Application Layer Security

Application layer protocols

• Domain Name System (DNS)

• Hypertext transfer protocol (HTTP)

• File transfer protocol (FTP)

• Telnet

  • Remote access (not encrypted)

• SSH

  • More recent secure remote access and administration protocol

• IMAP/POP/SMTP

  • Email services

Domain Name System (DNS)

• Distributed, hierarchical database

• 13 logical root name “servers” worldwide

  • Each “server” replicated many times

DNS top level domains

• Generic top-level domains

  • Started in 1984

  • Originally supposed to be named by function

    • .com for commerical websites

    • .mil for military

  • Eventually agreed upon unrestricted TLDs for .net, .org, .info

• Country top-level domains

  • .it, .us were allowed since 1994

DNS Authoritative servers

• Organization's own DNS server(s), providing authoritative hostname to IP mappings for organization's named hosts

• Can be maintained by organization or service provider

Local DNS name server

• Does not strictly belong to hierarchy

• Each ISP (residential ISP, company, university) has one

  • Also called "default name server"

• When host makes DNS query, query is sent to its local DNS server

  • Has local cache of recent name-to-address translation pairs (but may be out of date)

  • Acts as proxy, forwards query into hierarchy

DNS caching

• Once (any) name server learns mapping, it caches mapping

  • TLD servers typically cached in local name servers

    • Thus root name servers not often visited

  • Cache entries timeout (disappear) after some time (TTL)

• Cached entries may be out-of-date (best effort name-to-address translation)

  • If name host changes IP address, may not be known Internet-wide until all TTLs expire

DNS protocol - messages

• Query and reply messages, both with the same message format

  • Message header

    • Identification

      • 16 bit # for query

      • Reply to query uses same #

    • Flags

      • Query or reply

      • Recursion desired

      • Recursion available

      • Reply is authoritative

DNS Attacks

• Pharming (DNS Hijacking)

• DNS Cache Poisoning

• Subdomain DNS cache poisoning

Pharming (DNS Hijacking)

Changing IP associated with a server maliciously

DNS Cache Poisoning

• Basic idea

  • Give DNS servers false records and get it cached

• DNS uses a 160bit request identifier to pair queries with answers

• Cache may be poisoned when a name server

  • Disregards identifiers

  • Has predictable IDs

  • Accepts unsolicited DNS records

• Challenges

  • Faster responses

  • Correct 16-bit query ID

Probability of successful DNS cache poisoning

• An attacker issuing n fake responses aim to guess a transaction ID equal to one of the 16-bit real IDs

  • When n=213, the probability of success is >50%

• The above attack is still challenging due to the limited time interval

  • The cached record may last for minutes, hours, or even days

  • The time between the initial request (i.e. after the old cached record expires) and the valid response from the authoritative name server

Subdomain DNS cache poisoning

• Instead of requesting the target domain (i.e. example.com) directly request different subdomains, aaa.example.com, bbb.example.com, etc., which do not exist at all

• The authoritative name server just ignores them

• Attacker can take his/her time to guess the random IDs

• Using subdomain resolution for DNS cache poisoning

  • Include a glue record that resolves the name server of the target domain (i.e. ns.example.com) to an attacker-controlled server

Vulnerability of DNS

• The following two weakness in the DNS protocol makes it vulnerable to subdomain DNS poisoning attacks

  1. Relying on a 16-bit number as the only authentication mechanism

  2. Having the response for a non-existing subdomain request be a nonresponse

DNS cache poisoning prevention

• Use random identifiers for queries

  • However, this simple prevention can be easily compromised based on the birthday paradox

    • The probability of two or more people in a group of 23 sharing the same birthday is greater than 50%

• Local DNS servers only accept DNS requests from internal network

  • Effective against attackers from outside

  • Still vulnerable to attacks launched from inside network

• Source port randomization for DNS requests

  • Better, but cannot completely stop

• Deploy DNSSEC

  • Challenging because it is still being deployed and requires reciprocity

DNSSEC

• A set of security extensions to the DNS protocol that prevent attacks by digitally signing all DNS replies using public-key cryptography

• Guarantees

  • Authenticity of DNS answer origin

  • Integrity of reply

  • Authenticity of denial of existence

• Accomplishes this by signing DNS replies at each step of the way

• Typically use trust anchors, entries in the OS to bootstrap the process

• RRSIG

  • Resource-record signature

    • Contains a digital signature of the returned records

• DNSKEY

  • Public key

• DNSSEC Deployment

  • As the Internet becomes regarded as critical infrastructure there is a push to secure DNS

  • NIST is in the process of deploying it on root servers now

  • May add considerable load to DNS servers with packets sizes considerably larger than 512 byte size of UDP packets

  • There are political concerns with the US controlling the root level of DNS