
DNS Cyber Weapon of Mass Destruction

Bojan Zdrnja, CISSP, GCIA, GCIH
Bojan.Zdrnja@infigo.hr
INFIGO IS
http://www.infigo.hr

Agenda

DNS and its criticality
DNS as a weapon
  Denial of Service attacks
  Covert data transfer
How to improve DNS security?

Domain name system (DNS)


DNS is a critical part of the Internet
  “The DNS maps hostnames to IP addresses”
DNS is distributed
  Great for high availability
  Each server is responsible only for its zone
Carried with UDP datagrams or TCP
Originally defined by RFC 1034 (RFC 882)
Always contains the following 4 sections:
  Query (defines name, type and class)
  Answer
  Authority
  Additional

Domain name system (DNS)


Original specification limited DNS UDP packets to 512 bytes
  If larger, use TCP
  But with TCP we cannot spoof packets!

RFC 2671 Extension Mechanisms for DNS (EDNS0)


Signalled by an OPT pseudo-RR in the additional data section
  i.e. ar: . OPT UDPsize=4096

Important headers
  Source IP, Source UDP Port
  Destination IP, Destination UDP Port
  DNS ID (Identification)

Denial of Service attacks with DNS


DNS is a critical part of the Internet (again)
  We cannot live without it
  And the attackers love it
UDP datagrams
  “The god-king has betrayed a fatal flaw: Hubris. Easy to taunt, easy to trick.”
  UDP can be easily spoofed
  Any ISPs doing egress filtering? Thought not.
Set SourceIP to that of the target
Set DestinationIP to that of (a) DNS server
Set DestinationPort to 53
Fire a request & forget

Denial of Service attacks with DNS


This allows us to be almost anonymous
But provides another goal for an attacker:
  Amplification
Idea is very simple (Smurf-like attacks)
  Send a (relatively small) DNS query
  Get a (large) DNS reply
  Spoof the sender’s IP address

Denial of Service attacks with DNS


Wait, what about EDNS0?
  Send a small DNS query (~60 bytes)
  Get a large DNS reply (~4000 bytes)
  That’s an amplification factor of 66
  2 Mbit of queries generates 120+ Mbit of responses!
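As an added illustration (not from the original slides), the following Python builds the kind of EDNS0 query described above with the standard-library struct module and reads the advertised UDP payload size back out of the OPT pseudo-RR, which is the field that lets a ~60-byte query pull a ~4000-byte answer; the isc.org/ANY query, the transaction ID and the reply length used for the size arithmetic are constructed values.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 2671)


def encode_name(name):
    """Encode a hostname in DNS wire format: length-prefixed labels, root = 0x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=255, udp_size=None, txid=0x1234):
    """Build a DNS query; with udp_size, append an OPT RR in the additional section.
    In the OPT RR the CLASS field carries the requester's UDP payload size."""
    arcount = 1 if udp_size else 0
    # header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if udp_size:
        # NAME=root, TYPE=41, CLASS=udp size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """UDP payload size advertised in the OPT RR, or the classic 512 if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return 512


def wire_bytes(dns_len):
    """Datagram size on the wire: 20 bytes IPv4 + 8 bytes UDP on top of the DNS message."""
    return dns_len + 28
```

Checking this value on a resolver's own outbound queries (or capping it in the resolver configuration) directly bounds how large a single reflected answer can be.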

What can the attackers use?
Open resolvers
  Perfect
  Get them to cache a large response (maybe even attacker generated)
  Fire at will
Any DNS server really
  As long as the response is large enough

Denial of Service attacks with DNS


Best (or worst, depending on POV) records to use
  Find large TXT records
  Attackers often use TXT, even generate their own
Abuse DNSSEC
  Good for amplification due to large DNSKEY or RRSIG resource records
  Quite often isc.org gets picked

Is it difficult to find open resolvers?
  Unfortunately not
  Some research says that there are more than 500,000 open resolvers on the Internet!

Denial of Service attacks with DNS


How can we protect ourselves?
  Difficult
  Make sure you have your upstream ISPs' contacts handy
  In emergencies block responses with source port 53
  This will block your legitimate DNS responses as well!
What if they use us as a reflector?
  Do not run an open resolver
  See Paul Vixie’s Response Rate Limiting patches for BIND 9
  Not in standard BIND releases yet
  Available at http://www.redbarn.org/dns/ratelimits

DNS for covert traffic


Tunneling traffic over DNS is an old and well known technique
  Often used to escape from walled gardens
  I.e. hotel or airport networks
Requires a special DNS client and server
  Simple operation
  Encode sent data in queries
  Encode received data in responses
Poor man’s File Transfer via DNS by Johannes @ Internet Storm Center:
  http://isc.sans.edu/diary.html?storyid=10306

DNS for C&C traffic


Several botnets use DNS for communication to C&C servers
  DNS is always allowed: perfect!
  DNS is rarely monitored: perfect!
Feederbot botnet
  Uses DNS TXT resource records for data transfer
  Reply payload gets RC4 encrypted
  A CRC32 header is added
  The whole package is now Base64 encoded
  This forms the DNS TXT response

DNS for C&C traffic


The Morto worm uses DNS for C&C traffic too
  Got famous because it is an RDP worm
  Also interesting because it saves the encrypted payload in the registry
  No files
  Similarly to Feederbot, uses TXT resource records for communication
We can expect more in the future
  Or funny concepts such as using Twitter as C&C

What to do to improve DNS security?


We should work on implementing DNSSEC
  Keep in mind that it has nothing to do with the described attacks
  It just makes sure that you got the right answers
  .hr is still not signed
  Some statistics:
    315 TLDs in the root zone in total today
    99 TLDs are signed
Make sure you are not running an open resolver
  They really create problems

What to do to improve DNS security?


For companies: implement proper DNS architecture
  Remember that DNS is a critical part of your infrastructure
  Use a split DNS setup:
    One external DNS server serving only your public DNS zones
    One internal DNS server
    This one never issues requests directly but instead forwards them to the external server for resolution
Keep your DNS servers up to date

What to do to improve DNS security?


Implement advanced features that BIND supports:
  DNS Response Policy Zones (RPZ)
  Allow you to trigger policy by query names, addresses in responses or name of authoritative servers
  Response policy can cause several actions
With DNS RPZ you can “poison” domain names or IP addresses
  Awesome for preventing your client machines from contacting known C&C servers
  Can be used to create walled gardens
More information at https://kb.isc.org/category/110/0/10/Software-Products/BIND9/Features/DNSRPZ/
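To make the RPZ triggers and actions above concrete, here is an added Python helper (not from the slides or from ISC) that turns a blocklist into RPZ zone records using the documented encodings: a QNAME trigger is the bare name (plus a wildcard for subdomains), an answer-address trigger is prefix.B4.B3.B2.B1.rpz-ip, an authoritative-server trigger is name.rpz-nsdname, and the action is CNAME . (NXDOMAIN), CNAME *. (NODATA) or any other CNAME (local data, i.e. a walled garden). The zone origin rpz.example, the sinkhole name and the blocklist entries are constructed values.

```python
import ipaddress


def qname_trigger(name):
    """Trigger on the queried name; also cover its subdomains with a wildcard owner."""
    name = name.rstrip(".").lower()
    return [name, "*." + name]


def ip_trigger(cidr):
    """Trigger on an IPv4 address in the answer: prefixlen.B4.B3.B2.B1.rpz-ip."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv6 rpz-ip owners use a different encoding; IPv4 only here")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return ["%d.%s.rpz-ip" % (net.prefixlen, reversed_octets)]


def nsdname_trigger(ns):
    """Trigger on the name of the authoritative server that would answer."""
    return [ns.rstrip(".").lower() + ".rpz-nsdname"]


TRIGGERS = {"qname": qname_trigger, "ip": ip_trigger, "nsdname": nsdname_trigger}
ACTIONS = {"nxdomain": "CNAME .", "nodata": "CNAME *."}


def rpz_records(entries, garden=None):
    """entries: (kind, value, action) tuples; action is nxdomain, nodata or garden.
    garden is the sinkhole host that walled-garden answers point at."""
    out = []
    for kind, value, action in entries:
        if action == "garden":
            if garden is None:
                raise ValueError("garden action needs a sinkhole name")
            rdata = "CNAME %s." % garden.rstrip(".")   # any other CNAME = local data
        else:
            rdata = ACTIONS[action]
        out += ["%s %s" % (owner, rdata) for owner in TRIGGERS[kind](value)]
    return out


def rpz_zone(origin, entries, garden=None, serial=2012100301):
    """Full zone text; load it in named.conf with: response-policy { zone "ORIGIN"; };"""
    head = ["$TTL 300",
            "@ IN SOA localhost. hostmaster.%s. %d 3600 900 604800 300" % (origin, serial),
            "@ IN NS localhost."]
    return "\n".join(head + rpz_records(entries, garden)) + "\n"
```

Bumping the serial and reloading the zone is all it takes to push a new C&C name to every client behind the resolver, which is why RPZ pairs well with the DNS monitoring discussed later.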

What to do to improve DNS security?


Monitor DNS!
  Too often DNS is not monitored at all
Many, many benefits of monitoring DNS
  Identify internal clients which are resolving known bad names like C&C servers
  These are potentially infected
  Identify spamming machines
  Early warning system for phishing
  Utilize passive DNS features
  See my paper “Passive monitoring of DNS anomalies” at http://www.caida.org/publications/papers/2007/dns_anomalies/dns_anomalies.pdf
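As an added example (not from the slides), the following Python runs three of the detections listed above over a handful of constructed BIND query-log lines: clients resolving a known C&C name, clients issuing bursts of MX lookups (a spamming signature) and clients sending many long, random-looking TXT queries under one parent domain (the pattern left by DNS tunnels and TXT-based C&C). The log lines, the blocklist entry bad-c2.example and the thresholds are constructed values; the log format is the older BIND 9 "client IP#port: query:" line.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND query-log lines, not real traffic.
LOG = """\
03-Oct-2012 10:15:01.001 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
03-Oct-2012 10:15:02.002 client 10.0.0.5#51235: query: bad-c2.example IN TXT + (10.0.0.1)
03-Oct-2012 10:15:03.003 client 10.0.0.9#40001: query: 6a7b8c9d0e1f2a3b.t.example IN TXT + (10.0.0.1)
03-Oct-2012 10:15:03.004 client 10.0.0.9#40002: query: 4f5e6d7c8b9a0f1e.t.example IN TXT + (10.0.0.1)
03-Oct-2012 10:15:03.005 client 10.0.0.9#40003: query: 0a1b2c3d4e5f6a7b.t.example IN TXT + (10.0.0.1)
03-Oct-2012 10:15:04.006 client 10.0.0.7#33001: query: mail.example.org IN MX + (10.0.0.1)
03-Oct-2012 10:15:04.007 client 10.0.0.7#33002: query: example.net IN MX + (10.0.0.1)
03-Oct-2012 10:15:04.008 client 10.0.0.7#33003: query: example.edu IN MX + (10.0.0.1)
"""
LINE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
KNOWN_C2 = {"bad-c2.example"}   # constructed blocklist entry (an RPZ feed would do)


def parse(log):
    """Extract (ip, name, type) from each query-log line that matches the format."""
    return [m.groupdict() for m in map(LINE.search, log.splitlines()) if m]


def entropy(s):
    """Shannon entropy in bits per character; hex/base32 payload labels score high."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parent(name):
    """Registered-domain approximation: the last two labels of the name."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def analyse(log, mx_threshold=3, tunnel_threshold=3):
    """Return clients talking to known C&C, MX-burst clients and tunnel suspects."""
    findings = {"c2_clients": set()}
    mx = Counter()
    txt = defaultdict(set)   # (client, parent domain) -> distinct high-entropy names
    for r in parse(log):
        if r["name"].rstrip(".").lower() in KNOWN_C2:
            findings["c2_clients"].add(r["ip"])
        if r["type"] == "MX":
            mx[r["ip"]] += 1
        if r["type"] == "TXT":
            label = r["name"].split(".")[0]
            if len(label) >= 12 and entropy(label) > 3.0:   # long and random-looking
                txt[(r["ip"], parent(r["name"]))].add(r["name"])
    findings["mx_bursts"] = {ip for ip, n in mx.items() if n >= mx_threshold}
    findings["tunnel_suspects"] = {k for k, names in txt.items() if len(names) >= tunnel_threshold}
    return findings
```

In production the thresholds are tuned per window size, and the MX rule must exempt the mail servers themselves.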

Thank you for your attention!
