DNS fragmentation attacks - the dangers of not validating DNSSEC
Posted on 30-May-2015
© Men & Mice http://menandmice.com
DNS Cache Spoofing
"Fragmentation Considered Poisonous" May 2012 - August 2013
Monday 9 December 13
DNS cache poisoning through fragmentation
• A new attack presented at IETF 87 in Berlin, August 2013
• works with any large DNS responses that might be fragmented on the transport path (large TXT record sets - SPF etc.)
• works especially well in situations where DNSSEC validation is partially or incorrectly deployed:
• works on permissive DNSSEC resolvers, and on clients that "fall back" to non-DNSSEC resolvers
• according to research from Geoff Huston (APNIC), these situations are fairly common
Fragmentation attack (1) - (5)
[Diagram on slides 3 to 7: a resolving DNS server with its cache, the "mybank.com" authoritative DNS servers, an evil resolver, an unsuspecting resolver and an evil web-server; the unsuspecting resolver sits in a local network behind firewall and NAT]
(1) HTTP request: a web page that triggers DNS requests with large DNS answers
(2) DNS lookup for the domain name; the DNS lookups will be sent to the authoritative DNS servers
(3) Answer with fragment part 1
(4) Answer with the good fragment part 2; the attacker will swamp the caching DNS server with fake fragment No. 2 packets; the fake response will be cached
(5) Client is connecting to a "pharming" website: request for www.mybank.com./A RR, false answer from the poisoned cache, HTTP request
Fragmentation attack
• Attackers try to overwrite or place a NS record in the cache

Fragment 1 (large RRset causing fragmentation):
;; ANSWER SECTION:
mybank.com. 120 IN SPF "v=spf1, a:192.0.2.10, 192.0.2.22 ..."

Fragment 2 (here is the fake data, with a high TTL for maximum damage):
;; AUTHORITY SECTION:
mybank.com. 86400 IN NS ns1.mybank.com.
mybank.com. 86400 IN NS ns2.mybank.com.
;; ADDITIONAL SECTION:
ns1.mybank.com. 604800 IN A 192.0.2.20
ns2.mybank.com. 604800 IN A 192.0.2.30
Fragmentation attack
• some operating systems (Windows, FreeBSD) use sequential Fragment-IDs
• the next Fragment ID to be used can be inferred by the attacker
Fragmentation attack
• How to guard against fragmentation attacks:
• deploy DNSSEC in a non-permissive mode (full validation)
• deploy IPv6 (UDP fragmentation works differently in IPv6 than in IPv4; the same fragmentation attack is not possible in IPv6 networks)
DNSSEC to the rescue ...
References
• IETF 87 - DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come: http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf
• DNS-OARC Presentation Oct 2013: https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1
DNSSEC validation
DNSSEC in DNS Messages
DNS message header layout (bits 00-31):
bits 00-15: Identification (ID) | bits 16-31: QR, Opcode, AA, TC, RD, RA, Z, AD, CD, RCode
Total Number of Question Resource Records | Total Number of Answer Resource Records
Total Number of Authority Resource Records | Total Number of Additional Resource Records
followed by the Question, Answer, Authority and Additional Resource Records sections
AD = Authenticated Data
CD = Checking Disabled
EDNS: version: 0, flags: do; udp: 4096
DNSSEC in DNS Messages
• DO flag in the EDNS pseudo record: DNSSEC OK
• this client can handle DNSSEC records
• in addition, each client signaling "DNSSEC OK" also signals that it can handle UDP DNS responses larger than 512 bytes
DNSSEC in DNS Messages
• AD flag:
• a validating resolver signaling to the client
• that it has successfully validated the DNSSEC data
• invalid DNSSEC data will not be sent to a downstream resolver (client); instead the resolver will send a SERVFAIL error condition
DNSSEC in DNS Messages
• CD flag:
• an application can signal to the resolving DNS server that it will validate the DNSSEC information itself
• the resolving DNS server does not need to validate, but is free to do so
dig ripe.net +dnssec

; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripe.net. IN A

;; ANSWER SECTION:
ripe.net. 172800 IN A 193.0.6.139
ripe.net. 172800 IN RRSIG A 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=

;; AUTHORITY SECTION:
ripe.net. 172800 IN NS sns-pb.isc.org.
ripe.net. 172800 IN NS sunic.sunet.se.
ripe.net. 172800 IN NS ns-pri.ripe.net.
ripe.net. 172800 IN NS ns3.nic.fr.
ripe.net. 172800 IN RRSIG NS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=

;; ADDITIONAL SECTION:
ns-pri.ripe.net. 172800 IN A 193.0.0.195
ns-pri.ripe.net. 172800 IN AAAA 2001:610:240:0:53::3
ns-pri.ripe.net. 172800 IN RRSIG A 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=
ns-pri.ripe.net. 172800 IN RRSIG AAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=

;; Query time: 454 msec
;; SERVER: 192.0.2.10#53(192.0.2.10)
;; WHEN: Sat Oct 9 22:39:45 2010
;; MSG SIZE rcvd: 870

Annotations: the OPT pseudosection carries the EDNS0 information including the DO flag; the AD flag in the header marks a secure (validated) answer.
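To show where the DO, AD and CD bits described on the preceding slides sit in the wire format, here is an added Python example (not part of the slides, not code from any of the resolvers named): it builds a query with an EDNS0 OPT pseudo-record, parses the header and OPT flags back out, and classifies a reply the way a downstream client should read it (AD set: validated; SERVFAIL: validation failed or upstream problem; otherwise unvalidated). The replies are constructed in code rather than captured from a server, and all function names are my own.

```python
import struct

# Header flag bits of the second 16-bit word (QR, Opcode, AA, TC, RD, RA, Z, AD, CD, RCode).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "z": 0x0040, "ad": 0x0020, "cd": 0x0010}
# In the OPT record the 32-bit TTL field is: ext-rcode(8) | version(8) | DO(1) | Z(15)  (RFC 6891).
EDNS_DO = 0x8000
OPT_TYPE = 41


def encode_name(name):
    """Dotted name to DNS wire format: length-prefixed labels, terminated by a zero octet."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=True, cd=False, do=True, udp_size=4096):
    """Query with one question and an EDNS0 OPT record; DO = 'DNSSEC OK', CD = 'checking disabled'."""
    flags = (FLAG_BITS["rd"] if rd else 0) | (FLAG_BITS["cd"] if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)      # qd=1, an=0, ns=0, ar=1 (the OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt_ttl = EDNS_DO if do else 0                                # ext-rcode 0, version 0, DO, Z=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_ttl, 0)  # root name, type, udp size, ttl, rdlen
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two octets, ends the name
            return off + 2
        off += 1 + length


def parse_flags(msg):
    """Header flags, opcode, rcode and (if present) the EDNS version/DO/udp size of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}
    result["id"] = txid
    result["opcode"] = (flags >> 11) & 0xF
    result["rcode"] = flags & 0xF
    result["edns"] = None
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            result["edns"] = {"version": (ttl >> 16) & 0xFF, "ext_rcode": ttl >> 24,
                              "do": bool(ttl & EDNS_DO), "udp": rclass}
        off += 10 + rdlen
    return result


def make_response(query, ad=False, rcode=0):
    """Constructed minimal reply: echoes ID, RD/CD and the question; sets QR and RA; no answer RRs, no OPT."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = (flags & (FLAG_BITS["rd"] | FLAG_BITS["cd"])) | FLAG_BITS["qr"] | FLAG_BITS["ra"]
    if ad:
        flags |= FLAG_BITS["ad"]
    flags |= rcode & 0xF
    question_end = skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:question_end]


def validation_status(msg):
    """How a DNSSEC-aware client should read a reply from its resolver."""
    f = parse_flags(msg)
    if not f["qr"]:
        return "query"
    if f["rcode"] == 2:
        return "SERVFAIL (validation failed or upstream problem)"
    if f["ad"]:
        return "secure (AD set by a validating resolver)"
    return "unvalidated (no AD flag)"


if __name__ == "__main__":
    q = build_query("ripe.net.")
    print("query:", parse_flags(q))
    for reply in (make_response(q, ad=True), make_response(q), make_response(q, rcode=2)):
        print(validation_status(reply))
```

Note that AD only means something if the resolver answering is the one you trust to validate; a resolver that forwards to an untrusted upstream and copies its AD bit gives the client no real assurance.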
DNSSEC capable DNS resolver / caching server
• BIND 9 (starting with BIND 9.6-ESV): http://www.isc.org
• unbound: http://unbound.net
• PowerDNS recursor: http://www.powerdns.com
• Windows 2012 DNS: http://technet.microsoft.com/en-us/library/hh831667.aspx
http://dnssec-or-not.org
http://dnssectest.sidn.nl
dnssec-tools.org
• A collection of useful tools for DNSSEC deployment (http://dnssec-tools.org)
• DNSSEC-check - tests if the local DNSSEC resolvers are DNSSEC enabled
DNSSEC-check
DNSSEC validation in the web browser
• DNSSEC Add-On for Firefox, Google Chrome and Microsoft Internet Explorer (http://www.dnssec-validator.cz/)
• go to http://www.root-dnssec.org or http://www.ripe.net and you should see a nice green key icon in the URL bar telling you that this DNS information was DNSSEC validated.
DNSSEC validation in Windows 2012
DNSSEC validation in Microsoft DNS Server 2012
• The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3).
• Windows 2008 only supports SHA1 and NSEC, and was not able to validate the Internet root zone
DNSSEC validation
• DNSSEC validation can be enabled in the DNS Server's global properties (Advanced - enable DNSSEC validation for remote responses)
enabling DNSSEC using 'dnscmd'
• it is possible to enable DNSSEC validation from the command line using the command
dnscmd /RetrieveRootTrustAnchors
• This command will first fetch the delegation signer (DS record) using HTTPS from IANA (https://data.iana.org/root-anchors/root-anchors.xml).
• The server will then fetch the public key signing key from the root zone during an active refresh cycle (RFC 5011) and validate the KSK using the delegation signer record.
enabling DNSSEC using 'dnscmd'
A DNSSEC validating caching-only configuration for BIND 9
DNSSEC validation with BIND 9
• built-in support for DNSSEC validation in the BIND 9 DNS server:
• BIND 9.6 - no built-in trust anchor, no support for RFC 5011
• BIND 9.7 - support for RFC 5011 (automatic update of trust anchors)
• BIND 9.8 - includes a built-in trust anchor for the Internet root zone, but validation is disabled by default
• BIND 9.9 - built-in trust anchor for the Internet root zone, DNSSEC validation enabled by default
getting the root-anchor
• for BIND 9, the public KSK of the root zone is used as the root-anchor
• the DNSKEY record can be retrieved using dig:
dig . dnskey @a.root-servers.net. +norec | grep 257 > root.key
dig: the dig command
.: "." is the domain name of the root zone
dnskey: we want the DNSKEY record
@a.root-servers.net.: we send the query to one of the root servers
+norec: we send an iterative query (polite)
| grep 257: we only want the KSK (flag 257)
> root.key: we write the result in this file
Verifying the root zone's key
• We should never blindly trust cryptographic keys published on websites or slides
• nor should we trust a DNSKEY fetched from an insecure channel (plain DNS)
• we need to verify the key material
• IANA publishes the DS (delegation signer fingerprint) on an HTTPS secured website
http://data.iana.org/root-anchors/
root DS fingerprint
Verifying the root zone key
• we use the command "dnssec-dsfromkey" to create a SHA256 hash fingerprint from the downloaded root-zone DNSKEY
dnssec-dsfromkey -2 root.key
. IN DS 19036 8 2 ( 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5 )
• if we compare the computed hash with the one from the website, they both match
• the downloaded DNSKEY record is valid
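As an added example (not code from the slides and not the BIND dnssec-dsfromkey tool itself), here is what "dnssec-dsfromkey -2" computes, written out in Python so the check can be understood and repeated without the BIND utilities: the DS digest is SHA-256 over the owner name in wire format followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is the 16-bit checksum from RFC 4034 Appendix B. The root KSK and the IANA DS value are the ones printed on these slides; the function names are my own.

```python
import base64
import hashlib

# Root zone KSK as printed on the slides: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256), key tag 19036.
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF"
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX"
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD"
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz"
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS"
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq"
    "QxA+Uk1ihz0="
)

# DS digest (digest type 2 = SHA-256) published by IANA, as printed on the slide.
IANA_ROOT_DS_SHA256 = "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"


def name_to_wire(name):
    """Owner name in canonical wire format (RFC 4034 section 6.2); the root "." is a single zero octet."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit one's-complement-style sum over the RDATA."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, hash_name="sha256"):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name in wire format | DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(hash_name)
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def verify_root_anchor(pubkey_b64=ROOT_KSK_B64, expected_ds=IANA_ROOT_DS_SHA256):
    """Return (key tag, computed DS digest, matches) for a root DNSKEY against the DS published by IANA."""
    rdata = dnskey_rdata(257, 3, 8, pubkey_b64)
    tag = key_tag(rdata)
    digest = ds_digest(".", rdata)
    return tag, digest, digest == expected_ds.upper()


if __name__ == "__main__":
    tag, digest, ok = verify_root_anchor()
    print(f". IN DS {tag} 8 2 {digest}")
    print("matches the IANA DS" if ok else "MISMATCH - do not use this key as a trust anchor")
```

Only the mismatch case matters operationally: a DNSKEY fetched over plain DNS that does not hash to the DS obtained over HTTPS from IANA must not be configured as a trust anchor, whatever the key tag says.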
DNSSEC setup (BIND 9.6-ESV)
• In BIND 9.6-ESV, we configure a static trust anchor using the "trusted-keys" statement in the "named.conf" file:
trusted-keys {
    "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
};
DNSSEC setup (BIND 9.7.0+)
• Starting with BIND 9.7.0, the trusted keys can be automatically updated by RFC 5011 (RFC 5011 - Automated Updates of DNS Security (DNSSEC) Trust Anchors)
managed-keys {
    "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
        FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
        bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
        X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
        W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
        Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
        QxA+Uk1ihz0=";
};
general setup
options {
    recursion yes;
    allow-recursion { mynetworks; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    querylog no;
    recursive-clients 2000;
    tcp-clients 200;
    max-cache-size 2147483648; // 2GB
};
DNSSEC maintenance with BIND 9 "rndc"
• rndc secroots: dump information about the current active DNSSEC trust anchors into the file "named.secroots".
bash-3.2# rndc secroots
bash-3.2# more named.secroots
22-Nov-2013 07:48:31.775
Start view _default
./RSASHA256/19036 ; managed
. 168851 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; KSK; alg = RSASHA256; key id = 19036
Annotations: "./RSASHA256/19036" is the root zone trust anchor key ID; "managed" means the trust anchor will be updated according to RFC 5011; key ID 19036 is the current KSK of the root zone.
BIND 9: controlling DNSSEC validation
• validation on: enable DNSSEC validation on a caching BIND 9 DNS server (globally):
bash# rndc validation on
• validation off: disable DNSSEC validation on a caching BIND 9 DNS server:
bash# rndc validation off
References
• Deploying DNSSEC (whitepaper by SurfNet): http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html
• A BIND 9 configuration template for a validating, caching-only DNS server: https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98;
• Free BIND 9.9.4 installation packages for Linux, MacOS X, Solaris: http://support.menandmice.com/download/bind/
• Windows 2012 Server: Enabling DNSSEC validation: http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation
Thank you
E-Mail: training@menandmice.com