
Report on DNS Spoofing and DDoS attacks

Assignment-Computer Networks

2016HT13092_Assignment - Computer Networks_DNS_DDoS



Contents

1 Introduction ...................................................................................... 3

2 DNS Spoofing ................................................................................... 3


2.1 DNS operation and caching ............................................................... 3

3 DNS Spoofing by DNS Cache Poisoning ........................................ 6

4 DDoS attack (DNS based) ................................................................ 6

5 Example of DNS Spoofing ............................................................... 8

6 Popular Example of DDoS attack .................................................... 9

7 References ..................................................................................... 10

8 Conclusion ..................................................................................... 10

Rev PA1 2016HT13092 2 (10)



1 Introduction
This report provides specific information on DNS (Domain Name System) spoofing
and DDoS (Distributed Denial of Service) attacks, two common network security
issues that pose significant challenges to the smooth day-to-day operation of
computer networks.

The report is divided into sections that introduce each topic, starting from basic
definitions, elaborating on operational aspects and mechanisms, and providing a
specific example of each type of vulnerability.

All references are listed at the end of the report, followed by the final
conclusion.

2 DNS Spoofing
DNS spoofing is an attack that exploits vulnerabilities in the Domain Name System
(DNS) in order to divert Internet traffic away from legitimate name servers to
fake ones, possibly to carry out a phishing attack, a DDoS attack (covered in later
sections), or both.

2.1 DNS operation and caching

DNS Operation

To understand DNS spoofing, one needs to understand how DNS works and how
it uses caching to reduce the load on upstream DNS servers.


Figure 1: DNS operation

Whenever a client contacts a domain name such as www.anouar.im, it must first
query a DNS server, since the DNS server maps the domain name of the website to
the specific IP address at which it can be reached. This involves the process of
domain name resolution shown in the diagram above, which can be summarized in
the flow chart below:

Figure 2: DNS operation flow (Client -> Recursive name server -> Root server ->
Top Level Domain server -> Naming server; final IP address: xxx.xxx.xxx.xxx)

DNS Caching

As can be seen above, in principle, in order to resolve a DNS name in the absence
of any prior information, all requests for resolution must start at the DNS root
server. This method is inefficient, as each time a domain name needs to be
resolved the queries must be sent upstream, consuming additional bandwidth as
well as server resources. Over a period of time this can choke the bandwidth,
even though DNS traffic itself is very small.


Caching is used to remember the answers to queries and to short-circuit future
requests for the same information by responding with the remembered answer
(rather than sending any traffic over the link to or through the ISP).

The Internet doesn’t just have a single DNS server, as that would be extremely
inefficient. An Internet service provider runs its own DNS servers, which cache
information from other DNS servers. A user’s home router functions as a DNS
server, which caches information from the respective ISP’s DNS servers. The
user’s computer has a local DNS cache, so it can quickly refer to DNS lookups it’s
already performed rather than performing a DNS lookup over and over again.

Figure 3: Naming Server Lookup


3 DNS Spoofing by DNS Cache Poisoning

Figure 4: DNS Cache Poisoning

A DNS cache becomes poisoned when it contains an incorrect entry. For example,
if an attacker gains control of a DNS server and changes some of the information
on it (say, making google.com point to an IP address the attacker owns), that
DNS server would tell its users to look for google.com at the wrong address. The
attacker's address could host some sort of malicious phishing website.

DNS poisoning like this can also spread. For example, if various Internet service
providers are getting their DNS information from the compromised server, the
poisoned DNS entry will spread to the Internet service providers and be cached
there. It will then spread to home routers and the DNS caches on computers as
they look up the DNS entry, receive the incorrect response, and store it.

4 DDoS attack (DNS based)


Distributed denial of service (DDoS) attacks are a subclass of denial of service
(DoS) attacks. A DDoS attack involves multiple connected online devices,
collectively known as a “botnet”, which are used to overwhelm a target website
with fake traffic.


Unlike other kinds of cyberattacks, DDoS assaults don't attempt to breach your
security perimeter. Rather, they aim to make your website and servers
unavailable to legitimate users. DDoS can also be used as a smokescreen for
other malicious activities and to take down security appliances, breaching the
target’s security perimeter.

A successful DDoS attack is a highly noticeable event impacting an entire online
user base. This makes it a popular weapon of choice for hacktivists, cyber
vandals, extortionists and anyone else looking to make a point or champion a
cause.

DDoS assaults often last for days, weeks and even months at a time, making
them extremely destructive to any online organization. Amongst other things,
DDoS attacks can lead to loss of revenues, erode consumer trust, force
businesses to spend fortunes in compensations and cause long-term reputation
damage. An illustrative representation of the DDoS attack is shown below for
reference.

Figure 5: Operation of DDoS attack


5 Example of DNS Spoofing

Name:
Eugene Kashpureff's attack on Network Solutions Inc.'s Internet Network
Information Center (InterNIC)

Vulnerability used:
Earlier implementations of BIND

Field of DNS protocol targeted:
Additional records section of the DNS response message.

Additional information:
Kashpureff injected bogus information into DNS caches around the world
concerning the DNS records of Network Solutions Inc.'s (NSI) Internet Network
Information Center (InterNIC). The information redirected legitimate clients
wishing to communicate with the InterNIC web server to Kashpureff's AlterNIC
web server. Kashpureff did this as a political stunt protesting the InterNIC's
control over DNS domains. When the attack occurred in July 1997, many DNS
servers were injected with this false information, and traffic for the InterNIC
went to AlterNIC, where Kashpureff's web page was filled with propaganda about
his motives and his objections to InterNIC's control over the DNS.

Possible Solutions:
Implementation of the latest versions of BIND, 4.9.6 and 8.1.1. In particular, both
versions check to ensure that resource records included in the additional data
section of a DNS reply message relate to the records in the earlier sections of
the message, the answer and authority sections. For example, if you look up an
MX record, the additional data section of the reply you receive should contain
address records corresponding to the mail exchangers listed for the destination
you looked up. It should not contain arbitrary address records, or any other
kinds of records. The attack against the InterNIC exploited this weakness in
BIND by injecting spurious records into otherwise legitimate replies.
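The acceptance rule described above, as an added example that is not part of the report or of BIND's code: a resolver-side filter that keeps an additional-section address record only when an MX or NS record in the answer or authority sections points at its owner name. It also applies a bailiwick test (the owner must lie inside the zone being answered for), which is an assumption added here; records are modelled as (owner, type, rdata) tuples rather than DNS wire format, and all names and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class DnsResponse:
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive, FQDN)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)

def referenced_hosts(resp: DnsResponse) -> set:
    """Host names that MX/NS records in the answer and authority sections point
    at; only address records for these names are legitimately needed as glue."""
    return {rdata.lower() for _, rtype, rdata in resp.answer + resp.authority
            if rtype in ("MX", "NS")}

def filter_additional(resp: DnsResponse, zone: str):
    """Split the additional section into records safe to cache and records to
    discard: an A/AAAA record is kept only if its owner is referenced by an
    MX/NS record in the earlier sections AND lies inside the answering zone."""
    wanted = referenced_hosts(resp)
    accepted, rejected = [], []
    for rr in resp.additional:
        owner, rtype, _ = rr
        if rtype in ("A", "AAAA") and owner.lower() in wanted and in_bailiwick(owner, zone):
            accepted.append(rr)
        else:
            rejected.append(rr)
    return accepted, rejected

def demo():
    # Constructed MX reply for example.com.; the last three additional records
    # have the shape of injected glue (unreferenced, off-zone, wrong type).
    resp = DnsResponse(
        qname="example.com.", qtype="MX",
        answer=[("example.com.", "MX", "mail.example.com."),
                ("example.com.", "MX", "backup.example.org.")],
        additional=[("mail.example.com.", "A", "192.0.2.10"),
                    ("www.example.com.", "A", "203.0.113.7"),      # not referenced
                    ("backup.example.org.", "A", "203.0.113.8"),   # referenced, off-zone
                    ("mail.example.com.", "TXT", "v=spf1 -all")],  # wrong type
    )
    return filter_additional(resp, zone="example.com.")
```

The off-zone glue for backup.example.org. is dropped rather than trusted; a real resolver would re-resolve that name through the example.org. delegation instead.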


6 Popular Example of DDoS attack

Name:
The DDoS attack against Spamhaus

Vulnerability used:
Weak open DNS resolvers that send large DNS zone files

Field of DNS protocol targeted:
Spoofing of CloudFlare-provided IPs as the source of queries that elicit large
DNS responses.

Additional information:
While the majority of the traffic involved in the attack was DNS reflection, the
attacker threw in a few other attack methods as well. One was a so-called ACK
reflection attack. When a TCP connection is established there is a handshake.
The server initiating the TCP session first sends a SYN (for synchronize) request
to the receiving server. The receiving server responds with an ACK (for
acknowledge). After that handshake, data can be exchanged.

In an ACK reflection, the attacker sends a number of SYN packets to servers with
a spoofed source IP address pointing to the intended victim. The servers then
respond to the victim's IP with an ACK. Like the DNS reflection attack, this
disguises the source of the attack, making it appear to come from legitimate
servers. However, unlike the DNS reflection attack, there is no amplification
factor: the bandwidth from the ACKs is symmetrical to the bandwidth the attacker
has to generate the SYNs.

Possible Solutions:
The long-term solution for the web is for providers to clean up the open
resolvers running on their networks.

Also, to mitigate the ACK reflection attack, CloudFlare configured its systems to
drop unmatched ACKs, which neutralizes this type of attack.
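As an added example that is not part of the report, the following script shows the two conditions a resolver operator would look for in query logs when checking whether their resolver is being used as a reflector: recursion served to clients outside the operator's own address space (the "open resolver" problem), and heavily amplified responses flowing to a single address. The log format, field names, prefixes and addresses are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed: the prefix this resolver is meant to serve recursion for.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed query log: one line per query, with request and response sizes.
# In a reflection attack the logged "client" is the spoofed victim address,
# i.e. the host the amplified responses are actually being sent to.
SAMPLE_LOG = """\
client=198.51.100.20 qname=www.example.com. qtype=A qsize=49 rsize=65
client=203.0.113.9 qname=example.com. qtype=ANY qsize=64 rsize=3200
client=203.0.113.9 qname=example.com. qtype=ANY qsize=64 rsize=3200
client=203.0.113.9 qname=example.com. qtype=ANY qsize=64 rsize=3200
client=198.51.100.21 qname=mail.example.com. qtype=MX qsize=51 rsize=140
"""

def parse(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_allowed(ip: str) -> bool:
    """True if the client falls inside one of the operator's own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def triage(log_text: str, amp_threshold: float = 10.0):
    """Return (clients outside ALLOWED_NETS that received recursion,
    {client: bytes_received / bytes_sent} for clients whose ratio reaches
    amp_threshold). Either finding is a sign the resolver is usable as a reflector."""
    sent, recv, outside = defaultdict(int), defaultdict(int), set()
    for line in log_text.splitlines():
        rec = parse(line)
        client = rec["client"]
        sent[client] += int(rec["qsize"])
        recv[client] += int(rec["rsize"])
        if not is_allowed(client):
            outside.add(client)
    amplified = {c: recv[c] / sent[c] for c in sent if recv[c] / sent[c] >= amp_threshold}
    return sorted(outside), amplified
```

The remedy the report names, closing the resolver to recursion from outside ALLOWED_NETS, removes the first finding and with it the second, since outside addresses can then no longer be made the destination of amplified answers.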


7 References
1. https://www.darkreading.com/vulnerabilities-and-threats/spamhaus-ddos-attacks-what-business-should-learn/d/d-id/1109304

2. https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/

3. http://sunsite.uakom.sk/sunworldonline/swol-11-1997/swol-11-bind.html

4. https://www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf

5. https://www.giac.org/paper/gcih/364/dns-spoofing-attack/103863

6. https://www.incapsula.com/ddos/denial-of-service.html

7. http://www.ckollars.org/dns-caching.html

8. https://howdns.works/

9. The Hitchhiker's Guide to DNS Poisoning, https://www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf

10. https://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/

8 Conclusion
We have introduced DNS spoofing/poisoning and DDoS attacks and discussed an
example of each. We also concluded that closing open DNS resolvers and using
up-to-date BIND releases can go a long way towards resolving and preventing such
malicious attacks, which can leave individuals, businesses and even countries
helpless and cause them huge financial and personal losses.
