filtered


Port Scanning Techniques
• NULL scan:
  – A NULL scan is accomplished by sending TCP segments with no flags set in the header
  – An attacker uses a TCP NULL scan to determine which ports are closed on the target machine
  – If a port is closed, a RST is returned


Port Scanning Techniques
• The response of a NULL scan to an open port is "no response" (the same as for a filtered port, so the scanner cannot tell the two apart)
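The probe types and responses from the port scanning slides above, as an added example (written for this page, not from the original lecture): classify_probe names the scan a lone segment's flag byte implies, expected_reply gives the RFC 793 answer for open and closed ports (with the Windows exception noted), and PortScanDetector does what a sensor does to tell a scanner from a client: it counts distinct destination ports per source within a time window. Addresses, ports and the threshold are constructed.

```python
"""Scan-probe classification and fan-out based port scan detection.
Added example, not from the original slides; addresses, ports and the
threshold are constructed.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the scan type that a lone segment with these flags suggests."""
    if flags == 0:
        return "NULL scan"
    if flags == FIN:
        return "FIN scan"
    if flags == FIN | PSH | URG:
        return "Xmas scan"
    if flags == SYN:
        return "SYN scan or ordinary connect()"
    return "not a classic scan probe"


def expected_reply(flags, port_open):
    """What an RFC 793 stack sends back to a probe with no existing connection.
    (Windows and some other stacks answer FIN/NULL/Xmas with RST even on
    open ports, which is why those scans are unreliable against them.)"""
    if flags & RST:
        return None               # RST segments are never answered
    if not port_open:
        return "RST"              # closed port: RST for any other probe
    if flags & ACK:
        return "RST"              # ACK with no connection: reset
    if flags & SYN:
        return "SYN-ACK"          # open port: handshake proceeds
    return None                   # FIN / NULL / Xmas on an open port: dropped


class PortScanDetector:
    """Alerts when one source touches many distinct ports on a host within a window."""

    def __init__(self, port_threshold=15, window=60.0):
        self.port_threshold, self.window = port_threshold, window
        self.seen = defaultdict(list)   # (src, dst) -> [(t, dport), ...]

    def segment(self, t, src, dst, dport, flags):
        hist = [(t0, p) for t0, p in self.seen[(src, dst)] if t - t0 <= self.window]
        hist.append((t, dport))
        self.seen[(src, dst)] = hist
        ports = {p for _, p in hist}
        if len(ports) >= self.port_threshold:
            return (f"port scan from {src} against {dst}: {len(ports)} ports "
                    f"in {self.window:.0f}s ({classify_probe(flags)})")
        return None


def scan_scenario():
    """A browser opening ten connections to one port, then an Xmas scan of 20 ports."""
    det = PortScanDetector(port_threshold=15)
    alerts = []
    for i in range(10):
        alerts.append(det.segment(i, "192.0.2.7", "203.0.113.10", 443, SYN))
    for i, port in enumerate(range(20, 40)):
        alerts.append(det.segment(100 + i, "198.51.100.9", "203.0.113.10", port, FIN | PSH | URG))
    return [a for a in alerts if a]


if __name__ == "__main__":
    for a in scan_scenario():
        print(a)
```

The browser never trips the detector because it reuses one port; the scanner does on its fifteenth distinct port. Real sensors also key on the replies (a burst of RSTs from one host is the closed-port half of the same picture) and spread the count over a sliding window so a slow scan does not escape simply by pacing itself.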


TCP Sequence Prediction Attack
• When two hosts transfer data using TCP, each side generates a 32-bit Initial Sequence Number (ISN) when the connection is set up: the initiating host chooses its ISN in the SYN, the other host in the SYN-ACK
• Sequence numbers are carried in every transmitted segment and returned by the opposite host as acknowledgement numbers to inform the sender that the transmitted data was received successfully
• A TCP sequence prediction attack is an attempt to predict the sequence numbers used to identify the segments in a TCP connection


TCP Sequence Prediction Attack
• The root of this security problem is the way the ISN is generated
• Every operating system uses its own algorithm to generate an ISN for every new connection
• The hacker tries to work out which algorithm the specific operating system uses, so that he can predict the future ISNs that the source host will generate
• If the attack is successful:
  – The hacker can send counterfeit packets to the receiving host that appear to originate from the source host
  – He can cause premature closure of an existing TCP connection by injecting packets with the FIN bit set

TCP Sequence Prediction Attack
• If an attacker can find out the sequence number currently in use by an existing TCP connection, he can inject a valid TCP segment into that connection
  – If the attacker is on the same LAN, he can sniff the sequence number (listen to the conversation between the trusted hosts, then issue counterfeit packets using the same source IP address)
  – If the attacker is not on the same LAN, he has to guess or predict the sequence number
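The sequence-number arithmetic behind the RST attack and the prediction attack, as an added example (written for this page, not from the original lecture). accept_rst applies the receiver's rule for a forged reset: a legacy stack honours any RST inside the receive window, so an off-path attacker needs only about 2^32 / window guesses; an RFC 5961 stack resets only on the exact next sequence number and answers other in-window RSTs with a challenge ACK the attacker never sees. isn_guess shows the prediction step itself: it extrapolates the next ISN from a few observed ones and is confident only when the generator is a plain counter. All sequence numbers, windows and ISN samples are constructed.

```python
"""Sequence-number checks behind RST and injection attacks.
Added example, not from the original slides; all sequence numbers,
windows and ISN samples are constructed.
"""

MOD = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """Sequence arithmetic wraps at 2^32: seq in [rcv_nxt, rcv_nxt + rcv_wnd)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def accept_rst(seq, rcv_nxt, rcv_wnd, rfc5961=True):
    """What the receiver does with a RST carrying sequence number `seq`.
    Pre-RFC 5961 stacks reset on any in-window RST; RFC 5961 stacks reset
    only on an exact match and answer other in-window RSTs with a
    challenge ACK, which a blind attacker never receives."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "reset" if not rfc5961 else "challenge-ack"
    return "drop"


def blind_rst_attack(rcv_nxt, rcv_wnd, rfc5961=True):
    """Off-path attacker who knows the 4-tuple but not the sequence number:
    one guess per window covers the whole 2^32 space in ~2^32/rcv_wnd packets."""
    outcomes = {"reset": 0, "challenge-ack": 0, "drop": 0}
    for guess in range(0, MOD, rcv_wnd):
        outcomes[accept_rst(guess, rcv_nxt, rcv_wnd, rfc5961)] += 1
    return outcomes


def isn_guess(observed):
    """Extrapolate the next ISN from ISNs collected by opening connections
    to a host.  Returns (prediction, confident); confident is True only
    when every increment is the same, i.e. the generator is a counter
    rather than a random function of the 4-tuple and a secret."""
    deltas = [(b - a) % MOD for a, b in zip(observed, observed[1:])]
    return (observed[-1] + deltas[-1]) % MOD, len(set(deltas)) == 1


if __name__ == "__main__":
    print(blind_rst_attack(1_000_000, 65535, rfc5961=False))   # one guess resets
    print(blind_rst_attack(1_000_000, 65535, rfc5961=True))    # none do
    print(isn_guess([1000, 65000, 129000]))
    print(isn_guess([0x2A3B1C4D, 0x9F1E8A77, 0x0C4D1E9B]))
```

With a 64 KiB window the legacy stack is reset by one of roughly 65,500 guesses, which is a few seconds of traffic on a fast link; the RFC 5961 stack never resets and instead emits a single challenge ACK, which is itself a useful alert signal for a sensor. The same 2^32 / window arithmetic governs data injection, which is why randomized ISNs and, for long-lived sessions such as BGP, the TCP MD5/AO option exist.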



Domain Name Service (DNS)
• The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services or any resource connected to the Internet or a private network
• DNS automatically converts the names we type in the Web browser address bar into the IP addresses of the Web servers hosting those sites
• DNS translates a human-readable domain name (such as example.com) into the numerical IP address that is used to route communications between nodes
• DNS implements a distributed database that stores this name and address information for all public hosts on the Internet


Unrelated Data Attack
• To improve performance, a DNS server can send back more information than the client asked for, to save a likely follow-up lookup
• Older DNS servers did not verify the validity of this extra information
• The hacker answers a query and adds to the answer anything he wants cached in the victim DNS server's cache; in this way he poisons the cache of the remote DNS server
• The problem was fixed in BIND (the most widely used DNS software on the Internet) by refusing to cache anything not related to the original request

Figure: Unrelated Data Attack


Related Data Attack
• The process is the same as the unrelated data attack
• The hacker makes the "extra" information look related to the original query:
  – MX: mail server for a domain
  – CNAME: canonical name for an alias
  – NS: DNS servers for a domain
• This information is "related" to the original request, but it can point to totally different data that the hacker wants cached
• The problem was also fixed in BIND, by rejecting all "out of zone" (out-of-bailiwick) information

DNS Cache Poisoning
• To improve efficiency, DNS servers store the results of lookups in a cache to speed up further lookups
• DNS cache poisoning (often achieved by the DNS spoofing described next) is the malicious placement of forged data in a domain name server's cache
• If the forged data gets into the cache, it affects every future lookup served from that cache for as long as the record's TTL lasts
• One successful cache poisoning attack can therefore affect many users

Figure: DNS Cache Poisoning


DNS Spoofing
• DNS spoofing is the act of answering a DNS request that was intended for another server
• The hacker "spoofs" the DNS server's answer by replying with whatever he wants for a specific request
• For instance, the attacker tries to make the lookup of www.mybank.com answer with the IP address of the hacker's computer
• The hacker impersonates the DNS reply so that "client misdirection" occurs, without touching the cache of the impersonated DNS server

Figure: DNS Spoofing


DNS ID Hacking
• It is not enough to spoof a DNS reply, because DNS uses a 16-bit transaction ID to match each answer to its query (together with the UDP source port the query was sent from)
• The hacker needs to find the ID the client is waiting for (DNS ID hacking), either by sniffing it or by guessing it
• DNS ID hacking is a necessary technique for a hacker to succeed in impersonating a DNS server (it is the basis of DNS spoofing)
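The resolver-side checks that defeat the four DNS attacks above (unrelated data, related data, spoofed reply, guessed ID), as an added example (written for this page, not from the original lecture). A minimal RFC 1035 wire-format builder and parser (no name compression) produces a query and four candidate responses, and validate_response applies what a modern resolver checks before caching anything: the transaction ID and destination port must match the outstanding query, the question section must be echoed back, and every record must lie inside the bailiwick of the server that was asked, which is the "out of zone" rule the slides credit to BIND. Names, addresses, IDs and the bailiwick are constructed.

```python
"""Resolver-side response validation against the poisoning variants above.
Added example, not from the original slides.  Minimal RFC 1035 wire-format
builder and parser (no name compression); names, addresses, IDs and the
bailiwick are constructed.
"""
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers are not produced by this example")
        labels.append(msg[off:off + n].decode())
        off += n


def rr(name, rtype, rdata, ttl=300):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_message(txid, qname, qtype, answers=(), authority=(), additional=(), response=False):
    flags = 0x8180 if response else 0x0100            # QR+RD+RA for a response, RD for a query
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return hdr + question + b"".join(tuple(answers) + tuple(authority) + tuple(additional))


def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for _ in range(an + ns + ar):            # answer, authority and additional sections
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "qname": qname, "qtype": qtype, "records": records}


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(resp_data, dst_port, pending, zone):
    """Checks a modern resolver makes before caching.  `pending` describes the
    outstanding query; `zone` is the bailiwick of the server that was asked.
    Returns (records_to_cache, reason)."""
    r = parse_message(resp_data)
    if r["txid"] != pending["txid"] or dst_port != pending["port"]:
        return [], "transaction ID / port mismatch: discarded"
    if (r["qname"].lower(), r["qtype"]) != (pending["qname"].lower(), pending["qtype"]):
        return [], "question section does not match: discarded"
    keep = [rec for rec in r["records"] if in_bailiwick(rec[0], zone)]
    return keep, f"accepted {len(keep)} record(s), dropped {len(r['records']) - len(keep)} out-of-bailiwick"


def scenario():
    """Resolver asked example.com's server for www.example.com A, txid 0x1234, from port 33000."""
    pending = {"txid": 0x1234, "port": 33000, "qname": "www.example.com", "qtype": TYPE_A}
    good = rr("www.example.com", TYPE_A, bytes([192, 0, 2, 10]))
    poison = rr("www.mybank.test", TYPE_A, bytes([198, 51, 100, 66]))
    candidates = {
        "legit": build_message(0x1234, "www.example.com", TYPE_A, answers=(good,), response=True),
        # unrelated-data attack: a foreign A record riding in the additional section
        "unrelated": build_message(0x1234, "www.example.com", TYPE_A, answers=(good,), additional=(poison,), response=True),
        # related-data attack: an NS record for another zone in the authority section
        "related": build_message(0x1234, "www.example.com", TYPE_A, answers=(good,),
                                 authority=(rr("mybank.test", TYPE_NS, encode_name("ns.attacker.test")),), response=True),
        # blind spoof with a guessed transaction ID
        "guessed": build_message(0x1235, "www.example.com", TYPE_A,
                                 answers=(rr("www.example.com", TYPE_A, bytes([198, 51, 100, 66])),), response=True),
    }
    return {label: validate_response(data, 33000, pending, "example.com") for label, data in candidates.items()}


if __name__ == "__main__":
    for label, (kept, reason) in scenario().items():
        print(f"{label:9s} {reason}")
```

The bailiwick rule keeps the poisoned records out while still caching the legitimate answer, and the ID check discards the blind spoof. A 16-bit ID alone is guessable in a flood of replies, which is why resolvers also randomize the query's source port (the port check above) and why DNSSEC exists for the cases where the attacker can see the query.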

Figure: DNS ID Hacking