-
8/13/2019 FSEC_20120919_DNS Cyber Weapon of Mass Destruction_BojanZdrnja
1/17
DNS: Cyber Weapon of Mass Destruction
Bojan Zdrnja, CISSP, GCIA, GCIH
Bojan.Zdrnja@infigo.hr
INFIGO IS http://www.infigo.hr
-
2/17
Agenda
DNS and its criticality
DNS as a weapon
Denial of Service attacks
Covert data transfer
How to improve DNS security?
-
3/17
-
4/17
Domain name system (DNS)
Original specification limited DNS UDP packets to 512 bytes
If larger, use TCP
But with TCP we cannot spoof packets
RFC 2671 Extension Mechanisms for DNS (EDNS0)
Signalled by an OPT pseudo-RR in the additional data section
i.e. an additional-section record of the form ". OPT <UDP size>"
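The OPT pseudo-RR the slide refers to, as an added example that is not part of the original deck: a minimal builder and parser for a DNS query carrying EDNS0. The OPT record lives in the additional section with the root name as owner, type 41, the advertised UDP payload size in the CLASS field and the DO bit in the reused TTL field; a query without OPT falls back to the classic 512-byte limit. Query name, message ID and sizes are constructed sample values.

```python
import struct
from typing import Optional

OPT_TYPE = 41            # RR type of the EDNS0 OPT pseudo-RR (RFC 2671)
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum UDP payload

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int, udp_size: Optional[int] = None, do_bit: bool = False) -> bytes:
    """Constructed query message; udp_size=None omits EDNS0 entirely (a classic 512-byte client)."""
    arcount = 0 if udp_size is None else 1
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    if udp_size is not None:
        # OPT pseudo-RR: NAME is the root ("\x00"), TYPE 41, the CLASS field carries the
        # sender's UDP payload size, and the TTL field is reused as
        # extended RCODE (8 bits) | EDNS version (8 bits) | DO bit | 15 zero bits.
        ttl = (1 << 15) if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (a compression pointer ends the name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_edns(msg: bytes):
    """Return (udp_size, version, do_bit) from the OPT RR, or None when the message has no EDNS0."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return rclass, (ttl >> 16) & 0xFF, bool(ttl & (1 << 15))
        off += rdlen
    return None

def max_udp_response(msg: bytes) -> int:
    """Largest UDP response a server may send back to this query."""
    edns = parse_edns(msg)
    return CLASSIC_UDP_LIMIT if edns is None else edns[0]

if __name__ == "__main__":
    q = build_query("isc.org", 255, udp_size=4096, do_bit=True)   # type 255 = ANY
    print(parse_edns(q), max_udp_response(q))
```

The size a client advertises here is exactly what a reflector will honour, which is why the amplification discussed on the following slides hinges on EDNS0.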
-
5/17
Denial of Service attacks with DNS
DNS is a critical part of the Internet (again)
We cannot live without it
And the attackers love it
UDP datagrams
"The god-king has betrayed a fatal flaw: hubris. Easy to taunt, easy to trick."
UDP can be easily spoofed
Any ISPs doing egress filtering? Thought not.
Set SourceIP to that of the target
Set DestinationIP to that of (a) DNS server
Set DestinationPort to 53
Fire a request & forget
-
6/17
Denial of Service attacks with DNS
This allows us to be almost anonymous
But provides another goal for an attacker:
Amplification
Idea is very simple (Smurf-like attacks)
Send a (relatively small) DNS query
Get a (large) DNS reply
Spoof the sender's IP address
-
7/17
Denial of Service attacks with DNS
Wait, what about EDNS0?
Send a small DNS query (60 bytes)
Get a large DNS reply (6 Mbit of queries generates 120 Mbit of responses)
What can the attackers use?
Open resolvers
Perfect
Get them to cache a large response (maybe even attacker generated)
Fire at will
Any DNS server really
As long as the response is large enough
-
8/17
Denial of Service attacks with DNS
Best (or worst, depending on POV) records to use
Find large TXT records
Attackers often use TXT, even generate their own
Abuse DNSSEC
Good for amplification due to large records for DNSKEY or RRSIG resource records
Quite often isc.org gets picked
Is it difficult to find open resolvers?
Unfortunately not
Some research says that there are more than 500,000 open resolvers on the Internet
-
9/17
Denial of Service attacks with DNS
How can we protect ourselves?
Difficult
Make sure you have your upstream ISP's contacts handy
In emergencies block responses with source port 53
This will block your legitimate DNS responses as well
What if they use us as a reflector?
Do not run an open resolver
See Paul Vixie's Response Rate Limiting patches for BIND 9
Not in standard BIND releases yet
Available at http://www.redbarn.org/dns/ratelimits
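The Response Rate Limiting idea from this slide, modelled as an added example that is not part of the deck and not BIND's or the redbarn.org patch's code: identical responses (same client network, same name, same RCODE) are limited per second, and the excess is dropped except for every slip-th response, which is sent truncated so a genuine client retries over TCP while a spoofed victim only receives a tiny packet. The fixed one-second window, the /24 aggregation and the traffic in simulate() are simplifications and constructed values; the real implementation keeps a credit balance per bucket, but the decisions it reaches are the ones shown here.

```python
from collections import Counter, defaultdict

class ResponseRateLimiter:
    """Toy model of DNS Response Rate Limiting (RRL): limit identical responses per client network."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip                      # every slip-th excess response goes out truncated (TC=1)
        self.prefix_len = prefix_len          # aggregate clients by IPv4 prefix, like BIND's ipv4-prefix-length
        self._windows = {}                    # bucket key -> (window_start, responses_sent)
        self._excess = defaultdict(int)       # bucket key -> excess responses seen so far

    def _key(self, client_ip, qname, rcode):
        octets = [int(o) for o in client_ip.split(".")]
        addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
        mask = (0xFFFFFFFF << (32 - self.prefix_len)) & 0xFFFFFFFF
        return (addr & mask, qname.lower().rstrip("."), rcode)

    def decide(self, now, client_ip, qname, rcode="NOERROR"):
        """Return 'send', 'truncate' or 'drop' for one candidate response at time `now` (seconds)."""
        key = self._key(client_ip, qname, rcode)
        start, sent = self._windows.get(key, (now, 0))
        if now - start >= 1.0:                # a new one-second window resets the count
            start, sent = now, 0
        if sent < self.rps:
            self._windows[key] = (start, sent + 1)
            return "send"
        self._windows[key] = (start, sent)
        self._excess[key] += 1
        # A truncated reply is small, so it cannot amplify, yet a real client can retry over TCP.
        if self.slip and self._excess[key] % self.slip == 0:
            return "truncate"
        return "drop"

def simulate():
    """Constructed traffic within one second: a spoofed flood plus one legitimate client."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    flood = Counter()
    for i in range(20):   # 20 identical 'isc.org' answers addressed to the spoofed victim 198.51.100.7
        flood[rrl.decide(0.05 * i, "198.51.100.7", "isc.org")] += 1
    legit = Counter()     # a different network asking for different names is untouched
    for i, name in enumerate(["www.example", "mail.example", "isc.org"]):
        legit[rrl.decide(0.1 * i, "203.0.113.9", name)] += 1
    return dict(flood), dict(legit)

if __name__ == "__main__":
    print(simulate())
```

Of the 20 reflected answers toward the victim only 5 full responses leave the server; 7 go out truncated and 8 are dropped, while the legitimate client is never affected because its bucket never fills.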
-
10/17
DNS for covert traffic
Tunneling traffic over DNS is an old and well known technique
Often used to escape from walled gardens
I.e. hotel or airport networks
Requires a special DNS client and server
Simple operation
Encode sent data in queries
Encode received data in responses
"Poor man's File Transfer via DNS" by Johannes @ Internet Storm Center: http://isc.sans.edu/diary.html?storyid=1030
-
11/17
DNS for C&C traffic
Several botnets use DNS for communication to C&C servers
DNS is always allowed: perfect
DNS is rarely monitored: perfect
Feederbot botnet
Uses DNS TXT resource records for data transfer
Reply payload gets RC4 encrypted
A CRC32 header is added
The whole package is now Base64 encoded
This forms the DNS TXT response
-
12/17
DNS for C&C traffic
The Morto worm uses DNS for C&C traffic too
Got famous because it is an RDP worm
Also interesting because it saves the encrypted payload in the registry
No files
Similarly to Feederbot, uses TXT resource records for communication
We can expect more in the future
Or funny concepts such as using Twitter as C&C
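A defender-side check for the TXT-record channels described on slides 10 to 12, as an added example that is not part of the deck: it splits TXT RDATA into its character-strings, and flags a record that consists of nothing but one long, high-entropy base64 blob, which is the shape a Feederbot/Morto style payload (encrypted, checksummed, Base64 encoded) takes on the wire. Legitimate TXT uses such as SPF or DKIM are tagged key=value text and do not match. The records, thresholds and key material are constructed; the 64-character and 4.5 bits-per-character thresholds are assumptions to tune against your own traffic.

```python
import base64
import hashlib
import math
import re

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def txt_strings(rdata: bytes):
    """Split TXT RDATA into its <length><chars> character-strings (RFC 1035 wire format)."""
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n].decode("latin-1"))
        off += 1 + n
    return out

def txt_rdata(text: str) -> bytes:
    """Encode text as TXT RDATA, chunked into the 255-byte character-strings the wire format requires."""
    data = text.encode("latin-1")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255] for i in range(0, len(data), 255))

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 approaches 6.0, English-like text sits near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify_txt(rdata: bytes, min_len=64, min_entropy=4.5):
    """Flag TXT records that are a single opaque base64 blob (constructed thresholds)."""
    text = "".join(txt_strings(rdata))
    base64_like = BASE64_RE.match(text) is not None
    entropy = shannon_entropy(text)
    return {
        "length": len(text),
        "base64_like": base64_like,
        "entropy": round(entropy, 2),
        "suspicious": base64_like and len(text) >= min_len and entropy >= min_entropy,
    }

# Constructed samples: two legitimate tagged records and one bare payload blob.
SPF = txt_rdata("v=spf1 include:_spf.example.com -all")
DKIM = txt_rdata("v=DKIM1; k=rsa; p=" + base64.b64encode(hashlib.sha256(b"constructed key").digest()).decode())
BLOB = txt_rdata(base64.b64encode(
    b"".join(hashlib.sha256(b"constructed payload %d" % i).digest() for i in range(4))).decode())

if __name__ == "__main__":
    for name, rd in (("spf", SPF), ("dkim", DKIM), ("blob", BLOB)):
        print(name, classify_txt(rd))
```

Run against passive DNS or resolver logs this is a cheap first filter; the volume-based indicators (one client, many TXT queries to one domain) that the monitoring slide later calls for complement it.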
-
13/17
What to do to improve DNS security?
We should work on implementing DNSSEC
Keep in mind that it has nothing to do with the described attacks
It just makes sure that you got the right answers
.hr is still not signed
Some statistics:
315 TLDs in the root zone in total today
99 TLDs are signed
Make sure you are not running an open resolver
They really create problems
-
14/17
What to do to improve DNS security?
For companies: implement a proper DNS architecture
Remember that DNS is a critical part of your infrastructure
Use a split DNS setup:
One external DNS server serving only your public DNS zones
One internal DNS server
This one never issues requests directly but instead forwards them to the external server for resolution
Keep your DNS servers up to date
-
15/17
What to do to improve DNS security?
Implement advanced features that BIND supports:
DNS Response Policy Zones (RPZ)
Allow you to trigger policy by query names, addresses in responses or names of authoritative servers
Response policy can cause several actions
With DNS RPZ you can "poison" domain names or IP addresses
Awesome for preventing your client machines from contacting known C&C servers
Can be used to create walled gardens
More information at https://kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNS-RPZ/
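How the three trigger types on this slide (query name, response address, authoritative server name) and the RPZ action encoding fit together, as an added example that is not part of the deck and not BIND's implementation: the policy zone is a list of records in RPZ syntax (CNAME "." means NXDOMAIN, CNAME "*." means NODATA, CNAME "rpz-passthru." exempts a name, CNAME "rpz-drop." drops the query, any other RDATA is returned as local data, for instance a walled-garden host), IPv4 triggers are written as prefix plus reversed octets under rpz-ip, and NS-name triggers live under rpz-nsdname. The policy records, names and addresses are constructed sample values.

```python
import ipaddress

# Constructed policy zone in BIND RPZ syntax: owner name = trigger, RDATA = action.
POLICY_RECORDS = [
    ("evil.example",                      "CNAME", "."),                        # NXDOMAIN
    ("*.tracker.example",                 "CNAME", "*."),                       # NODATA for all subdomains
    ("good.example",                      "CNAME", "rpz-passthru."),            # whitelist
    ("*.malvertising.example",            "CNAME", "walledgarden.corp.example."),  # local data: walled garden
    ("32.9.2.0.192.rpz-ip",               "CNAME", "."),                        # 192.0.2.9/32 in a response
    ("24.0.100.51.198.rpz-ip",            "CNAME", "rpz-drop."),                # 198.51.100.0/24 in a response
    ("ns1.badhoster.example.rpz-nsdname", "CNAME", "."),                        # zone served by a known-bad NS
]

def action_for(rtype, rdata):
    """Translate RPZ RDATA into (action, local_data)."""
    if rtype == "CNAME":
        table = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
        if rdata in table:
            return table[rdata], None
    return "LOCAL-DATA", f"{rtype} {rdata}"

def parse_rpz_ip(owner):
    """'prefix.B4.B3.B2.B1.rpz-ip' -> IPv4 network (octets are reversed, as in in-addr.arpa)."""
    parts = owner.split(".")
    prefix, octets = int(parts[0]), parts[1:5]
    return ipaddress.ip_network(".".join(reversed(octets)) + f"/{prefix}", strict=False)

def load_policy(records):
    policy = {"qname": {}, "ip": [], "nsdname": {}}
    for owner, rtype, rdata in records:
        act = action_for(rtype, rdata)
        if owner.endswith(".rpz-ip"):
            policy["ip"].append((parse_rpz_ip(owner), act))
        elif owner.endswith(".rpz-nsdname"):
            policy["nsdname"][owner[:-len(".rpz-nsdname")].lower()] = act
        else:
            policy["qname"][owner.lower()] = act
    return policy

def match_name(name, table):
    """Exact match first, then the nearest enclosing '*.parent' wildcard (which never covers the parent itself)."""
    name = name.lower().rstrip(".")
    if name in table:
        return name, table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in table:
            return wild, table[wild]
    return None

def evaluate(policy, qname, answer_ips=(), ns_names=()):
    """Apply triggers in the order QNAME, then response IP, then NSDNAME; no hit means the answer passes."""
    hit = match_name(qname, policy["qname"])
    if hit:
        return {"trigger": hit[0], "action": hit[1][0], "data": hit[1][1]}
    for ip in answer_ips:
        for net, act in policy["ip"]:
            if ipaddress.ip_address(ip) in net:
                return {"trigger": str(net), "action": act[0], "data": act[1]}
    for ns in ns_names:
        hit = match_name(ns, policy["nsdname"])
        if hit:
            return {"trigger": hit[0] + ".rpz-nsdname", "action": hit[1][0], "data": hit[1][1]}
    return {"trigger": None, "action": "PASSTHRU", "data": None}

POLICY = load_policy(POLICY_RECORDS)

if __name__ == "__main__":
    print(evaluate(POLICY, "evil.example"))
    print(evaluate(POLICY, "cdn.malvertising.example"))
    print(evaluate(POLICY, "innocent.example", answer_ips=["192.0.2.9"]))
```

The passthru case is worth noting: a whitelisted query name wins even when the answer contains an address that an rpz-ip trigger would otherwise rewrite, which is how you keep shared hosting of a known-bad address from breaking a site you trust.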
-
16/17
What to do to improve DNS security?
Monitor DNS
Too often DNS is not monitored at all
Many, many benefits of monitoring DNS
Identify internal clients which are resolving known bad names like C&C servers
These are potentially infected
Identify spamming machines
Early warning system for phishing
Utilize passive DNS features
See my paper "Passive monitoring of DNS anomalies" at http://www.caida.org/publications/papers/2007/dns_anomalies/dns_anomalies.pdf
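Two of the detections this slide lists, run over a resolver query log, as an added example that is not part of the deck: clients that resolve names on a known-bad list (potentially infected), and clients other than the mail servers that look up MX records for many distinct domains (a classic spam-bot tell). The log lines follow the BIND 9 "queries" category format, with a tolerance for the later variant that adds a client pointer and the query name after the port; the indicator list, the mail-server allow-list, the threshold and every log line are constructed sample values.

```python
import re
from collections import defaultdict

# BIND 9 query-log line; later versions insert "@0x..." after "client" and "(qname)" after the port.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed indicators and allow-list.
KNOWN_BAD = {"cnc.badbot.example", "update.feedertxt.example"}
MAIL_SERVERS = {"10.0.0.25"}          # hosts that legitimately do bulk MX lookups
MX_THRESHOLD = 3                      # distinct MX domains per client before we flag it

# Constructed sample log (11 lines, one resolver, several internal clients).
SAMPLE_LOG = """\
19-Sep-2012 09:00:01.001 queries: info: client 10.0.1.15#51234: query: www.infigo.hr IN A + (10.0.0.53)
19-Sep-2012 09:00:01.120 queries: info: client 10.0.1.15#51235: query: cnc.badbot.example IN TXT + (10.0.0.53)
19-Sep-2012 09:00:02.002 queries: info: client 10.0.1.40#40001: query: mail-a.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:02.010 queries: info: client 10.0.1.40#40002: query: mail-b.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:02.020 queries: info: client 10.0.1.40#40003: query: mail-c.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:02.030 queries: info: client 10.0.1.40#40004: query: mail-d.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:03.000 queries: info: client 10.0.0.25#53001: query: mail-a.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:03.100 queries: info: client 10.0.0.25#53002: query: mail-b.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:03.200 queries: info: client 10.0.0.25#53003: query: mail-c.example IN MX + (10.0.0.53)
19-Sep-2012 09:00:04.000 queries: info: client @0x7f3c001 10.0.1.77#61000 (update.feedertxt.example): query: update.feedertxt.example IN TXT +E(0)K (10.0.0.53)
19-Sep-2012 09:00:04.500 queries: info: client 10.0.1.77#61001: query: isc.sans.edu IN A + (10.0.0.53)
"""

def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every line that parses as a query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def analyse(log_text, known_bad=KNOWN_BAD, mail_servers=MAIL_SERVERS, mx_threshold=MX_THRESHOLD):
    """Return clients that touched known-bad names and clients doing suspiciously broad MX lookups."""
    infected = defaultdict(set)          # client -> bad names it resolved
    mx_domains = defaultdict(set)        # client -> distinct domains it looked up as MX
    for ip, qname, qtype in parse_queries(log_text):
        if qname in known_bad:
            infected[ip].add(qname)
        if qtype == "MX" and ip not in mail_servers:
            mx_domains[ip].add(qname)
    spam_suspects = sorted(ip for ip, doms in mx_domains.items() if len(doms) >= mx_threshold)
    return {
        "infected": {ip: sorted(names) for ip, names in sorted(infected.items())},
        "spam_suspects": spam_suspects,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The same parsed tuples feed a passive DNS store, which is what turns one-off alerts like these into the historical view (first seen, who else asked, what it resolved to before) that the paper referenced on the slide describes.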
-
17/17
Thank you for your attention