2.17.network-control.v1

1
Network Attacks / Control
CS 161 - Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 17, 2010
2
Focus of Today's Lecture
• Finish discussion of DNS attacks
• Begin discussion of approaches for controlling network traffic:
  – Firewalls: restricting allowed communication
  – NATs: Network Address Translators
3
DNS Blind Spoofing, con't

DNS message layout:
  Identification (16 bits)   | Flags (16 bits)
  # Questions                | # Answer RRs
  # Authority RRs            | # Additional RRs
  Questions (variable # of resource records)
  Answers (variable # of resource records)
  Authority (variable # of resource records)
  Additional information (variable # of resource records)

Once we randomize the Identification, attacker has a 1/65536 chance of guessing it correctly. Are we pretty much safe?
Attacker can send lots of replies, not just one …
However: once reply from legit server arrives (with correct Identification), it's cached and no more opportunity to poison it. Victim is inoculated!
Unless attacker can send 1000s of replies before legit arrives, we're likely safe - phew! ?
4
DNS Blind Spoofing (Kaminsky 2008)
• Two key ideas:
  – Spoof uses Additional field (rather than Answer)
  – Attacker can get around caching of legit replies by generating a series of different name lookups:

<img src="http://random1.google.com" …>
<img src="http://random2.google.com" …>
<img src="http://random3.google.com" …>
...
<img src="http://randomN.google.com" …>
5
Kaminsky Blind Spoofing, con't

;; QUESTION SECTION:
;randomk.google.com. IN A
;; ANSWER SECTION:
randomk.google.com 21600 IN A doesn't matter
;; AUTHORITY SECTION:
google.com. 11088 IN NS mail.google.com
;; ADDITIONAL SECTION:
mail.google.com 126738 IN A 6.6.6.6

For each lookup of randomk.google.com, attacker returns a bunch of records like this, each with a different Identifier.
Once they win the race, not only have they poisoned mail.google.com but also the cached NS record for google.com's name server - so any future X.google.com lookups go through the attacker's machine.
7
Defending Against Blind Spoofing

DNS message layout:
  Identification (16 bits)   | Flags (16 bits)
  # Questions                | # Answer RRs
  # Authority RRs            | # Additional RRs
  Questions (variable # of resource records)
  Answers (variable # of resource records)
  Authority (variable # of resource records)
  Additional information (variable # of resource records)

Central problem: all that tells a client they should accept a response is that it matches the Identification field.
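
An added example (not from the lecture slides): a Python sketch that decodes the six 16-bit header fields shown above and models a resolver whose only acceptance test is the Identification match, extended to count wrong-Identification replies per name as a spoofing indicator. The names PendingQueries, parse_header and make_reply, the alert threshold and the sample replies are constructed for illustration; the caller is assumed to have already parsed the question name.

```python
import struct
from collections import Counter

# Fixed header: Identification, Flags, #Questions, #Answer RRs, #Authority RRs, #Additional RRs
HEADER = struct.Struct("!6H")

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (six 16-bit fields, network byte order)."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": qd, "answers": an, "authority": ns, "additional": ar}

def make_reply(ident: int) -> bytes:
    """Constructed sample: header of a reply with 1 question, 1 answer, 1 NS, 1 additional."""
    return HEADER.pack(ident, 0x8400, 1, 1, 1, 1)

class PendingQueries:
    """Hypothetical resolver bookkeeping: the Identification is the only acceptance test."""
    def __init__(self, alert_threshold: int = 10):
        self.expected = {}            # qname -> Identification we sent
        self.mismatches = Counter()   # qname -> replies seen with a wrong Identification
        self.alert_threshold = alert_threshold

    def sent(self, qname: str, ident: int) -> None:
        self.expected[qname] = ident

    def on_reply(self, qname: str, msg: bytes) -> str:
        """Classify one reply as 'accept', 'drop' or 'alert'."""
        hdr = parse_header(msg)
        if qname not in self.expected or not hdr["is_response"]:
            return "drop"             # nothing outstanding: a late reply cannot be cached
        if hdr["id"] == self.expected[qname]:
            del self.expected[qname]  # first matching reply wins, later ones are dropped
            return "accept"
        self.mismatches[qname] += 1   # wrong guess: ignore it, but count it
        if self.mismatches[qname] >= self.alert_threshold:
            return "alert"            # burst of wrong IDs for one name: likely spoofing
        return "drop"

if __name__ == "__main__":
    pq = PendingQueries(alert_threshold=3)
    pq.sent("randomk.google.com", 0x1234)
    for ident in (1, 2, 3, 0x1234, 0x1234):
        print(hex(ident), pq.on_reply("randomk.google.com", make_reply(ident)))
```

The second matching reply is dropped because the first one already closed the lookup, which is the "victim is inoculated" behaviour from the earlier slide.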

This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Wagner during the Spring '10 term at University of Central Arkansas.
