CS 161 Computer Security
Spring 2010
Paxson/Wagner
Discussion 5

1. DNS

Recall that in a blind DNS spoofing attack, the attacker tries to guess the identification number of the DNS request sent by the victim.

(a) In a blind spoofing attack, the attacker must know when a DNS request is about to be made by the victim so that he can respond with his attack responses. How might the attacker know when the victim is about to make a DNS request?

(b) What can an attacker do if he successfully gets a victim to believe his bogus DNS mapping?

(c) How can an attacker avoid having to carry out this attack for every request made by the victim?

Answer:

(a) Lure a victim to your web site, which contains a link (or many links) to the site whose DNS record you would like to attack (e.g., google.com). When you see that a victim has contacted your site, you know they are about to make a DNS request for google.com, so you initiate the attack at this point.

(b) He is in control of the content of any request made to a hostname whose DNS record has been successfully spoofed. For example, if the attacker managed to get the victim to accept a bogus DNS record for google.com, then any subsequent request to google.com will actually go to a domain of the attacker’s choosing. He might get you to reveal your password to the fake google.com at that point.

(c) DNS records are cached, so the attacker might set a long TTL (time-to-live) so that the bogus DNS record will live in the cache for a long time. The attack will succeed for as long as the bogus DNS record lives in the cache.

2. Firewall Misconfigurations

Suppose you had a ruleset that looked like this:

    1 drop tcp 10.1.1.0/25:* *:*
    2 allow udp *:* 192.168.1.0/24:*
    3 drop tcp 10.1.1.128/25:* *:*
    4 drop udp 172.16.1.0/24:* 192.168.1.0/24:*
    5 allow tcp 10.1.1.0/24:* *:*
    6 drop udp 10.1.1.0/24:* 192.168.0.0/16:*
    7 allow udp 172.16.1.0/24:* *:*

Which rules contradict one another? Can you find more than one example?
(Hint: Look for cases where all the packets one rule intends to deny (accept) get accepted (denied) by a preceding rule.)

Answer:

Rules 2 and 4. All packets to 192.168.1.0/24 are accepted by rule 2, but rule 4 seeks to deny the subset of packets from 172.16.1.0/24 to 192.168.1.0/24. This is called shadowing....
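
The shadowing check from the hint can be automated when auditing a ruleset. The following is an added example, not part of the original handout: it assumes first-match-wins evaluation and the rule syntax shown above, and all function names are hypothetical. It compares each rule only against single earlier rules, so a rule covered by several earlier rules combined is not reported.

```python
import ipaddress

# Ruleset copied from the question above; first matching rule wins (assumption).
RULESET = """\
1 drop tcp 10.1.1.0/25:* *:*
2 allow udp *:* 192.168.1.0/24:*
3 drop tcp 10.1.1.128/25:* *:*
4 drop udp 172.16.1.0/24:* 192.168.1.0/24:*
5 allow tcp 10.1.1.0/24:* *:*
6 drop udp 10.1.1.0/24:* 192.168.0.0/16:*
7 allow udp 172.16.1.0/24:* *:*
"""

def parse_endpoint(text):
    """Split 'net:port' into (IPv4Network, port); '*' means any."""
    net, port = text.rsplit(":", 1)
    net = ipaddress.ip_network("0.0.0.0/0" if net == "*" else net)
    return net, (None if port == "*" else int(port))

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        num, action, proto, src, dst = line.split()
        rules.append({"num": int(num), "action": action, "proto": proto,
                      "src": parse_endpoint(src), "dst": parse_endpoint(dst)})
    return rules

def endpoint_covers(outer, inner):
    """True if every (address, port) matched by inner is also matched by outer."""
    (o_net, o_port), (i_net, i_port) = outer, inner
    return i_net.subnet_of(o_net) and (o_port is None or o_port == i_port)

def covers(earlier, later):
    return (earlier["proto"] == later["proto"]
            and endpoint_covers(earlier["src"], later["src"])
            and endpoint_covers(earlier["dst"], later["dst"]))

def find_shadowed(rules):
    """Return (earlier, later) rule numbers where the later rule never takes effect."""
    hits = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            # Opposite action plus full coverage means the later rule is shadowed.
            if earlier["action"] != later["action"] and covers(earlier, later):
                hits.append((earlier["num"], later["num"]))
    return hits

if __name__ == "__main__":
    for a, b in find_shadowed(parse_rules(RULESET)):
        print(f"rule {a} shadows rule {b}")
```
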