DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense
Curtis Taylor
Craig Shue
Outline
• Automated Attacking
• Costs to Organizations
• Some Observations
• Our Approach
– Lightweight Capabilities
– Fast Flux Defense
• Future Directions
Automated Attacking
• Attackers use others in attacks
– Compromised machines form botnets
• “Attacks” vary in goal, methodology
– Reconnaissance
– Footholds
– Exfiltration
– Exploitation
• But most attacks are automated
– Success rates may be low, but they make up for it in volume
Example Attacks
• SQL Injection
• Harvesting email addresses for spam
• Phishing
– The use of deception in electronic communication to obtain unauthorized access
– A symptom of system and network security improvements
Organization Costs
• Decreased credibility
• Information exposure
• Financial consequences
– Billions lost a year
– Identity theft
• Business failure
– Example: HBGary Federal
Some Observations
• Automated clients do not need host names
– Mnemonic names for human convenience
• Automated clients can skip DNS queries
– Directly scan IP address space
– Cache records beyond what is allowed
– Share with other machines in a botnet
• Humans likely play by the rules
– Their browsers are standards compliant
– “Illegal” caching does not really help them
Associating Clients and Resolvers is Non-Trivial
[Figure: an End User System inside an ISP Network sends a DNS Query to the ISP DNS Resolver, which forwards it to the ORNL DNS Server and relays the DNS Reply; the End User System then sends a Web Query directly to the ORNL Web Server, so the web server never sees which resolver asked on the client's behalf.]
What does this motivate?
• Some attackers are clearly skipping DNS, but a few still use it
• Good users are unlikely to skip DNS steps
• Can we use this knowledge to protect servers?
– Make DNS a gatekeeper to the network
– Failure to use DNS prevents access
• But it still looks successful to the client
– Let network providers know there is something awry with malicious clients
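The gatekeeper logic sketched on this slide, as an added toy model that is not the authors' code: a DNS answer grants a client a capability that lasts one TTL, and a packet-level check in front of the server steers clients that never resolved the name (or that reuse a record past its TTL) to a honeypot instead of refusing them. The addresses, TTL, the `Gatekeeper` class and the `scenario` walkthrough are all constructed for illustration; the slides mention only that the real system uses BIND9, iptables and libpcap.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (RFC 5737 documentation ranges), not from the slides.
REAL_WEB = "192.0.2.10"
HONEYPOT = "192.0.2.99"
TTL = 60  # seconds a DNS answer may legitimately be cached


@dataclass
class Gatekeeper:
    """Hypothetical model: dns_reply() stands in for the resolver-side hook that
    watches answers (libpcap in the slides); admit() for the packet filter in
    front of the server (iptables in the slides)."""
    # (client_ip, server_ip) -> time at which the granted capability expires
    capabilities: dict = field(default_factory=dict)
    # decisions the network provider should hear about, as the slides suggest
    alerts: list = field(default_factory=list)

    def dns_reply(self, client_ip: str, now: float) -> str:
        """Answer the query and grant a capability that lasts one TTL."""
        self.capabilities[(client_ip, REAL_WEB)] = now + TTL
        return REAL_WEB

    def admit(self, client_ip: str, dst_ip: str, now: float) -> tuple[str, str]:
        """Return (address the connection lands on, reason). Clients without a
        valid capability are steered to the honeypot rather than refused, so the
        connection still looks successful to them while the defender gets a signal."""
        expiry = self.capabilities.get((client_ip, dst_ip))
        if expiry is None:
            reason = "no DNS lookup observed for this client"
        elif now > expiry:
            reason = "record used beyond its TTL (illegal caching)"
        else:
            return dst_ip, "valid capability"
        self.alerts.append((client_ip, dst_ip, reason))
        return HONEYPOT, reason


def scenario() -> list[tuple[str, str]]:
    """Walk the cases from the slides; returns where each attempt lands."""
    gk = Gatekeeper()
    human, bot_a, bot_b = "203.0.113.5", "203.0.113.50", "203.0.113.51"
    out = []
    gk.dns_reply(human, now=0)                        # browser resolves first
    out.append(gk.admit(human, REAL_WEB, now=5))      # real server
    out.append(gk.admit(bot_a, REAL_WEB, now=5))      # scanned straight to the IP
    gk.dns_reply(bot_a, now=10)                       # bot A resolves, shares the IP
    out.append(gk.admit(bot_b, REAL_WEB, now=12))     # bot B never queried
    out.append(gk.admit(bot_a, REAL_WEB, now=TTL + 11))  # stale cached record
    return out
```

The `alerts` list is the hook for the "let network providers know" bullet: every honeypot decision records which client tripped the gate and why.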
Fast Flux Defense
[Figure: an End User System sends a DNS Query through the ISP DNS Resolver to the DNS Server and receives a DNS Reply; its Web Query then reaches the Real Web Server, which sits among many Honey Pot Web Servers.]
Fast Flux Defense
[Figure: the same deployment with no DNS Query or DNS Reply shown; the End User System's Web Query goes straight toward the address space in which the Real Web Server sits among many Honey Pot Web Servers, while the ISP DNS Resolver and DNS Server are bypassed.]
Future Directions
• We are ready to test
– Works with BIND9 and Linux's iptables, and uses libpcap to intercept DNS requests
• Limited deployment on ORNL’s network