DNS Operations(dnsop) K. Fujiwara
Internet-Draft JPRS
Intended status: Informational July 3, 2014
Expires: January 4, 2015
Detection and countermeasure of forged response cache poisoning attacks
draft-fujiwara-dnsop-poisoning-measures-00.txt
Abstract
Although the Domain Name System Security Extensions (DNSSEC) have been
implemented, cache poisoning is still a big issue. "ID Guessing and
Query Prediction" type cache poisoning is detectable on a full
resolver. TCP transport has strong resistance to cache poisoning
attacks. This document proposes improvements to full resolvers for
the detection of, and countermeasures against, forged response cache
poisoning attacks.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 4, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Fujiwara Expires January 4, 2015 [Page 1]
Internet-Draft measure of Cache poisoning attacks July 2014
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Detection . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Measures to forged response attacks . . . . . . . . . . . . . 3
4. Possible solution . . . . . . . . . . . . . . . . . . . . . . 3
5. Security considerations . . . . . . . . . . . . . . . . . . . 3
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
7. Normative References . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
"Threat Analysis of the Domain Name System (DNS)" [RFC3833] describes
"ID Guessing and Query Prediction" and brute force attacks. Dan
Kaminsky proposed an effective attack method [DK2008]. The Wikipedia
article "DNS spoofing" [Wikipedia_DNS_spoofing] describes concrete
attack patterns.
It is difficult to distinguish a forged response from an authentic
one because the identity fields, such as the port number and the
query ID, can be guessed easily under certain circumstances. The
"redirect the target domain's name server" attack is effective
because it forges delegation information. Kaminsky's method repeats
the attack continuously to increase its probability of success.
Detection of forged response attacks is described in Section 2.
Measures against forged response attacks are described in Section 3.
A possible solution is described in Section 4.
2. Detection
The attacks described in Section 1 hardly ever succeed on a single
trial. The probability of success of one trial is
1 / (number of query IDs, 2^16) / (number of ports, 2^16 - 1024) /
(number of DNS servers of the domain name). A full resolver under
attack receives many unmatched responses, which differ from the
outstanding query in query ID, port number, IP address, or query
name. Most unmatched responses are cache poisoning attacks.
These responses contain the resource records that the attacker wants
to inject into the cache of the full resolver. The attacked domain
names can be picked up by parsing the unmatched responses.
Detailed logs are useful for DNS server operations. They should
contain the resource records that attackers want to inject.
Log aggregation is important since the number of forged responses may
be very large and logging each one consumes many resources.
The log should contain summarized data: source IP addresses,
destination IP address, destination port number, query names, query
types, and the NS and glue RRs carried in the responses.
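The detection and log aggregation described in this section, as an added example that is not part of the draft: a full resolver's table of outstanding queries is modelled as a set of (server address, source port, query ID, question) keys, every incoming response is checked against it, and unmatched responses are summarized per query name with the fields listed above, including the NS and glue RRs they try to inject. Responses are handled as already-parsed dictionaries rather than wire format, the single-trial probability helper applies the formula given above, and all addresses, names and records in demo() are constructed samples.

```python
"""Detection and aggregated logging of unmatched DNS responses.

Added example, not code from the draft: it models a full resolver's table
of outstanding queries and classifies incoming responses at the level of
already-parsed messages (a real resolver does this on wire format). The
addresses, names and records in demo() are constructed samples.
"""
from collections import defaultdict

QUERY_ID_SPACE = 2 ** 16          # 16-bit query ID
PORT_SPACE = 2 ** 16 - 1024       # source ports above the privileged range


def single_trial_success_probability(n_servers):
    """Section 2's estimate: one forged response succeeds only if it guesses
    the query ID, the source port and which of the domain's servers was asked."""
    return 1.0 / QUERY_ID_SPACE / PORT_SPACE / n_servers


class OutstandingQueries:
    """Queries sent and still awaiting a response.

    The key is everything a response must reproduce to be accepted: the
    server address, our source port, the query ID and the question."""

    def __init__(self):
        self._pending = set()

    def send(self, server_ip, src_port, query_id, qname, qtype):
        self._pending.add((server_ip, src_port, query_id, qname.lower(), qtype))

    def matches(self, resp):
        key = (resp["src_ip"], resp["dst_port"], resp["id"],
               resp["qname"].lower(), resp["qtype"])
        if key in self._pending:
            self._pending.discard(key)   # one answer per query
            return True
        return False


class ForgedResponseLog:
    """Aggregates unmatched responses per query name rather than logging
    each one, keeping the fields Section 2 asks for: source and destination
    addresses, destination port, query type, and the NS/glue RRs carried."""

    def __init__(self):
        self.summary = defaultdict(lambda: {
            "count": 0, "src_ips": defaultdict(int), "dst_ips": defaultdict(int),
            "dst_ports": defaultdict(int), "qtypes": defaultdict(int),
            "injected": defaultdict(int)})

    def record(self, resp):
        e = self.summary[resp["qname"].lower()]
        e["count"] += 1
        e["src_ips"][resp["src_ip"]] += 1
        e["dst_ips"][resp["dst_ip"]] += 1
        e["dst_ports"][resp["dst_port"]] += 1
        e["qtypes"][resp["qtype"]] += 1
        # A forged delegation is carried as NS records in the authority
        # section plus address (glue) records in the additional section.
        for rr in resp.get("authority", []) + resp.get("additional", []):
            if rr["type"] in ("NS", "A", "AAAA"):
                e["injected"][(rr["name"].lower(), rr["type"], rr["data"])] += 1

    def attacked_names(self, threshold):
        """Query names that received at least `threshold` unmatched responses."""
        return sorted(n for n, e in self.summary.items() if e["count"] >= threshold)


def process_responses(pending, log, responses):
    """Classify responses against the outstanding-query table.
    Returns (matched, unmatched) counts; unmatched ones go to the log."""
    matched = unmatched = 0
    for resp in responses:
        if pending.matches(resp):
            matched += 1
        else:
            unmatched += 1
            log.record(resp)
    return matched, unmatched


def demo():
    """Constructed scenario: one genuine answer and three forgeries with the
    right port but wrong query IDs, each carrying a bogus delegation."""
    pending = OutstandingQueries()
    log = ForgedResponseLog()
    pending.send("198.51.100.1", 40000, 0x1234, "www.example.test", "A")
    base = {"src_ip": "198.51.100.1", "dst_ip": "192.0.2.53", "dst_port": 40000,
            "qname": "www.example.test", "qtype": "A"}
    genuine = dict(base, id=0x1234,
                   answer=[{"name": "www.example.test", "type": "A", "data": "198.51.100.10"}])
    forged = [dict(base, id=qid,
                   authority=[{"name": "example.test", "type": "NS", "data": "ns.attacker.test"}],
                   additional=[{"name": "ns.attacker.test", "type": "A", "data": "203.0.113.9"}])
              for qid in (0x0001, 0x0002, 0x0003)]
    matched, unmatched = process_responses(pending, log, forged + [genuine])
    return matched, unmatched, log


if __name__ == "__main__":
    m, u, log = demo()
    print("matched=%d unmatched=%d attacked=%s" % (m, u, log.attacked_names(3)))
    for name, e in log.summary.items():
        print(name, dict(e["src_ips"]), dict(e["injected"]))
```

The summary keeps one counter per distinct value instead of one line per response, so a flood of forged responses costs a few dictionary increments rather than a log write each; the injected-RR counters are what an operator reads to see which delegation an attacker is trying to plant.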
3. Measures to forged response attacks
Using TCP as the DNS transport is a good countermeasure against forged
response attacks. First, each TCP segment carries a 32-bit sequence
number field, and predicting sequence numbers and controlling timing
are very hard. Second, the attacker needs to inject at least two
packets: one to establish the TCP connection and the other to send
the forged response.
Using TCP transport may cause two issues. First, it increases query
response time. Second, it causes performance issues for both full
resolvers and authoritative DNS servers.
4. Possible solution
A feasible measure is a combination of detection and the use of TCP
transport. A full resolver detects forged response attacks as
described in Section 2. If an attack is detected, the full resolver
invalidates the name resolution states that contain the domain names
under attack and restarts their name resolution using TCP transport.
When the forged response attack stops, the full resolver detects this
and resumes UDP transport for the attacked domains. The switching
delay may be the same value as the timeout for waiting for a response
from authoritative DNS servers.
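The per-domain switch between UDP and TCP described above, as an added example that is not part of the draft. It takes the unmatched responses found by detection as input, moves a domain to TCP once a threshold of them arrives within a short window, reports which pending resolutions to invalidate, and drops back to UDP after a quiet period equal to the authoritative response timeout. The threshold, window and timeout values, the rule that the parent of the query name is the attacked zone, and the explicit clock parameter are assumptions of this example.

```python
"""Per-domain transport switching between UDP and TCP (Section 4).

Added example, not code from the draft. Time is passed in explicitly so
the behaviour can be exercised with a simulated clock; the threshold,
window and timeout values and the parent-zone rule are assumptions.
"""
from collections import deque


class TransportPolicy:
    """Decides whether queries for a domain go over UDP or TCP.

    - In UDP mode, unmatched responses for names under a domain are counted
      within a sliding window; reaching `threshold` moves the domain to TCP
      and reports it so in-flight resolutions can be invalidated and
      restarted over TCP.
    - In TCP mode, a quiet period of `timeout` seconds with no further
      unmatched responses moves the domain back to UDP. The draft suggests
      the authoritative-response timeout as this delay.
    """

    def __init__(self, threshold=3, window=1.0, timeout=5.0):
        self.threshold = threshold
        self.window = window
        self.timeout = timeout
        self._events = {}     # domain -> deque of unmatched-response timestamps
        self._tcp_since = {}  # domain -> time of last unmatched response in TCP mode

    @staticmethod
    def attacked_domain(qname):
        """Assumed rule: the parent of the query name is the attacked zone,
        since a forged delegation targets the zone rather than the leaf."""
        labels = qname.lower().rstrip(".").split(".")
        return ".".join(labels[1:]) if len(labels) > 1 else labels[0]

    def transport(self, qname, now):
        """Transport to use for a query for `qname` issued at time `now`."""
        domain = self.attacked_domain(qname)
        if domain in self._tcp_since:
            if now - self._tcp_since[domain] >= self.timeout:
                del self._tcp_since[domain]   # attack stopped: resume UDP
                return "udp"
            return "tcp"
        return "udp"

    def on_unmatched_response(self, qname, now):
        """Feed one detected forged response. Returns the domain whose pending
        resolutions must be invalidated and restarted over TCP, or None."""
        domain = self.attacked_domain(qname)
        if domain in self._tcp_since:
            self._tcp_since[domain] = now     # still under attack: stay on TCP
            return None
        events = self._events.setdefault(domain, deque())
        events.append(now)
        while events and now - events[0] > self.window:
            events.popleft()                  # forget responses outside the window
        if len(events) >= self.threshold:
            self._events.pop(domain, None)
            self._tcp_since[domain] = now
            return domain
        return None


if __name__ == "__main__":
    policy = TransportPolicy()
    for t in (0.1, 0.2, 0.3):
        print(t, policy.on_unmatched_response("www.example.test", t))
    print("at 0.4:", policy.transport("www.example.test", 0.4))
    print("at 9.0:", policy.transport("www.example.test", 9.0))
```

Because a handful of forged responses is enough to trip the switch (the concern Section 5 raises), a deployment built on this would also bound how many domains may be held in TCP mode at once; that cap is left out of the example.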
This idea may be well known and some products may implement it
already. They may have patents.
Encryption of DNS traffic, as discussed on the dns-privacy mailing
list [dns-privacy], is a good countermeasure against forged response
attacks.
5. Security considerations
The idea described in Section 4 may introduce a new weak point.
Attackers can force the full resolver to use TCP transport for a
domain name by sending a small number of forged responses. This
attack increases the full resolver's state and load, and the state
held by authoritative DNS servers.
6. IANA Considerations
7. Normative References
[DK2008] Kaminsky, D., "DNS 2008 and the new (old) nature of critical
infrastructure", July 2008,
<http://www.slideshare.net/dakami/dmk-bo2-k8bhfed>.
[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
Name System (DNS)", RFC 3833, August 2004.
[Wikipedia_DNS_spoofing] "DNS spoofing",
<http://en.wikipedia.org/wiki/DNS_spoofing>.
Author's Address
Kazunori Fujiwara
Japan Registry Services Co., Ltd.
Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
Chiyoda-ku, Tokyo 101-0065
Japan
Phone: +81 3 5215 8451
EMail: fujiwara@jprs.co.jp