Learn more at: http://www.cs.uccs.edu
1
Investigations into BIND Dynamic Update with OpenSSL
  • by David Wilkinson

2
Overview of DDOS attack
[Diagram: attack agents (A) on compromised.net, vigilant.net,
incompetent.net and further networks send traffic through their
routers (R) and the DNS servers of reflecting networks, which
bounce it on to the Victim. Legend: A = Agent, R = Router.]
3
Stopping the attack with the Secure Collective Defense (SCOD)
[Diagram: the same topology with SCOD in place. Attack traffic
is blocked by IDS at the routers of the agents' networks and of
the reflecting networks, proxy servers stand in front of the
Victim, and the Victim sends out a reroute request ("Could I get
some help here?") so that its legitimate clients reach it through
the proxies. Legend: A = Agent, R = Router.]
4
This project focuses on sending the reroute message to
the authoritative name servers (called servers of
authority, SOA, in these slides) of the preferred
clientele
  • Potential roadblocks/snafus
  • How to authenticate the machine sending the reroute
    command to the various DNS servers, and vice
    versa?
  • How to change the DNS software to accept this new
    command and reroute clients accordingly?

5
Using OpenSSL for Authentication
  • BIND9's transaction signatures (TSIG) use shared
    secret keys for verification, which is not practical
    for verifying arbitrary machines on the Internet
  • BIND9's DNS Security Extensions (DNSSEC) use public
    key cryptography so that a resolver (the client) can
    verify that zone data really came from the zone's
    owner, but they do not authenticate the client to
    the server
  • The Secure Sockets Layer (SSL), on the other hand,
    lets any client and server on the Internet verify
    each other's identity with public key certificates.
    OpenSSL is used here because it is free.

6
Combine OpenSSL with a modified version of nsupdate to
create reroute
  • In BIND9, the nsupdate command allows an authorized
    machine to change the zone data in a DNS server
    (RFC 2136 dynamic update)
  • Mostly used by ISPs and large companies to register
    in DNS the addresses assigned dynamically to dial-up
    and cable modem customers
  • Example session (the empty line after the last
    command sends the request to the server):
      $ nsupdate
      > prereq nxdomain mib.fx.movie.edu.
      > update add mib.fx.movie.edu. 300 A 192.253.253.16
      >
  • Result: host mib.fx.movie.edu with IP address
    192.253.253.16 is added to the server's zone,
    provided the name did not already exist
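The nsupdate session above, shown as the message nsupdate actually puts on the wire. This is an added example, not code from the slides or from BIND, and uses only the Python standard library. It assumes the enclosing zone is fx.movie.edu. (nsupdate itself finds the zone by querying for the SOA record). It builds the RFC 2136 UPDATE message, parses it back the way named would, and enforces the one check that matters for the reroute design: every name in the request must lie inside the single zone the message names.

```python
"""RFC 2136 DNS UPDATE matching the nsupdate session on slide 6.  Added
example (not from the slides or BIND), standard library only.  The enclosing
zone fx.movie.edu. is an assumption; nsupdate finds it via the SOA record."""
import socket
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255   # NONE/ANY carry prerequisite semantics


def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record in wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def in_zone(name, zone):
    name, zone = name.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def build_update(zone, host, ip, ttl=300, msg_id=0x1234):
    """UPDATE with one Zone entry, one 'name does not exist' prerequisite and
    one 'add A record' instruction, i.e. the nsupdate session on the slide."""
    if not in_zone(host, zone):
        # named would answer RCODE NOTZONE: an UPDATE edits exactly one existing
        # zone, named in its Zone section, which is why it can never create one.
        raise ValueError("NOTZONE: %s is not inside %s" % (host, zone))
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 1, 1, 0)   # QR=0, opcode 5
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    prereq = rr(host, TYPE_ANY, CLASS_NONE, 0, b"")                  # "prereq nxdomain host"
    update = rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ip))   # "update add host ttl A ip"
    return header + zone_section + prereq + update


def parse_update(buf):
    """Decode an UPDATE into its four sections, the way named sees it."""
    msg_id, flags, zo, pr, up, ad = struct.unpack_from("!HHHHHH", buf, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("opcode %d is not UPDATE" % ((flags >> 11) & 0xF))
    off, zones = 12, []
    for _ in range(zo):
        zname, off = decode_name(buf, off)
        zones.append((zname,) + struct.unpack_from("!HH", buf, off))
        off += 4
    msg = {"id": msg_id, "zone": zones, "prereq": [], "update": [], "additional": []}
    for count, key in ((pr, "prereq"), (up, "update"), (ad, "additional")):
        for _ in range(count):
            name, off = decode_name(buf, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            msg[key].append({"name": name, "type": rtype, "class": rclass,
                             "ttl": ttl, "rdata": buf[off:off + rdlen]})
            off += rdlen
    return msg


def describe_prereq(record):
    """nsupdate's word for a prerequisite RR (RFC 2136 section 2.4)."""
    whole_name = record["type"] == TYPE_ANY
    if record["class"] == CLASS_NONE:
        return ("nxdomain " if whole_name else "nxrrset ") + record["name"]
    if record["class"] == CLASS_ANY:
        return ("yxdomain " if whole_name else "yxrrset ") + record["name"]
    return "yxrrset %s (with rdata)" % record["name"]


if __name__ == "__main__":
    msg = parse_update(build_update("fx.movie.edu.", "mib.fx.movie.edu.", "192.253.253.16"))
    print("zone:", msg["zone"][0][0])
    for r in msg["prereq"]:
        print("prereq", describe_prereq(r))
    for r in msg["update"]:
        print("update add %s %d A %s" % (r["name"], r["ttl"], socket.inet_ntoa(r["rdata"])))
```

Run it to print the decoded sections. The Zone section is the reason a dynamic update can edit an existing zone but never create one: the request names exactly one zone, and the server answers NOTZONE for any name outside it.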

7
reroute is different from nsupdate in the following
ways
  • reroute does not update the zone data on the SOA of
    its own network (i.e., the victim's). Instead it
    needs to add a new temporary zone (which maps the
    victim host to the IP address of a proxy server in
    the SCOD scheme) on the SOA of every preferred
    client it has in its database. Dynamic updates
    cannot add new zones, period. (Alternatively,
    reroute may add the preferred clients to a new view
    in the victim's DNS server. This view maps the
    victim host to the IP address of a proxy server.
    nsupdate cannot add new views nor add clients to a
    view's match list. However, during a DDOS attack
    the victim's DNS server may itself become
    unavailable, so the first option may be preferable.)
  • Mutual authentication between server and client
    with SSL

8
Progress on adding SSL to nsupdate
  • Learned how to configure OpenSSL to create a
    certificate for a trusted root CA. Changed the
    configuration file to create client and server
    certs signed by this CA. Set up a simple client
    and server that authenticated each other and
    communicated through an encrypted channel.
  • Traced the flow of nsupdate with GDB with the TCP
    option (-v) set. nsupdate.c and request.c must
    be modified on the client (i.e., nsupdate) side;
    interfacemgr.c and client.c must be modified on
    the server (i.e., named) side.
  • Adding code to the client side was not without
    trials and tribulations; not enough time for the
    server side.
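The set-up this slide describes, as an added example that is not the project's code: a private root CA, a server certificate and a client certificate signed by it, and a loopback TLS session in which each side must present a certificate chaining to that CA. Certificates are generated with the openssl command-line tool, assumed to be installed, and the handshake uses Python's standard ssl module. The names scod-ca, victim-dns, client-soa, rogue-ca and impostor are made up for the example. It also runs the negative case the design depends on: a client whose certificate was signed by a different CA is refused before any command is read.

```python
"""Mutual TLS with a private root CA (slide 8's set-up).  Added example: certs
come from the openssl CLI (assumed on PATH), handshake via Python's ssl; names made up."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

OPENSSL_CNF = """[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[server_ext]
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
[client_ext]
extendedKeyUsage = clientAuth
"""                                     # own config, independent of the system openssl.cnf


def make_pki(workdir):
    """Root CA, server and client certs it signed, plus a rogue CA with its own client cert."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF)

    def run(*args):
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    def ca(name):
        key, crt = (os.path.join(workdir, name + ext) for ext in (".key", ".crt"))
        run("req", "-x509", "-config", cnf, "-extensions", "ca_ext", "-newkey", "rsa:2048",
            "-nodes", "-days", "1", "-subj", "/CN=" + name, "-keyout", key, "-out", crt)
        return key, crt

    def leaf(name, ca_key, ca_crt, ext):
        key, csr, crt = (os.path.join(workdir, name + e) for e in (".key", ".csr", ".crt"))
        run("req", "-new", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=" + name, "-keyout", key, "-out", csr)
        run("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key, "-CAcreateserial",
            "-days", "1", "-extfile", cnf, "-extensions", ext, "-out", crt)
        return key, crt

    ca_key, ca_crt = ca("scod-ca")
    rogue_key, rogue_crt = ca("rogue-ca")       # never trusted by anyone below
    return {"ca": ca_crt,
            "server": leaf("victim-dns", ca_key, ca_crt, "server_ext"),
            "client": leaf("client-soa", ca_key, ca_crt, "client_ext"),
            "rogue_client": leaf("impostor", rogue_key, rogue_crt, "client_ext")}


def mutual_tls_exchange(ca_crt, server_key, server_crt, client_key, client_crt):
    """Loopback TLS session; returns what each side learned, or why the server refused."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.verify_mode = ssl.CERT_REQUIRED            # the mutual part: untrusted client cert, no session
    srv.load_verify_locations(ca_crt)
    srv.load_cert_chain(server_crt, server_key)
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and its SAN by default
    cli.load_verify_locations(ca_crt)
    cli.load_cert_chain(client_crt, client_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    seen = {}

    def peer_cn(tls):
        return dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]

    def serve():
        try:
            raw, _ = listener.accept()
            with srv.wrap_socket(raw, server_side=True) as tls:  # client cert is checked here
                seen["client_cn"] = peer_cn(tls)
                tls.sendall(b"reroute accepted from " + seen["client_cn"].encode())
        except OSError as exc:                                  # ssl.SSLError is an OSError
            seen["error"] = "%s: %s" % (type(exc).__name__, exc)

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                cli.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
            seen["server_cn"] = peer_cn(tls)
            seen["reply"] = tls.recv(1024)
    except OSError:
        pass                                                    # refused; serve() recorded why
    worker.join()
    listener.close()
    return seen


def demo():
    """Good case (client cert from scod-ca), then bad case (client cert from rogue-ca)."""
    pki = make_pki(tempfile.mkdtemp(prefix="scod-pki-"))
    return (mutual_tls_exchange(pki["ca"], *pki["server"], *pki["client"]),
            mutual_tls_exchange(pki["ca"], *pki["server"], *pki["rogue_client"]))


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see both outcomes. The server only learns the client's CN after the chain to the CA has verified, so a reroute handler built on this would act on an authenticated identity rather than on a source IP address; the impostor never reaches the point where a command is read.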

9
Work Ahead
  • Get nsupdate and named to actually authenticate
    each other
  • Make a new command, reroute, from nsupdate that
    adds temporary zones to foreign DNS servers or,
    alternatively, adds a new view to the victim's DNS
    server with a match list of preferred customers.
    This view routes those clients to the victim
    through the proxy servers.

10
References
  • Paul Albitz and Cricket Liu. DNS and BIND.
    O'Reilly & Associates, Inc., 2001.
  • John Viega, Matt Messier and Pravir Chandra.
    Network Security with OpenSSL. O'Reilly, 2002.
  • David Dittrich. The "stacheldraht" distributed
    denial of service attack tool. University of
    Washington, Dec. 31, 1999.
  • Steve Gibson. DRDoS: Distributed Reflection Denial
    of Service. grc.com, Feb. 22, 2002.