Does not have a way of mapping the response that it


does not have a way of mapping the response that it receives for a query other than the query ID, which can be forged by the attacker. Let's look at how the combination of the lack of authentication and the connectionless nature of a DNS query allows the possibility of cache poisoning.

DNS Vulnerability Quiz

So as a quick quiz, which aspects of DNS make it vulnerable to attack? The fact that queries are sent over UDP? The fact that DNS names are human-readable? The fact that responses to DNS queries are not authenticated? Or that the DNS is distributed or federated over many organizations?

DNS Vulnerability Quiz Answer

As we discussed, the fact that the queries are sent over a connectionless channel and that there is no way to authenticate the query responses makes the DNS vulnerable to various kinds of spoofing and cache poisoning attacks. The fact that DNS names are human-readable does not make the DNS inherently insecure. Nor does the fact that it's distributed. There are certainly very well understood ways of securing distributed systems, and that does not inherently make DNS insecure.

DNS Cache Poisoning

To see how a DNS cache poisoning attack works, consider a network where a stub resolver issues a query to its recursive resolver, and the recursive resolver in turn sends that A record query to the start of authority for that domain. Now, in an ideal world, the authoritative name server for that domain would reply with the correct IP address.

If an attacker guesses that a recursive resolver might eventually need to issue a query for say, , the attacker can simply reply with multiple, specially crafted replies, each with different IDs. Although this query has some query ID, the attacker doesn't need to see that query because the attacker can simply flood the recursive resolver with a bunch of bogus replies, and one of them, in this case the response with id3, will match. As long as this bogus response reaches the recursive resolver before the legitimate response does, the recursive resolver will accept this bogus message, and worse, it caches the bogus message. And DNS, unfortunately, has no way to expunge a message once it has been cached. So now this recursive resolver will continue to send bogus A record responses for any query for this particular domain name until that entry expires from the cache.

Now there are several defenses against DNS cache poisoning, and we've already seen one, which is the query ID. But of course, the query ID can be guessed. The next defense is to randomize the ID. So rather than having a resolver send queries where the IDs increment in sequence, the resolver can pick a random ID. This makes the ID tougher to guess, but still, the query ID is only 16 bits, which still makes it possible for an attacker to flood the recursive resolver with many possible responses. And it's likely that with relatively few responses, one of these bogus responses will match the ID for the real query. Due to the birthday paradox, the success
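
The resolver-side check described above, as an added example that is not part of the original lecture notes: a toy model in which the random 16-bit query ID is the only thing tying a reply to an outstanding query, with a count of wrong-ID replies kept as a detection signal. The class and function names, the alert threshold, and the sample name and addresses are assumptions made for illustration.

```python
import secrets

ID_SPACE = 1 << 16  # the DNS query ID is a 16-bit field


class ResolverModel:
    """Toy recursive-resolver bookkeeping (hypothetical, for illustration)."""

    def __init__(self, alert_threshold=20):  # threshold is an assumed value
        self.pending = {}      # name -> query ID of the outstanding query
        self.cache = {}        # name -> address accepted for that name
        self.mismatches = {}   # name -> replies seen with a wrong query ID
        self.alert_threshold = alert_threshold

    def issue_query(self, name):
        # Random rather than sequential ID, drawn from a CSPRNG.
        txid = secrets.randbelow(ID_SPACE)
        self.pending[name] = txid
        self.mismatches[name] = 0
        return txid

    def handle_response(self, name, txid, address):
        """Classify one reply as 'accepted', 'mismatch' or 'unsolicited'."""
        if name not in self.pending:
            return "unsolicited"          # no outstanding query: never cache
        if txid != self.pending[name]:
            self.mismatches[name] += 1    # wrong ID: drop it, but count it
            return "mismatch"
        del self.pending[name]            # first matching reply wins
        self.cache[name] = address        # and stays until the entry expires
        return "accepted"

    def poisoning_suspected(self, name):
        # Legitimate traffic produces almost no wrong-ID replies, so a burst
        # of them for one name is worth an alert.
        return self.mismatches.get(name, 0) >= self.alert_threshold


def match_probability(replies):
    """Chance that one of `replies` distinct IDs equals a single random ID."""
    return min(replies, ID_SPACE) / ID_SPACE


def demo():
    r = ResolverModel()
    name = "www.example.test"             # constructed sample name
    txid = r.issue_query(name)
    # Constructed sample input: 25 replies carrying IDs that do not match.
    wrong = [(txid + k) % ID_SPACE for k in range(1, 26)]
    results = [r.handle_response(name, w, "203.0.113.66") for w in wrong]
    results.append(r.handle_response(name, txid, "192.0.2.10"))
    return results, r.poisoning_suspected(name), r.cache[name]
```

Because the ID is the only check in this model, `match_probability` is also the resolver's exposure for a single outstanding query: it grows linearly with the number of distinct IDs that arrive before the legitimate answer.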
  • Fall '08
  • Staff
  • IP address, Transmission Control Protocol
