dns-bgp - University of Wisconsin–Madison (pages.cs.wisc.edu/~ace/media/lectures/dns-bgp.pdf)
TRANSCRIPT
Today:
Domain Name System (DNS)
CIDR
Border Gateway Protocol

DNS
Which one is easier to remember?
IP addresses: 54.239.25.208, 172.111.64.124, 74.125.193.16, 23.235.40.65, 17.172.100.13, 128.105.123.66
Domain names: www.amazon.com, theverge.com, googlemail-smtp.l.google.com, hosted-cdn.statuspage.io, p05-calendars.icloud.com, print-gw.cs.wisc.edu
Domain Name System (DNS) translates domain names -> IP addresses
Hierarchical domain namespace:
  root
  Top Level domains (TLD): org net edu com io ca
  Second Level domains: wisc umich pepperdine
  Third level (e.g. under wisc.edu): cs ece
  Hosts: www
Zone: a subtree of the namespace administered as a unit
ICANN (Internet Corporation for Assigned Names and Numbers)
Name Servers: root name servers and authoritative name servers
[http://en.wikipedia.org/wiki/File:An_example_of_theoretical_DNS_recursion.svg]
Authoritative name servers: programmed by an original source (the zone's data owner)
Recurser (recursive resolver): recursively hunts down an answer on the client's behalf
Caching
• DNS servers will cache responses
  – Both negative and positive responses
  – Speeds up queries
  – Entries expire periodically. Time-to-live (TTL) set by data owner
Example DNS query types
A     IPv4 address
AAAA  IPv6 address
NS    name server
TXT   human readable text
MX    mail exchange
DNS packet on wire
Query ID is a 16-bit random value
Query from resolver to NS
Response contains IP addr of next NS server (called "glue")
Response ignored if Query ID is unrecognized (does not match an outstanding query)
Bailiwick checking: a response record is cached only if its name is within the same domain as the query (i.e. the server for a.com cannot set NS for b.com)
DNS Security
• What security checks are in place?
  – Random query IDs to link responses to queries
  – Bailiwick checking (sanity check on response)
• No authentication
• Many things trust the hostname ↔ IP mapping
  – Browser same-origin policy
  – URL address bar
  – Every application that accesses the internet
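The two checks named on the last two slides, Query ID matching and bailiwick filtering, in working form. This is an added example, not code from the lecture: it builds a resolver's query and an authoritative server's reply on the wire (RFC 1035 header, question and resource records), then applies the resolver-side filter. The attacker zone evil.example is hypothetical; the names bankofamerica.com and 10.9.9.99 are taken from the cache-poisoning slide that follows.

```python
import os
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at offset `off`, following RFC 1035 compression pointers. Returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # 2-byte pointer into an earlier part of the message
            ptr = ((n & 0x3F) << 8) | msg[off]
            labels.append(decode_name(msg, ptr)[0])
            off += 1
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(qname, qtype=TYPE_A):
    """Resolver -> NS query: 16-bit random Query ID, RD=1, one question. Returns (qid, bytes)."""
    qid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def rr(name, rtype, ttl, rdata):
    """One resource record; rdata is a dotted IPv4 address for A, a name for NS/CNAME."""
    data = encode_name(rdata) if rtype in (TYPE_NS, TYPE_CNAME) else bytes(int(x) for x in rdata.split("."))
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(data)) + data


def build_response(qid, question, answers=(), additionals=()):
    """NS -> resolver reply: echoes the Query ID (QR=1) and the question, then answer/additional RRs."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, len(additionals))
    return header + question + b"".join(answers) + b"".join(additionals)


def parse_message(msg):
    """Returns (qid, [(qname, qtype)], [(section, owner, rtype, ttl, rdata)])."""
    qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype in (TYPE_NS, TYPE_CNAME):
                rdata = decode_name(msg, off)[0]
            else:
                rdata = ".".join(str(b) for b in msg[off:off + rdlen])
            off += rdlen
            records.append((section, name, rtype, ttl, rdata))
    return qid, questions, records


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` or lies below it; the server for `zone` may not speak for other names."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def accept_response(expected_qid, zone, msg):
    """Resolver-side filter: ignore the reply on a Query ID mismatch, otherwise keep only
    in-bailiwick records. Returns (cacheable, rejected), or None when the reply is ignored."""
    qid, _questions, records = parse_message(msg)
    if qid != expected_qid:
        return None
    cacheable = [r for r in records if in_bailiwick(r[1], zone)]
    rejected = [r for r in records if not in_bailiwick(r[1], zone)]
    return cacheable, rejected


def poisoning_demo():
    """Constructed exchange: the resolver asks the (hypothetical) evil.example server for
    www.evil.example; the reply smuggles an out-of-bailiwick NS record for bankofamerica.com."""
    qid, query = build_query("www.evil.example")
    question = query[12:]
    reply = build_response(qid, question,
                           answers=[rr("www.evil.example", TYPE_A, 300, "10.9.9.99")],
                           additionals=[rr("bankofamerica.com", TYPE_NS, 86400, "ns.evil.example"),
                                        rr("ns.evil.example", TYPE_A, 86400, "10.9.9.99")])
    return accept_response(qid, "evil.example", reply), accept_response(qid ^ 1, "evil.example", reply)


if __name__ == "__main__":
    (cacheable, rejected), mismatch = poisoning_demo()
    print("cached:", cacheable)
    print("rejected (outside bailiwick):", rejected)
    print("wrong Query ID ->", mismatch)
```

The glue record for ns.evil.example is accepted because it sits under the zone being asked about; the NS record for bankofamerica.com is dropped for exactly the reason the slide gives. Without the bailiwick rule a single reply would have redirected every later lookup of bankofamerica.com to the attacker's server.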
DNSSEC
• Authenticated DNS protocol
• Used by TLDs :)
• But no one else :(
[https://www.huque.com/app/dnsstat/] retrieved: April 6, 2016
What are obvious problems?
• Corrupted name servers
• Intercept & manipulate requests (on-path active attacker)
• Other obvious problems?
DNS cache poisoning
[Figure: clients → victim DNS server → Internet (.com NS); bankofamerica.com = 10.1.1.1, attacker site = 10.9.9.99]
How might an attacker do this? What security features must an attacker overcome?
• Packet spoofing
• Guess UDP port
• Guess QID
Assume predictable UDP port. Assume SRC port spoofing (the attacker can forge the source of the reply).
think-pair-share
Another idea:
- Poison cache for NS record instead
- Now can take over all of second level domain
How many tries does this require?
- Try 256 different QIDs per query (each forced query then has a 256/2^16 ≈ 0.4% chance of being poisoned)
- Good chance of success: poisoning the NS record lets the attacker force a fresh query for the same zone each time (e.g. for a random subdomain), so the race is repeated until a guess lands, a few hundred queries on average
Defenses
• Query ID size is fixed at 16 bits
• Repeat each query with a fresh Query ID
  – Both responses must match before caching: doubles the bits an attacker has to guess (2^32 combinations instead of 2^16)
• Randomize UDP ports (another ~16 bits the attacker must guess)
• DNSSEC
  – Cryptographically sign DNS responses, verify via chain of trust from the roots on down
• Other problems?
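The "256 tries" arithmetic from the poisoning slide and the gain from each defence above, worked through. This is an added example, not part of the lecture: the analytic functions give the per-query odds and the expected number of forced queries, and a small Monte Carlo replays the race a resolver loses when it re-queries the target zone with a predictable source port. The fixed port 53 and the attacker spraying consecutive Query IDs are modelling assumptions.

```python
import math
import random

QID_BITS = 16            # the Query ID field is fixed at 16 bits
PORT_BITS = 16           # a randomized UDP source port can add up to 16 more bits
PREDICTABLE_PORT = 53    # assumed fixed source port of the resolver in this model


def per_query_success(guesses, entropy_bits):
    """Chance that one forced query is poisoned when the attacker sprays `guesses` distinct forged
    replies before the real answer arrives (a reply must match every unpredictable bit)."""
    return min(1.0, guesses / 2 ** entropy_bits)


def expected_queries(guesses, entropy_bits):
    """Mean number of forced queries until the first poisoned entry (geometric distribution)."""
    return 1.0 / per_query_success(guesses, entropy_bits)


def queries_for_confidence(guesses, entropy_bits, confidence=0.5):
    """Forced queries needed to reach the given probability of at least one success."""
    p = per_query_success(guesses, entropy_bits)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def compare_defenses(guesses=256):
    """Expected forced queries under each defence on the slide, for 256 forged replies per query."""
    return {
        "16-bit QID only": expected_queries(guesses, QID_BITS),
        "repeat query, fresh QID (two IDs must match)": expected_queries(guesses, 2 * QID_BITS),
        "random source port": expected_queries(guesses, QID_BITS + PORT_BITS),
    }


def simulate_race(guesses, randomize_port, rng, max_queries=10 ** 6):
    """Monte Carlo of one attack: per forced query (a fresh random subdomain of the target zone) the
    resolver picks a QID and a port; the attacker sprays `guesses` consecutive QIDs at
    PREDICTABLE_PORT. Returns the index of the query that got poisoned, or None if none did."""
    for attempt in range(1, max_queries + 1):
        qid = rng.getrandbits(QID_BITS)
        port = rng.getrandbits(PORT_BITS) if randomize_port else PREDICTABLE_PORT
        first_guess = rng.getrandbits(QID_BITS)
        qid_hit = (qid - first_guess) % (1 << QID_BITS) < guesses
        if qid_hit and port == PREDICTABLE_PORT:
            return attempt
    return None


def mean_queries_to_poison(trials, guesses=256, randomize_port=False, seed=2008):
    """Average simulated forced queries until success over `trials` runs (None if any run failed)."""
    rng = random.Random(seed)
    results = [simulate_race(guesses, randomize_port, rng) for _ in range(trials)]
    if None in results:
        return None
    return sum(results) / len(results)


if __name__ == "__main__":
    print("per-query success, 256 guesses vs 16 bits:", per_query_success(256, QID_BITS))
    print("forced queries for a 50% chance:", queries_for_confidence(256, QID_BITS))
    print("simulated mean with a fixed port:", mean_queries_to_poison(1000))
    for name, n in compare_defenses().items():
        print(f"{name}: ~{n:,.0f} forced queries expected")
```

With only the Query ID to guess, 256 replies per query succeed about once in 256 queries, which is why the slide calls it a good chance: the NS-record trick means the attacker chooses how many queries to force. Either a second independent ID or a random source port pushes the expectation to about 16.7 million forced queries, which is no longer practical against a busy resolver.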
Phishing is a common problem
• Typosquatting:
  • www.LansdEnd.com
  • www.goggle.com
  • secure.bank0fAmerica.com
  • wíkipedia.org
• Phishing attacks
  – Trick users into thinking a malicious domain name is the real one
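A detector for the four kinds of look-alike on the slide: a letter swap (goggle), a transposition (LansdEnd), a digit standing in for a letter (bank0fAmerica) and an accented homoglyph (wíkipedia). This is an added example, not from the lecture. The brand list, the confusable-character table and the "last two labels" rule for the registrable domain are simplifications of my own; a production version would use the Public Suffix List and the Unicode confusables data.

```python
import unicodedata

# Constructed brand list: the legitimate domains the slide's examples imitate.
BRANDS = {"landsend.com", "google.com", "bankofamerica.com", "wikipedia.org"}

# Hand-made table of characters that read as a letter on screen (not the full Unicode confusables list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}


def to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyphs are compared as the characters a user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def registrable(domain):
    """Simplified: the last two labels (a real implementation consults the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def fold(name):
    """Strip accents and map look-alike characters to the ASCII letter they imitate."""
    stripped = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    for lookalike, letter in CONFUSABLES.items():
        stripped = stripped.replace(lookalike, letter)
    return stripped


def osa_distance(a, b):
    """Damerau (optimal string alignment) edit distance: substitution, insertion, deletion and an
    adjacent transposition each cost 1, so 'lansdend' is one edit from 'landsend'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain, brands=BRANDS, max_edits=1):
    """'idn' for an accented/homoglyph imitation, 'confusable' for digit-for-letter swaps, 'typo'
    for a name within `max_edits` of a brand in the same TLD; None for the brand itself or an
    unrelated domain."""
    domain = to_unicode(domain).lower().rstrip(".")
    reg = registrable(domain)
    if reg in brands:
        return None
    folded = fold(reg)
    if folded in brands:
        return "idn" if not reg.isascii() else "confusable"
    label, tld = folded.rsplit(".", 1)
    for brand in brands:
        brand_label, brand_tld = brand.rsplit(".", 1)
        if tld == brand_tld and osa_distance(label, brand_label) <= max_edits:
            return "typo"
    return None


if __name__ == "__main__":
    for d in ["www.LansdEnd.com", "www.goggle.com", "secure.bank0fAmerica.com", "wíkipedia.org",
              "mail.google.com", "theverge.com"]:
        print(f"{d:28} -> {classify(d)}")
```

Note that the order of checks matters: the exact brand match comes first so that a legitimate host such as mail.google.com is never flagged, and the homoglyph check runs on the decoded Unicode form so that a punycode-encoded xn-- label cannot slip past it.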
IP routing
CIDR addressing
[Figure: backbone connecting ISP1 and ISP2; hosts labelled by address bit patterns such as 10110…1110000, 10110…1111000, 10110…1100011, and 5.6.7.8]
Prefixes used to set up hierarchical routing:
- An organization is assigned a.b.c.d/x
- It manages addresses prefixed by a.b.c.d/x
Classless inter-domain routing (CIDR)
  Network prefix (x MSBs) | Host address (remaining 32 - x LSBs)
Routing
[Figure: AS att.net, AS wisc.edu, AS charter.net, with hosts labelled by address bit patterns as above]
Autonomous systems (AS) are organizational building blocks
- Collection of IP prefixes under a single routing policy (e.g. wisc.edu)
- Within an AS, might use RIP (Routing Information Protocol)
- Between ASes, use BGP (Border Gateway Protocol)
AS Categories
• Stub: connected to only one other AS
• Multi-homed: connected to multiple other ASes
• Transit: routes traffic through its AS for other ASes
[Figure: example topology of ASes 1–8]
BGP and routing
[Figure: ASes defense.gov, wisc.edu, charter.net]
BGP (exterior BGP) between ASes; OSPF (Open Shortest Path First) within ASes
Border Gateway Protocol (BGP)
• Policy-based routing
  – AS can set policy about how to route
  • economic, security, political considerations
• BGP routers use TCP connections to transmit routing information
• Iterative announcement of routes
BGP example
• 2, 7, 3, 6 are Transit ASes
• 8, 1 are Stub ASes
• 4, 5 are multihomed ASes
• Algorithm seems to work OK in practice
  – BGP does not respond well to frequent node outages
[Figure: ASes 1–8; path-vector announcements for a prefix originated by AS 7 ("7", "2 7", "3 2 7", "6 2 7") and one originated by AS 5 ("5", "6 5", "2 6 5", "3 2 6 5", "7 2 6 5"), each path listing the ASes traversed to reach the origin]
[D. Wetherall]
• 2008: Pakistan attempts to block YouTube
  – youtube is 208.65.152.0/22
  – youtube.com = 208.65.153.238
• Pakistan ISP advertises 208.65.153.0/24 via BGP
  – more specific, prefix hijacking
• Internet thinks youtube.com is in Pakistan
• Outage resolved in 2 hours…
IP hijacking
• BGP unauthenticated
  – Anyone can advertise any routes
  – False routes will be propagated
• This allows IP hijacking
  – AS announces it originates a prefix it shouldn't
  – AS announces it has a shorter path to a prefix
  – AS announces a more specific prefix
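The CIDR rule from the routing slides and the three hijack variants just listed, replayed on the 2008 YouTube prefixes. This is an added example, not from the lecture: a toy route table with longest-prefix matching and BGP's shortest-AS_PATH tiebreak shows why a /24 announced by a stranger beats the legitimate /22, and why a shorter path to the same /22 also wins. The prefixes and the youtube.com address are the slide's; the AS numbers are made up from the RFC 5398 documentation range, and the origin allow-list at the end is a simplified version of what RPKI route-origin validation checks.

```python
import ipaddress
from dataclasses import dataclass

YOUTUBE_PREFIX = "208.65.152.0/22"   # from the slide
YOUTUBE_WWW = "208.65.153.238"       # from the slide
HIJACKED_PREFIX = "208.65.153.0/24"  # the more-specific announcement from the slide
ORIGIN_AS = 64496       # hypothetical: legitimate origin of 208.65.152.0/22
UPSTREAM_AS = 64500     # hypothetical transit provider of the origin
LOCAL_PEER_AS = 64501   # hypothetical neighbour that tells "our" router about routes
HIJACKER_AS = 64511     # hypothetical: the ISP that announced the /24


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = neighbour we heard it from, rightmost = origin AS


def route(prefix, *as_path):
    return Route(ipaddress.ip_network(prefix), tuple(as_path))


def best_route(routes, addr):
    """Forwarding decision: longest matching prefix wins (CIDR); ties go to the shortest AS_PATH
    (the later tie-breakers of the BGP decision process are left out of this model)."""
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def origin_as(route):
    return route.as_path[-1]


def who_serves(routes, addr=YOUTUBE_WWW):
    """Origin AS that traffic for `addr` is delivered to under the given table."""
    return origin_as(best_route(routes, ipaddress.ip_address(addr)))


def legit_table():
    return [route(YOUTUBE_PREFIX, LOCAL_PEER_AS, UPSTREAM_AS, ORIGIN_AS)]


def more_specific_hijack():
    """2008-style: the hijacker announces a /24 that lies inside the victim's /22."""
    return legit_table() + [route(HIJACKED_PREFIX, LOCAL_PEER_AS, HIJACKER_AS)]


def shorter_path_hijack():
    """The hijacker announces the victim's own /22, but with a shorter AS_PATH."""
    return legit_table() + [route(YOUTUBE_PREFIX, HIJACKER_AS)]


# Allow-list of who may originate what: prefix -> (authorized origin AS, longest allowed prefix length).
AUTHORIZED_ORIGINS = {ipaddress.ip_network(YOUTUBE_PREFIX): (ORIGIN_AS, 22)}


def validate_origin(route, authorized=AUTHORIZED_ORIGINS):
    """'valid' if a covering entry authorizes this origin at this length, 'invalid' if the prefix is
    covered but the origin or length is not authorized (a hijack), 'not-found' if nothing covers it."""
    covering = [(asn, maxlen) for p, (asn, maxlen) in authorized.items() if route.prefix.subnet_of(p)]
    if not covering:
        return "not-found"
    if any(asn == origin_as(route) and route.prefix.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    return "invalid"


if __name__ == "__main__":
    for name, table in [("legit", legit_table()), ("more specific", more_specific_hijack()),
                        ("shorter path", shorter_path_hijack())]:
        print(f"{name:14} {YOUTUBE_WWW} -> AS{who_serves(table)}  "
              f"[{', '.join(validate_origin(r) for r in table)}]")
```

The more-specific case is the one from the slide: the /24 wins for 208.65.153.238 even though its AS_PATH is unrelated to the real origin, while an address elsewhere in the /22 (say 208.65.152.5) still reaches the true origin, which is why such hijacks can affect only part of a network. Without the allow-list there is nothing in BGP itself that distinguishes either forged announcement from a genuine one.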
Recap: DNS / DNS insecurity / DNS cache poisoning / Typosquatting
CIDR, BGP / IP route hijacking
Exit slips / 1 thing you learned / 1 thing you didn't understand