defcon 19 dinaburg bit squatting
TRANSCRIPT
BITSQUATTING
DNS HIJACKING WITHOUT EXPLOITATION
ARTEM DINABURG DEFCON 19
About Me
J
The Problem
Affected PlaHorms
Low Skill
Cheap
Bitsquatting Like typosquaPng, but for bits
TyposquaPng
There are
1500 daily DNS requests per person.
Humans type
3 of them.
1 0
0 1
01100011 01101110 01101110
01100011 01101111 01101110
01100011011011100110111000101110011000110110111101101101
01100011011011110110111000101110011000110110111101101101
C N N . C O M
C O N . C O M
Heat
CAUSES OF BIT-‐ERRORS:
iPhone OperaXng Temperature
0
20
40
60
80
100
120 Tempe
rature (F)
Las Vegas Montreal iPhone
CAUSES OF BIT-‐ERRORS:
Electrical Problems
CAUSES OF BIT-‐ERRORS:
Defects
CAUSES OF BIT-‐ERRORS:
Cosmic Rays
1.0
0.1 -
S 0.01
0.001
-
Cosmic SER
To -/ ' I
J ' 1
k Memory , / y) 1 fails \ / ' 1 (scale right) / / 1
°^ Chip radioactivity (scale left)
1000
100
I - 10
- 1
- 0.1
1985 1986 1987 Date
10000 -
2 -
4 -
1/4 —I—
5X lOX Fail rate »-
Cosmic ray flux —^
1/2
M
Z-- Underground: _ / 7 zero fails in 9 ' five months
Memory SER and LSI chip radioactivity This figure shows a specific memory module SER from 1985 to 1987. By the end ol 1986 the fail rate was about a factor of five larger than the pre\ lou.s baseline. By early 1987 the problem was a source of serious concern, but the cause was unknown. By May 1987, it was clearly established that the fail rate was isolated to newly manufactured memories. By measuring chips manufactured weekly over the previous two years, a historical record of the radioactive contamination was created. Chip radioactivity was determined to be negligible before 1986, and then increasing by up to 1000 times by May 1987. Once the contamination source was identified and eliminated, no further contamination was found in the semiconductor factory. All chips started after May 22. 1987, were found to be clear of any contamination
Shown is a summary of the results for the testing of vanous memory chips at different altitudes. The solid Une is the prediction of Ziegler in 1984. The small circles are test results for a 4Kb SRAM bipolar LSI memory chip, and the triangles are for DRAM chips. The ordinate shows the altitude of the city for the altitude experiments, or the shielding for the attenuation experiments. The abscissa shows the change in fail rate, with unity being sea level. The SRAM and DRAM results scaled identically with altitude, with the Leadville fail rate being 13 times the sea-level rate. When the chips were tested under concrete shielding, the attenuation of fail rate scaled exponentially with concrete thickness. The final tests, underground below Kansas City, continued for ten months, and showed zero fails during this period (figure drawn five months into the underground experiment). From J. F. Ziegler, H. P. Muhlfeld, C. J. Montrose, H. W. Curtis, and T. J. O'Gorman, IBM internal reports, 1989.
Several months passed, with widespread testing of manufacturing materials and tools, but no radioactive contamination was discovered. All memory chips in the manufacturing hnes were spot-screened for radioactivity, but they were clean. The radioactivity reappeared in the manufacturing plant in early December 1987, mildly contaminating several hundred wafers, then disappeared again. A search of all the materials used in the fabrication of these chips found no source of the radioactivity. With further screening, and a lot of luck, a new and unused bottle of nitric acid was identified by J. Hannah as radioactive. One surprising aspect of this discovery was that, of twelve bottles in the single lot of acid, only one
was contaminated. Since all screening of materials assumed lot-sized homogeneity, this discovery of a single bad sample in a large lot probably explained why previous scans of the manufacturing line had been negative. The unopened bottle of radioactive nitric acid led investigators back to a supplier's factory, and it was found that the radioactivity was being injected by a bottle-cleaning machine for semiconductor-grade acid bottles.'* This bottle cleaner used radioactive Po '̂" material to ionize an air jet which was used to dislodge electrostatic dust inside the bottles after washing. The jets were leaking radioactivity
" J. Hannah, IBM internal report, 1987. ' J. F. Ziegler, T. H. Zabel, and J. Hannah, IBM internal report, 1 13
IBM J. RES. DEVELOP. VOL. 40 NO. 1 JANUARY 1996 J. F. ZIEGLER ET AL.
IBM Journal of Research and Development, vol. 40, no. 1, page 13
Lets talk about DRAM
1 10 100 1000 10000 100000
"ultra low" failure rates
160GBits of DRAM
1Gbit 0.25 micron
256MBytes
32 Gbits of DRAM (Cray YMP-‐8)
Mfg 1, 1GB DIMM
Mfg 1, 2GB DIMM
Mfg 1, 4GB DIMM
Mfg 2, 1GB DIMM
Mfg 2, 2GB DIMM
Mfg 3, 1GB DIMM
Mfg 4, 1GB DIMM
Mfg 5, 2GB DIMM
Mfg 6, 2GB DIMM
Mfg 6, 4GB DIMM
Micron EsXmate (256 Mbytes)
Nite Hawk
some 0.13 micron
SRAM and DRAM
Failures in Test (FIT, Logarithmic Scale)
DRAM Failure Rates
For a PC with 4GiB of DRAM, error esDmates range from
to
.
600 PiB
Experiment: Step 1 ikamai.net aeazon.com a-‐azon.com amazgn.com
microsmft.com micrgsoft.com miarosoft.com iicrosoft.com microsnft.com mhcrosoft.com eicrosoft.com mic2osoft.com micro3oft.com doublechick.net do5bleclick.net doubleslick.net
li6e.com 0mdn.net 2-‐dn.net 2edn.net 2ldn.net 2mfn.net 2mln.net 2odn.net 6mdn.net fbbdn.net fbgdn.net gbcdn.net fjcdn.net dbcdn.net
roop-‐servers.net gmaml.com
Experiment, Step 2
!
"!"#$%&'()(*+,&($
!-#$%&.()(*+,&($/01,/12,'3',/44!-#$%&'()(*+,&($/01,/12,'3',/44
N
Experiment, Step 3
!
" !"#$%$&##'%()(&*+,-$./01*+*2,)0*.
&##'%()($343$56#$76859
N
0
200
400
600
800
1000
1200
1400
1600
1800
26-‐Sep
-‐10
3-‐Oct-‐10
10-‐Oct-‐10
17-‐Oct-‐10
24-‐Oct-‐10
31-‐Oct-‐10
7-‐Nov-‐10
14-‐Nov-‐10
21-‐Nov-‐10
28-‐Nov-‐10
5-‐De
c-‐10
12-‐Dec-‐10
19-‐Dec-‐10
26-‐Dec-‐10
2-‐Jan-‐11
9-‐Jan-‐11
16-‐Ja
n-‐11
23-‐Ja
n-‐11
30-‐Ja
n-‐11
6-‐Feb-‐11
13-‐Feb
-‐11
20-‐Feb
-‐11
27-‐Feb
-‐11
6-‐Mar-‐11
13-‐M
ar-‐11
20-‐M
ar-‐11
27-‐M
ar-‐11
3-‐Ap
r-‐11
10-‐Apr-‐11
17-‐Apr-‐11
24-‐Apr-‐11
1-‐May-‐11
Uniqu
e IPs
Date
Traffic Volume (Unique IPs) A
B C
Event A
!"#$%&#'()*""+,
-*./+''0'1!!"#$%&'()'#*!+,',&-2
3+45+6.%78%9'0(%-*.645#.%6+')+':
!;
N
Event B
!"#$%&#'()*""+,
-*./+''0'1!"#$%&'()*($+!,-(-'.2
3+45+6.%78%9'0(%-*.645#.%6+')+':
!;
N
Event C !"#!"#$%&'#'()
$%&'())*)+!"#!"#$!&'#'()
!+#!"#$%&'#'()*+,#*,-#$.$#*//
!+#!"#$%&'#'()*+,#*,-#$.$#*//
,(-.(/&#!0#
!
!
"
#
$
%
&
69.171.163.0/24
N
0
20
40
60
80
100
120
26-‐Sep
-‐10
3-‐Oct-‐10
10-‐Oct-‐10
17-‐Oct-‐10
24-‐Oct-‐10
31-‐Oct-‐10
7-‐Nov-‐10
14-‐Nov-‐10
21-‐Nov-‐10
28-‐Nov-‐10
5-‐De
c-‐10
12-‐Dec-‐10
19-‐Dec-‐10
26-‐Dec-‐10
2-‐Jan-‐11
9-‐Jan-‐11
16-‐Ja
n-‐11
23-‐Ja
n-‐11
30-‐Ja
n-‐11
6-‐Feb-‐11
13-‐Feb
-‐11
20-‐Feb
-‐11
27-‐Feb
-‐11
6-‐Mar-‐11
13-‐M
ar-‐11
20-‐M
ar-‐11
27-‐M
ar-‐11
3-‐Ap
r-‐11
10-‐Apr-‐11
17-‐Apr-‐11
24-‐Apr-‐11
1-‐May-‐11
Uniqu
e IPs
Date
Traffic Volume, No Outliers
OS StaXsXcs
89%
2% 3% <1%
5%
1%
Bitsquats
85%
8%
3% 1% 2% 1%
Wikipedia
Windows Mac iPhone Linux Other Android
Bitsquat Popularity
0 500 1000 1500 2000 2500 3000 3500 4000
kbdn.net gbcdn.net lcdn.net
mic2osom.com 2mdn.net
doubleslick.net iicrosom.com
microsmm.com kcdn.net msn.com
do5bleclick.net 2-‐dn.net
amazgn.com 0mdn.net
aeazon.com a-‐azon.com
2mln.net s-‐msn.com
Unique IPs
Bitsqu
at Dom
ain
Visitors by Country (bitsquats of Microsoft.com)
CN
BR
US GB
IL
IT
DE
RU
IN JP FR TR UA
EG
CO CA PH KR
TH PL LI MX ES TW PS
Where Bit-‐errors Happen
DNS DNS
DB
DNS Path
Content Path
Bit-‐errors on the DNS Path
!"#!""#!$%
$%&'())*)+!"#!!"#!$%
!+#!""#!$%&'(#&()#*+*#&,,
,-.#/#0..1/232#-$./01!""#!$%
!
!
"
#$
%
& N
Bit-‐errors on the Content Path
!"#$%&''
()*+",,-,./#%0,"123!!!"#!$"#%&455536
789%4%:99;4<5<%'%()*+#!$"#%&
!
!
"
#
$ N
Domain in HTTP Host Header
96%
3% 1%
Bitsquat Original Other
MiXgaXons
ECC ON EVERYTHING
MiXgaXons
MiXgaXons
-‐ Ronald Reagan
QuesXons?
Image ApribuXon
• Slide 3: Earth. NASA • Slide 4: Logos © their respecXve owners • Slide 5: Childrens Blocks. Flickr User: lobo235 • Slide 6: Dollar bills. Flickr User: Images_of_Money • Slide 10: HAL 9000 © Warner Brothers Pictures • Slide 14: Heat Lamp. “Using memory errors to apack a virtual machine” by
Govindavajhala and Appel, IEEE S&P 2003 • Slide 15: Desert Sun. Flickr User: Steve & Jemma Copley • Slide 17: Backup Power. David Robinson. Flickr User: dgrobinson • Slide 18: Fake Capacitor. Found on Internet, likely from chinauser.cn • Slide 19: Homunculus Nebula. NASA • Slide 21: DRAM. Self • Slide 22: SAS Drive. Self • Slide 24: BSOD. Wayne Williamson. Flickr User: ka3vo • Slide 25: Blue Marble. NASA